Step 3. Checklist


The following checklist was developed to assist departments in evaluating security processes and procedures that promote the protection and security of information assets and resources. The goal is to provide you with a comprehensive approach to enhanced security within your organization by presenting opportunities to mitigate risk.

Most of the survey questions can be answered yes or no. Upon completion of the checklist, review the questions with the Dean/Director/Administrator and determine whether your current actions are adequate for the type of protection your data and services require. Look at each question answered 'no' from a risk-mitigation perspective to decide whether it needs to be addressed. What steps need to be taken to provide positive responses? Are those issues important based on your risk assessment?

Mitigating Hardware Risks


Is there redundant hardware to allow work to continue in the event of a single hardware failure?  
When was the redundant hardware last tested?  
Does the uninterruptible power supply (UPS) notify someone when it goes into operation? When was it last tested?  
Is there a plan to have departmental hardware replaced at regular intervals?  
Does the department have change control procedures?  
Does the department have system maintenance standards and procedures?  
Does the IT System Administrator ensure that all non-public personal information (NPPI) is removed from equipment before being sent out for repair or replacement?  
Is diagnostic hardware and/or software maintained onsite?  
Are laptops free of non-public personal information (NPPI) and encrypted where necessary?  


Mitigating Software Risks


Do you have original disks to reinstall the software if the hard drive fails?  
Is all software supported? If your software is old or unsupported, what are your plans to replace it?  
Is locally developed software supported by an easy-to-reach developer?  
Do you have provisions to continue operation if central services software is not available?  


Mitigating Environmental Failures


Is your equipment situated in locations that are safe and free from potential danger (e.g., away from leaky roofs, with sufficient power sources, etc.)?  
Do uninterruptible power supplies (UPS) protect servers and workstations?  
Is the heating, ventilation and air conditioning (HVAC) system keeping your systems at the appropriate temperature and humidity?  


Mitigating Network Failures


Does your department have network documentation to assist problem resolution of a computer or network device?  
Does your department have physical and remote access to your network devices?  
Does your department have the ability to continue to function in the event of a wide area network failure?  


Department Security Policies


Does the department have written security policies, standards and processes?  
Are these documented and available for faculty and staff to view? Please establish the media type (hardcopy, electronic).  
Do security standards identify all individuals responsible for implementing such standards and what their duties are?  
Do the standards identify steps to be taken if there is a physical and/or information security breach?  
Do the standards define and identify which physical assets and/or information (NPPI) are most important to protect?  
Are all departmental staff aware of security processes?  
Are departmental staff aware of university IT policies?  


Duties & Responsibilities

Deans, Chairs, or Directors


Does the department have an IT Systems Administrator?  
Is there a background and/or reference check on new employees?  
Are there clearly defined system security procedures for the administrator?  
Are security-related duties clear to department IT personnel?  
Do all security related IT duties appear in department job descriptions?  
Are IT staff aware of university policies relating to IT security related positions?  
Do security related duties have a place in department evaluations?  
Do written department procedures exist that explain how to perform all IT security related duties?  
Are IT personnel up to date on training for security related duties?  
Do personnel in your department have sufficient authority to accomplish IT security related duties, and are policies in place to remove employee discretion where necessary?  
Are there available and competent personnel to back up IT security related duties in the event the regular system administrator is unavailable?  
Are sufficient funds budgeted to cover IT security?  
Does the department have a process to address incidents or compromises?  
Do employees sign nondisclosure agreements on the use of confidential material/research material?  
Has funding been provided to recycle old computers and operating systems?  


Primary System Administrator &/or Unit Computing Manager (UCM)


Does the technical staff know to review the security settings and policies when necessary?  
Does the technical staff know how to respond to security breaches?  
Does the technical staff know to use user level accounts when not providing administrative services?  
Can you ensure that any forms of media containing confidential and sensitive information (NPPI) are sanitized before disposal?  
Are you fully aware of your duties, responsibilities, and resources?  
Have you identified and secured systems that hold critical information, NPPI or applications?  
Have you identified and secured documents designated as "critical" or NPPI?  
Is equipment that is being disposed of stripped of data before disposal?  
Is mobile equipment free of NPPI and critical information?  


Department User


Are staff instructed on basic workstation security?  
Are users familiar with email best practices?  
Are employees aware of the dangers social engineering and social networks can bring?  
Do staff have written guidelines for the storage of media files and protecting mobile equipment?  


Accounts and Passwords


Is there a departmental policy for selecting strong passwords?  
Is the department using software that enforces strong passwords?  
Is the system administrator authorized to check for weak passwords?  
Are passwords changed? If so, how often?  
Is the department planning to use forms of authentication other than passwords in the future?  
Does the department have an account removal process?  
Does the department have a method for identifying unauthorized users?  
Have staff received computer security awareness training?  
Is there a document establishing the identity and number of those having root access to departmental information?  
Is the identity of those having remote access to departmental information known?  
Are there written procedures for forgotten passwords?  
Are there written procedures for closing accounts when an employee terminates employment?  


Federal and State Compliance and Privacy


Are backup files sent off-site to a physically secure location?  
Are on-site files in a secure location?  
Is the department in compliance with IT standards relative to state and/or federal mandates and grants (GLBA, HIPAA, SEVIS, etc.)?  
If the department handles credit cards, is their use in compliance with the Payment Card Industry Data Security Standard (PCI DSS)?  
Is the department aware of identity theft compliance legislation and the risks of identity theft?  


Physical Security


Has a physical security audit been done?  
Does the department have physical security standards and procedures?  
Are there procedures for locking IT offices, telephone closets and computer rooms?  
Does the department have an alarm system?  
Are access points secured when the area is vacant?  
Are visitors greeted upon arrival?  
Are workstations and laptops locked down to deter theft?  
Are all workstation cases locked to prevent access to internal components?  
Are unused laptop computers kept in locked storage areas?  
Is security hardware available, and used, when laptops leave the office? (laptop cables, tracking software, etc.)  
Are microphones and cameras attached to any workstations or servers secure?  


Network and Configuration Security


Does your department have a network diagram that includes IP addresses, room numbers and responsible parties?  
Is there an IT auditing standard in place?  
Are end users prevented from downloading and/or installing software? How?  
Are contents of system logs protected from unauthorized access, modification, and/or deletion?  
Is there a retention standard?  
Is the CD-ROM Autorun feature disabled on all workstations?  
Is password caching disabled on all workstations?  
Have "trusted workstations" (workstations with access to critical information) been identified for critical applications?  
Have special procedures been setup to maintain security for these?  
Are trusted workstations secured if used for other purposes?  
Are trusted workstations SSL, SSH or VPN enabled?  
Are trusted workstations required to have complex passwords?  
Are workstations used by more than one employee secured? How?  
Are chat clients (ICQ, Yahoo Messenger, IM, etc.) managed (if allowed at departmental workstations) and if so, how are they managed?  
Will any clear-text passwords be embedded in SQL scripts for routine functions such as backup and recovery? If so, how will this data be protected?  
Are ActiveX, JavaScript, and Java disabled in web browsers and email programs for all workstations?  
Is remote control software (for example, PCAnywhere) permitted in the department? If so where? Define how it is controlled.  
Is the Administrator account, and any equivalent accounts, on all workstations limited to the office technical support person?  
Do administrators use an administrative account ONLY when doing actual administration?  
Can users tell if files have been changed? (Is data integrity software in use?)  
Have host based firewalls been activated?  
Has remote desktop and remote assistance been disabled?  
Specific to Web Servers   
Is the web server set to only accept traffic on port 80?  
Is the web server set to reject attempts to remotely administer it?  
Is the web server set to authenticate certain user traffic?  
Have the sample files, scripts, help and development files been removed?  
Specific to SFTP  
Are all servers set to authenticate users?  
Are all directories set to either read or write, but not both?  
Does the server operator know about site copyright/file-sharing problems and techniques?  
Specific to Email   
Is the E-mail server set to scan mail and attachments for viruses?  
Is the e-mail server set to reject attachments?  
Is the e-mail server set NOT to act as a relay?  
Is web access to e-mail secured?  
Are client connections from outside the subnet secured/encrypted?  
Specific to Network  
Does the department have an Internet Use Policy?  
Are all computers registered with Hostmaster?  
Does the department have a network map/diagram?  
Does the department have an inventory of devices attached to the network?  
Are the room jacks mapped to a switch port?  
Is there a policy as to how network services are accessed by users?  


Business Continuity and Disaster Planning


Is there a written contingency plan to perform critical processing in the event that on-site workstations are unavailable?  
Do you have a plan to continue departmental business in the event that the University's Central Systems are down for an extended period?  
Do you have a partnership with vendors who can help in an emergency if your equipment is damaged due to disaster?  
Is the contingency plan periodically tested to verify it can be followed to resume critical processing?  


Backup and Recovery


Are critical files regularly backed up?  
Do you store media off site?  
Is the environment of a selected off-site storage area (temperature, humidity, etc.) within the manufacturer's recommended range for the backup media?  
Are backup files periodically restored as a test to verify they are usable?  


Change Management


Are records kept of systems changes?  
Is there a process for communication of systems changes?  
Does the department have a configuration/asset control plan for all hardware and software products?  
Does the department have a version control plan for software products?  
Does the department have network and system diagrams of all system resources?  
Are only trained authorized individuals allowed to install computer equipment and software?  
Are maintenance records kept to indicate what repairs and/or diagnostics were performed and by whom?  


Patching 


Are software patches applied regularly to all workstation software, especially the operating system, web browser, word processor, spreadsheet, and database? How often is this checked?  
Have you created a plan for upgrades and set aside funding to enable you to keep software up to date?  


Software Licensing


Is all software in your department licensed to Rutgers University?  
Are you aware of the university's software portal and site licensed software?  


User Awareness Training


Do you require new employees to read any university and department level policies?  
Does your staff know what's expected of them regarding security for the university, and your department?  
Are department staff security-aware in regard to handling email, social engineering, passwords, etc.?  


Network and Host Based Security


Does the department have any way of telling that systems have been or are being compromised?  
Has penetration testing been done for the department?  
Are host based firewalls enabled on all desktops and laptops?  
Is critical data or non-public personal information (NPPI) stored on a department server protected from compromise?  
Can you monitor if anyone is accessing critical data?  
How often are logs reviewed?  
Is there central monitoring of settings and logs?  
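The earlier question about data-integrity software (can users tell if files have been changed?) and this section's question about telling whether systems have been compromised both come down to keeping a known-good file baseline and comparing the live system against it. The following file-integrity checker is an added example, not part of the original checklist; the directory names and file contents in demo() are constructed sample data.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """Stream the file through SHA-256 so large files stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record the hash and permission bits of every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(full), "mode": os.stat(full).st_mode & 0o777}
    return baseline

def verify(root, baseline):
    """Compare the live tree against the baseline; return sorted findings."""
    current = build_baseline(root)
    report = {"modified": [], "mode_changed": [], "removed": []}
    for rel, saved in baseline.items():
        live = current.get(rel)
        if live is None:
            report["removed"].append(rel)
        elif live["sha256"] != saved["sha256"]:
            report["modified"].append(rel)
        elif live["mode"] != saved["mode"]:
            report["mode_changed"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return {k: sorted(v) for k, v in report.items()}

def demo():
    # Constructed sample tree: take a baseline, simulate changes, then verify.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    def write(rel, text, flag="w"):
        with open(os.path.join(root, "etc", rel), flag) as f:
            f.write(text)
    write("hosts", "127.0.0.1 localhost\n")
    write("app.conf", "debug=false\n")
    baseline = build_baseline(root)
    write("app.conf", "debug=true\n", "a")   # content changed
    write("unexpected.sh", "#!/bin/sh\n")    # new file appeared
    os.remove(os.path.join(root, "etc", "hosts"))  # file removed
    return verify(root, baseline)
```

Keep the baseline itself on read-only or off-host storage and run verify() on a schedule; a baseline that an intruder can rewrite detects nothing.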


Antivirus Software 


Are all workstations running Rutgers Anti-virus Delivery Service with automatic update, or the latest version of antivirus software, scanning engine and virus signature file?  
Are you aware that antivirus/antispyware software is covered for all faculty/staff/students with the university's site license at no cost to the department?