Server Security Checklist

Similar documents
The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Security Standards for Electric Market Participants

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Sparta Systems TrackWise Digital Solution

Projectplace: A Secure Project Collaboration Solution

CS 356 Operating System Security. Fall 2013

Checklist: Credit Union Information Security and Privacy Policies

Juniper Vendor Security Requirements

The Common Controls Framework BY ADOBE

Vendor Security Questionnaire

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

SERVER HARDENING CHECKLIST

Trust Services Principles and Criteria

CIS Controls Measures and Metrics for Version 7

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

CompTIA Security+(2008 Edition) Exam

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

Sparta Systems Stratas Solution

Client Computing Security Standard (CCSS)

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

CIS Controls Measures and Metrics for Version 7

University of Pittsburgh Security Assessment Questionnaire (v1.7)

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity

AUTHORITY FOR ELECTRICITY REGULATION

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

WHITE PAPER- Managed Services Security Practices

01.0 Policy Responsibilities and Oversight

Sparta Systems TrackWise Solution

IPM Secure Hardening Guidelines

Security Architecture

Information Technology General Control Review

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security

Payment Card Industry (PCI) Data Security Standard

Google Cloud Platform: Customer Responsibility Matrix. December 2018

7.16 INFORMATION TECHNOLOGY SECURITY

Cyber security tips and self-assessment for business

Education Network Security

ISC2 EXAM - CISSP. Certified Information Systems Security Professional. Buy Full Product.

Rev.1 Solution Brief

Information Security Policy

SECURITY & PRIVACY DOCUMENTATION

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard

Server Hardening Title Author Contributors Date Reviewed By Document Version

Morningstar ByAllAccounts Service Security & Privacy Overview

Total Security Management PCI DSS Compliance Guide

Google Cloud & the General Data Protection Regulation (GDPR)

Table of Contents. Page 1 of 6 (Last updated 27 April 2017)

PCI Compliance Assessment Module with Inspector

Google Cloud Platform: Customer Responsibility Matrix. April 2017

ISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.

Access to University Data Policy

ISSP Network Security Plan

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

FDA 21 CFR Part 11 Compliance by Metrohm Raman

Recommendations for Implementing an Information Security Framework for Life Science Organizations

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

QuickBooks Online Security White Paper July 2017

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

PCI DSS and VNC Connect

EXHIBIT A. - HIPAA Security Assessment Template -

1 Data Center Requirements

ACM Retreat - Today s Topics:

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

AudBase Security Document Page 0. Maintaining Data Security and Integrity

FairWarning Mapping to PCI DSS 3.0, Requirement 10

HIPAA Federal Security Rule H I P A A

Adobe Sign and 21 CFR Part 11

State of Colorado Cyber Security Policies

Security Policies and Procedures Principles and Practices

Support for the HIPAA Security Rule

Cyber Essentials Questionnaire Guidance

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Information Security Data Classification Procedure

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Afilias DNSSEC Practice Statement (DPS) Version

Windows Server Security Best Practices

Table of Contents. Policy Patch Management Version Control

Maher Duessel Not for Profit Training July Agenda

2017 Annual Meeting of Members and Board of Directors Meeting

IT Services IT LOGGING POLICY

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

Standard Req # Requirement D20MX Security Mechanisms D20ME II and Predecessors Security Mechanisms

Standard CIP Cyber Security Critical Cyber Asset Identification

Security Principles for Stratos. Part no. 667/UE/31701/004

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

DRAFT 2012 UC Davis Cyber-Safety Survey

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP 007 3a Cyber Security Systems Security Management

Standard: Vulnerability Management & Standard

Transcription:

Server identification and location: Completed by (please print): Date: Signature: Manager s signature: Next scheduled review date: Date: Secure Network and Physical Environment 1. Server is secured in locked rack or in an area with restricted access. (1.1) 2. All non-removable media is configured with file systems with access controls enabled. (1.2) 3. Server is set up in an environment with appropriately restricted network access. (1.3) 4. The server displays a trespassing banner at login. (1.4) If unable to display banner, check box Patching/ Server Maintenance 5. There is a documented maintenance process to keep applications and operating systems at the latest practical patch levels. (2.1) Where is it documented? 6. Vendor-supported operating systems and application patches are readily available to RIT. (2.2) 7. Operating systems or applications that are no longer supported by the vendor or an open source community have an exception request pending or granted by the ISO. (2.2) 8. There is a documented maintenance process which includes a reasonable timetable for routine application of patches and patch clusters (service packs and patch rollups). (2.3) Where is this documented? 9. Systems supported by vendor patches have the patch application integrated into a documented server maintenance process. (2.4) Where is this documented? 10. There is a process to inventory the current level of patches specific to this server (2.5 11. There is a process for monitoring patch installation failures (2.6) Logging 12. Server is configured with appropriate real-time OS/application logging turned on. (3.1) 13. There is a documented process for routine log monitoring and analysis. (3.2) Where is it documented? 14. Reviews are conducted periodically to ensure effectiveness of the server logging process. (3.3) How often? (At least monthly): 15. There is a schedule for log monitoring of the server. (3.4) Where is it documented? ServerSecurityChecklist-2014.doc 1 of 5 Revised 12/21/2017

16. Logging has been configured to include at least 2 weeks of relevant OS/application information. (3.5) The logging elements include: All authentication Privilege escalation User additions and deletions Access control changes Job schedule start-up System integrity information Log entries should be time and date stamped 17. Intentional logging of private information, such as passwords, has been disabled. (3.6) 18. Logging is mirrored in real time and stored on another secure server. (3.7) System Integrity Controls 19. System is configured to restrict changes to start-up procedures. (4.1) 20. There is a documented change control process for system configurations (4.2) Where is it documented? 21. All unused services are disabled. 22. If available, anti-virus software and definitions are current and up-to-date. (4.4) 23. Server has a host firewall installed and enabled. (4.5) 24. Is host-based intrusion prevention software (HIPS) enabled? (Y/N) (4.6) 25. Is this an authentication server? (Y/N) (4.6) (Host-based intrusion prevention software is required for authentication servers) 26. If available, hardware-based system integrity control is enabled. (4.7) (4.3) Vulnerability Assessment 27. A pre-production configuration or vulnerability assessment has been performed on (5.1) the server and its services prior to moving to production. 28. Server was scanned using an ISO-approved vulnerability scanner before being moved (5.2) to production, after being moved to production, and ISO-specified periods thereafter. How often is the server being scanned? 29. A copy of the configuration and/or vulnerability assessment reports done at initial server (5.5) configuration has been retained for possible future use by the ISO. 30. After vulnerabilities with the CVSS score of 7 or greater are announced the (5.6) corresponding patches and/or configurations are updated within one business day. 31. If no CVSS applies to a vulnerability then the vulnerability should be evaluated for (5.6) remote exploitation. 32. The ISO is authorized to perform vulnerability scanning for this server. (5.3) ServerSecurityChecklist-2014.doc 2 of 5 Revised 12/21/2017

33. The ISO vulnerability scanner is not blocked specifically or permanently whitelisted. (5.3) 34. A systems/server administrator is authorized to perform scans when approved by the (5.4) system owner or the ISO. Is there anyone else authorized to perform scanning?(y/n) If yes, who? 35. Confirm only ISO-approved security assessment tools are used for scanning (acceptable tools are listed at: https://www.rit.edu/security/content/technical-resources. (5.7) Authentication and Access Control 36. All trust relationships have been identified and reviewed. (6.1) 37. All manufacturer and default passwords have been changed. (6.2) 38. Strong authentication has been configured for all users with root or administrator system privileges.(6.3) Refer to the ISO website for a list of strong authentication practices. 39. Access Control has been configured to allow only authorized, authenticated access to the system (6.4) and its applications and data. 40. There is a documented process for granting and removing authorized access (6.4) Where is it documented? 41. Generic or persistent guest accounts allowing user interactive logins have been disabled. (6.4) (Service accounts are excluded from this requirement.) Backup, Restore, and Business Continuity 42. Operationally Critical data has been backed up. (7.1) 43. All servers with Operationally Critical data have documented back-up, system and application (7.1) restoration (including configurations) and data restoration procedures to support business continuity and disaster recovery planning. Where is this documented? 44. Back-up procedures are verified at least monthly through automated verification, customer (7.1) restores, or through trial restores. How often are they verified? 45. Backups are not being stored solely in the same building where the Operationally Critical (7.1) data is located. 46. Backups have been made readily accessible. (7.1) 47. Measures to transmit server back-ups securely have been put in to place. (7.1) 48. Back-up media is compliant with the Portable Media Security Standard. (7.1) ServerSecurityChecklist-2014.doc 3 of 5 Revised 12/21/2017

Applications Administration 49. The application administrator is responsible for application-specific aspects including ensuring (8.2) the application is in compliance with the server standard where applicable. 50. The applications/module administrator is responsible for ensuring the security of their (8.1) applications/modules. 51. For each application, the application owner should identify an application administrator and (8.1) systems administrator. These administrators should be approved by their management. (Use the form on the last page to list all applications and their application and systems administrators.) Security Review and Risk Management 52. Is this a new server installation? (Y/N) (9.1) If No, skip to 53. 53. A security review/risk assessment has been completed (9.1-9.2) (See ISO Server Security Standard Section 9.2 for specific criteria.) When? By who? Are they ISO approved? 54. Any system or application administration contract is reviewed by purchasing for appropriate risk management clauses. (9.5) Server Registration 55. The server has network access and has been registered in an ISO-approved centralized (10.1) registration system. Server Hardware Replacement and Retirement 56. Have there been any server storage media and/or devices containing RIT Confidential Information(11.1) been removed or replaced? (Y/N) If yes, the media or device should be degaussed or the data otherwise rendered unrecoverable. Server Administration 57. All computers used to administer servers conform to the requirements for RIT-owned or leased (12.1) computers as stated in the Desktop and Portable Computer Security Standard. 58. Secure protocols are being used for administrative functions and transmission of login credentials. (12.2) 59. NTP and DNS have authoritative sources. (12.2) High Performance and Distributed Computing 60. Does this server participate in High Performance/Distributed Computing/grid computing? (13.1) (Y/N) If yes, list which one: Servers that do participate in this type of computing should employ appropriate and documented safeguards to protect RIT Confidential Information and access to RIT internal networks. ServerSecurityChecklist-2014.doc 4 of 5 Revised 12/21/2017

(For Checklist Item #50/Standard Requirement 8.1) Application Application Administrator Systems Administrator For more information: RIT Information Security 585-475-4122 infosec@rit.edu https://www.rit.edu/security ServerSecurityChecklist-2014.doc 5 of 5 Revised 12/21/2017

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback