Information Technology Control Questionnaire

IT Risk Assessment Document
Staffing
1. Who are the system administrator(s)?
2. List the system administrator’s duties and responsibilities.
3. Is there a backup administrator?
4. What skill requirements and development exist for the administrator(s)?
5. What is the relationship between system administrator and security admin?
6. What types of background checks are conducted on IT employees? Is this
conducted with HR? Do IT employees sign confidentiality agreements?
7. For security/compliance administration versus system administration, are they
the same people/procedures?
8. What are the technical staff termination procedures/deprovisioning
procedures?
Configuration Management
1. What types of build guides are in use?
Build checklist: do they include both servers and workstations?
Do security configuration checklists exist for both servers and workstations?
2. Are automated build, deployment, checking procedures in use?
3. What are the practices and training for configuring equipment?
4. Are unnecessary services and ports turned off?
5. Are default usernames and admin passwords changed?
6. Is there strong authentication, if so, elaborate.
7. Do application and db admins have restrictions or limits on system rights?
8. Are backups routine and encrypted?
9. Is there a server inventory?
10. Is there an inventory of devices?
Vendor Management
1. Does a list of all vendors with access rights exist?
2. What processes are in place to sponsor vendors (each vendor must be
owned by a designated individual, i.e. a system or application admin)?
3. Are individuated access control lists in place?
4. Do vendors follow config/change management procedures?
5. Are vendor access logs by individual reviewed annually?
6. Do vendors have system rights?
7. Do vendors have constraints on physical access to systems? Does this
include escorts?
8. Are remote communications encrypted?
Maintenance
1. Do maintenance plans exist for:
workstations and
devices
2. What are the automated patch management procedures?
3. What are the automated AV management procedures?
4. Do monthly checks exist for lagging servers (patch/AV) or at-risk devices?
What are the exception tracking procedures?
5. Are there limitations to remote access (specific ports, authentication,
remote device security, and encryption)?
6. What are the “break glass” access procedures?
7. Is there a prohibition on shared access accounts?
8. Are there written standards for escalating maintenance changes to change
control process?
Monitoring and Log Management
1. Is there an inventory of monitoring, log management, and alerting tools?
2. What procedures exist to monitor patch management and AV
management?
3. Are server configuration integrity checks run on a routine basis? What is the
timeframe?
4. What type of routine server vulnerability monitoring, such as Nessus, exists?
5. Does a process that includes performance monitoring of servers with
documented alert triggers and escalation procedures exist?
6. Are security logs maintained for 60 days?
7. Do logs contain:
Successful and unsuccessful access attempts
Config changes
Systems or services accessed
Network addresses/ports and protocols
Deactivation or Activation of security tools
Standard Clocking
8. What type of intrusion detection exists?
Are there procedures in place for post-intrusion prevention triggers and
alerts based on anomalies in security logs?
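Items 6 and 7 above are easiest to verify against an actual export from the log collector rather than by interview. The following script is an added example, not part of the questionnaire: it parses a constructed batch of JSON log records, reports which records lack the content the questionnaire lists (outcome of access attempts, system or service accessed, network address/port/protocol, activation state of security tools), flags records whose originating clock disagrees with the collector's clock (standard clocking), and checks whether the oldest record is at least 60 days old. The field names, event types, and the 5-minute skew tolerance are assumptions of this example, not a standard schema.

```python
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 60                    # questionnaire item 6: security logs kept 60 days
MAX_CLOCK_SKEW = timedelta(minutes=5)  # assumed tolerance for "standard clocking"

# Fields every record must carry, plus extras per event type. The field names and
# event types are assumptions of this example, not a standard log schema.
COMMON_FIELDS = {"ts", "received", "host", "user"}
TYPE_FIELDS = {
    "access":        {"outcome", "service", "src_ip", "src_port", "proto"},
    "config_change": {"object"},
    "security_tool": {"tool", "state"},
}

# Constructed sample export from a log collector (one JSON record per line).
# "ts" is the originating host's clock, "received" the collector's clock.
# Defects planted on purpose: line 4 omits the network address/port/protocol,
# line 5 has a host clock 40 minutes off, line 7 is an event type the audit
# does not recognise. Line 1 is an old record so the batch spans > 60 days.
SAMPLE_LOG = """\
{"ts": "2023-12-20T08:00:00Z", "received": "2023-12-20T08:00:01Z", "type": "access", "host": "web01", "user": "alice", "outcome": "success", "service": "sshd", "src_ip": "10.0.0.5", "src_port": 50012, "proto": "tcp"}
{"ts": "2024-03-01T10:00:00Z", "received": "2024-03-01T10:00:01Z", "type": "access", "host": "web01", "user": "alice", "outcome": "success", "service": "sshd", "src_ip": "10.0.0.5", "src_port": 51234, "proto": "tcp"}
{"ts": "2024-03-01T10:00:07Z", "received": "2024-03-01T10:00:08Z", "type": "access", "host": "web01", "user": "bob", "outcome": "failure", "service": "sshd", "src_ip": "10.0.0.9", "src_port": 51240, "proto": "tcp"}
{"ts": "2024-03-01T10:01:00Z", "received": "2024-03-01T10:01:01Z", "type": "access", "host": "db01", "user": "carol", "outcome": "success", "service": "postgres"}
{"ts": "2024-03-01T10:42:05Z", "received": "2024-03-01T10:02:05Z", "type": "config_change", "host": "db01", "user": "carol", "object": "pg_hba.conf"}
{"ts": "2024-03-01T10:02:00Z", "received": "2024-03-01T10:02:01Z", "type": "security_tool", "host": "web01", "user": "root", "tool": "auditd", "state": "stopped"}
{"ts": "2024-03-01T10:03:00Z", "type": "heartbeat", "host": "web01"}
"""

# Fixed "current time" for the sample so the retention result is reproducible.
SAMPLE_NOW = datetime(2024, 3, 1, 12, tzinfo=timezone.utc)


def parse_log(text):
    """Parse newline-delimited JSON, tagging each record with its line number."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            rec = json.loads(line)
            rec["_line"] = lineno
            records.append(rec)
    return records


def _ts(value):
    # Accept the "Z" suffix on older Python versions that lack native support.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def record_defects(rec):
    """List what keeps one record from meeting the log-content requirements."""
    etype = rec.get("type")
    if etype not in TYPE_FIELDS:
        return [f"unknown event type {etype!r}"]
    required = COMMON_FIELDS | TYPE_FIELDS[etype]
    defects = [f"missing field {f}" for f in sorted(required - set(rec))]
    if "ts" in rec and "received" in rec:
        # Standard clocking: the host and collector clocks must agree closely.
        skew = abs(_ts(rec["ts"]) - _ts(rec["received"]))
        if skew > MAX_CLOCK_SKEW:
            defects.append(f"clock skew {skew}")
    return defects


def oldest_record_age_days(records, now):
    """Age in days of the oldest record; retention is covered if >= RETENTION_DAYS."""
    oldest = min(_ts(r["ts"]) for r in records if "ts" in r)
    return (now - oldest).days


def audit_log(text, now):
    """Run every check over a log export and return a summary dict."""
    records = parse_log(text)
    defects = {}
    for rec in records:
        found = record_defects(rec)
        if found:
            defects[rec["_line"]] = found
    age = oldest_record_age_days(records, now)
    return {"defects": defects, "oldest_age_days": age,
            "retention_ok": age >= RETENTION_DAYS}


if __name__ == "__main__":
    report = audit_log(SAMPLE_LOG, SAMPLE_NOW)
    for line, issues in sorted(report["defects"].items()):
        print(f"line {line}: {', '.join(issues)}")
    print(f"retention covered: {report['retention_ok']} "
          f"(oldest record is {report['oldest_age_days']} days old)")
```

Run against a real export, the same checks turn "do logs contain X?" into a list of hosts and event sources that do not, which is what the reviewer needs to follow up on; the clock-skew check is the practical test of "standard clocking", since unsynchronized timestamps make cross-host correlation during an incident unreliable.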
Security Management
1. Is a risk assessment conducted and are security controls documented
according to risk?
2. Are new applications and services reviewed for security risk?
3. Does staff have designated individuals for addressing user security
questions and issues?
4. Are security policies and standards reviewed biannually and are additional
security controls deployed as needed?
5. Does IT staff discourage users from using unencrypted USB drives or other
mobile media?
6. Do the password policies for users conform to standards?
7. Are there more stringent password settings for system administrators- such
as multifactor authentication or 15 character passwords?
8. Are there prohibitions against unencrypted laptops or personal electronic
devices?
9. Are the procedures for terminating user accounts coordinated with HR
and enterprise systems? What is the timeframe for removing user
accounts? What is the timeframe for terminating admin accounts? Are
admin accounts recertified annually?
Change Management
1. Does a documented change management procedure exist?
2. Is the IT staff briefed on change management processes biannually?
3. Are stakeholders identified and communicated with prior to change requests?
4. Are change requests reviewed and communicated with appropriate IT and
business units?
5. Are problematic changes reviewed? Do informal CM processes for root
causes and lessons learned exist?
6. Are vendors, business partners, and other entities expected to follow CM
processes?
7. Do CM procedures require documented testing plans?
8. Do processes include coordination of test, dev, and prod data and systems as
part of the testing plan?
9. Are there prohibitions on testing on production systems? Is testing on prod
data discouraged, limited and documented?
Problem Management
1. Do documented procedures exist for identifying and classifying problems
(e.g. usability or interfaces)? What are the procedures?
2. Do customers and partners have a channel for communicating problems?
3. What are the documented procedures for escalating problems and events
to incidents?
4. Are incident handlers identified based on type and scope of incidents?
5. Does an incident policy and procedure exist, and is it documented?
6. Are incident post-mortems conducted? Are remediation actions planned
and deployed?
End of Life
1. Is there an inventory of applications and services near EOL?
2. Do migration plans for EOL systems including maintenance and support
exist?
3. What data migration plans for EOL including formats, structures exist?
4. Are device disposal procedures followed with respect specifically to
environmental and confidentiality controls?
5. Are all server hard drives wiped or destroyed? What type of documentation
exists for the destruction?
6. Is there a process in place to destroy workstation hard drives?
7. Do contractual or procedural controls for digital media disposition (e.g.
photocopiers, printers, PED, etc) exist?
8. What types of routine communications on EOL and disposal to affected
units exist?
Physical Security and Devices
1. Is there a software package for monitoring system and/or user activity?
What is it? What does it monitor?
2. What is the extent of vendor support (i.e., on-site, off-site, warranty
coverage, extended hours, and system maintenance agreements)?
3. What security controls exist for data centers? What security controls are in
place for network closets?
4. Is authorization required for access to sensitive areas? Are there logs for
visitors to data centers that include date, time, name, organization
represented, and authorizing employee?
Are access rights reviewed annually?
5. Are critical facilities out of public sight and not mapped for public access?
Is video monitoring routinely reviewed?
Disaster Recovery
1. Is there a DR plan? Does it include the inventory of hardware and software
assets?
2. What is the date of the last DR test?
3. Does the DR plan include a Recovery Time Objective (RTO) and a
Recovery Point Objective (RPO)?
4. Is the DR plan coordinated with the Hopkins DR plan?
5. Is the DR plan linked to the BCP plan(s)?
Network
1. Does the network policy include the acceptable use of network services?
Network authorization procedures?
2. What type of network segmentation exists?
3. Is NAT or PAT in use?
4. Where are the firewalls located?
5. Is there a formal firewall policy in place? Is it reviewed against the IDS and
IPS?
6. Is there filtering between the DMZ and the production network?
7. Are there testing processes in place for Web applications (such as SQL
injection, XSS)?
8. What processes monitor database activity?
9. What policies are in place for email? Are there email checks on the
gateway?
10. What restrictions are in place for numbers of email sent (assists in
preventing spam)?
11. Are there procedures for internal or external penetration testing of the
infrastructure?
12. Is remote administrative access limited to certain IP addresses?
13. Are users trained in acceptable use procedures? If yes, explain the
process.
14. What type of encryption exists on the wireless network?
15. Is there a wireless guest network?
16. Is there a process to monitor for unauthorized WAPs?