Application Security Assessment

Department:
Department Contact Name:
Department Contact No:
EA Assessor: Sharon McNeil
Review Date:
Software:
GENERAL QUESTIONS
Summary of Application & Use: Please describe and provide website links if available
Company website address:
Has the application been approved by a Director of ITCS for purchase? Yes:
No:
Will this system require a laptop, workstation or server? Please specify. _______________________________
Who is the ECU System Administrator for this system? ______________________________________________
Who is the ECU backup System Administrator? ________________________________________________
Please explain the software Authentication process:
Does the application support Shibboleth authentication?
Yes:
No:
Does the system support Active Directory / LDAP operations?
Yes:
No:
Please explain:
Application Security Assessment
Rev: 4/18/13
Page 1 of 9
Does the application interface with any existing application?
Yes:
If yes, please list applications:
No:
Does your product support auditing?
Yes:
Please explain:
No:
Will auditing be enabled?
Yes:
If so, what will be recorded for auditing? Attach a list if needed
No:
Does the application use:
Domain credentials:
Application credentials:
Both:
Please explain:
Does the software enable unique user IDs and passwords?
Yes:
Please explain:
No:
Are the password strength requirements configurable?
Yes:
Please explain:
No:
Do these passwords expire periodically?
Yes:
No:
Are there any user passwords stored within the software?
Yes:
If yes, what form of encryption is used? ___________________________________
No:
Are the stored passwords encrypted?
Yes:
If yes, what is the algorithm used for the encryption?
No:
Will any data from this system be printed?
Yes:
If yes, what happens to the printed copies? ________________________________________________
No:
Will any data from this system be copied to CD or DVD?
Yes:
No:
Will it be encrypted when copied to the CD or DVD?
Yes:
If yes, what happens to the CDs or DVDs? _________________________________________________
No:
Will data from this system be placed in the medical record?
Yes:
If yes, what technical mechanism is used for this purpose?
No:
Is there a Disaster Recovery/Business Continuity Plan in place if the laptop/workstation/server used to access
this application were stolen, no longer functions, or if the hosted application is unavailable? Yes:
No:
Please explain:
Please explain the software’s Data Backup Process:
Will this application require a server?
Yes:
If yes, can a virtual server be used? Yes: No:
No:
If software requires a virtual server, what are the approved applications to run on the server?
Has a server assessment been completed?
Yes:
No:
If no, a request must be sent to Enterprise System Team for assessment.
If the software requires a web server, is the web server configured to use SSL version 3 and refuse connectivity
on SSL2? (Required Response)
Yes:
No:
What type of encryption will be used? Algorithm: ___________________ Keyspace (Bits): ________________
What type of encryption is used for data in storage: ___________________ Data in transit: ________________
Does the software vendor possess SAS70 or SSAE16 Audit credentials? (Required Response)
Yes:
If yes, please provide a copy of agreement.
No:
If data is stored locally, are there options for central storage such as Pirate Drive? Yes:
No:
Is remote vendor access required for support?
Yes:
If yes, how? VPN: Other technology:
No:
Indicate Availability:
24x7x365
8x5
Other_______
Does the application have FAX capabilities?
Yes:
If yes, will it be used? Yes: No:
No:
N/A:
Will FAX data remain on the system?
Yes:
No:
Will FAX data be encrypted?
Yes:
No:
How many users will access this system? ________________________________________________________
Is data uploaded from this system to another system?
Yes:
No:
If yes, what type of data will be uploaded?
If not, will this data remain on this workstation permanently? Yes:
No:
Will data from this workstation be backed up?
Yes:
No:
Does the application support portable devices operating systems, e.g., iPhone, iPad, Android, Windows
Mobile, Blackberry, etc.?
Yes:
If so, specify: _______________________________________________________
No:
DATA STORAGE
Will data be stored locally (ECU)?
Yes:
No:
If not, where will data be stored?
N/A: (check only if there is no data to be stored)
Where will data be stored locally (at ECU)? Please list the server name and location. _____________________
If the data will be stored locally (at ECU), will it be encrypted?
Yes:
Via what format?
No:
If the data will be stored locally (at ECU), please explain the data backup process:
Please provide a brief description of the department’s Business Continuity Plan with regard to this application:
Will data be stored with the software vendor or outsourced to a third party?
Software Vendor:
Outsourced to third-party:
List company name and website address:
Does the software vendor possess SAS70 or SSAE16 Audit credentials? (Required Response)
Yes:
No:
If yes, please provide a copy of agreement.
If the data will be stored with the software vendor, please explain the data backup process:
Please provide a brief description of the software vendor’s Business Continuity Plan with regard to this
application:
If the data will be stored with the third-party vendor, please explain the hosting vendor’s data backup process:
Please provide a brief description of the hosting vendor’s Disaster Recovery /Business Continuity Plan:
Does the third-party hosting vendor possess SAS70 or SSAE16 Audit credentials? (Required Response)
Yes:
If yes, please provide a copy of agreement.
No:
Please explain the hosting vendor’s data backup process for local storage:
Who will own the data stored with the hosting vendor?
Once the contract expires, what happens to the data stored by the hosting vendor? Explain the process:
Will the data stored by the hosting vendor be encrypted?
Yes:
If yes, via what format – provide brief explanation below:
No:
Can data stored by the hosting vendor be simultaneously backed up locally to ECU?
Yes:
If yes, please explain below
No:
Anti-Virus Software:
Is the system compatible with Anti-Virus software Symantec Endpoint V.11 or above? Yes: No:
Can updates to software and signature files be deployed when available? Yes: No:
Spyware/Adware/Pop-up blocker Software:
Is the system compatible with Spyware/Adware/Pop-up blocker software? Yes: No:
Can updates to software and signature files be deployed when available? Yes: No:
Operating System Patching:
Is the vendor-supplied method of patching supported (e.g. Microsoft Windows Update)? Yes: No:
Can updates be applied when available from vendor? Yes: No:
Are there any supported third party products for proactive patch updates (e.g. Bigfix, Patch Link)? Yes: No:
Does this system contain a web server? Yes: No:
If yes, does it reside locally on the system? Yes: No:
COMPLIANCE
Does the application store, transmit or access Social Security Numbers (SSN)?
Yes:
No:
If SSN data is stored, has client submitted an SSN Use Request and received approval by ITPC? Yes: No:
Has this application been approved by the CIS Committee (Helpdesk Form)? Yes: No:
Does the application store, transmit or access protected health information (PHI [1]) protected by HIPAA?
Yes:
No:
If PHI data is stored, has client received Privacy approval of use of data? Yes:
No:
If the application is vendor provided or supported, has the department submitted a Vendor Security Matrix
form to the vendor? Yes:
No:
Does the application store, transmit or access student data protected by FERPA?
Yes:
No:
If yes, please list FERPA identifiers. Example: Banner ID, SSN, etc.:
If FERPA data is stored, has client received approval from the Office of the Registrar?
Yes:
No:
Does the application store, transmit or access Credit Card Data (PCI)?
Yes:
No:
If PCI data is stored, has client received approval from Financial Services? Yes:
No:
Does the application store, transmit or access Human Subjects Research data?
Yes:
No:
If the application stores, transmits, or accesses human subjects research data, has the IRB approved?
Yes:
No:
NETWORKING
Does the software support external data transmission? Yes:
No:
Please indicate the method(s) supported:
Methods:
FTP
Fax
Email
File Copies (CD, Diskette, etc.)
Browser applications
Tape media
Other (provide details):
For externally electronically transmitted information, can the solution support encryption and data protection?
Yes: No:
Data Protection: Yes: No:
Is network connectivity required? Yes: No:
Required TCP/IP Ports:
TCP/IP Ports Required for Server/Clients (All IP ports closed by default):
Port #    TCP/UDP    Inbound    Outbound    Function

[1] PHI - any information about health status, provision of health care, or payment for health care that can be
linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical
record or payment history.