Checklist: IT Security Policy                                                 Version 1.0
                                                                                                     April 27, 2005


By David M Davis, CCIE, MCSE

Every organization, large or small, needs a solid IT Security Policy. The following comprehensive checklist can
help you get started in creating a policy, or it can help audit the one you already have. This checklist, based on
suggestions submitted by TechRepublic members, covers a wide variety of technologies and issues, and provides
some helpful recommendations.


       Planning Item                                                        Notes

       Web browsing
       Document the central point of control for Web browsing.
       Perhaps it is a proxy server, a router, or a firewall.

       Document who has the authority to determine who can browse
       the Web, what Web sites users can access, and when
       they can access those sites. Some newer Web browsing
       content control systems can even categorize sites and control
       who can access certain categories of sites and for how long
       (e.g., Joe can only access news sites for 20 minutes per day).
       Document the method for reporting who is browsing the Web,
       what sites they are visiting, who those reports will be delivered
       to, and how often.
       Document what the process is if an employee visits improper
       sites or engages in excessive Web browsing, and define those
       two actions. Also, is it the job of IT to notify their supervisor?
       Log all Web browsing activity, making sure to record the
       username, and make it clear in the policy that this is a
       company practice.
       Ensure that all employees are aware of the company’s Web
       browsing policy. This is important since most employees will
       browse the Web every day and the security policy about Web
       browsing is something that will most likely affect them.
       Implement Windows Group Policy settings (if using Active
       Directory) on Internet Explorer to strengthen end user systems
       and protect from some malicious Web content. For example,
       using GPO you can standardize Windows IE settings
       throughout the company so that browsers do not download
       unsigned ActiveX components. Make it a company policy not
       to download unsigned ActiveX controls unless they are
       approved by IT.
       Put download security software in place to prevent adware,
       malware, and spyware from being unknowingly installed on
       users’ machines. Use this download security software to
       block/quarantine certain types of downloads (perhaps MP3s or
       videos) and to scan other downloads for viruses.




                               Copyright ©2005 CNET Networks, Inc. All rights reserved.
   For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html




       Username and passwords
       Implement complex password requirements. This can be done
       with a Windows policy. Using a Group Policy (if possible),
       force passwords to be reasonably long, to expire every few
       months, to prevent the reuse of old passwords, and to lock out
       users with too many failed logins.
       Log successful and failed logins and logouts. This is especially
       important for administrator accounts.

       Consider renaming the default "Administrator" account so that
       it is less of a target for password cracking.

       Consider using Single-Sign-On (SSO) so that all users only
       have one username/password to remember for all
       applications. This is only important if you have multiple
       username/password databases for authentication (such as
       Windows, Linux/UNIX, and Novell) or if you have different
       applications with their own username/password database.

       Document your policy on usernames and passwords and
       educate users on the proper use of them.

       Periodically perform in-house password cracking attempts on
       administrator accounts to test the strength of passwords. This
       can be done with a tool such as L0phtCrack.


       Instant Messaging
       Seriously consider blocking all instant messaging (IM) unless
       it is needed for business reasons.
       If IM is needed for business reasons, implement a program to
       control who can use it, what software they can use, and log all
       conversations. Programs that do this can also control the
       content that is passed through the IM conversations and
       whether they can send/receive downloads through IM (which
       can open up the company to virus, malware, and privacy
       concerns).
       Document and educate users on your IM policies.


       E-Mail
       Document what level of storage will be required from each e-
       mail user. Determine what will be the consequences when an
       e-mail user exceeds their quota (such as preventing them
       from sending and/or receiving email).
       Control external access to internal groups (such as “all
       employees”).
       Consider performing e-mail content control to prevent trade
       secrets or confidential information from exiting the company.





       Implement a corporate e-mail anti-spam program.
       Educate users on the proper use of e-mail and how they
       should not give out their e-mail address to companies that
       might send them spam. Educate users on what to do if they do
       receive spam.
       Implement e-mail antivirus scanning.

       Implement an email archiving program. Depending on the
       advice of your company’s legal team, the archive program
       may be used more to destroy email at set expiration dates
       instead of preserving email. The other function of the archiving
       program is to control the size of the email database.
       Develop a policy on using company e-mail for personal use
       (including the forwarding of jokes and chain letters) and
       decide what is "acceptable use." Educate users on this policy.
       Educate users on “phishing” scams to help prevent identity
       theft.

       File access permissions
       Document who the owners are for critical files. These will be
       the persons who determine who has access to what.
       Determining who has access to what should not be an IT
       function. The function of IT is to configure that access within
       the operating system or application once it is determined.
       Watch out for shares with the default permission "Everyone."
       Consider logging success and failure access and
       modifications to files.

       Backups
       Document what data needs to be backed up, how often it
       should be backed up, and how long it should be retained.
       Document how often a test should be done to ensure that the
       backups are restorable.

       Consider encrypting backup tapes so that the data cannot be
       recovered if they are lost or stolen.

       Ensure that backups are taken offsite. Consider a service that
       will do this for you.


       Crisis management and Disaster recovery
       Develop a crisis management plan. This plan should cover not
       just an IT crisis but any crisis that may occur. This should
       include natural disasters and terrorist attacks.







       Develop an IT disaster recovery plan. This plan must be
       periodically tested. We won’t go into how to create a disaster
       recovery plan, as that is outside of the scope of this document.
       However, this document can help.



       Physical
       Document what physical security controls are in place for IT
       security. Does the datacenter/server room have locks on the
       doors? Are they electronic locks with a log of who goes in and
       out? Does the room have windows that could be broken? How
       resilient would it be to a flood, tornado, or power outage? Are
       there UPS and generators in place? What sort of fire
       protection does the datacenter/server room have? Also,
       consider video surveillance. Keep in mind that this only covers
       IT assets and does not cover physical security for the entire
       company.
       Ensure against physical access to a console that can connect
       to servers, routers, and/or switches.


       PCs and laptops
       Document the controls on PCs and laptops.
       Users should not have administrator privilege on their local
       PCs, unless there is a stated business need for it (e.g. to run a
       business application). Users should always log onto the
       domain and not have a local account, if possible.
       Use file encryption so that if a PC or laptop is lost or stolen, its
       data cannot be read.
       Run antivirus and anti-spyware on all PCs and laptops.

       Consider a personal firewall on laptops because they will
       travel from network to network.
       Implement Windows Group Policy security controls to lock
       down what users can do on PCs and laptops. For instance,
       prevent users from being able to install programs.
       Develop a procedure to ensure that PCs and laptops have the
       latest patches installed.
       Develop a policy on USB removable devices. These are a
       major security risk because they can easily be used to remove
       large amounts of data, including corporate secrets.


       Remote access
       Control who has access to dial-up and VPN remote access.
       Only set up permissions for those who truly need it. The list
       should be as short as possible.
       Document the company’s policy on remote access.





       Log the success and failure of logins for remote access.
       Periodically have a 3rd party company perform a penetration
       test on any dial-up remote access methods.
       Implement a method to ensure that clients connecting through
       remote access have the proper antivirus and patches installed
       to prevent them from infecting the company’s systems.
       Document whether remote VPN users can have a split tunnel.
       Consider using access tokens as a secondary authentication
       method for remote access. This way, if a username and
       password are stolen, they still cannot be used to gain access
       to the network without the token.


       Servers, routers, and switches
       Run antivirus and anti-spyware software on servers.
       Ensure that servers, routers, and switches have the latest
       patches installed.
       Log the events from these devices to a central logging server.
       Run performance monitoring software so that you can be
       alerted if something abnormal happens on the servers or the
       network. Many times, this can be an indication of a security
       breach or another critical problem.
       Document who has administrator/root level access on these
       devices and how often the password is changed.
       Document what privilege and access method will be given to
       vendors who need access to support and/or change servers
       and network devices.
       Document the security around the software development and
       testing environment, as well as the server and network device
       testing environment.
       Harden servers and network devices based on guidelines that
       are available from sites like the NSA.


       Internet / external network
       Periodically (I suggest quarterly) have a 3rd party company
       perform a penetration test on your Internet connection (or
       connections).
       Protect the internal network and the DMZ from the external
       network with a stateful firewall. Log what the firewall denies
       from coming into the network.
       Document the firewall rules with explanations, and make
       firewall configurations consistent across different segments.
       Use an Intrusion Prevention System to stop malicious attacks
       that would otherwise have gotten through the firewall.





       Ensure that you have the fewest Internet connections
       possible (including dial-up connections). Every
       Internet connection is an avenue for a malicious attacker to
       get into your network.
       Consider implementing a Security Information Management
       (SIM) in your network as a central repository for security
       information that will do event correlation and alerting.


       Wireless
       Periodically have a 3rd party company perform a penetration
       test on your wireless networks.
       Ensure that you are using the strongest form of WEP
       encryption possible.
       Consider a wireless security product that will help to prevent
       wireless signals from leaving your building or office and will
       control rogue access points on your network.
       Consider using 802.1X authentication as a secondary
       authentication method for any wireless users (besides WEP
       key).
       Consider putting the wireless network in the DMZ and forcing
       users to connect to it via a VPN connection.
       Document the wireless security policy and educate users on it.


       Logging
       Implement a centralized logging server.
       Document how information is logged, who can view the logs,
       and how long those logs are kept. Various sections above
       cover what specifically should be logged.


       PDA and cell phone
       Document proper and improper company use of cellular
       phones and PDAs.
       Consider using a product that will “remote kill” a lost PDA or
       cell phone and render its data useless.
       Document what types of cellular phones will be supported and
       who will support them.


       Documentation and change management
       Document who will control the changes made to the security
       policy and who will keep the documentation up to date.
       Document the process that changes must go through before
       they can be implemented.







               David Davis manages a group of systems/network administrators for a privately owned retail
               company. He also does networking/systems consulting on a part-time basis. His certifications
               include IBM Certified Professional-AIX Support, MCSE+Internet, Sun Certified Solaris Admin
               (SCSA), Certified Information Systems Security Professional (CISSP), Cisco CCNA, CCDA, and
               CCNP. He is also Cisco CCIE #9369.




Additional resources
•   Information Security Policy (TechRepublic download)
•   Sample PDA IT support policy (TechRepublic download)
•   Disaster recovery plan template (TechRepublic download)
•   Crisis communications policy (TechRepublic download)


Version history
Version: 1.0
Published: April 27, 2005




Tell us what you think
TechRepublic downloads are designed to help you get your job done as painlessly and effectively as possible.
Because we're continually looking for ways to improve the usefulness of these tools, we need your feedback.
Please take a minute to drop us a line and tell us how well this download worked for you and offer your suggestions
for improvement.

Thanks!

—The TechRepublic Downloads Team




                                                        Page 7
                                Copyright ©2005 CNET Networks, Inc. All rights reserved.
    For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html

Más contenido relacionado

La actualidad más candente

How To Handle Cybersecurity Risk Powerpoint Presentation Slides
How To Handle Cybersecurity Risk Powerpoint Presentation SlidesHow To Handle Cybersecurity Risk Powerpoint Presentation Slides
How To Handle Cybersecurity Risk Powerpoint Presentation SlidesSlideTeam
 
Cloud Security Assessment Methods.pptx
Cloud Security Assessment Methods.pptxCloud Security Assessment Methods.pptx
Cloud Security Assessment Methods.pptxAdityaChawan4
 
Security patterns and model driven architecture
Security patterns and model driven architectureSecurity patterns and model driven architecture
Security patterns and model driven architecturebdemchak
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020Jiunn-Jer Sun
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdfControlCase
 
Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates VISTA InfoSec
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security DemystifiedMichael Torres
 
IC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfIC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfNapoleon NV
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAmazon Web Services
 
SWIFT CSP Presentations.pptx
SWIFT CSP Presentations.pptxSWIFT CSP Presentations.pptx
SWIFT CSP Presentations.pptxMdMofijulHaque
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+DesignAlfred Ouyang
 
Identity Access Management 101
Identity Access Management 101Identity Access Management 101
Identity Access Management 101OneLogin
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
 

La actualidad más candente (20)

How To Handle Cybersecurity Risk Powerpoint Presentation Slides
How To Handle Cybersecurity Risk Powerpoint Presentation SlidesHow To Handle Cybersecurity Risk Powerpoint Presentation Slides
How To Handle Cybersecurity Risk Powerpoint Presentation Slides
 
Ransomeware Recovery by Veeam
Ransomeware Recovery by VeeamRansomeware Recovery by Veeam
Ransomeware Recovery by Veeam
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 -  Security Architecture Ver1 0TOGAF 9 -  Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
 
Cloud Security Assessment Methods.pptx
Cloud Security Assessment Methods.pptxCloud Security Assessment Methods.pptx
Cloud Security Assessment Methods.pptx
 
Cloud security (domain6 10)
Cloud security (domain6 10)Cloud security (domain6 10)
Cloud security (domain6 10)
 
Security patterns and model driven architecture
Security patterns and model driven architectureSecurity patterns and model driven architecture
Security patterns and model driven architecture
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
 
Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
 
IC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfIC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdf
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWS
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
SWIFT CSP Presentations.pptx
SWIFT CSP Presentations.pptxSWIFT CSP Presentations.pptx
SWIFT CSP Presentations.pptx
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
 
Identity Access Management 101
Identity Access Management 101Identity Access Management 101
Identity Access Management 101
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 

Destacado

Audit Checklist for Information Systems
Audit Checklist for Information SystemsAudit Checklist for Information Systems
Audit Checklist for Information SystemsAhmad Tariq Bhatti
 
Common Test Problems Checklist
Common Test Problems ChecklistCommon Test Problems Checklist
Common Test Problems ChecklistDonald Firesmith
 
Hipaa checklist - information security
Hipaa checklist - information securityHipaa checklist - information security
Hipaa checklist - information securityVijay Sekar
 
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserSecurity Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserAnton Chuvakin
 
Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...Hassan EL ALLOUSSI
 
HR Audit with checklist
HR Audit with checklistHR Audit with checklist
HR Audit with checklistMarkos Mulat G
 
Developing a Security Policy That Will Survive
Developing a Security Policy That Will SurviveDeveloping a Security Policy That Will Survive
Developing a Security Policy That Will Survivedigitallibrary
 
Ceh v5 module 17 physical security
Ceh v5 module 17 physical securityCeh v5 module 17 physical security
Ceh v5 module 17 physical securityVi Tính Hoàng Nam
 
דוגמה לסקר סיכונים
דוגמה לסקר סיכוניםדוגמה לסקר סיכונים
דוגמה לסקר סיכוניםMoziBouton-Safety
 
It infrastructure management
It infrastructure managementIt infrastructure management
It infrastructure managementShoaib Patel
 
Mergers & Acquisitions It Implications
Mergers & Acquisitions   It ImplicationsMergers & Acquisitions   It Implications
Mergers & Acquisitions It Implicationsllangin
 
101 01-f07 assessment checklist - rev 1 - soaf
101 01-f07 assessment checklist - rev 1 - soaf101 01-f07 assessment checklist - rev 1 - soaf
101 01-f07 assessment checklist - rev 1 - soafchelliah selvavishnu
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Preparing for Infrastructure Management (Part 1)
Preparing for Infrastructure Management (Part 1)Preparing for Infrastructure Management (Part 1)
Preparing for Infrastructure Management (Part 1)Shipra Swati
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentdata brackets
 
It infrastructure manager performance appraisal
It infrastructure manager performance appraisalIt infrastructure manager performance appraisal
It infrastructure manager performance appraisalremus853
 

Destacado (20)

Audit Checklist for Information Systems
Audit Checklist for Information SystemsAudit Checklist for Information Systems
Audit Checklist for Information Systems
 
Common Test Problems Checklist
Common Test Problems ChecklistCommon Test Problems Checklist
Common Test Problems Checklist
 
Hipaa checklist - information security
Hipaa checklist - information securityHipaa checklist - information security
Hipaa checklist - information security
 
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserSecurity Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
 
Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...
 
HR Audit with checklist
HR Audit with checklistHR Audit with checklist
HR Audit with checklist
 
Developing a Security Policy That Will Survive
Developing a Security Policy That Will SurviveDeveloping a Security Policy That Will Survive
Developing a Security Policy That Will Survive
 
Ceh v5 module 17 physical security
Ceh v5 module 17 physical securityCeh v5 module 17 physical security
Ceh v5 module 17 physical security
 
דוגמה לסקר סיכונים
דוגמה לסקר סיכוניםדוגמה לסקר סיכונים
דוגמה לסקר סיכונים
 
SDLC
SDLCSDLC
SDLC
 
It infrastructure management
It infrastructure managementIt infrastructure management
It infrastructure management
 
develop security policy
develop security policydevelop security policy
develop security policy
 
Mergers & Acquisitions It Implications
Mergers & Acquisitions   It ImplicationsMergers & Acquisitions   It Implications
Mergers & Acquisitions It Implications
 
101 01-f07 assessment checklist - rev 1 - soaf
101 01-f07 assessment checklist - rev 1 - soaf101 01-f07 assessment checklist - rev 1 - soaf
101 01-f07 assessment checklist - rev 1 - soaf
 
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013  ChecklistISO/IEC 27001:2005 naar ISO 27001:2013  Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Preparing for Infrastructure Management (Part 1)
Preparing for Infrastructure Management (Part 1)Preparing for Infrastructure Management (Part 1)
Preparing for Infrastructure Management (Part 1)
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample document
 
Secretarial audit checklist
Secretarial audit checklistSecretarial audit checklist
Secretarial audit checklist
 
It infrastructure manager performance appraisal
It infrastructure manager performance appraisalIt infrastructure manager performance appraisal
It infrastructure manager performance appraisal
 

Security Policy Checklist

  • 1. Checklist: IT Security Policy
    Version 1.0, April 27, 2005
    By David M Davis, CCIE, MCSE

    Every organization, large or small, needs a solid IT Security Policy. The following comprehensive checklist can help you get started in creating a policy, or it can help audit the one you already have. This checklist, based on suggestions submitted by TechRepublic members, covers a wide variety of technologies and issues, and provides some helpful recommendations.

    Planning Item | Notes

    Web browsing
    - Document the central point of control for Web browsing. Perhaps it is a proxy server, a router, or a firewall.
    - Document who has access to determine who can perform Web browsing, what Web sites users can access, and when they can access those sites. Some newer Web browsing content control systems can even categorize sites and control who can access certain categories of sites and for how long (i.e. Joe can only access news sites for 20 minutes per day).
    - Document the method for reporting who is browsing the Web, what sites they are visiting, who those reports will be delivered to, and how often.
    - Document what the process is if an employee visits improper sites or engages in excessive Web browsing, and define those two actions. Also, is it the job of IT to notify their supervisor?
    - Log all Web browsing activity, making sure to record the username, and make it clear in the policy that this is a company practice.
    - Ensure that all employees are aware of the company’s Web browsing policy. This is important since most employees will browse the Web every day and the security policy about Web browsing is something that will most likely affect them.
    - Implement Windows Group Policy settings (if using Active Directory) on Internet Explorer to strengthen end user systems and protect from some malicious Web content. For example, using GPO you can standardize Windows IE settings throughout the company so that browsers do not download unsigned ActiveX components.
    - Make it a company policy not to download unsigned ActiveX controls unless they are approved by IT.
    - Put download security software in place to prevent adware, malware, and spyware from being unknowingly installed on users’ machines. Use this download security software to block/quarantine certain types of downloads (perhaps MP3s or videos) and to scan other downloads for viruses.

    Copyright ©2005 CNET Networks, Inc. All rights reserved. For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html
  • 2. Username and passwords
    - Implement complex password requirements. This can be done with a Windows policy. Using a Group Policy (if possible), force passwords to be reasonably long and to expire every few months, prevent the reuse of old passwords, and lock out users with too many failed logins.
    - Log successful and failed logins and logouts. This is especially important for administrator accounts.
    - Consider renaming the default “Administrator” account so that it is less of a target for password cracking.
    - Consider using Single-Sign-On (SSO) so that all users only have one username/password to remember for all applications. This is only important if you have multiple username/password databases for authentication (such as Windows, Linux/UNIX, and Novell) or if you have different applications with their own username/password database.
    - Document your policy on usernames and passwords and educate users on the proper use of them.
    - Periodically perform in-house password cracking attempts on administrator accounts to test the strength of passwords. This can be done with a tool such as L0phtCrack.

    Instant Messaging
    - Seriously consider blocking all instant messaging (IM) unless it is needed for business reasons.
    - If IM is needed for business reasons, implement a program to control who can use it, what software they can use, and log all conversations. Programs that do this can also control the content that is passed through the IM conversations and whether they can send/receive downloads through IM (which can open up the company to virus, malware, and privacy concerns).
    - Document and educate users on your IM policies.

    E-Mail
    - Document what level of storage will be required from each e-mail user. Determine what will be the consequences when an e-mail user exceeds their quota (such as preventing them from sending and/or receiving email).
    - Control external access to internal groups (such as “all employees”).
    - Consider performing e-mail content control to prevent trade secrets or confidential information from exiting the company.
  • 3. E-Mail (continued)
    - Implement a corporate e-mail anti-spam program. Educate users on the proper use of e-mail and how they should not give out their e-mail address to companies that might send them spam. Educate users on what to do if they do receive spam.
    - Implement e-mail antivirus scanning.
    - Implement an email archiving program. Depending on the advice of your company’s legal team, the archive program may be used more to destroy email at set expiration dates instead of preserving email. The other function of the archiving program is to control the size of the email database.
    - Develop a policy on using company e-mail for personal use (including the forwarding of jokes and chain letters) and decide what is “acceptable use.” Educate users on this policy.
    - Educate users on “phishing” scams to help prevent identity theft.

    File access permissions
    - Document who the owners are for critical files. These will be the persons who determine who has access to what. Determining who has access to what should not be an IT function. The function of IT is to configure that access within the operating system or application once it is determined.
    - Watch out for shares with the default permission “Everyone.”
    - Consider logging successful and failed access and modifications to files.

    Backups
    - Document what data needs to be backed up, how often it should be backed up, and how long it should be retained.
    - Document how often a test should be done to ensure that the backups are restorable.
    - Consider encrypting backup tapes so that the data cannot be recovered if they are lost or stolen.
    - Ensure that backups are taken offsite. Consider a service that will do this for you.

    Crisis management and Disaster recovery
    - Develop a crisis management plan. This plan should cover not just an IT crisis but any crisis that may occur. This should include natural disasters and terrorist attacks.
  • 4. Crisis management and Disaster recovery (continued)
    - Develop an IT disaster recovery plan. This plan must be periodically tested. We won’t go into how to create a disaster recovery plan, as that is outside of the scope of this document. However, this document can help.

    Physical
    - Document what physical security controls are in place for IT security. Does the datacenter/server room have locks on the doors? Are they electronic locks with a log of who goes in and out? Does the room have windows that could be broken? How resilient would it be to a flood, tornado, or power outage? Are there UPS and generators in place? What sort of fire protection does the datacenter/server room have? Also, consider video surveillance. Keep in mind that this only covers IT assets and does not cover physical security for the entire company.
    - Ensure against physical access to a console that can connect to servers, routers, and/or switches.

    PCs and laptops
    - Document the controls on PCs and laptops.
    - Users should not have administrator privilege on their local PCs, unless there is a stated business need for it (e.g. to run a business application).
    - Users should always log onto the domain and not have a local account, if possible.
    - Use file encryption so that if a PC or laptop is lost or stolen, its data cannot be read.
    - Run antivirus and anti-spyware on all PCs and laptops.
    - Consider a personal firewall on laptops because they will travel from network to network.
    - Implement Windows Group Policy security controls to lock down what users can do on PCs and laptops. For instance, preventing users from being able to install programs.
    - Develop a procedure to ensure that PCs and laptops have the latest patches installed.
    - Develop a policy on USB removable devices. These are a major security risk because they can easily be used to remove large amounts of data, including corporate secrets.

    Remote access
    - Control who has access to dial-up and VPN remote access. Only set up permissions for those who truly need it. The list should be as short as possible.
    - Document the company’s policy on remote access.
Log the success and failure of logins for remote access.

Periodically have a third-party company perform a penetration test on any dial-up remote access methods.

Implement a method to ensure that clients connecting through remote access have the proper antivirus and patches installed to prevent them from infecting the company’s systems.

Document whether remote VPN users can have a split tunnel.

Consider using access tokens as a secondary authentication method for remote access. This way, if a username and password are stolen, they still cannot be used to gain access to the network without the token.

Servers, routers, and switches

Run antivirus and anti-spyware software on servers.

Ensure that servers, routers, and switches have the latest patches installed.

Log the events from these devices to a central logging server.

Run performance monitoring software so that you can be alerted if something abnormal happens on the servers or the network. Many times, this can be an indication of a security breach or another critical problem.

Document who has administrator/root level access on these devices and how often the password is changed.

Document what privilege and access method will be given to vendors who need access to support and/or change servers and network devices.

Document the security around the software development and testing environment, as well as the server and network device testing environment.

Harden servers and network devices based on guidelines that are available from sites like the NSA.

Internet / external network

Periodically (I suggest quarterly) have a third-party company perform a penetration test on your Internet connection (or connections).

Protect the internal network and the DMZ from the external network with a stateful firewall.

Log what the firewall denies from coming into the network.

Document the firewall rules with explanations, and make firewall configurations consistent across different segments.

Use an Intrusion Prevention System to stop malicious attacks that would otherwise have gotten through the firewall.
Ensure that you have as few Internet connections as possible (including dial-up connections). Every Internet connection is an avenue for a malicious attacker to get into your network.

Consider implementing a Security Information Management (SIM) system in your network as a central repository for security information that will do event correlation and alerting.

Wireless

Periodically have a third-party company perform a penetration test on your wireless networks.

Ensure that you are using the strongest form of WEP encryption possible.

Consider a wireless security product that will help to prevent wireless signals from leaving your building or office and will control rogue access points on your network.

Consider using 802.1X authentication as a secondary authentication method for any wireless users (besides the WEP key).

Consider putting the wireless network in the DMZ and forcing users to connect to it via a VPN connection.

Document the wireless security policy and educate users on it.

Logging

Implement a centralized logging server.

Document how information is logged, who can view the logs, and how long those logs are kept. Various sections above cover what specifically should be logged.

PDA and cell phone

Document proper and improper company use of cellular phones and PDAs.

Consider using a product that will “remote kill” a lost PDA or cell phone and render its data useless.

Document what types of cellular phones will be supported and who will support them.

Documentation and change management

Document who will control the changes made to the security policy and who will keep the documentation up to date.

Document the process that changes must go through before they can be implemented.
David Davis manages a group of systems/network administrators for a privately owned retail company. He also does networking/systems consulting on a part-time basis. His certifications include IBM Certified Professional-AIX Support, MCSE+Internet, Sun Certified Solaris Admin (SCSA), Certified Information Systems Security Professional (CISSP), Cisco CCNA, CCDA, and CCNP. He is also Cisco CCIE #9369.

Additional resources

Information Security Policy (TechRepublic download)
Sample PDA IT support policy (TechRepublic download)
Disaster recovery plan template (TechRepublic download)
Crisis communications policy (TechRepublic download)

Version history

Version: 1.0
Published: April 27, 2005