[h1]Security Assessment Template[/h1]
Please note that this post is a document in progress and will continue to be updated on an ongoing basis. Please check back regularly for updates.
This simple template is a good starting point for a security assessment of any Information Technology project (network design, web site, mobile app, desktop software, business systems, portals, intranets, extranets, Microsoft SharePoint implementations, Microsoft CRM implementations, etc.).
First of all, here are some important points to keep in mind:
During a security assessment, the first thing to consider is the client’s business requirements.
The following criteria can be useful in documenting and organizing the specific needs of the customer.
[h2]Confidentiality[/h2]
What information is proprietary, and to what degree?
What information is private (personal data)?
What information is public?
What are the consequences of the data being intercepted, sold or publicized?
Does the confidentiality clause in the HR Policies and Procedures need to be updated?
[h2]Integrity[/h2]
What are the consequences of the data being modified?
What are the consequences of the data being destroyed?
[h2]Availability[/h2]
What are the consequences of the data being unavailable?
Discuss MTBF (Mean Time Between Failures) and MTTR (Mean Time To Repair) for specific applications. This should lead to a Disaster Recovery plan. Logging and auditing also bear on availability and recovery:
What logging is currently available?
What additional logging is required?
How long should the log files be kept?
Should there be an auditing component to the system? (in other words, does new data have to be reviewed and approved before it is published?)
[h2]Non-repudiation (liability)[/h2]
How sure can you be that a transaction or event was performed by a specific individual?
To what degree is that person liable?
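The two questions above turn on whether the evidence of a transaction can only have been produced by the person it is attributed to. The following added example (not part of the original template) illustrates the distinction that matters for an assessment: an HMAC under a secret shared with the server proves integrity but not who acted, because the server itself can compute a valid tag, whereas a digital signature made with a private key the user alone holds can be verified by anyone and cannot be fabricated by the server. The transaction record and the shared secret are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRecord is a transaction record together with the signature the
// originating user produced over it.
type SignedRecord struct {
	Record    []byte
	Signature []byte
}

// NewUserKey generates a per-user Ed25519 key pair. Only the public key is
// ever given to the server; the private key stays with the user (device,
// smart card, HSM), which is what makes a signature attributable to them.
func NewUserKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignRecord is what the user's side does when submitting a transaction.
func SignRecord(priv ed25519.PrivateKey, record []byte) SignedRecord {
	return SignedRecord{Record: record, Signature: ed25519.Sign(priv, record)}
}

// VerifyRecord is what the server (or later an auditor) does: check that the
// stored record still matches a signature only the key holder could have made.
func VerifyRecord(pub ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(pub, r.Record, r.Signature)
}

// MACRecord tags a record with HMAC-SHA256 under a key shared between user and
// server. The tag proves integrity, but not who produced it: anyone holding the
// shared key (including the server) can compute a valid tag.
func MACRecord(key, record []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(record)
	return m.Sum(nil)
}

// VerifyMAC checks an HMAC tag in constant time.
func VerifyMAC(key, record, tag []byte) bool {
	return hmac.Equal(MACRecord(key, record), tag)
}

func main() {
	// Constructed sample transaction; not data from any real system.
	record := []byte(`{"from":"ACC-1","to":"ACC-2","amount":100}`)

	pub, priv, err := NewUserKey()
	if err != nil {
		panic(err)
	}
	signed := SignRecord(priv, record)
	fmt.Println("genuine record verifies:      ", VerifyRecord(pub, signed))

	// Integrity: altering the stored record invalidates the signature.
	tampered := SignedRecord{
		Record:    []byte(`{"from":"ACC-1","to":"ACC-2","amount":900}`),
		Signature: signed.Signature,
	}
	fmt.Println("tampered record verifies:     ", VerifyRecord(pub, tampered))

	// Non-repudiation: a server that never held priv cannot fabricate a
	// record that verifies under the user's public key.
	_, serverPriv, _ := NewUserKey()
	forged := SignRecord(serverPriv, tampered.Record)
	fmt.Println("server-forged record verifies:", VerifyRecord(pub, forged))

	// Contrast: with a shared HMAC key the server CAN produce a valid tag for
	// any record it likes, so the tag does not prove the user acted.
	sharedKey := []byte("constructed-shared-secret-not-for-production")
	tag := MACRecord(sharedKey, tampered.Record)
	fmt.Println("server-forged HMAC verifies:  ", VerifyMAC(sharedKey, tampered.Record, tag))
}
```

When assessing a system that claims non-repudiation, ask where the signing key lives: if the server can produce the same evidence the user produces, the answer to "how sure can you be" is "no surer than you are of the server", and liability cannot be pinned on the individual.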
Is two-factor authentication required? (e.g. username/password + temporary PIN sent to a mobile phone, bank card + PIN, digital signature + username/password, etc.)
[h2]HR Policies & Procedures[/h2]
Is there a clearly defined entry checklist for new hires that includes appropriate technology steps?
Is there a clearly defined exit checklist for terminated employees that includes appropriate technology steps?
Are the following policies and procedures clearly defined: