Please note that this post is a document in progress and will continue to be updated on an ongoing basis.  Please check back regularly for updates.

[h1]Security Assessment Template[/h1]

This simple template is a good starting point for an assessment to be used with any Information Technology project (network design, web site, mobile app, desktop software, business systems, portals, intranets, extranets, Microsoft SharePoint implementations, Microsoft CRM implementations, etc.).

First of all, here are some important points to keep in mind:

    • Security within computer systems can be considered as a chain of trust. There is no sense in creating (or paying for) a really strong link in the chain if weaker links provide easy breaches of the overall security.
    • In addition to the technology, appropriate policies and procedures need to be in place to protect corporate and personal data and to avoid other legal consequences (see below for more details).
    • The system has to prevent theft and malicious actions. You need to consider everything in terms of consequences: not just ‘what if someone can access the data?’, but also ‘what if someone erases the data?’ and ‘what if someone modifies the data?’.

During a security assessment, the first thing to consider is the client’s business requirements.

The following criteria can be useful in documenting and organizing the specific needs of the customer.

[h2]Confidentiality[/h2]

What information is proprietary, and to what degree?

What information is private (personal data)?

What information is public?

What are the consequences of the data being intercepted, sold or publicized?

Does the HR Policies and Procedures confidentiality clause need to be updated?

[h2]Integrity[/h2]

What are the consequences of the data being modified?

What are the consequences of the data being destroyed?

[h2]Availability[/h2]

What are the consequences of the data being unavailable?

Discuss MTBF (Mean Time Between Failure) and MTR (Mean Time to Repair) for specific applications. This should lead to a Disaster Recovery plan which includes:

    • a list of the disaster scenarios
    • the appropriate action to take in each scenario
    • a test plan specifying the tests to be performed, the frequency of each test, and the person or group responsible for it

[h2]Logging and Accounting[/h2]

What logging is currently available?

What additional logging is required?

How long should the log files be kept?

Should there be an auditing component to the system? (in other words, does new data have to be audited before it is published?)

[h2]Non-repudiation (liability)[/h2]

How sure can you be that a transaction or event was performed by a specific individual?

To what degree is that person liable?

Is two-factor authentication required? (e.g. username/password + a temporary PIN sent by mobile text message, bank card + PIN, digital signature + username/password, etc.)

[h2]HR Policies & Procedures[/h2]

Is there a clearly defined entry checklist for new hires that includes appropriate technology steps?

Is there a clearly defined exit checklist for terminated employees that includes appropriate technology steps?

Are the following policies and procedures clearly defined:

    • acceptable software use policy (no illegal software, no pirated software, etc.)
    • acceptable computer use policy (company systems will only be used for company business unless the employee gets explicit permission from their manager, software installation policy, travel precautions)
    • data privacy policy (any data on company systems is and will be viewed by system administration personnel, never store personal data on company systems, etc.)
    • social media policy (use of social media, representation, etc.)