A checklist developed by security experts, consisting of questions that cover a range of security issues. The questions below are not a complete listing, and before going through them, any organization that maintains a security policy checklist needs to answer one overriding question: are all of the items on the checklist distributed to all employees and fully understood by them? Take, for example, the following items:
• Administrator rights and responsibilities: Under what conditions may a system administrator examine an employee’s account or his or her email, and what parts of the system should the system administrator not examine (for example, Netscape bookmarks)? Can the system administrator monitor network traffic, and if so, what boundaries exist?
• Backups: What systems are backed up, and how often? How are backups secured and verified?
• Connections to and from the Internet: Which computers should be visible from the outside? If computers sit outside the firewall (bastion hosts), how securely are they separated from computers on the inside? Are connections from the Internet to the internal network allowed and, if so, how are they authenticated and encrypted? What traffic is allowed to leave the internal network? If there is traffic across the Internet, how is it secured, and what protection is in place against worms, viruses, or hostile Java applets?
• Dial-up connections: Are dial-up connections allowed, and if so, how are they authenticated and what access level to the internal network do dial-up connections provide? How are modems distributed in this company, and can employees set up modem connections to their home or desktop computers?
• Documentation: Does a map of the network topology exist, and is it clearly stated where each computer fits on that map? Is there an inventory of all hardware and software, and does a document exist detailing the preferred security configuration of every system?
• Emergency procedures: What procedures exist for installing security patches or handling exploits? In the case of a system intrusion, is it company policy to shut down the network immediately, or does the company prefer to monitor the intruder for a while? How and when are employees notified of exploits, and at what stage and at what time are law enforcement agencies called in?
• Logs: What information is logged, and how and where? Are the logs protected from tampering? Are they regularly examined and, if so, by whom?
• Physical security: Are systems physically protected from outside crackers and, where needed, adequately secured against inside crackers? Are reusable passwords used internally or externally, and does company policy tell employees to change their passwords routinely?
• Sensitive information: How are sensitive and proprietary information protected online, and how are backup tapes protected?
• User rights and responsibilities: How much freedom do employees have in selecting their own operating system, software, and games for their computers, and can employees send and receive personal email or do personal work on company computers? What policies exist regarding resource consumption (for example, disk or CPU quotas) and abuse (accidental or intentional) of services? What penalties exist if, for example, an employee brings down a server?
Queeg Company. Security Policy Checklist. [Online, October 6, 1997.] Queeg Company Website. http://queeg.com/~brion/security/secpolicy.html.