
FISMA Certification and Accreditation Handbook, part 4


Document information

Pages: 52
Size: 229.44 KB

Content

www.syngress.com 126 Chapter 8 • Performing and Preparing the Self-Assessment 409_Cert_Accred_08.qxd 11/2/06 1:51 PM Page 126

Table 8.4 continued Operational Assurance Control Questions

No. Question L1 L2 L3 L4

Are procedures documented for using system maintenance and monitoring utilities?
Are processes in place to track version control of operating systems?
Are processes in place to track version control of hardware?
Are processes in place to track version control of applications?
Is licensed software labeled and stored securely?
Is licensed software inventoried either manually or automatically?
Does a policy exist to prohibit the use of nonlicensed software (that is not freeware or shareware)?
Does a policy exist to explain how freeware and shareware should or should not be used?
Does a process exist to allow for expedited emergency change procedures?
When new versions of software are installed, are the versions tested prior to being put into production?
Do procedures exist to test and install new software patches?
Are operating systems hardened and are unnecessary services turned off?
Are systems scanned for known vulnerabilities on a regular basis?
Are vulnerabilities reviewed and mitigated?
Does all purchased software and hardware include vendor supplied documentation?
Does documentation exist for custom and in-house developed applications?
Do procedures for testing security configuration exist?
Are router and switch configurations documented?
Does an up-to-date topological map of the network exist?
Are the firewall rules documented?

Data Integrity
Required by: FISMA § 3544 (c)(2)(G); OMB Circular A-130 III; FISCAM SP-1, SS-2.2
Recommended by: NIST SP 800-18; NIST SP 800-30

Has data integrity been characterized?
Have threats to data integrity been reviewed?
Have safeguards been implemented to preserve data integrity?
Is sensitive information encrypted as required?
Are PKI certificates issued securely?
Are PKI certificates distributed only to authorized users?
Have safeguards been put into place to protect systems from viruses, worms, and Trojans?
Are antivirus signatures updated on a regular basis?
Is virus scanning automatic?
Are reconciliation routines (e.g., hashes, checksums) used for programs and files as required?
Are passwords audited for compliance?
Are intrusion detection (and prevention) tools installed and operational?
Are firewall logs reviewed for dubious network traffic?
Are intrusion detection logs reviewed for dubious behavior?
Are intrusion prevention heuristics updated regularly to safeguard against new exploits?
Is network traffic monitored to detect performance (availability) problems created by denial of service attacks?
Are message authentication codes (MACs) used in accordance with security policies?
Are Virtual Private Network (VPN) configurations documented?

Media Controls
Required by: FISMA § 3544 (b) AGENCY PROGRAM (2)(D)(iv); FISCAM AC-3.4
Recommended by: NIST SP 800-18

Is access to stored media controlled and documented?
Are data files backed up on a regular schedule?
Is the backup schedule documented with files, directories, and filesystems noted?
Are backups stored off-site through a rotation basis?
Is the location of stored backups identified?
Are procedures documented on how to back up and restore files?
When files are restored, are the particulars documented?
Is media properly sanitized before reuse and disposal?
Are electronic records properly archived or disposed?
Is digital media properly stored and disposed of?
Are paper records properly archived or shredded?
Are logs kept regarding who disposes or archives records, documents, and media?
Do procedures exist for mailing (or transporting) sensitive printed materials and digital media?
Do audit trails exist for receipt of sensitive printed materials and digital media?
Are media audit trails available for inventory management?
Are there controls to ensure that unauthorized users are not able to access sensitive printed materials and digital media?
Are only authorized users allowed to obtain and deliver sensitive printed materials and digital media?
Does an inventory of all archived media exist?
Is damaged media properly disposed of or destroyed?
Is all media properly labeled?
Are data classifications and handling instructions clearly marked on all media?

Contingency Planning & Disaster Recovery
Required by: FISMA § 3542-44; OMB Circular A-130 III, FISCAM SC1.1, 1.2, 1.3
Recommended by: NIST SP 800-18, NIST SP 800-34

Does a Contingency Plan exist?
Does the Contingency Plan include a business impact assessment?
Are critical assets identified?
Is a current copy of the contingency plan stored off-site in a secure location?
Has the Contingency Plan been distributed to appropriate personnel?
Are roles and responsibilities for recovery assigned?
Have relative priorities for recovery been established?
Have notification and activation processes been established?
Are there detailed instructions for restoring operations?
Does an alternate processing site exist?
Is the alternate processing site in a different geographic location than the primary site?
Do the Contingency Plan and recovery documentation exist at the alternate processing site?
Are key personnel trained in recovery operations?
Is the Contingency Plan periodically tested?
Has the Contingency Plan been reviewed and approved by management?

Incident Response Capabilities
Required by: FISMA § 3546 (2), OMB Circular A-130 III, FISCAM SP-3.4
Recommended by: NIST SP 800-18, SP 800-61

Are security incidents and alerts analyzed and documented?
Are remedial actions taken as required when a security incident occurs?
Is there a documented process for reporting security incidents?
Is training provided to key personnel on how to handle security incidents?
Do key personnel respond to security incident alerts and advisories?
Are security incidents monitored and tracked until they are resolved or closed?
Does an Incident Response Plan exist?
Is the Incident Response Plan updated as required?
Has management reviewed and approved of the Incident Response Plan?
Is information about security incidents appropriately shared with owners of interconnected systems?
Are security incidents reported to the agency CSIRC, FBI, and US-CERT,[4] and local law enforcement as required?
Are security vulnerabilities and threats listed on the US-CERT Web site reviewed on a regular basis?

Technical security controls refer to controls that are executed by systems, products, and technologies.

Table 8.5 Technical Assurance Control Questions

No. Question L1 L2 L3 L4

Identification and Authentication
Required by: FISMA § 3542-44, 3547; OMB Circular A-130 III; FISCAM AC-2, .32
Recommended by: NIST 800-18

Are users uniquely identified (e.g., unique usernames/logins) before being allowed to access sensitive systems and data?
Are users required to provide proof of identity (e.g., passwords, tokens, two-factor authentication) before being allowed to access sensitive systems and data?
Is identification and authentication information protected from unauthorized access? (How are passwords and usernames safeguarded on the backend?)
Is authentication information protected from replay attacks (e.g., logon credentials are protected during network transmission of packets)?
Are digital signatures used?
Do digital signatures comply with FIPS 186-2?[5]
Are access scripts, programs, and applications with hardcoded passwords prohibited?
Does a list of authorized users exist and is it kept up to date?
Is temporary and emergency system and network access authorized?
Are there procedures for handling lost and compromised passwords?
Are login processes set up so that passwords are not displayed when entered?
Has automatic password expiration been configured and put into place?
Are users required to change their passwords at the minimum every 90 days?
Have login processes been configured (e.g., eight or more alphanumeric characters, upper- and lowercase) to require passwords to be difficult to guess?
Are inactive user accounts automatically expired?
Have users been informed about password disclosure policies and social engineering attacks?
Are passwords distributed or disclosed in a secure manner?
Do friendly termination procedures exist for closing user accounts?
Do unfriendly termination procedures exist for closing user accounts?
Are passwords encrypted and stored using secure protocols and algorithms?
Are vendor and default passwords immediately replaced or disabled?
Are accounts locked after a specified number of invalid access attempts?
Are user logins recorded by the system?
Are data owners consulted for access authorizations?
Is access to security software and tools restricted to authorized security administrators?
Are guest and anonymous accounts authorized and monitored?
Do biometric devices comply with appropriate false acceptance rates?
Do biometric devices comply with appropriate false reject rates?
Are biometric false reject and false acceptance rates tracked and documented?

Logical Access Controls
Required by: FISMA § 3542-44, 3547; OMB Circular A-130 III; FISCAM AC-3.2
Recommended by: NIST 800-18

Are unauthorized access attempts recorded in log files?
Do screensavers lock systems after a period of inactivity?
Is there a separation of duties between administrators who provide access and incident response engineers?
Are remote logins disconnected after a period of inactivity?
Is the user access list documented and is it updated on a regular basis?
If encryption is used, are there procedures for key recovery?
If encryption is used, are there procedures for key distribution?
Do encryption algorithms comply with FIPS 140-2?[6]
Are insecure protocols (e.g., NETBIOS) used with safeguards or else disabled?
Are firewalls, secure gateways, or security appliances installed?
Are controls in place to monitor and authorize access to telecommunications hardware and devices?
Have vendor-supplied default configurations been reviewed for security weaknesses?
Do all firewalls comply with the prescribed firewall policies?
Are router access lists (ACLs) documented?
Is access to router ACLs restricted?
Are router ACLs changed only by authorized administrators?
Are data transmissions encrypted as required?
Are sensitive Web transmissions encrypted (e.g., SSL) as required?
Do network devices disconnect (users) at the end of logon sessions?
Are procedures for authorizing remote access documented?
Are procedures for configuring accounts for remote access documented?
Are remote access accounts authorized?
Is remote access restricted so that it can take place only through specific ports of entry and terminals?
Is a login banner that warns users about unauthorized access displayed?
Is a privacy policy posted in a public place for all users to review?
When the system and network is scanned, is a report generated that classifies vulnerabilities as high, medium, or low risk?

[...]

... stored only in an encrypted state? Does your agency allow the use of algorithms that have not undergone FIPS 140-2[2] validation testing?

www.syngress.com 409_Cert_Accred_09.qxd 11/2/06 1:54 PM Page 144 Chapter 9 • Addressing Security Awareness and Training Requirements

■ Personal use of laptops and desktops should be stated. Are employees allowed to send personal e-mails from agency accounts? Chances...

... 1 2 3 4 5
The instructor was interesting and held my attention 1 2 3 4 5
The instructor responded to questions 1 2 3 4 5
The training material was the right level of detail for me 1 2 3 4 5
Did you have questions about the information presented? Yes No
If yes, have you received a response to your questions? Yes No

... Agree 1 2 3 4 5

Using the scale shown in the preceding example, please evaluate the awareness material by circling the most appropriate response.

I have seen/received information on the current IT security awareness topic 1 2 3 4 5
The information was clear and easy... understand 1 2 3 4 5
The information was useful in helping to understand the topic covered 1 2 3 4 5
Information was included that I was not aware of or previously knowledgeable about 1 2 3 4 5
The information was useful to me in helping me to understand my security responsibilities 1 2 3 4 5
The information grabbed my attention 1 2 3 4 5
I would benefit from more information similar to this 1 2 3 4 5

... Security Awareness and Training Checklist
■ Security Awareness Material Evaluation
■ Security Awareness Class Evaluation

Introduction

All Certification Packages that are Level 2 and above require a Security Awareness and Training Plan. The Security Awareness and Training Plan has... teaches the courses, and where are they held? If it sounds simple, that’s because it is.

Security Awareness and Training Checklist

The following checklist will help you ensure that you have not forgotten to note anything in your plan:

■ Is the type and frequency of training...

... for security awareness and training programs. The document, informally known as NIST Special Publication 800-50, describes four critical elements that all security awareness and training programs should include:

1 Design and planning of the awareness and training program
2 Development of the awareness and training materials
3 Implementation of the awareness and training program
4 Measuring the effectiveness...

... marketing and promotion of security inside your agency. Security awareness programs put in place signs, booklets, posters, and electronic reminders. Awareness programs serve as constant reminders that your agency or organization takes information security seriously and are motivational in nature.

... Agree 4 5

Using the scale shown in the preceding example, please evaluate the awareness class by circling the most appropriate response.

I recently took a class on information security awareness 1 2 3 4 5
The class material was easy for me to understand 1 2 3 4 5
The information presented grabbed my attention 1 2 3 4 5
The information helped me to understand my security responsibilities 1 2 3 4 5
The... (http://csrc.nist.gov/cryptval/140-2.htm)

Chapter 9
Addressing Security Awareness and Training Requirements

“The ultimate value of life depends upon awareness and the power of contemplation rather than upon mere survival.” —Aristotle

Topics in this chapter:

■ Purpose of Security Awareness and Training
■ Security Training
■ The Awareness and Training Message

Date posted: 14/08/2014, 18:20
