systemsecuritychecklist：系统安全检查表

1、project name/remedy#:teamcoloraddressed by existing controlsbeadba:webdevwindows (win)unixns (network services)iso (information security office)mainframe (mf)business unit objective(biz)department of financial services division of information systemsinstructions - this checklist should first be comp

2、leted during isdm phase 3 (requirements analysis). the required controls should be designed and included in the system and will be validated during isdm phase 6 (integration, test, acceptance).isdm phase 2 一 each security control may be answered by a business unit within dis or by the customer (admi

3、nistrative controls). the chart to the right translates the color in the table below to the un it typically charged with resp on ding to the control. deviati ons from this are expected based on the level of integration or complexity of the system being assessed. checklist completion should be perfor

4、med in a group setting to ensure improved accuracy of collective responses the ism, pm, and technical contacts should be included - security risk (use a * to identify security risks, bring to system owner's attention for action) - audit risk (use a to identify audit risks, bring to system owner&

5、#39;s attention for action) isdm phase 6 一 this column is to be completed when the selected controls can be validated through observation or testing of the system. the ism validates the checklist.o = organization-wide function supporting all baselines, s = system, p = personnelcontrol no.control nam

6、etype of control/ primary teamcontrol consideration (isdm phase 2: requirements analysis)validated (isdm phase 6: in teg rati on, test acceptance)access controlac-1access control policy and procedurestech nical0 一 ap&p 4-05ac-2account managementac-3access enforcementtechnical/beaac-4information

7、flow enforcementtechnical/beaac-5separation of dutiestechnical/beaac-6least privilegetechnical/beaac-7un successful logi n attemptstechnical/beaac-8system use notificationtechnical/beaac-9previous logon (access) notificati ontech nicaln/aac-10concurrent session controltechnicaln/aac-11session lockte

8、chnical/beaac-12session termination(withdrawn)*ac-13supervision and reviewaccess control(withdrawn)ac-14permitted actions without identification or authenticationtechnical/beaac-15automated marking(withdrawn)ac-16security attributestech nicaln/aac-17remote accesstechnical/beaac-18wireless accesstech

9、nical/beaac-19access control for mobile devicestechnical/beaac-20use of external information systemstechnical/beaac-21user-based collaboration and in formatio n shari ngtechnical/beaac-22publicly accessible contenttechnical/beaawareness & trainingat-1security awareness and training policy and pr

10、oceduresoperati onal0 一 security awareness training programat-2security awarenessat-3security traini ngat-4security training recordsat-5con tacts with security groups and associati onsaudit & accountabilityau-1audit and accountability policy and procedurestechnical0 一 ap&p 4-05.au-2auditable

11、 eventstechnical/bizau-3content of audit recordstechnical/bizau-4audit storage capacitytechnical/dbaau-5response to audit processing failurestechnical/dbaau-6audit review, analysis, and reporti ng(withdrawn)*au-7audit reduction and report generati ontechnical/winau-8time stampstechnical/beaau-9prote

12、ction of audit informationtechnical/beaau-10non-repudiatio ntechnicaln/aau-11audit record retentiontechnical/bearefer to gs1-sl to properly configure, direct questions to the isoau-12audit generationtechnical/beaau-13monitoring for information disclosuretechnicaln/aau-14session audittechnicaln/asecu

13、rity assessment & authorizationca-1security assessment and authorization policies and proceduresman ageme nt0 -isdm toolkitca-2security assessme ntsman ageme ntnot cur re ntly in placeca-3information system connectionsmanagement/beaca-4security certification(withdrawn)*ca-5plan of action and mil

14、estonesmanageme nto-isdm toolkitca-6security authorizatio nman agementca-7continuous monitoringman agementconfiguration managementcm-1configuration management policy and proceduresoperational0-isdm toolkitcm-2baseli ne con figurationcm-3configuration change controlcm-4security impact analysiscm-5acc

15、ess restrict!ons for changecm-6configuration settingscm-7least functionalityo-ap&p 4-03 (x.n. 8)cm-8in formatio n system comp orient inventory0 一 ap&p 4-05.cm-9configuration management plancontingency planningcp-1contingency planning policy and proceduresoperati onal0 一 dr/coop functioncp-2c

16、ontingency plancp-3contingency trainingcp-4contingency plan testi ng and exercisescp-5contingency plan update(withdrawn)cp-6alternate storage siteoperati onalo 一 dr/coop functioncp-7alternate processing sitecp-8telecommunications servicescp-9information system backupoperational/wincp-10information s

17、ystem recovery and reconstituti onoperational/dbal&aia-1identification and authentication policy and procedurestechnical0 一 ap&p's 4-03, 4-04, and 4-05ia-2identification and authentication (organizational users)technical/beaia-3device identification and authe nticati ontechnical/beaia-4i

18、dentifier managementtechnicalo 一 ap&p's 4-03, 4-04, and 4-05 (user account management).ia-5authenticator managementtechnical/beaia-6authenticator feedbacktech nicalspecified in ap&p's 4-03ia-7cryptographic module authe nticati ontechnical/winia-8identification and authentication (non

19、-organizational users)technical/beaincident responseir-1incident response policy and proceduresoperati onal0 一 csirt functionir-2in cident resp onse trainingir-3in cide nt response testi ng and exercisesir-4in cident handlingir-5incident monitoringir-6in cident reporti ngir-7in cide nt resp onse ass

20、ists neeir-8incident response planmaintenancema-1system maintenance policy and proceduresoperati onal0 一 change management functionma-2con trolled maintenancema-3maintenance toolsma-4non-local maintenaneema-5maintenance personnelma-6timely maintenancemedia protectionmp-1media protection policy and p

21、roceduresoperati onal0 一 data center controlsmp-2media accessmp-3media markingmp-4media storagemp-5media tran sportmp-6media sanitizationoperati onal0 一 operating procedure dis-006physical & environmental protectionpe-1physical and environmental protection policy and proceduresoperati onal0 - da

22、ta center controlspe-2physical access authorizationspe-3physical access controlpe-4access control for transmission mediumpe-5access control for output devicespe-6monitoring physical accesspe-7visitor controlpe-8access recordspe-9power equipment and power cablingpe-10emerge ncy shutoffpe-11emerge ncy

23、 powerpe-12emerge ncy lighti ngpe-13fire protectionpe-14temperature and humidity controlspe-15water damage protect!onpe-16delivery and removalpe-17alternate work sitepe-18location of information system componentspe-19information leakageplanningpl-1security planning policy and proceduresman ageme nt0

24、 一 ap&p 4-03pl-2system security planman ageme nt0 -isdm toolkitpl-3system security plan update(withdrawn)*pl-4rules of behaviormanagement/beapl-5privacy impact assessmentmanagement/beapl-6security-related activity planningman agemento -isdm toolkit, dr& csirt functionspers on nel securityps-

25、1personnel security policy and proceduresoperational0 一 multiple dfs ap&p'sps-2position categorizationps-3personnel screeningps-4personnel terminationps-5pers onnel tran sferps-6access agreementsps-7third-party personnel securityps-8personnel sanctionsrisk assessmentra-1risk assessment polic

26、y and proceduresman ageme nt0 一 ap&p 4-03ra-2security categorizati ono-sspra-3risk assessment0 一 ssp checklistra-4risk assessment update(withdrawn)ra-5vulnerability scanningman agementto be implementedsystem & services acquisitionsa-1system and services acquisition policy and proceduresmanag

27、eme nto 一 ap&p 4-06sa-2allocation of resourcesmanagementisdm toolkitsa-3life cycle supportsa-4acquisiti onssa-5information system documentationsa-6software usage restrictionsman ageme ntn/asa-7user-installed softwareman agementn/asa-8security engineering principlesmanageme ntisdm toolkitsa-9exte

28、rnal information system servicesmanagement/beaidentification of functions, ports, protocols, servicessa-10developer configuration man ageme ntman ageme ntisdm toolkitsa-11developer security testi ngman ageme ntisdm toolkitsa-12supply chain protectionmanageme ntn/asa-13trustworthinessman ageme ntn/a

29、(pending rmf)sa-14critical in format! on system comp on entsmanagement/win winsystem & communications protectionsc-1system and communications protection policy and procedurestech nicalap&p 4-03, ap&p 4-04sc-2application partition!ngtechnical/beasc-3security function isolationtech nicaln/

30、asc-4information in shared resourcestechnical/winsc-5denial of service protectiontechnical/winsc-6resource prioritytech nicaln/asc-7boundary protectiontechnical/winsc-8transmission integritytechnical/winsc-9transmission confidentialitytechnical/winsc-10network disconnecttechnical/winsc-11trusted pat

31、htechnicaln/asc-12cryptographic key establishment and managementtechnical/winsc-13use of cryptographytechnical/winsc-14public access protectionstechnical/winsc-15collaborative computing devicestech nicaln/asc-16transmission of security attributestechnicaln/asc-仃public key infrastructure certificates

32、technicaln/asc-18mobile codetechnical/beasc-19voice over internet protocoltech nicaln/asc-20secure name /address resolution service (authoritative source)technical/beasc-21secure name /address resolution service(recursive or caching resolver)technical/webdevsc-22architecture and provisioning for name/address resolution servicetechnical/winsc-23session authenticitytechnical/beasc-24fail in known statetech nicaln/asc-25thin nodestechnicaln/asc-26honey pot