forked from redteamcaliber/Risk-Assessment-Checklist
# Information Security Policies
- Does the company have documented information security policies?
  - If not, the SANS policy templates are a reasonable starting point: https://www.sans.org/security-resources/policies
- Have the policies been approved and signed off by management?
- How were the policies communicated to the end users of the organization?
- Check whether end users actually follow the policies.
- How frequently does the organization review and update its InfoSec policies?
# Information Security Roles and Duties Segregation
- Are responsibilities documented for each InfoSec-related duty?
- Responsibilities and duties are two separate things in information security. Are both well documented and communicated across the organization?
- Make sure the organization has a well-defined document stating whom to contact, and when, in the event of a breach or an identified risk.
- Do these security practices apply to all teams/departments within the organization, or only to the technical departments where the risk exposure is highest?
# Human Resource Security Management
- Check the background screening process.
  - Is background screening done by a 3rd party?
  - If yes, is there a non-disclosure agreement with the 3rd-party vendor?
- Pre-onboarding, which documents does HR collect? How is the authenticity of those documents verified where needed?
- During employment, does management's behaviour encourage employees to stick to the InfoSec guidelines?
- How is employee termination handled?
  - Are all physical and technical accesses revoked from the employee?
  - Who makes sure of this, and how?
# Asset & Information Management Security
- Is there an asset management inventory?
  - Is it kept up to date?
  - Who owns asset management?
- Does the organization have an 'acceptable use policy'?
  - Check whether users follow the 'acceptable use policy'.
- Check who owns the return of assets (e.g. on termination or transfer).
- Is there a policy for transferring, storing, retrieving and disposing of classified information?
  - Check whether all four of these are being done appropriately.
  - Do a dumpster-diving check: look in waste and recycling bins for discarded classified documents or media.
- Check what physical access users have with their laptops/desktops, such as use of removable media, CD/DVD writers, etc.
- Are there policies or contract clauses that state the consequences (disciplinary action or penalties) of unauthorized access to, modification, disposal or retrieval of classified information as well as physical assets?
- Is there a documented access control policy?
  - Are roles and responsibilities defined for the access control policy?
  - Are they properly followed?
  - Are inventories/logs maintained for access control? Are they retrievable?
- Is there a documented process for user access provisioning?
  - Check whether privileged accounts are maintained separately from regular user accounts.
  - Check whether user access is properly removed upon termination or after resignation.
# System & Application Access Security
- Are application and system access controls documented?
- Is 2FA required to log on to systems or applications?
- Does the company use a password manager?
- Is there a password complexity policy, and is it enforced when passwords are created?
- Do systems have full-disk encryption in place?
- Check whether BIOS/UEFI setup access is password protected. If not, test whether the machine will boot from external media (e.g. a Kali Linux live USB), which gives full read/write access to an unencrypted disk.
- Check for restricted access controls on sensitive information such as original source code or database servers.
- Check for default/common/guessable passwords on systems and applications.
- Check the versions of systems and applications: are they outdated enough to be affected by publicly exploitable vulnerabilities?
- Are privileged activities on systems and applications being monitored?
- Is there a cryptography policy/standard?
- How are keys exchanged between two parties for cryptographic operations?
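The two password items above (a complexity policy, and default/common/guessable passwords) can be checked with a small offline script. The following is an added example, not part of the original checklist: `check_policy` is the rule an application would apply when a password is set, and `audit_accounts` recomputes hashes for a default-credential wordlist and username-derived guesses against an exported account table. The hashing scheme (PBKDF2-HMAC-SHA256), the policy thresholds, the wordlist and the sample accounts are all assumptions made for the demo.

```python
"""Offline password policy and default-credential audit (added example,
not from the original checklist). All thresholds, the wordlist and the
account records are constructed for illustration."""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Constructed wordlist of vendor defaults and common choices. A real audit
# loads this from a file (vendor default-credential lists, breached-password
# corpora); these entries only exist to make the example run.
DEFAULT_AND_COMMON = [
    "admin", "password", "Password1", "changeme",
    "root", "123456", "welcome1", "P@ssw0rd",
]

MIN_LENGTH = 12        # assumed policy minimum
MIN_CLASSES = 3        # assumed: at least 3 of lower/upper/digit/symbol
PBKDF2_ROUNDS = 20_000  # assumed hashing cost for the demo scheme


def hash_password(password: str, salt: bytes) -> str:
    """Illustrative salted PBKDF2-HMAC-SHA256. Real systems use their own
    scheme (crypt, bcrypt, argon2); the audit works the same way as long as
    the auditor can recompute a candidate's hash with the stored salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def check_policy(username: str, password: str) -> List[str]:
    """Return the policy violations for a proposed password (empty = OK).
    This is the check to run at password-creation time."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        findings.append(f"fewer than {MIN_CLASSES} character classes")
    if username.lower() in password.lower():
        findings.append("contains the username")
    if password in DEFAULT_AND_COMMON:
        findings.append("in default/common password list")
    return findings


def make_account(username: str, password: str) -> Dict:
    """Constructed account record as exported from an application database:
    username, per-user salt and stored hash, no plaintext."""
    salt = hashlib.sha256(f"salt:{username}".encode()).digest()[:16]  # deterministic for the demo
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


def audit_accounts(accounts: List[Dict]) -> Dict[str, Optional[str]]:
    """Try the default/common list plus username-derived guesses against each
    stored hash. Returns {username: recovered password or None}."""
    result: Dict[str, Optional[str]] = {}
    for acct in accounts:
        user = acct["username"]
        candidates = DEFAULT_AND_COMMON + [
            user, user.capitalize(), user.capitalize() + "123", user + "2024",
        ]
        recovered = None
        for candidate in candidates:
            if hmac.compare_digest(hash_password(candidate, acct["salt"]), acct["hash"]):
                recovered = candidate
                break
        result[user] = recovered
    return result


if __name__ == "__main__":
    # Constructed sample export: a service account left on a vendor default,
    # a user whose password is derived from the username, and a compliant one.
    sample = [
        make_account("svc_backup", "changeme"),
        make_account("bob", "Bob123"),
        make_account("alice", "correct-Horse-7-battery"),
    ]
    for user, pw in audit_accounts(sample).items():
        print(f"{user:12} {'WEAK: ' + pw if pw else 'not recovered'}")
    print("policy findings for bob/Bob123:", check_policy("bob", "Bob123"))
```

Run it against a real export by replacing `make_account` with the application's own salt/hash layout and pointing `DEFAULT_AND_COMMON` at a proper wordlist; the auditor only ever needs the stored hashes, never the plaintexts.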
# Physical Environment Security
- Does the company have restricted-access areas (such as the data center)?
- Is there an inventory/log for physical access monitoring?
- Is there a locking-up and clear-desk policy? Check how it is enforced.
- Check whether the infrastructure was configured with security in mind.
- Check that the DR (disaster recovery) and production environments are not at the same physical location, so that a natural disaster cannot take out both.
- For environmental hazards, is protective equipment readily available at a known location?
- Are users trained to use fire safety and other equipment in an emergency?
- Is there a UPS system for power backup at the physical location?
  - Has it been tested at regular intervals?
- Is there cabling and power management security?
  - Cabling must be protected against interception, damage and interference.
- Is there a formal process for removing assets from the physical infrastructure?
  - Is data cleared from the asset before it is disposed of or removed from the physical infrastructure?
  - Where and how is data wiped from the asset?
# Operation Security
- Is there a change and capacity management process?
- Does the infrastructure have malware/virus protection?
- Does the infrastructure have an anti-spam filtering process?
- Does the infrastructure have ransomware protection in place?
- Is there a backup policy?
  - Are backups tested (i.e. are restores actually performed)?
  - Are backups protected with passwords or encryption?
- Does an event logging mechanism exist?
  - Are logs properly reviewed?
  - Are logs protected against tampering and interference? Is there an access control policy for logs?
  - Who manages administrator logs?
- Are there restrictions on installing and using 3rd-party applications without prior permission?
- Does the organization have a vulnerability management program run at a defined interval?
- Does the organization have a patch management program run at a defined interval?
- Does the organization have an IS audit program run at a defined interval?
- Does the organization hold any compliance certification?
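For the log-tampering item above, one concrete control an auditor can ask for is a keyed hash chain: every record carries an HMAC over its own content and the previous record's tag, so editing, deleting, inserting or reordering records breaks verification, and deletion from the end of the log is caught by comparing the last tag with a copy held by the collector. The code below is an added example, not part of the original checklist; the key, the record format and the sample admin-activity events are constructed for the demo, and it assumes the key is held only by the log collector/SIEM rather than on the host producing the logs.

```python
"""Tamper-evident log chain (added example, not from the original checklist).

Each record's tag = HMAC-SHA256(key, previous_tag + "\n" + canonical JSON of
the event). Assumption: the key lives on the log collector, not on the host
being logged, so a host-level attacker cannot re-sign altered records.
The key and events below are constructed for the demo only."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

CHAIN_KEY = b"constructed-demo-key-not-for-production"  # assumed collector-side secret
GENESIS_TAG = "0" * 64  # the tag the first record links back to


def _canonical(event: Dict) -> str:
    # Deterministic serialisation so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _tag(prev_tag: str, event: Dict) -> str:
    msg = (prev_tag + "\n" + _canonical(event)).encode()
    return hmac.new(CHAIN_KEY, msg, hashlib.sha256).hexdigest()


def append_record(chain: List[Dict], event: Dict) -> Dict:
    """Append an event to the chain, linking it to the previous record's tag."""
    prev = chain[-1]["tag"] if chain else GENESIS_TAG
    rec = {"seq": len(chain), "prev": prev, "event": event, "tag": _tag(prev, event)}
    chain.append(rec)
    return rec


def verify_chain(chain: List[Dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int], str]:
    """Walk the chain from the genesis tag. Returns (ok, first_bad_seq, reason).

    expected_head is the last tag as stored by the collector; passing it lets
    the verifier detect records deleted from the end of the log, which an
    internally consistent but shortened chain would otherwise hide."""
    prev = GENESIS_TAG
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i, "link broken: record removed, inserted or reordered"
        if not hmac.compare_digest(_tag(prev, rec["event"]), rec["tag"]):
            return False, i, "record content altered"
        prev = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain), "chain truncated: head tag differs from collector's copy"
    return True, None, "ok"


def build_demo_chain() -> List[Dict]:
    """Constructed sample: three admin-activity events as a collector might receive them."""
    chain: List[Dict] = []
    for ev in (
        {"ts": "2024-03-01T08:00:00Z", "user": "root", "action": "sudo", "cmd": "useradd deploy"},
        {"ts": "2024-03-01T08:01:10Z", "user": "root", "action": "sudo", "cmd": "usermod -aG wheel deploy"},
        {"ts": "2024-03-01T08:02:30Z", "user": "deploy", "action": "login", "result": "success"},
    ):
        append_record(chain, ev)
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    head = chain[-1]["tag"]  # what the collector stores out-of-band
    print("intact:", verify_chain(chain, head))
    # An attacker on the host rewrites the privilege-escalation record.
    chain[1]["event"]["cmd"] = "usermod -aG users deploy"
    print("edited:", verify_chain(chain, head))
```

Without the out-of-band head tag, a chain with its last records removed still verifies, which is why the check should be run by the collector against its own copy of the head rather than by the host that produced the log.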