Best Practices For Department Server and Enterprise System Checklist Instructions
Information Security Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT) resources against Information Security related threats such as hacker attacks, worms, viruses, and other malicious activities. The Best Practices for Department Server and Enterprise System Checklist will be used to determine if an organizational unit of The George Washington University is using standard Information Security Best Practices to secure their Departmental Servers and Enterprise Systems. To use this checklist, review each individual Department Server Best Practice Requirement and each Enterprise System Best Practice Requirement listed to the right of each category in the first column (Physical Security, Security Administration, Operating System Security, Database Security, Network Security, Anti-Virus, and Security Documentation). Place a check mark in the Check if Complete column for each best practice requirement met in the Department Server Best Practice column and/or a check mark in the Check if Complete column for each best practice requirement met in the Enterprise System Best Practice column. If you are not able to comply with the requirement, please provide a business case justification in the Justification for Non-Completion column.
Ensure the temperature in the room is appropriate for the equipment (check user guide for equipment).
Attach devices to an Uninterruptible Power Supply Device (UPS) and/or surge protector.
Ensure that fire, smoke, and heat detectors are installed to protect people and equipment.

Security Administration
Apply software patches to all software programs on the system when available subject to the change management process.
Apply operating system patches on the system when available subject to the change management process.
Ensure the system is protected by a properly configured firewall.
Ensure the system is protected by updated anti-virus software.
Establish accounts for each individual user and grant the appropriate level of access necessary to perform job.
Ensure that each user is authenticated before access is granted.
Have a process in place to clean up accounts once the user no longer requires access to the database.
Enable auditing and logging features on the system to capture pertinent information pertaining to all user activities.
Have a security assessment performed on the system, including penetration testing.
Install host-based security tools such as Intrusion Detection and File Integrity Checkers for information that contains mission-critical data and/or confidential data.
Disable all unnecessary services on the system.
Use Minimum Security Configuration Benchmarks from the Center for Internet Security (supported by NSA, DISA, DHS, and NIST and security experts from more than 100 other organizations).
There are currently minimum security configurations for 14 types of systems. There are also tools available to test systems against the benchmarks: http://www.cisecurity.org/index.html

Database Security
Have a security assessment performed on the system that will contain the database.
Establish accounts for each individual user and grant the appropriate level of access necessary to perform job.
Ensure that each user is authenticated before access is granted.
Have process in place to clean up accounts once the user no longer requires access to the database.
Update patches, subject to change management process, on the system as they become available and after patches have been tested in a non-production environment.
Encrypt information stored in the database.
Enable auditing and logging features on the system to capture pertinent information pertaining to all user activities.

Network Security
Monitor network for malicious and/or abnormal activity.
Apply patches to network devices, operating systems, and software on network subject to change management process.
Encrypt transmissions that contain sensitive and/or confidential information.
Regularly review logs from network devices such as VPN, Routers, IDS, IPS, and Firewalls for suspicious activity.
Update IDS/IPS signatures regularly.
Ensure strong passwords are set and changed regularly on routers.
Remove default passwords from all networking devices.
Disable all unnecessary services on network devices.
Use stronger, more secure protocols to secure network devices, such as SSH instead of telnet.
Have a security assessment performed at least annually on network devices such as routers and firewalls.

Anti-Virus
Download Anti-Virus software program and instructions from http://helpdesk.gwu.edu/nav/
Update Anti-Virus Definitions regularly.
Scan system regularly for virus, worm, and Trojan activity.

Security Documentation
Document description of systems software and hardware.
Document contingency plan for system in the event the system becomes unavailable.
Document and maintain backup procedures for system.
Keep user manuals from vendors for systems that were pre-built, or develop documentation on systems that have been developed in-house.
Keep software license catalog of system software and applications on hand.
Keep risk and security assessments for system on hand.