Best Practices For Department Server and Enterprise System ...

Best PracticesFor Department Server and Enterprise System ChecklistINSTRUCTIONSInformation Security Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT) resourcesagainst Information Security related threats such as hacker attacks, worms, viruses, and other malicious activities. The Best Practices forDepartment Server and Enterprise System Checklist will be used to determine if an organizational unit of The George WashingtonUniversity is using standard Information Security Best Practices to secure their Departmental Servers and Enterprise Systems.To use this checklist, review each individual Department Server Best Practice Requirement and each Enterprise System Best PracticeRequirement listed to the right of each category in the first column (Physical Security, Security Administration, Operating System Security,Database Security, Network Security, Anti-Virus, and Security Documentation). Place a check mark in the “Check if Complete” column foreach best practice requirement met in the Department Server Best Practice column and/or a check mark in the “Check if Complete” columnfor each best practice requirement met in the Enterprise System Best Practice column. If you are not able to comply with the requirement,please provide a business case justification in the “Justification for Non-Completion” column.Best Practice Requirements For Department Servers and Enterprise SystemsCheck ifCompleteDepartment ServerBest Practice RequirementCheck ifCompleteEnterprise SystemBest Practice RequirementJustification for Non-CompletionPhysicalSecurityHave entry and exit to equipmentand wiring closets been restricted tounauthorized personnel?Have entry and exit to equipment and wiringclosets been restricted to unauthorizedpersonnel?Physically lock equipment to astationary durable device such as anoffice desk or inside a computercabinet.Physically lock equipment to a stationarydurable device such as an office desk orinside a computer cabinet.Page 1 of 8

Ensure that each user isauthenticated before access isgranted.Have process in place to clean upaccounts once the user no longerrequires access to the database.Enable auditing and logging featureson the system to capture pertinentinformation pertaining to all useractivities.Have a security assessmentperformed on the system, includingpenetration testing.Install host-based security tools suchas Intrusion Detection and FileIntegrity Checkers for informationthat contain mission critical dataand/or confidential data.Disable all unnecessary services onsystem.Ensure that each user is authenticated beforeaccess is granted.Have process in place to clean up accountsonce the user no longer requires access to thedatabase.Enable auditing and logging features on thesystem to capture pertinent informationpertaining to all user activities.Have a security assessment performed on thesystem, including penetration testing.Install host-based security tools such asIntrusion Detection and File IntegrityCheckers for information that containmission critical data and/or confidential data.Disable all unnecessary services on system.OperatingSystemSecurityUse Minimum SecurityConfiguration Benchmarks – fromthe Center for Internet Security(supported by NSA, DISA, DHS,and NIST and security experts frommore than 100 other organizations).Use Minimum Security ConfigurationBenchmarks – from the Center for InternetSecurity (supported by NSA, DISA, DHS,and NIST and security experts from morethan 100 other organizations).Page 3 of 8

DatabaseSecurityThere are currently minimumsecurity configurations for 14 typesof systems. There are also toolsavailable to test systems against thebenchmarks -http://www.cisecurity.org/index.htmlHave a security assessmentperformed on the system that willcontain the database.Establish accounts for eachindividual user and grant theappropriate level of access necessaryto perform job.Ensure that each user isauthenticated before access isgranted.Have process in place to clean upaccounts once the user no longerrequires access to the database.Update patches, subject to changemanagement process, on the systemas they become available and afterpatches have been tested in a nonproductionenvironmentEncrypt information stored in thedatabase.There are currently minimum securityconfigurations for 14 types of systems.There are also tools available to test systemsagainst the benchmarks -http://www.cisecurity.org/index.htmlHave a security assessment performed on thesystem that will contain the database.Establish accounts for each individual userand grant the appropriate level of accessnecessary to perform job.Ensure that each user is authenticated beforeaccess is granted.Have process in place to clean up accountsonce the user no longer requires access to thedatabase.Update patches, subject to changemanagement process, on the system as theybecome available and after patches have beentested in a non-production environmentEncrypt information stored in the database.Page 4 of 8

Enable auditing and logging featureson the system to capture pertinentinformation pertaining to all useractivities.Enable auditing and logging features on thesystem to capture pertinent informationpertaining to all user activities.NetworkSecurityMonitor network for maliciousand/or abnormal activityApply patches to network devices,operating systems, and software onnetwork subject to changemanagement process.Monitor network for malicious and/orabnormal activityApply patches to network devices, operatingsystems, and software on network subject tochange management process.Encrypt transmissions that containsensitive and/or confidentialinformation.Regularly review logs from networkdevices such as VPN, Routers, IDS,IPS, and Firewalls for suspiciousactivity.Update IDS/IPS signatures regularlyEnsure strong passwords are set andchanged regularly on routers.Remove default passwords from allnetworking devices.Disable all unnecessary services onnetwork devices.Encrypt transmissions that contain sensitiveand/or confidential information.Regularly review logs from network devicessuch as VPN, Routers, IDS, IPS, andFirewalls for suspicious activity.Update IDS/IPS signatures regularlyEnsure strong passwords are set and changedregularly on routers.Remove default passwords from allnetworking devices.Disable all unnecessary services on networkdevices.Page 5 of 8

Use stronger more secure protocolsto security network devices such asSSH instead of telnet.Use stronger more secure protocols tosecurity network devices such as SSH insteadof telnet.Anti-VirusHave a security assessmentperformed at least annually onnetwork devices such as routers andfirewall.Download Anti-Virus softwareprogram and instructions fromhttp://helpdesk.gwu.edu/nav/Have a security assessment performed atleast annually on network devices such asrouters and firewall.Download Anti-Virus software program andinstructions fromhttp://helpdesk.gwu.edu/nav/Update Anti-Virus Definitionsregularly.Update Anti-Virus Definitions regularly.Scan system regularly for virus,worm, and Trojan activity.Scan system regularly for virus, worm, andTrojan activity.SecurityDocumentationDocument description of systemssoftware and hardware.Document contingency plan forsystem in the event the systembecomes unavailable.Document and maintain backupprocedures for system.Document description of systems softwareand hardware.Document contingency plan for system in theevent the system becomes unavailable.Document and maintain backup proceduresfor system.Page 6 of 8

Keep user manuals from vendors forsystems that were pre-built ordevelop documentation on systemsthat have been developed in house.Keep software license catalog ofsystem software and applications onhand.Keep risk and security assessmentsfor system on hand.Keep user manuals from vendors for systemsthat were pre-built or develop documentationon systems that have been developed inhouse.Keep software license catalog of systemsoftware and applications on hand.Keep risk and security assessments forsystem on hand.BEST PRACTICE CHECKLIST SIGN-OFF1) I have reviewed the Department Server and/or the Enterprise System against this Best Practice checklist.2) Best Practice requirements that could not be met for a business justifiable reason has been documented in the “Justification for Non-Completion” column of this document.System Administrator Sign-offName:_____________________________Signature:_____________________________System Owner Sign-offName:_____________________________Signature:_____________________________Page 7 of 8

Title:_____________________________Date:_____________________________Title:_____________________________Date:_____________________________Page 8 of 8