
Technology Models

Risk Assessment Procedure LOCAL AREA NETWORK (LAN) Management Questionnaire


Contact: Valerie Adkins

1. Define Local Area Networks by location, designated System Administrator, and Security Officer.
   Domain Name | Location | System Administrator | Security Officer

2. Do all server, desktop, and laptop computers have anti-virus software that detects and removes computer viruses? Check one: YES NO
3. Is the anti-virus software on all server, desktop, and laptop computers kept current by updating virus signatures at least weekly? Check one: YES NO
4. Is there a procedure that requires downloaded software to be checked for viruses before it is loaded on a desktop, laptop, or server? Check one: YES NO
5. Has LAN security software been used to adequately protect application source and executable programs and data files? Check one: YES NO
6. Is the network infrastructure in compliance with the September 2002 VCCS Security Guidelines for Edge Devices v2.0? Check one: YES NO
7. Is firewall technology installed and implemented to protect sensitive internal information? Check one: YES NO
8. Are periodic tests conducted on the firewall technology to ensure compliance with security policies? Check one: YES NO
9. Does the firewall technology have security logging turned on? Check one: YES NO
10. Has protection been deployed at the edge router, network server, and desktop levels to prevent the introduction of malicious code into the system? Check one: YES NO
11. Are network and host vulnerability scanners installed and implemented to test for vulnerabilities in internal systems and perimeter defenses, and their adherence to internal security policies? Check one: YES NO

12. Are the vulnerabilities detected by the network and host vulnerability scanners addressed by the security administrator and/or other security staff? Check one: YES NO
13. Are all security devices (e.g. firewalls, routers, secured servers, email gateways, etc.) audited on a periodic basis to determine whether security policies are being complied with? Check one: YES NO
14. Does your edge router have access control lists in place that limit access to your internal network and computing resources? Check one: YES NO

15. Do you utilize a TACACS+ or RADIUS server on your LAN to control access to switches and routers? Check one: YES NO
16. Do you utilize an Intrusion Detection System? Check one: YES NO
17. Is a portable sniffer or equivalent technology available to provide the capability to monitor and capture traffic at any location within your network? Check one: YES NO
18. Have you had an outside organization perform penetration testing on both your LAN and your WAN, from the Internet and from inside your network? Check one: YES NO
19. Are alternative network paths identified and tested? Check one: YES NO
20. Is a process in place to identify and evaluate suspicious activity that may be occurring on systems/networks (threat detection), and do violations trigger an appropriate form of security notification to security administrators or security staff? Check one: YES NO
21. Are systems designed to handle both active alarms (immediate paging of appropriate security personnel) and passive alarms (logging specific types of activities to a daily system security log for later review)? Check one: YES NO
22. Where are data files and databases stored? Check all applicable: File server(s) Desktop computers
23. Is ALL software (operating system, database, office suites, etc.) used to support applications at current release levels and supported by the vendor? Check one: YES NO

24. Are procedures to control changes to LAN software documented? Check one: YES NO
25. Are all changes to system software residing on the LAN, servers, or desktop computers made by properly trained and experienced system support personnel? Check one: YES NO
26. Does LAN server security software prevent unauthorized personnel from deleting, changing, or adding LAN server system software? Check one: YES NO
27. Are LAN servers that contain sensitive or critical applications secured behind locked doors and protected from unauthorized physical access? Check one: YES NO
28. Are LAN servers used to store sensitive or critical applications adequately protected against environmental threats such as fire and water? Check one: YES NO
29. Are hand-held fire extinguishers that do not damage electrical equipment (CO2 or halon) visibly located near computer equipment? Check one: YES NO
30. Are LAN servers used to store data and programs for sensitive or critical applications adequately protected against electrical problems (i.e. UPS, grounded power supplies, surge protectors)? Check one: YES NO
31. Are backup procedures defined for all LAN-specific server(s) (such as PDC, DBC, etc.)? Check one: YES NO
32. Are backups of mission-critical magnetic storage media such as hard drives, removable disk drives, diskettes, CD-ROMs, zip drives, and other magnetic storage media stored in a secure off-site location? Check one: YES NO
33. Is there a procedure in place to address the disposal of confidential printed information? Check one: YES NO
34. Is there a procedure in place to address the purging of all data, using software utilities or electromagnetic means, from magnetic storage media such as hard drives, removable disk drives, diskettes, CD-ROMs, zip drives, and other magnetic storage media before they are discarded? Check one: YES NO
35. Is access to the Internet from servers prohibited? Check one: YES NO
36. Are procedures in place to protect from unauthorized Internet access? Check one: YES NO
37. Is access to operating system and application software limited to authorized personnel? Check one: YES NO
38. Are vendors permitted to access network equipment remotely? Check one: YES NO
39. Are power-on, keyboard, or screen saver passwords required on desktop computers? Check one: YES NO

40. Is automatic screen saver activation with password protection initiated after a specific period of inactivity on all desktop and laptop computers? Check one: YES NO
41. Are users responsible for their own backups? Check one: YES NO
42. Are labels identifying Inventory Number, Model, and Serial Number placed on all servers, desktop computers, routers, switches, and other network hardware? Check one: YES NO
43. Does your site have the following alarm systems to protect LAN equipment (servers, desktops, routers, switches, etc.) from fire, water, or burglary? Check one: YES NO
44. Do all LAN equipment areas utilize proper environmental controls? Check one: YES NO
45. Does a documented procedure exist to guide LAN users in restoring a backup for servers or desktops? Check one: YES NO
46. Has a contingency/disaster recovery plan that conforms to the COV ITRM Standard SEC2001-01.1 been developed to ensure the LAN can recover from potentially severe interruptions to normal processing? Check one: YES NO
47. Are alternate telecommunication paths for all LANs identified and tested? Check one: YES NO
48. Is error-checking software or a checking procedure used when performing file transfers between your systems and networks and those owned and managed by other agencies and/or businesses? Check one: YES NO
49. Are all operating system changes or new software application releases tested using formal procedures and approved before being placed in operational use? Check one: YES NO
50. Are network system administrator documentation manuals (i.e. log-on, system commands, etc.) placed in a secure area when not in use? Check one: YES NO
51. Is access control documentation available that describes system usage and user responsibilities? Check one: YES NO
52. Are users trained in data backup and recovery procedures? Check one: YES NO
53. Are locations housing backup system facilities secured equivalently to those housing primary system facilities? Check one: YES NO
54. Are the rules for connection by external users (systems and networks) clearly defined and regularly evaluated? Check one: YES NO
55. Does the building have a viable fire detection, prevention, and suppression plan? Check one: YES NO

56. Are diskettes, CD-ROMs, removable hard drives, zip drives, and tapes labeled externally (on the cover) with the names of the owners of the data? Check one: YES NO
57. Are diskettes, CD-ROMs, removable hard drives, zip drives, and tapes labeled externally (on the cover) with the creation dates? Check one: YES NO
58. Are diskettes, CD-ROMs, removable hard drives, zip drives, and tapes labeled externally (on the cover) with unique control numbers? Check one: YES NO
59. Are the computer hardware, wiring, displays, and network for the LAN secured behind locked doors and protected from unauthorized physical access? Check one: YES NO
60. Are the computer hardware, wiring, displays, and network for the LAN documented? Check one: YES NO

61. Is a formal change management process in place that governs all installation and changes for all computer hardware, wiring, displays, and network for the LAN? Check one: YES NO

62. Is a system of monitoring and auditing physical access to all computer hardware, wiring, displays, and network for the LAN in place (e.g. badges, cameras, access logs)? Check one: YES NO

63. Is the technical infrastructure reviewed for security implications and approved by the Information Systems Security Officer (ISSO) or delegated authority, documented and auditable? Check one: YES NO

64. If you have responded NO to any of the above questions, please explain further by listing the questionnaire question number and checking the box that applies.
    Question # ____  Check one: Aware of risk, need to correct / Aware of risk, risk is acceptable / Not applicable
    Question # ____  Check one: Aware of risk, need to correct / Aware of risk, risk is acceptable / Not applicable

65. In your opinion, does this questionnaire identify all security weaknesses? Check one: YES NO
    If NO, please explain:

Staff Completing Questionnaire: ____________________    Title: ____________________
