Site Security Audit Checklist

This Site Security Audit Checklist is aimed at a small to medium single-site operation. The data will also be used as part of a future Enterprise Security Checklist. This checklist targets top-level security items to ensure that essential policies, procedures, methodologies, and tools are in place to provide a security framework. Other security audit checklists may be used to verify specific installations of software, systems and networks. It is expected that this checklist will be tailored to a specific site's needs and operations.

Asset Management

  • Physical identification of each asset
  • Revision levels
  • Maintenance agreements
  • Lease details
  • Division ownership
  • Physical location map (HW)
  • License restrictions (SW)
  • Original media labeled and stored (SW)
  • IP and Ethernet (MAC) address (HW)
  • Regular asset verification
  • Network probes
  • Original media inventory verification
  • License conformance verification
  • Process for adding/moving/decommissioning HW and SW
  • Data and process to determine asset value

Facilities Management

  • Power supply capacity and distribution
  • UPS
  • Air conditioning
  • Fire control
  • Environmental failure monitoring and alerting
  • Physical security
  • Appropriate maintenance contracts for core equipment
  • Appropriate console (privilege) management
  • Data center layout and wiring maps
  • Network topology maps
  • Host responsibility assignments
  • IP allocation register
  • Critical support documents

Network Management

  • Network management console implemented
  • Proactive monitoring of network health
  • Network management provides alerts of network outages or failures
  • Network devices use a common protocol to report failures (SNMP)
  • Procedure for addition, removal and movement of network devices
  • Procedure for allocation and recovery of network addresses
  • Accurate network register maintained
  • Tool to scan for network exceptions: duplicate addresses, illegal addresses
  • Tools for identifying and isolating network faults
  • Policy and requirements for network gateway implementation
  • Policy for remote access (modem) facilities
  • Procedure for severing gateway and modem connections in the event of a security incident
  • Mechanism(s) in place to protect network from exterior networks (Firewalls)
  • Intrusion Detection System (IDS) to detect illegal traffic on internal network
  • Mechanism for monitoring for illegally connected gateways/modems
  • Regular network security audits performed

The following sections are applied to individual hosts and should be customized for the host OS.

Server Management

  • Account management standards
  • Product installation and configuration standards
  • Host configuration baseline
  • Central log host where all systems logs are maintained and reviewed
  • Regular and well defined house cleaning (rolling and archiving logs)
  • System backups
  • Centralized administration aliases - tools direct results and errors to central aliases
  • Key aliases defined

Software Management

  • Policy for software location, distribution, replication and currency
  • Mechanism to inventory installed software
  • Production acceptance process
  • Procedure for license management

Data Management

  • Well defined data archiving policy and procedure
  • Random restores to verify backup media and procedure
  • Availability management addressed (RAID, HA systems implemented where appropriate)

Data Security

  • Well defined and communicated information security policy (based on RFC 1244, RFC 2196 or another standard)
  • User responsibilities acceptance form
  • Acceptable usage statement
  • Formal security stance
  • Defined information security coordination
  • Allocation of information security responsibilities
  • Process for receiving and evaluating vendor and CERT advisories
  • Process for reporting and investigating suspected security breaches
  • Security logs reviewed on regular basis
  • Automated alerts defined
  • Audit trails enabled
  • Regularly used security methodologies and tools
  • Virus control systems in place, enforced and updated
  • Security methodologies and tools regularly reviewed for currency and applicability
  • Independent review of information security architecture, controls and mechanisms
  • Audits of physical, network, host and data security
  • Incident investigation reports, assessments and action plans
  • Risk assessment and contingency planning standards in place

Notes:

Asset Management: Asset Management is required. It is impossible to protect assets (systems) that cannot be identified or tracked. A detailed list of assets, their physical location and a unique identifier (MAC or IP address) is required. It is strongly suggested that some form of Asset Tracking be implemented along with a method to determine asset monetary value.

Facilities Management: Good facilities management is the foundation for system security. Critical systems must be kept in a secure area. Documents that describe the facility, such as network topology maps, wiring maps and the IP allocation register, are critical for planning and maintaining security. Environmental failure can be devastating and should not be overlooked.

Network Management: Verify that network management is complying with and fulfilling the established security procedures and requirements. Proactive network management is required for secure systems and results in a healthier network environment. Internal threats need to be addressed. Use of firewalls should not be exclusive to the network boundary. Firewalls and intrusion detection systems should be used to control and monitor traffic on all critical subnets.
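The "accurate network register" and "scan for network exceptions" items above can be checked mechanically by reconciling the IP allocation register against what a probe actually sees. The following is an added example, not part of the original checklist; the register, the allocated range and the ARP-style observation lines are constructed sample data, and a real run would feed it ARP or switch tables.

```python
"""Reconcile the IP allocation register against addresses seen on the wire.
Added example, not part of the original checklist: the register, the allocated
range and the ARP-style observations below are constructed sample data."""
import ipaddress
from collections import defaultdict

# Constructed: allocated range(s) and the register, ip -> (mac, hostname).
ALLOCATED = [ipaddress.ip_network("10.1.0.0/24")]
REGISTER = {
    "10.1.0.1": ("00:11:22:33:44:01", "gw01"),
    "10.1.0.10": ("00:11:22:33:44:10", "fs01"),
    "10.1.0.11": ("00:11:22:33:44:11", "db01"),
}

# Constructed: "ip mac" pairs as a probe would harvest them from ARP tables.
OBSERVED = """\
10.1.0.1 00:11:22:33:44:01
10.1.0.10 00:11:22:33:44:10
10.1.0.10 00:11:22:33:44:99
10.1.0.50 00:11:22:33:44:50
192.168.7.3 00:aa:bb:cc:dd:ee
"""

def reconcile(register, allocated, observed_text):
    """Return the exceptions an audit would raise, keyed by kind:
    illegal (outside allocated ranges), duplicate (one IP, several MACs),
    unregistered (not in the register, or MAC disagrees), missing (never seen)."""
    seen = defaultdict(set)
    for line in observed_text.splitlines():
        if line.strip():
            ip, mac = line.split()
            seen[ip].add(mac.lower())
    exc = {"illegal": [], "duplicate": [], "unregistered": [], "missing": []}
    for ip, macs in sorted(seen.items()):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in allocated):
            exc["illegal"].append(ip)
            continue
        if len(macs) > 1:
            exc["duplicate"].append(ip)
        entry = register.get(ip)
        if entry is None or entry[0].lower() not in macs:
            exc["unregistered"].append(ip)
    exc["missing"] = sorted(ip for ip in register if ip not in seen)
    return exc

if __name__ == "__main__":
    for kind, ips in reconcile(REGISTER, ALLOCATED, OBSERVED).items():
        print(f"{kind:12s} {', '.join(ips) or '-'}")
```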

Server Management: Unique server management procedures should be defined for each operating system or server type. Common system aliases like "root" and "postmaster" should be used and be consistent from machine to machine. It is advisable that a snapshot be taken of each new operating system installation before production deployment. In certain situations it may be appropriate to have an append-only logging host, or to have logs sent directly to a printer. A tool like Tripwire may be helpful in identifying and tracking changes to the system configuration.
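The pre-deployment snapshot and the Tripwire-style change tracking mentioned above reduce to the same mechanism: record a manifest of (mode, size, hash) per file, then diff a fresh manifest against it. The following is an added example, neither the checklist's nor Tripwire's own code; the directory tree built in demo() is constructed, where a real baseline would cover /etc and similar trees.

```python
# Added example (not the checklist's or Tripwire's own code); the tree in demo() is constructed.
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each regular file (path relative to root) to (mode, size, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # links and specials need their own handling
            st = os.stat(full)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = (st.st_mode & 0o7777, st.st_size, digest)
    return manifest

def compare(baseline, current):
    """Report drift: added/removed paths and (path, reason) for changed ones."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = []
    for path in sorted(set(baseline) & set(current)):
        b, c = baseline[path], current[path]
        if b[2] != c[2]:
            changed.append((path, "content"))
        elif b[0] != c[0]:
            changed.append((path, "mode"))
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed tree: baseline it, simulate configuration drift, return the report."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    with open(os.path.join(etc, "passwd"), "w") as f:
        f.write("root:x:0:0::/root:/bin/sh\n")
    with open(os.path.join(etc, "shadow"), "w") as f:
        f.write("root:*:1::::::\n")
    os.chmod(os.path.join(etc, "shadow"), 0o600)
    base = snapshot(root)
    os.chmod(os.path.join(etc, "shadow"), 0o644)        # permissions loosened
    with open(os.path.join(etc, "passwd"), "a") as f:    # account appended
        f.write("svc:x:1001:1001::/var/svc:/bin/sh\n")
    with open(os.path.join(etc, "rc.local"), "w") as f:  # new startup file
        f.write("#!/bin/sh\n")
    return compare(base, snapshot(root))
```

Running demo() reports rc.local as added, passwd as changed in content and shadow as changed in mode, which is the drift a scheduled re-check against the stored baseline would surface.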

Software Management: It is impossible to secure a system with unknown or uncontrolled software. A software version number database should be maintained so that required patches and upgrades can be identified and deployed promptly and accurately. A production acceptance process is required for all software, major upgrades and patches. Good license management is needed to prevent availability loss due to unexpected license expiration.

Data Management: Backup procedures and schedules are required. Random restore tests should verify the backup procedure from end to end. High availability needs should be identified, and appropriate systems/solutions implemented.

Data Security: Security policies should be well documented, concise and free from implementation details. User Responsibilities and Acceptable Usage requirements should be disseminated and understood by all users. A clearly defined and understood security responsibilities matrix is required. A reporting structure for that matrix should also be in place. Logs and audit information are critical to forensic investigations and need to be recorded in a manner such that tampering is unlikely. When dealing with multiple hosts and large volumes of log files, log reduction tools like Swatch may be recommended.
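Log reduction in the Swatch sense means matching each line against an ordered rule list, discarding known noise, and raising alerts without flooding the reviewer when the same event repeats. The following is an added example, neither the checklist's nor Swatch's own code: the rule list, the throttle window and the syslog lines are constructed sample data, and the rule format is this example's own, not Swatch configuration syntax.

```python
"""Swatch-style log reduction: match each syslog line against ordered rules,
drop the noise, and raise one alert per (rule, host) within a throttle window.
Added example, not the checklist's or Swatch's own code; the rules and the
log lines are constructed sample data, not Swatch configuration syntax."""
import re
from datetime import datetime

# Constructed rules, first match wins: (name, regex, action). "ignore" drops
# the line; "alert" reports it, at most once per host per THROTTLE seconds.
RULES = [
    ("cron-noise", re.compile(r"CRON\[\d+\]: .* CMD "), "ignore"),
    ("root-login", re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (\S+)"), "alert"),
    ("auth-fail", re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+)"), "alert"),
    ("su-root", re.compile(r"su\[\d+\]: \(to root\)"), "alert"),
]
THROTTLE = 600  # seconds

# Constructed syslog lines as a central log host would collect them.
LOG = """\
Oct 30 22:40:01 fs01 CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Oct 30 22:40:05 fs01 sshd[1210]: Failed password for admin from 10.1.0.50 port 4022 ssh2
Oct 30 22:40:07 fs01 sshd[1210]: Failed password for admin from 10.1.0.50 port 4022 ssh2
Oct 30 22:41:00 db01 sshd[877]: Accepted publickey for root from 10.1.0.10 port 5010 ssh2
Oct 30 22:55:09 fs01 sshd[1290]: Failed password for guest from 10.1.0.50 port 4100 ssh2
Oct 30 22:56:00 fs01 su[1300]: (to root) ops on pts/0
"""

def reduce_log(lines, rules=RULES, throttle=THROTTLE):
    """Return (alerts, stats): alerts are (rule, host, line) tuples that survive
    reduction; ignored and unmatched lines are only counted."""
    alerts, last, stats = [], {}, {"ignored": 0, "unmatched": 0}
    for line in lines.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        stamp, host = " ".join(fields[:3]), fields[3]
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S")  # year-less syslog stamp
        for name, rx, action in rules:
            if rx.search(line):
                if action == "ignore":
                    stats["ignored"] += 1
                elif action == "alert":
                    prev = last.get((name, host))
                    if prev is None or (ts - prev).total_seconds() >= throttle:
                        last[(name, host)] = ts
                        alerts.append((name, host, line))
                break
        else:
            stats["unmatched"] += 1
    return alerts, stats
```

On the sample, the second failed login two seconds after the first is suppressed by the throttle, while the one fifteen minutes later is reported again.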

References:

Site Audit Check List Version 5.00, Geoff Halprin, The SysAdmin Group
Modifications by gurneyh AT ix DOT netcom DOT com

shrdlu AT deaddrop DOT org

Last modified: Sat Oct 30 22:44:32 PDT 2004