Introduction

This document presents some generic questions that might be asked about any information system before or during an information security risk assessment. This is not an exhaustive list.

If you run an information system at Stanford or are planning one, you should be able to answer these questions. While they are organized for the purpose of security assessment, this information is also relevant for developers, system administrators, and system owners.

 

PLANNING AND DESIGN

Classifying Data

• Is any of the data maintained by this system subject to federal regulations such as HIPAA, FERPA, or GLBA?
• Is any of the data maintained by this system subject to California State regulations such as California Civil Code 1798.82-85 (formerly SB1386)?
• Is any of the data maintained by this system subject to Payment Card Industry Data Security Standards (PCI-DSS)?
• Is any of the data maintained by this system otherwise sensitive enough or institutionally broad enough to be classified as Restricted or Sensitive?
• This table can be used to assist in determining the appropriate category of any particular data.
• Is use and storage of Restricted and Sensitive information limited to the minimum which is required for business purposes?

Risk Management

• What would be the impact to Stanford if the system were compromised, particularly regarding monetary damage, reputational damage, and contractual or regulatory obligations?
• What other systems or processes are dependent on this system?

Topology

• Diagram the system components.
• Describe the technology and architecture used.
• Are the front-end, application, and database components of the system on separated networks?
• If so, how are the networks separated, and what other systems share those networks?
• Are any of the networks protected, e.g. by firewalls or physical isolation?
• Is redundancy used for load-balancing of any components?
• Is redundancy used for failover of any components?

Data flow

• Where and how does data enter the system?  [HIPAA]
• Where and how does data leave the system?  [HIPAA]
• What are the interfaces between system components?
• What are the interfaces with other infrastructure (e.g. email, LDAP, Registry, Kerberos, AFS)?
• What protocols are used for user access?
• What protocols are used for administrative access?
• What protocols are used for data transfer between system components?
• In each case, what type and level of encryption does the protocol employ, and how are keys generated and stored?
• Are there restrictions on what quantity or type of data can leave the system?
• Are there shadow copies of any of the data?
• Do users routinely copy data to their own devices?
• Is data maintained in a shared storage environment (e.g. NFS, AFS, CIFS, drop box)?

ACCESS CONTROL

Identify Users, System Administrators, Developers

• Who are the end-users/administrators/developers of the system?  [GLBA]
• How many are there?
• What is their affiliation with Stanford?
• Are they documented, and if so how?

Access Control Administration: Authorization and Access Granting Authority

• Is access limited to only those individuals whose job requires such access?  [GLBA, PCI]
• Is there an identified person or group that administers access control changes?  [HIPAA]
• Is there an identified authority that approves requests for access to this system?  [HIPAA]
• Does the system have role-based access control? If so, how are the roles administered? Is there documentation of requests and approvals?  [PCI]
• Are there uniquely identifiable accounts for all users requiring access?  [GLBA, PCI]
• Is there a process for managers or supervisors to notify the access granting authority when a user's status or role changes?  [GLBA, HIPAA]
• Is there documentation of these changes? Is the group different from the access granting authority?  [HIPAA]
• Are accounts which are no longer needed recognized and deleted in timely and tractable manner? Is this documented?  [HIPAA]
• Is user authentication information protected from unauthorized access or modification?

Authentication and Authorization

• What method is used to authenticate end users to the system?  [PCI]
• Do end users have access to components other than the application front-end?
• How are users' authorizations determined and enforced?  [HIPAA]
• Does the system have automatic logoff and/or automatic lock capabilities to terminate a session or lock the application or device after a predetermined time of inactivity? Are those capabilities enabled?  [GLBA, HIPAA]
• Are credentials passed to the user subject to malicious reuse? Do they expire?
• Is any part of the system open to the public or to an anonymous class of users?
• Where passwords are used, are there minimum complexity requirements? How are they enforced?  [GLBA, HIPAA]
• Are users trained to understand the appropriate use of passwords and the need to keep passwords private?  [GLBA, HIPAA]
• Are there standards for password and encryption key expiration? How are they enforced?  [GLBA, HIPAA]
• How do developers gain access to the system components?
• How are developers' authorizations determined and enforced?
• How do system administrators gain access to the system components?
• Do system administrators perform privileged operations using privileged accounts separate from their personal accounts?

VPN/Remote Access

• Which network segments provide VPN access, and to whom?
• What VPN technology is used?
• What type and level of encryption does it employ?
• Does the VPN prohibit split-tunneling?
• How is the VPN user authenticated?
• Are different classes of user granted different levels of access? By what mechanism?
• Are other remote access methods employed? Describe their function and authentication mechanism.
• Is non-console administrative access encrypted?
• Does remote administrative access require two-factor authentication?

Host Interfaces

• How do external feeder systems gain access to the system components?
• How are external feeder systems' authorizations determined and enforced?
• What method is used to authenticate the system components to each other?
• Where are the components' authentication credentials stored, and in what form?
• How are the different components' authorizations determined and enforced?
• Are any forms of privilege separation used to isolate different components running on the same host from each other, from user accounts, and from the operating system?
• If shared storage is used, how is access to it controlled?

Network Access Control Devices

• What technology is in place to protect network segments from hostile traffic (e.g., firewalls, router/switch ACLs, host-based IP filters)?  [PCI]
• Are firewall configuration standards and requirements in place and documented?  [PCI]
• Is all traffic that is not required denied?  [PCI]
• Is public traffic denied to hosts that contain Restricted Data?  [PCI]
• Is NAT used?  [PCI]
• What outbound access do the protected network segments have?  [PCI]

CONFIGURATION and MANAGEMENT

Host Configuration

• Is a standard procedure followed for building host machines?  [PCI]
• Is a standard procedure followed for hardening host machines? Are all unnecessary and insecure services and protocols disabled?  [PCI]
• What network service does each host provide? Give a complete list of open ports and their functions, and version information for each corresponding service.  [PCI]
• Are these procedures documented?
• Are these procedures periodically updated?
• Are default accounts and passwords disabled or removed from the machines?  [PCI]
• Is only one primary function deployed per host?  [PCI]

Network Device Configuration

• How are network devices administered? Are secure protocols used for administration?
• How are network device configurations documented?  [PCI]
• How are network device configuration changes documented?  [PCI]

Application and Database Configuration

• Is a standard procedure followed for hardening web, application, and database components?
• Are default accounts and passwords disabled or removed from the system components?
• Are sample code fragments and unused libraries or stored procedures removed from the system components?

Change Control

• Is there a change management system in place?
• How are change requests made?
• Who approves change requests?
• Are changes documented and tracked?
• Is there a documented maintenance window?
• Is there a back-out procedure?

Patching and Anti-virus

• What method is used to keep operating system and application patch levels current?  [GLBA, PCI]
• What method is used to determine when patching is required?  [GLBA, PCI]
• Is there a regular schedule for updates? Are there exceptions for system-freezes?
• What method is used to validate and test operating system and application patches before deployment?  [PCI]
• Who does testing and patching, and how long does it take?
• Does patching require external network access?
• Do any of the hosts employ anti-virus software? What kind?  [PCI]
• How often are AV signatures updated, and by what means?  [PCI]

System Validation

• Are initial and periodic tests performed to validate that network devices, host operating systems, applications, and patches are up to date, properly configured, and performing as expected?

APPLICATIONS

• Are all custom applications based on industry standards of secure coding guidelines?  [PCI]
• Are all custom applications code-reviewed to verify their security?  [PCI]
• Is the format of user-supplied data restricted on input?  [PCI]
• Is input data validated against the required formats?  [PCI]
• Are required formats designed to avoid unintentional code execution at all layers of the application?
• Are the required formats specified in positive terms (permissions) or negative terms (restrictions)?
• What user-supplied data passes through each system layer unmodified?
• Is any user-supplied data passed directly into HTML code?
• Is any user-supplied data passed directly into SQL code?
• Are application proxies used to protect any system components? What kind?
• Are applications tiered so back end data can be isolated from users?

DATA INTEGRITY AND SECURITY

• Is the data or user passwords encrypted while at rest?
• Is the data encrypted while transmitted over an untrusted network?  [GLBA, HIPAA]
• What type of encryption is used? How is it configured and deployed?  [HIPAA]
• Are there any electronic mechanisms in place to corroborate the integrity of data in the system (e.g. RAID, digital signatures, checksums)?
• Are there any procedural mechanisms in place to corroborate the integrity of data in the system (e.g. double entry, paper trails)?
• If integrity checking procedures are available, how often and to what extent are they performed?
• In the event of a system compromise, are the integrity checks sufficient to determine whether data has been compromised as well?
• How are the results of integrity checks reported?

MONITORING and LOGGING

Application, Database, System, Network, and Device Logs

• What logs are kept?  [GLBA, HIPAA]
• Is sensitive data contained in logs?
• Can logs link actions to individual users?
• Is there sufficient data to roll back transactions?
• Are clocks synchronized?
• Are successful/unsuccessful accesses logged?
• Are UID, event type, and timestamp logged?

Log Maintenance and Review

• Are logs kept in a central location, separate from the system components?
• How is access to the logs controlled?
• How long are logs retained?
• Are logs manually or automatically reviewed for anomalies? If so, how?  [HIPAA]
• How are error conditions reported and to whom?
• Are procedures in place for reporting and responding to possible security incidents?

Intrusion Detection

• Are automated methods used to check the integrity of operating system and application files?
• How does the integrity check provide notification to system administrators?
• Do any of the network segments employ an Intrusion Detection System? If so, what kind?
• How often are IDS signatures updated, and by what means?
• Does the IDS provide automatic notification to administrators?
• Is there other regular host or network monitoring?

Testing

• Are security controls regularly tested?
• Are host and network vulnerability scans run regularly?
• Are penetration tests run regularly?

PHYSICAL SECURITY

• Where are the end-users/developers/administrators physically located?
• Where are the host computers and network devices physically located?
• Is the information system housed in a secure managed data center (e.g., Forsythe, Sweet)? If not, describe the security features of the location.  [HIPAA]
• Where are the external feeder systems physically located?
• Is access to central systems physically controlled and restricted?  [HIPAA]
• How are people identified and authenticated?  [HIPAA]
• How are visitors handled? Are they logged?  [HIPAA]
• How is access to individual systems restricted?  [HIPAA]
• How is access to the network restricted?
• How is media with Restricted or Sensitive data destroyed or recycled?
• How are systems with Restricted or Sensitive data destroyed or recycled?
• How is movement of systems with Restricted or Sensitive data tracked?

CONTINGENCY PLANNING and DISASTER PREPAREDNESS

Contingency Planning

• Is there an established maintenance window?
• How are security events reported?
• Is there a documented downtime or business resumption plan?  [HIPAA]
• Is there a documented disaster recovery plan that addresses procedures to restore any lost data or functionality in the event of an emergency or other occurrence, the staff responsible for carrying out data restoration, emergency contact names and numbers, important business partners and other business supply information necessary for a temporary office setup to support data restoration?  [HIPAA]
• Does the information system have the ability to support temporary access changes during an emergency?  [HIPAA]

Non-production Environments

• Is there a separate development environment?
• Is live production data used in the development environment?
• How is access to the development environment regulated?
• Is there a separate test environment?
• Is it architecturally identical to production?
• Is live production data used in the test environment?
• How is access to the test environment regulated?

Backups

• What method is used to backup data and applications?
• Do backups contain sufficient information to be able to restore the information system to a recent, operable, and accurate state?
• How often are backups performed? How long are they retained?
• Is backup data stored separately from originating systems?
• Are local backups of critical data done?
• Are backups done before systems are moved??
• Is backup data encrypted, either in transit or in storage? If so, how are keys generated and stored?
• Are accurate and complete records kept of the backups and backup media?
• Are backups periodically validated?
• Is there a separate environment to test system restore procedures?

POLICY

• Are employees familiar with the University’s information security policies?
• Have requisite employees completed security awareness training?
• Have requisite employees completed security administration training?
• Have requisite employees completed HIPAA training?
• Are employees with access to concentrated amounts of Restricted Data required to have security screening?  [GLBA]

THIRD PARTIES

• Do all third party providers meet the requisite information security requirements?  [HIPAA]
• Are appropriate signed agreements in place?  [HIPAA]

Legend:

Source of Risk Assessment question is in green:
    PCI -            Payment Card Industry Data Security Standards
    HIPAA -        Health Insurance Portability and Accountability Act of 1996
    GLBA -         Gramm-Leach-Bliley Act of 1999
    FERPA -        Family Educational Rights and Privacy Act of 1974
    SB1386 -      California Civil Code 1798.82-85 (formerly California SB1386 of 2006)