Access Control
Does the company require users to sign up to gain access?
Are account requests authorized before system access is granted?
Are access control lists used to restrict access to applications and data based on role and/or identity?
Do architectural solutions (e.g., firewalls, proxies, encryption, and other security technologies) exist to control system data flow?
Is there a division of responsibilities and separation of duties between individuals to avoid conflicts of interest?
Are users granted only enough privileges to do their jobs?
Do users with multiple accounts (privileged and non-privileged) typically log in with the least privileged account when not performing privileged functions?
Are non-privileged users prevented from performing privileged functions?
Is the system configured to lock the login mechanism after a certain number of invalid login attempts for a certain amount of time?
Is the system configured to terminate user sessions after a specified period of time based on the duration and/or inactivity of the session?
Are network and system monitoring applications used to monitor remote system access and log accordingly?
Is cryptography used to protect the confidentiality and integrity of remote access sessions?
Does the system route all remote access through a limited number of managed access control points?
Is remote access for privileged actions (e.g., software installation) allowed only for necessary operational functions?
Is WLAN access to the system authorized, monitored, and managed?
Is WLAN access encrypted according to industry best practices?
Has management established policies for the use of mobile devices?
Does the company encrypt CUI on mobile devices?
Are there policies and restrictions on access from personal or external systems?
Are there restrictions on authorized individuals regarding the use of company-owned removable media on external systems?
Is the planned content of publicly available information reviewed prior to release?
Awareness and Training
Is basic security awareness training provided to all system users prior to authorizing access to the system, if required due to system changes, and at least annually thereafter?
Do all users, managers, and system administrators receive initial and annual training appropriate to their roles and responsibilities?
Do employees with security-related roles and responsibilities receive initial and annual training on their operational, managerial, and technical roles and responsibilities?
Do users, managers, and system administrators receive annual training on potential signs and possible harbingers of an insider threat?
Does security training include communication of employee and management concerns about potential signs of an insider threat?
Audit and Accountability
Does the company create, protect, and retain records of information system audits for a period of 30 days to one year (depending on the data source and applicable regulations) to enable monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activities?
Can the organization clearly track and hold accountable users who perform unauthorized actions?
Does the organization review and update audited events annually or when significant system changes occur or as needed?
Is there a real-time alarm when a defined event occurs?
Does the system alert employees with security responsibilities in the event of an audit processing failure?
Does the company use mechanisms for integrating review, analysis, correlation, and reporting processes across multiple repository locations?
Does the system provide audit reduction and reporting capabilities?
Does the system protect audit information and audit tools from unauthorized access, modification, and deletion?
Does the system use internal system clocks to generate timestamps for audit records?
Is access to audit functionality management allowed only to a limited group of privileged users?
Configuration Management
Are baseline configurations developed, documented, and maintained for each information system type?
Are changes tracked and documented in an approved IT service management (ITSM) system or equivalent tracking service?
Are configuration changes tested, validated, and documented before they are installed on the operational system?
Are authorized personnel approved and documented by the service owner and IT security?
Does the system employ processing components with minimal functionality and data storage?
Are only applications and services configured and enabled that are needed for the system to function?
Is the information system configured to run only authorized software?
Are there user controls in place to prevent the installation of unauthorized software?
Identification and Authentication
Are company and service accounts centrally managed and automatically deleted when an employee leaves the company?
Do all passwords follow the best practice of at least 12 characters and require a mix of upper and lower case letters, numbers and special characters?
Is multifactor authentication used for local access to authorized accounts?
Are replay-resistant authentication mechanisms used for network access to privileged accounts?
Are account identifiers uniquely assigned to employees, contractors, and subcontractors?
Are user or device identifiers deactivated after a period of inactivity (e.g., 30 days)?
Does the organization specify a level of complexity, such as whether account passwords must be at least 12 characters long and contain a mix of upper and lower case letters, numbers, and special characters, including minimum requirements for each type?
Is password reuse limited to a certain number of generations?
Are temporary password activation links sent to authorized employees in case they need to reset or change a password?
Does the company follow the best practice of "salting" hashed passwords?
Do the authentication mechanisms obscure the feedback of authentication information (e.g., by masking typed passwords) during the authentication process?
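The password and account-lockout items above (minimum length and complexity, reuse limited to a number of generations, salted hashing, lockout after repeated failures, and feedback that reveals nothing beyond success or failure) can be checked mechanically. The following is an added example written for this checklist, not code from the template's author; the thresholds (five reuse generations, five failed attempts, a 15-minute lockout) and the PBKDF2 iteration count are constructed values, not requirements stated on the page.

```python
import hashlib
import hmac
import os
import string
import time

MIN_LENGTH = 12             # from the checklist: at least 12 characters
REUSE_GENERATIONS = 5       # hypothetical: reject the last five passwords
MAX_FAILED_ATTEMPTS = 5     # hypothetical lockout threshold
LOCKOUT_SECONDS = 900       # hypothetical lockout window (15 minutes)
PBKDF2_ITERATIONS = 100_000 # constructed value; tune for your hardware

def meets_complexity(pw):
    """12+ characters containing upper, lower, digit and special characters."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return len(pw) >= MIN_LENGTH and all(any(c in cls for c in pw) for cls in classes)

def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn per password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)

class Account:
    def __init__(self, password):
        self.history = []        # (salt, digest) for current and past passwords
        self.failed = 0
        self.locked_until = 0.0  # epoch seconds until which logins are refused
        self.set_password(password)

    def set_password(self, pw):
        if not meets_complexity(pw):
            raise ValueError("password does not meet the complexity policy")
        # Re-hash the candidate with each stored salt to detect reuse
        for salt, digest in self.history[-REUSE_GENERATIONS:]:
            if hmac.compare_digest(hash_password(pw, salt)[1], digest):
                raise ValueError("password reused within %d generations" % REUSE_GENERATIONS)
        self.history.append(hash_password(pw))

    def authenticate(self, pw, now=None):
        """Returns only True/False: no hint about which check failed."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return False
        salt, digest = self.history[-1]
        if hmac.compare_digest(hash_password(pw, salt)[1], digest):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.failed = 0
            self.locked_until = now + LOCKOUT_SECONDS
        return False
```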
Incident Response
Is there a company incident response policy that specifically outlines requirements for handling incidents involving CUI?
Is there a company incident response policy that specifically outlines requirements for tracking and reporting incidents involving CUI to appropriate officials?
Does the company test its incident response capabilities?
Maintenance
Does the company perform maintenance on the information system?
Are controls in place that limit the tools, techniques, mechanisms, and employees used to maintain information systems, devices, and supporting systems?
Are media that are removed from the premises for maintenance, repair, or disposal sanitized per the company’s media sanitization policies?
Are media that are provided by authorized maintenance personnel (and not normal systems administrators/owners) for troubleshooting, diagnostics, or other maintenance run through an anti-virus/anti-malware/anti-spyware program prior to using in the company’s information system?
Does the system require multifactor authentication for remote access?
Are all activities of maintenance personnel (who do not normally have access to a system) monitored?
Media Protection
Have responsible parties for data in these systems documented and ensured proper authorization controls for data in media and print?
Does the company limit CUI media access to authorized users?
Is system digital and non-digital media sanitized before disposal or release for reuse?
Are all CUI systems identified with an asset control identifier, for example, does each company laptop have an asset id tag with a unique number?
Are all CUI data on media encrypted or physically locked prior to transport outside of the company’s secure locations?
Are cryptographic mechanisms used to protect digital media during transport outside of controlled areas?
Is the use of writable, removable media restricted on the system?
Do all portable storage devices have identifiable owners?
Are data backups encrypted on media before removal from the company’s secured facility?
Personnel Security
Are individuals requiring access screened before access is granted?
Does the company disable information system access prior to employee termination or transfer?
Physical Protection
Has the facility/building manager designated building areas as “sensitive” and designed physical security protections (including guards, locks, cameras, card readers, etc.) to limit physical access to the area to only authorized employees?
Is physical access monitored to detect and respond to physical security incidents?
Are visitors escorted and monitored as required in security policies and procedures?
Are logs of physical access to sensitive areas maintained per retention policies? (This includes authorized access as well as visitor access.)
Are physical access devices (such as card readers, proximity readers, and locks) maintained and operated per the manufacturer's recommendations?
Do all alternate sites where CUI data is stored meet the same physical security requirements as the main site?
Risk Assessment
Does the company have a risk management policy?
Have initial and periodic risk assessments been conducted?
Are changes in use or infrastructure documented and assessed?
Are systems periodically scanned for common and new vulnerabilities?
Do system owners and company managers, upon recognition of any vulnerability, provide an action plan for remediation, acceptance, avoidance, or transference of the vulnerability risk?
Security Assessment
Has a periodic (e.g., annual) security assessment been conducted to ensure that security controls are implemented correctly and meet the security requirements?
Does the assessment scope include all information systems and networks, including all security requirements and procedures necessary to meet the compliance requirements of the environment?
Does the assessment include, but is not limited to, vulnerability scanning, penetration testing, security control testing and reviews, configuration testing and reviews, log reviews, and talking with company employees?
Is the assessment conducted by an independent security auditor/consultant?
Is a final written assessment report and findings provided to company management after the assessment?
Is there an action plan to remediate identified weaknesses or deficiencies?
Are continuous monitoring reports and alerts reviewed frequently (e.g., daily)?
Is the system security plan reviewed and approved by company management prior to plan implementation?
Does the company update the system security plan to address changes to the system, environment of operation or problems identified during plan implementation or security assessments?
Systems and Communications Protection
Does the system monitor and manage communications at the system boundary and at key internal boundaries within the system?
Are the company’s information security policies (including architectural design, software development, and system engineering principles) designed to promote information security?
Are physical or logical controls used to separate user functionality from system management-related functionality (e.g., to ensure that administration [e.g., privilege] options are not available to general users)?
Does the system prevent unauthorized or unintended information transfer via shared system resources, e.g., register, main memory, secondary storage?
Does the company implement DMZs (Demilitarized Zones)?
Does the system deny network traffic by default and allow network traffic by exception?
Are controls in place to prevent split tunneling in remote devices, and to mandate VPN use when necessary for business functions?
Are cryptographic mechanisms used to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures?
Are processes and automated mechanisms used to provide key management within the information system?
Do communication cryptographic mechanisms comply with applicable policies, standards, and guidance?
Have collaborative computing devices (e.g., cameras, microphones, etc.) been configured so they cannot be remotely activated?
Is the use of VoIP authorized and monitored?
Does the system provide mechanisms to protect the authenticity of device-to-device communications sessions?
Are there controls used to protect CUI while stored in company information systems?
System and Information Integrity
Are system errors detected, reported, and corrected within the timeframes defined by the organization?
Does the organization employ malicious code protection mechanisms at system entry and exit points to minimize the occurrence of malicious code? (System entry and exit points can include firewalls, email servers, web servers, proxy servers, remote access servers, workstations, notebooks, computers, and mobile devices.)
Does the company receive security alerts, recommendations and instructions from reputable external companies?
Does the company update information system protection mechanisms (e.g., antivirus signatures) within 5 days of new versions?
Does the company perform regular scans of the information system for malware?
Are scans performed within the timeframe that is in policy or within the system security plan?
Does the company monitor the information system to detect attacks and signs of potential attacks, as well as unauthorized local, network and remote connections?
Is unauthorized use of the system detected (e.g., through log monitoring)?
Please note that this checklist template is a hypothetical appuses-hero example and provides only general information. The template is not intended to replace, among other things, workplace health and safety advice, medical advice, diagnosis or treatment, or any other applicable law. You should seek professional advice to determine whether the use of such a checklist is appropriate in your workplace or jurisdiction.