Security Checklist
Have there been any recent fraud incidents at the facility being used in the service engagement? Describe the incidents an
Have there been any recent security incidents (e.g., theft of property, vandalism, network intrusion, loss of personally identif
etc.)? Describe the incidents and actions to address them specifically and prevent future incidents.
Have there been any recent audit reviews? What were the issues? How were they remediated?
Have there been any recent network configuration changes?
Have there been any recent platform changes or are there any planned?
Have there been any changes to the facility, or are there any planned?
Are visitors signed into the building by an employee who accepts responsibility for the visitors during the course of their visit
Are all visitors issued numbered visitor badges, or does the badge include the visitor's name?
Are all visitor badges required to be turned in at the end of the day?
Are employees and contractors required to show proper identification (badge with photo ID) to gain entrance to the building
Are employees, contractors, and visitors required to have badges visible?
Do you use a guard service?
Who is the guard service provider?
Are guards licensed through the state/territory/province?
If not licensed, are background checks conducted on the guards?
What is the guard staff turnover?
Is there a process for authorizing access to secured areas?
Is there an audit process in place to monitor who has access to secured areas on a periodic basis?
Is access to sensitive areas (server location, tape library, computer room, etc.) physically restricted to authorized personnel?
Are your facilities physically secured (all accesses are locked or guarded)?
Is there an access control system?
Are access control logs periodically reviewed and retained per retention requirements?
Are all emergency exits secured, alarmed, and functioning properly?
Is access to cable and wiring closets restricted? Explain how it is restricted.
Is there an intruder detection/alarm system? If yes, is it deemed adequate for the operation?
Is the intruder alarm system connected to (monitored by) a security company or a law enforcement agency?
Do you use cameras to monitor the facility on a 24x7 basis?
Are all cameras operating and positioned properly to view activity at all entrances/exits to the facility and sensitive areas (e.
What preventive measures do you have in place regarding portable systems? Cable locks for laptops? Other security me
Do Policies or Procedures include an Acceptable Use Policy (including computer resource use, fax, phone, Internet access,
Do Policies and Procedures include data and system authorization access criteria and mechanisms to ensure least-privilege
access, as well as procedures to validate and maintain user access rights (e.g., add new users, modify the access levels of e
Do Policies and Procedures include an Authorized Use Policy including user responsibilities for data confidentiality, privacy,
unauthorized access?
Do Policies and Procedures include a Network Security and Network Access control policy which includes (if applicable) pol
wireless access?
Do Policies or Procedures include a Change Control Policy including the assignment of responsibility and accountability for
components prior to implementation?
Do Policies or Procedures address ways to resolve complaints and requests relating to security, confidentiality, and availabi
agencies and use of a third-party dispute resolution process?
Do you have policies and procedures to address handling security breaches and other incidents, including Notification of Af
Do Policies or Procedures address monitoring for compliance and exceptions to the security policies, standards, and proced
etc.)?
Do Policies and Procedures include a provision for the identification of, and compliance with, applicable laws and regulations
provide details on what procedures are in place to handle breaches or fraudulent activity once identified.
Do Policies and Procedures include data classification and procedures for labeling, retention, handling and destroying data
security controls based on the data classification?
Are security policies or procedures periodically reviewed, updated, and approved by a designated individual or group? How
Are policies or procedures accessible to employees, contractors, and sub-vendors and are changes to these policies comm
Is a data retention and disposal policy in place to limit storage amount and retention time of G4S proprietary data to that wh
documented in the G4S Data Retention Guidelines and Requirements?
Describe the types of G4S proprietary data including the format used that is processed, stored, accessed, and displayed. S
card member account numbers. Is this documented formally in an Asset Inventory which includes the type of data and stor
Is G4S proprietary information accessible to employees, contractors and/or sub-vendors based on business need to know o
controlled?
Is G4S proprietary information protected from unauthorized disclosure and not divulged without express approval?
Are safeguards in place for all G4S personalized material on-site including labels, reports, tapes and blank stock?
Is G4S data disseminated in a secure manner?
Is G4S data labeled in a manner that is appropriate to its classification?
Are obvious identifiers used to identify G4S information?
Does the application permit a user to save reports, capture screenshots, etc. and store the G4S data to a local system (wor
Is G4S work conducted in an area that has the necessary controls in place to ensure adequate protection of G4S informatio
If employees supporting G4S services have internet access, what controls are in place to protect G4S data from potential c
Are there internet usage policies documented that include provisions to protect data confidentiality (dissemination of sensitiv
representative of the company, etc.) and have employees been advised of and agree to such policies?
Are any system interfaces used that could potentially retain G4S data (e.g., databases, replication utilities, website cookies, w
the data? Is the data deleted after it is no longer needed and what is the process of deletion?
Is any of G4S sensitive data retained? Describe purpose and retention procedures.
If call recording is performed, is encryption, access controls and other security controls in place to protect the confidentiality
Are there procedures for Service Provider relationships with access to G4S data that include initial security due diligence, ri
compliance visits or audits, and compliance enforcement?
Is all G4S Data logically separate from other customers' data and identifiable as G4S Data?
Has a risk analysis been performed to identify the need for physical separation (e.g., separate servers) of G4S stored data?
Is a disposition strategy in place and documented (e.g., a sensitive data disposal policy) which includes: sensitive trash and el
Is all sensitive computer room trash shredded or erased?
Are areas kept clear of sensitive material left lying around (fax areas, down lines, printouts, etc.)? Sensitive material is anything
number, Social Security number, spending info, Membership Rewards account info, etc.
Is sensitive trash contained in locked bins until disposed?
Are there procedures for secure destruction of sensitive data on tapes and other electronic media (including hard drives) tha
controls for the media prior to destruction?
Is a certified (e.g., NAID-certified) external company employed to remove sensitive waste for destruction, and has their process
Are there procedures for secure handling of sensitive data on removable media (e.g., tape, CD, disk, USB devices) in s
encryption?
Do employees (or applications) accessing G4S data or systems currently require G4S-issued user IDs to access G4S syste
Are there any generic, temporary, guest, shared, application level, or group logins used? If so, describe associated controls
using these IDs.
Are User IDs reviewed periodically to ensure that IDs inactive for 90 days are removed from the system?
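The 90-day inactive-ID review asked about above is easy to automate against a user export. The following is an added example, not part of the checklist and not G4S code: it assumes a constructed CSV export with the columns user_id, created, last_logon and enabled (a real LDAP, Active Directory or application user-table export needs its own column mapping), and it treats an ID that has never logged on as idle from its creation date so that stale, never-used IDs are caught as well.

```python
"""Periodic user ID review: find IDs with no logon in the last 90 days.

Added example; it is not part of the checklist and not G4S code. The
input is a constructed CSV export with the columns user_id, created,
last_logon and enabled; a real directory export (LDAP, Active Directory,
an application's user table) will need its own column mapping. The 90-day
threshold is the one named in the checklist item.
"""
import csv
import io
from datetime import date, timedelta

INACTIVITY_DAYS = 90

# Constructed sample export. "never" means the ID has never logged on; such
# IDs are judged on their creation date instead of a last-logon date.
SAMPLE_EXPORT = """\
user_id,created,last_logon,enabled
alice,2023-01-10,2024-05-30,true
bob,2022-06-01,2024-02-01,true
carol,2024-05-20,never,true
dave,2023-11-15,never,true
svc_backup,2021-03-03,2024-06-01,true
erin,2022-08-08,2023-12-31,false
"""


def parse_export(text):
    """Parse the CSV export into dicts with real date objects."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_logon"].strip().lower()
        accounts.append({
            "user_id": row["user_id"].strip(),
            "created": date.fromisoformat(row["created"].strip()),
            "last_logon": None if last == "never" else date.fromisoformat(last),
            "enabled": row["enabled"].strip().lower() == "true",
        })
    return accounts


def find_inactive(accounts, as_of, threshold_days=INACTIVITY_DAYS):
    """Return (user_id, reason) for enabled IDs idle for at least threshold_days.

    A never-used ID is measured from its creation date, so a freshly created
    ID is not flagged but a stale never-used one is. Disabled IDs are
    skipped because they are already out of use; whether they have also been
    deleted is a separate check.
    """
    cutoff = as_of - timedelta(days=threshold_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["last_logon"] is None:
            if acct["created"] <= cutoff:
                findings.append((acct["user_id"], "never logged on since creation"))
        elif acct["last_logon"] <= cutoff:
            idle = (as_of - acct["last_logon"]).days
            findings.append((acct["user_id"], f"last logon {idle} days ago"))
    return findings


def review(text=SAMPLE_EXPORT, as_of=date(2024, 6, 10)):
    """Run the review; returns {user_id: reason} for IDs to disable or remove.

    as_of is fixed so the sample is reproducible; use date.today() in practice.
    """
    return dict(find_inactive(parse_export(text), as_of))


if __name__ == "__main__":
    for uid, reason in sorted(review().items()):
        print(f"{uid}: {reason}")
```

Against the sample export, review() flags bob (last logon 130 days before the review date) and dave (created seven months earlier and never used); carol is a new ID and is left alone, and erin is already disabled. Feeding the result into the removal or disable step, rather than just producing a report, is what turns the periodic review into a control.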
Are screen savers activated after a period of inactivity requiring a password to reactivate? Alternatively, does the terminal s
reactivate?
Are there policies and security controls to prevent and detect unauthorized transfer of confidential information via mobile de
cameras, cell phones), instant messaging, email and other communication mechanisms?
Are terminal screens protected from viewing by unauthorized personnel?
Are hardware, operating system, and application software configuration tables restricted to appropriate personnel?
Are utility programs that can read, add, change or delete production data or programs restricted to authorized technical serv
computer operations?
Is access to network devices and storage media controlled, logged, and reviewed for unauthorized access? How often is th
Do all systems and devices (Servers, workstations, VPN, routers, RAS, etc.) have mechanisms in place to identify the syste
logon help messages?
Is the listing of all master passwords (System Level Passwords) stored in an encrypted database and an additional copy ma
Are there procedures in place to track and review user access activity?
Are there documented procedures in place to periodically review user access activity logs and/or reports which includes act
retained?
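A periodic review of user access activity logs, as asked about in the two items above, needs concrete checks rather than a reading of raw log lines. The following is an added example, not part of the checklist and not G4S code: it runs over constructed sshd-style authentication records and reports the findings such a review most often looks for, namely bursts of failed logons (and whether a burst ended in a success), successful logons outside business hours, and any use of generic or shared IDs (the item on generic and shared logins earlier in this section). The log format, the business-hours window, the burst threshold and the GENERIC_IDS set are all assumptions.

```python
"""Periodic review of user access activity logs.

Added example; it is not part of the checklist and not G4S code. The log
lines are constructed sshd-style records; the business-hours window, the
burst threshold and the GENERIC_IDS set are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
GENERIC_IDS = {"admin", "guest", "test", "operator"}  # assumed shared/generic IDs
BURST_COUNT = 5                    # failures within BURST_WINDOW that count as a burst
BURST_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 in the log's local time

# Constructed sample log: a password-guessing burst against bob that succeeds,
# a probe of the generic "admin" ID, two off-hours logons, and a slow trickle
# of two failures for alice that should not be flagged.
SAMPLE_LOG = """\
2024-06-10T08:02:11 host1 sshd[1201]: Accepted publickey for alice from 10.1.2.3 port 5020 ssh2
2024-06-10T08:05:40 host1 sshd[1210]: Failed password for bob from 10.1.2.9 port 5101 ssh2
2024-06-10T08:05:43 host1 sshd[1211]: Failed password for bob from 10.1.2.9 port 5102 ssh2
2024-06-10T08:05:47 host1 sshd[1212]: Failed password for bob from 10.1.2.9 port 5103 ssh2
2024-06-10T08:05:51 host1 sshd[1213]: Failed password for bob from 10.1.2.9 port 5104 ssh2
2024-06-10T08:05:55 host1 sshd[1214]: Failed password for bob from 10.1.2.9 port 5105 ssh2
2024-06-10T08:06:02 host1 sshd[1215]: Accepted password for bob from 10.1.2.9 port 5106 ssh2
2024-06-10T12:30:00 host1 sshd[1300]: Failed password for invalid user admin from 203.0.113.7 port 44021 ssh2
2024-06-10T23:41:19 host1 sshd[1402]: Accepted publickey for carol from 10.1.2.5 port 5200 ssh2
2024-06-11T03:15:00 host1 sshd[1500]: Accepted password for operator from 10.1.2.8 port 5300 ssh2
2024-06-11T09:00:00 host1 sshd[1600]: Failed password for alice from 10.1.2.3 port 5400 ssh2
2024-06-11T09:20:00 host1 sshd[1601]: Failed password for alice from 10.1.2.3 port 5401 ssh2
"""


def parse(text):
    """Turn matching lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "Accepted",
                "user": m["user"],
                "src": m["src"],
            })
    return events


def failed_bursts(events, count=BURST_COUNT, window=BURST_WINDOW):
    """Map user -> whether a success followed the burst within `window`.

    A user is included when any `count` failures fall inside `window`
    (sliding window over that user's sorted failures, so a slow trickle of
    failures over hours is not flagged).
    """
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    flagged = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if not e["ok"]]
        for i in range(len(fails) - count + 1):
            end = fails[i + count - 1]
            if end - fails[i] <= window:
                # A success right after a burst is the case to look at first.
                flagged[user] = any(e["ok"] and end <= e["ts"] <= end + window for e in evs)
                break
    return flagged


def off_hours_successes(events, hours=BUSINESS_HOURS):
    """Successful logons whose hour lies outside the business-hours window."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["ok"] and e["ts"].hour not in hours]


def generic_id_use(events, generic=GENERIC_IDS):
    """Any attempt, successful or not, against a generic or shared ID."""
    return sorted({e["user"] for e in events if e["user"] in generic})


def review(text=SAMPLE_LOG):
    """Run all three checks over a log and return the findings."""
    events = parse(text)
    return {
        "bursts": failed_bursts(events),
        "off_hours": off_hours_successes(events),
        "generic_ids": generic_id_use(events),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

On the sample log the review reports bob as a five-failure burst that ended in a successful logon seven seconds later (the finding that warrants an immediate call to the user), carol and operator as off-hours logons, and admin and operator as generic IDs in use; alice's two failures twenty minutes apart are not reported. The same event list, bucketed per day, is also the raw material for the trend analysis asked about further down in this section.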
Are there thin-client (browser-based) applications used for data processing? Elaborate on whether these are Internet facing
If the web applications are Intranet only, are these protected from being accessed from the Internet? Elaborate on details.
Is there a documented application development process or methodology for in-house developed applications? Does it inclu
backdoors, and coding vulnerabilities (e.g., unvalidated input, cross-site scripting, insecure session management).
Is access to production servers and/or data prohibited for developers with appropriate level of approvals, documentation, ov
controls, problem management procedures)?
Is access control and monitoring in place to ensure continued adherence to development and production separation policies
Does data used in the development and test system contain direct copies of production data?
Is an adequate active load balancing system implemented to support availability requirements?
Does a single point of failure exist in the production implementation of the application?
Is a tape backup system used and are tapes transferred to a secure offsite data repository as appropriate for the application
Do you have configuration and change management procedures that include the use of standard configuration builds, serve
and approval process, back-out procedures, monitoring system and application changes, etc.?
Are there written procedures covering security patch and system updates?
Are there written procedures covering escalation procedures in the event of operational failures, or an intrusion being detec
Do you have documented security policies and procedures that are dedicated to work at home users including screening, p
network (including wireless) and telecommunications security, equipment restrictions such as company owned equipment a
support (i.e. configuration management and security patching), home-sourcing specific security training, audit and enforcem
Are host-based intrusion detection/prevention capabilities (HIDS/HIPS) used on high-risk platforms? Provide details on produ
If HIDS/HIPS is used, are there procedures in place to document and maintain the security rules?
Do you have formal problem management procedures including: problem tracking, documentation, root cause analysis, int
For proprietary (in house developed) or purchased package applications with internal authentication mechanisms, are the p
Are laptop computers that contain sensitive data protected with full-disk encryption software?
Is there a comprehensive network management program including procedures for alerting on network failures and anomalie
devices and wireless access points, access and change audit log review, etc.?
Is there a documented procedure for the addition, removal, and transport of network devices? (e.g., change management p
Is there a documented network topology/register which includes phone (PBX), voice and wireless networks? How is it main
Is there a network Intrusion Detection System (IDS) implemented to detect unauthorized traffic on the internal network? Inclu
What is the immediate response? How are event management and forensics handled?
For all wireless networks, are transmissions encrypted using Wi-Fi Protected Access (WPA or WPA2) technology, IPSEC VP
If network IDS is implemented, are there Internet facing IDS sensors documented and maintained to detect attempted attac
Are first-level firewalls (in front of the web servers) implemented to protect the web servers from attack? Include information
Are second-level firewalls (in between the web servers and application servers) implemented to provide additional security t
web servers are compromised? Include information on how the firewall rules are documented and maintained.
Are all Internet systems implemented to ensure that sensitive data cannot be downloaded by an unauthorized person(s) wh
tier architectures, no sensitive data stored unencrypted on web tier, etc.)
Are there mechanisms, such as firewalls, in place to protect the internal network from exterior networks (Internet, other conne
Is virus and spyware detection software utilized on all susceptible platforms (desktops, laptops, email gateways, servers, pr
system? List platforms.
Is the virus protection managed on all platforms to ensure anti-virus engines and signature files remain current to provide m
Are all systems including network and storage devices maintained with up-to-date security patches for the operating system
and procedures for confirming these (vulnerability scanning, manual review, etc.).
Is there regular system and application vulnerability scanning performed using commercial scanning tools? How is the tool
Are independent security providers used to conduct periodic security reviews, vulnerability assessments, and/or penetration
Are there internal reviews conducted on system security controls as part of internal audit or other review functions? Are res
management?
Are there internal reviews conducted at remote or satellite company locations (including development and data centers, cus
policies, standards, and procedures?
Are logs analyzed to identify trends that may have a potential impact on the ability to achieve system security objectives?
Are regular IT staff meetings held to address system security concerns and trends? Are findings discussed at periodic man
Do you have procedures in place for periodic review of sensitive systems, infrastructure, and applications including frequen