LC System Test

<Service/Infrastructure Unit>
<System Name> (<System ID>) Security Test

& Evaluation Plan and Report
Version <X.X>
<Month DD, YYYY>
Information Categorization: Moderate

<SYSTEM NAME> SYSTEM TEST & EVALUATION PLAN <Month DD, YYYY>
Revision History
Revision Date Revised By Notes

August 8, 2005 Steve Elky Initial document
April 3, 2006 Steve Elky Updated to include Feb 2006 updates of ITSDir 02, 03 and
March 2006 update of ITSDir01
April 6, 2006 JHPoole Modified Table 7 to include column for SP800-53 control
mapping
April 18, 2006 Security Team Re-Organize Table 7 for 800-53 specific security class
groupings
April 20, 2006 Steve Elky Update introductory sections. Separate out test cases as
distinct test cases and provide guidance for when to use
which test cases. Review and update of test cases and test
elements.
April 25, 2006 Security Team Correct mistakes in the "Expected Result" and "I/D/O/T"
fields of Figures 7 through 19.
May 1, 2006 Steve Elky Addressed comments from Security Team to Section 1
May 2, 2006 Jeremy Katz Corrections based on Darren’s comments
May 8, 2006 Steve Elky Finalized template
i Information Categorization: Moderate

Table of Contents
1 Introduction..............................................................................................................................1
1.1 Purpose............................................................................................................................1
1.2 Scope................................................................................................................................1
1.3 System Background.........................................................................................................1
2 Testing Process........................................................................................................................2
2.1 Overview of the Testing Process.....................................................................................2
2.2 Personnel Roles, Responsibilities and Activities.............................................................3
2.3 Test Documentation.........................................................................................................3
2.3.1 Test Cases and Test Case Worksheets.........................................................................3
2.3.2 Problem Tracking Reports...........................................................................................5
2.3.3 ST&E Report...............................................................................................................6
2.4 Certification of ST&E Results.........................................................................................6
3 Library of Congress <system name> Test Case Summary.....................................................7
3.1 Description of Problem/Need..........................................................................................8
3.2 Testing Configuration......................................................................................................8
3.3 Test Schedule...................................................................................................................8
3.4 Configuration Management.............................................................................................8
4 <System Name> Security Test & Evaluation...........................................................................9
4.1 Questionnaire (Q) Test Case............................................................................................9
4.2 General System (GE) Test Case....................................................................................12
4.3 Hosted Application (HA) Test Case..............................................................................56
4.4 Hosting Environment (HE) Test Case...........................................................................59
4.5 Infrastructure General (IG) Support System Test Case.................................................78
4.6 Media (ME) Test Case...................................................................................................95
4.7 Office Automation (OA) Test Case...............................................................................97
4.8 Public E-authentication Systems (PE) Test Case........................................................117
4.9 Re-Accreditation (RA) Test Case................................................................................119
4.10 Remote Computing (RC) Test Case............................................................................130
4.11 Stand-Alone System (SA) Test Case...........................................................................142
4.12 Security Program (SP) Test Case................................................................................143
4.13 Wireless Computing (WC) Test Case..........................................................................182
5 <System Name> Problem Tracking Report..........................................................................185
Index of Figures
Figure 1 – Testing Process...............................................................................................................2

Figure 2 – Testing Personnel...........................................................................................................3
Figure 3 – Test Case Worksheet Fields...........................................................................................4
Figure 4 – Problem Tracking Report...............................................................................................5
Figure 5 – Test Cases in Scope........................................................................................................7
Figure 6 – Testing Configuration....................................................................................................8
Figure 7 – Questionnaire (Q) Test Case..........................................................................................9
Figure 8 – General System (GE) Test Case...................................................................................12
ii Information Categorization: Moderate

Figure 9 – Hosted Application (HA) Test Case.............................................................................56

Figure 10 – Hosting Environment (HE) Test Case........................................................................59
Figure 11 – Infrastructure General (IG) Support System Test Case.............................................78
Figure 12 – Media (ME) Test Case...............................................................................................95
Figure 13 – Office Automation (OA) Test Case...........................................................................97
Figure 14 – Public E-authentication Systems (PE) Test Case.....................................................117
Figure 15 – Re-Accreditation (RA) Test Case............................................................................119
Figure 16 – Remote Computing (RC) Test Case.........................................................................130
Figure 17 – Stand-Alone System (SA) Test Case.......................................................................142
Figure 18 – Security Program (SP) Test Case.............................................................................143
Figure 19 – Wireless Computing (WC) Test Case......................................................................182
Figure 20 – <System Name> Problem Tracking Report..............................................................185
iii Information Categorization: Moderate

1 Introduction
The Library of Congress (LC), an agency of the legislative branch of the government, is the
world’s largest and most comprehensive library, maintaining a collection of more than 124
million items – many of them unique and irreplaceable- in more than 450 languages. It directly
serves not only the Congress, but also the entire nation.
1.1 Purpose
This document sets forth a plan for verifying whether the Library of Congress <System Name>
has implemented necessary security measures and safeguards identified in the <System Name>
System Security Plan (SSP), Version <X.X>, dated <Month DD, YYYY>.
The Security Test and Evaluation (ST&E) Plan addresses the security of the Library of Congress
functional operations. It examines operational access issues, control and error checking, and
performance testing. A Security Test and Evaluation (ST&E) must be conducted and
documented at least every three years as part of the Certification and Accreditation (C&A)
process and when a significant change occurs to a system or application, including, but not
limited to the addition of new security controls. The ST&E tests that all security controls
function as designed and that the security design includes the needed security specifications
(controls) to meet the assurance level specified by the written security goals established for the
system.
The Library of Congress <System Name> ST&E Plan outlines the objectives, approaches, and
specific tests required to verify – from a security perspective – that the Library of Congress
<System Name> function as designed. The test plan serves as a detailed set of instructions, used
by the Library of Congress <System Name> Testing Team, to ensure that the functional
requirements of the <System Name> perform correctly.
1.2 Scope
This ST&E contains multiple test cases that cover all aspects of IT Security testing. However, a
particular system is only tested according to the areas within the security boundary. The security
boundary for <System Name> can be found in the <System Name> System Security Plan.
<This section describes the projected boundaries of the planned tests. Include a summary of any
constraints imposed on the testing. Describe constraints in detail.>
1.3 System Background
The <Service/Infrastructure Unit> <System Name> is the Library of Congress Office responsible
for <insert general function of Service/Infrastructure Unit>. The <System Name> provides
functionality for <insert system function(s).>
1 Information Categorization: Moderate

<System Name> is a Major Application hosted on the Library of Congress Application Hosting
Environment (AHE). The AHE serves as the General Support System (GSS) for multiple
applications. The AHE provides general services that are shared by multiple applications. As a
Hosted Application, <System Name> relies upon the security controls within the AHE. Many of
the security controls that would typically be documented in a System Security Plan (SSP) for a
Major Application can be found in the LC DMZ/Internet and LC Intranet SSPs.
<System Name> relies on the primary network for access to the Internet. There are no dial-up
lines that access <System Name> directly. There are no environmental or technical factors that
raise special security concerns for <System Name>. Since <System Name> runs on the
Application Hosting Environment (AHE), protection of <System Name> and information is
performed by AHE.
2 Testing Process
2.1 Overview of the Testing Process
Per ITSDir01, ST&E is a formal review that must be conducted by personnel having no stake or
responsibilities concerning the system. The ST&E Plan may be developed by the system owner,
but will always be reviewed by the Testers. The Test Team will typically be part of the
Certification Team.
For new systems ST&E is performed on a final production build of the system in the Library of
Congress Test Lab (LCTL) or another non-production area or the Library of Congress Data
Network. For systems already in production that are being re-accredited, this testing can be
performed on the production system, or an identical test system built in the LCTL for this
purpose. The <System Name> is being <tested for the initial accreditation in the LCTL/tested for
re-accreditation on a test system built in the LCTL/tested for re-accreditation on the production
system> and is physically located in <LCTL / Other non-production area / production area
located in______>.
The Testers, along with assistance from the system owner’s representatives, perform the actual
testing. The test cases determined to be relevant to the system are executed. Each test element is
tested and the results are recorded in the ST&E Report. Test elements that do not successfully
pass are also recorded in the problem tracking report. The Certifying Official will direct the
Testers and review and certify the results of the ST&E, and the problem tracking report.
The outcome of the ST&E is used to verify the System Security Plan and as a basis to the Risk
Assessment. The testing process will adhere to the high-level process flow shown in Figure 1 –
Testing Process.

Figure 1 – Testing Process

Create Test ST&E Report/ Certify ST&E
Create/
System/Prepare Validate Problem Report/
Update Perform
Start Production ST&E Tracking Problem End
ST&E ST&E
System for Plan Report Tracking
Plan
ST&E Report
Plan not approved
2.2 Personnel Roles, Responsibilities and Activities
The testing process involves resources other than the test plan. The delegation of responsibilities
and delineation of the participants involved during each phase of the test process is important to
ensure an efficient and forward moving test cycle. Figure 2 – Testing Personnel identifies the
roles, responsibilities, and activities of those involved during the various test phases of the
system.
Figure 2 – Testing Personnel

Task Role Test Planning Perform Testing Test Reports
Certifying - Provides direction and - Ensures progress of - Certifies ST&E Report
Official input to Test Case Creators testing
- Final approval of test plan

Test Team - Reviews and validates test - Performs ST&E, - Creates ST&E Report
plan and test cases documenting test results
Test Case - Ensures that adequate test - N/A - N/A
Creators cases are in place to
achieve the goals of the
ST&E
System Owner - Ensures that system is - N/A - Receives ST&E Report
prepared for ST&E
- Ensures that Test Cases

Creators are assigned.
(Note that the Testers and
Test Case Creators may be
the same personnel.)
2.3 Test Documentation
Throughout the entire testing process, the Test Team will maintain documentation. The Test
Team will maintain the testing results, including a list of non-compliant items (failed test items)
encountered during the tests. After testing is completed, the Test Team will generate the ST&E
Report.
2.3.1 Test Cases and Test Case Worksheets
The test cases will contain the specific tests to be carried out to ensure that the <System Name>
meets the security requirements and that all security controls operate as expected. Security
requirements are drawn from:

 LCR 1620 – IT Security Policy of the Library of Congress

 Library of Congress IT Security Directives
 NIST SP 800-53, Recommended Security Controls for Federal Information Systems
 Best practices in IT Security
The Test Team will fill out the test case worksheet as each test element is completed. The
Certifying Official will work closely with the Test Team to help resolve any issues or problems
that may occur during testing.
Figure 3 – Test Case Worksheet Fields

Test Requirement Test Expected Test Case SP800-53 Tester Full I D O T Pass /
Element Source Description Result Controls Name, Date, Failure
Number Initials, and Category
Comments
Name:
Initials:
□ Pass
□ Failure
1.1
□ N/A
Test Date:
Comments:
1 2 3 4 5 6 7 8 9 10 11 12
The test case worksheet will contain the following:
1. Test Element Number: Identifies the test element number.

2. Requirement Number: Maps test element back to the Requirements Source.
3. Test Description: Indicates the type of test that will be performed, including the
parameters for the tests (e.g., amount of data, time to complete, number of errors,
etc.)
4. Expected Result: Identifies the expected outcome for each test.

5. Test Case: Identifies particular test case or test cases to which the test element
belongs. If a test element is in more than one test case, it is noted here to ensure that
test element updates are consistent across all test cases.
6. SP 800-53 Controls: SP 800-53 control families related to the requirement.
7. Tester Full Name, Date, Initials, and Comments: Name of the person performing the
test, initials (signature) of the person performing the test, the date the test was
performed, and any relevant comments from the tester.
8. I: Test element is of type Interview. Test was conducted by interviewing an
individual.
9. D: Test element is of type Documentation. Test was conducted by reviewing
documentation.
10. O: Test element is of type Observation. Test was conducted by observing the actions
of an individual.
11. T: Test element is of type Technical. Test was conducted by executing a technical
test.
12. Pass / Failure Category: Identifies whether the test passed, failed, or was non-
applicable (N/A) with a checkmark (X) in the appropriate checkbox ☒. On failure,
the appropriate entry is made in the Comments field and a detailed explanation is
entered in the Problem Tracking Report.
2.3.2 Problem Tracking Reports
Any issues encountered during testing will be logged in the problem tracking report. The
problem tracking report must include the test case Element Number and give a detailed
description of the issue.
Figure 4 – Problem Tracking Report

<SYSTEM NAME>Problem Tracking Report
Test SP800- Test

Test Expected Actual Test Resulting
Element 53 Result
Description Result Result Case Action
Number Controls Comments
1 2 3 4 5 6 7 8
1. Test Element Number: Identifies the test element number.

2. Test Description: Indicates the type of test that will be performed, including the
parameters for the tests (e.g., amount of data, time to complete, number of errors,
etc.)
3. Expected Result: Identifies the expected outcome for each test.
4. Actual Result: Identified the actual outcome of the test. This will always be some
type of failure.
5. Test Case: Identifies particular test case or test cases to which the test element
belongs.

6. SP 800-53 Controls: SP 800-53 control families related to the requirement.

7. Test Result Comments: Any comments on the nature of the test outcome.
8. Resulting Action: This can be any action resulting from the test outcome: (e.g.,
acceptable failure communicated to management to Change Request CR123-2
submitted)
2.3.3 ST&E Report
The ST&E Report represents the output of the ST&E. It ties together all documents and
information produced during the ST&E. It incorporates the information contained within the test
plan, completed test case worksheets, and the problem tracking report.
2.4 Certification of ST&E Results
Per the IT Security Directives, the Certifying Official must review the ST&E results and certify
that they are accurate.

3 Library of Congress <system name> Test Case Summary
Figure 5 – Test Cases in Scope lists all the test cases developed for the ST&E by the IT Security
Group along with any additional test cases developed for this system. Test cases that are In
Scope are executed and included in the ST&E Report. Many of the test cases are outside the
security boundary of a particular system and are included for completeness.
To determine if a test case is in scope, use the following table.
Figure 5 – Test Cases in Scope

Test Case Determination Examples In
Scope
General System (GE) Always utilize this test case Technical authentication
Test Case controls
Hosted Application Utilize this test case for all major applications, Authentication and
(HA) Test Case regardless of whether or not they are hosted. authorization
Hosting Environment Utilize this test case for Hosting Environments. Operating system
(HE) Test Case Additionally, utilize this test case for major controls, backup
applications not hosted within a Hosting
Environment.
Infrastructure General Utilize this test case for systems providing Boundary protection,
(IG) Support System general IP network infrastructure to the Library. network device
Test Case Additionally, utilize this test case for major connection
applications not utilizing the LCDN.
Media (ME) Test Case Utilize this test case for systems that maintain Media library access
media Libraries controls
Office Automation Utilize this test case for file, print and message Browser settings,
(OA) Test Case systems and general-purpose workstations. protection of passwords
on workstations
Public E- Utilize this test case for systems that require Establishment of identity
Authentication (PE) identification of external non-Library users prior to issuing user
Test Case credentials
Questionnaire (Q) Utilize this test case when performing C&A on a General information on
Test Case legacy system, but do not include the results in system users, purpose,
the ST&E Report. The results are included in the etc.
System Security Plan. A legacy system is
defined as a production system that was not
certified and accredited prior to being placed into
production.
Re-accreditation (RA) Utilize this test case for all systems undergoing Log review
Test Case reaccredidation
Remote Computing Utilize this test case for system providing remote Personal firewall settings
(RC) Test Case access to Library systems or being used for
remote access to Library systems
Security Program (SP) Utilize this test case to evaluate the IT security Roles and responsibilities
Test Case program and policies of CISO
Stand Alone System Utilize this test case for stand alone systems not Systems with permanent
(SA) Test Case connected to the Library’s network modem connections
Wireless Computing Utilize this test case for systems providing 802.1x authentication
(WC) Test Case wireless access to Library systems
<Additional Test
Cases>

3.1 Description of Problem/Need
LCR 1620 requires that all IT systems undergo periodic certification and accreditation.
Moreover, IT Security Directive 01 requires that Security Test & Evaluation be part of this
process. The Library of Congress has chosen to follow the guidance given in the Federal
Information Security Management Act of 2002 (FISMA) and is completing a security
certification process to obtain authorization and approval to operate automated information
technology (IT) systems for the collection, processing, maintenance, transmission, and
dissemination of sensitive but unclassified (SBU) information.
The Library of Congress <System Name> is <currently accredited and undergoing re-
accreditation/being certified and accredited for the first time>. <System Name> The ST&E must
test that all security controls function as designed and that the security design includes the
needed security specifications (controls) to meet the assurance level specified by the written
security goals established for the system.
3.2 Testing Configuration
The testing will be performed on the following configuration, as shown in Figure 6 – Testing
Configuration. <This diagram should be fairly close to the diagram in the System Security Plan.
If there is no diagram available, please check with the Certifying Official before proceeding.>
Figure 6 – Testing Configuration
Insert: Test Configuration Diagram
3.3 Test Schedule
<This section shows the detailed schedule of dates and events for the testing by location. Events
should include familiarization, training, test data set generation, and collections, as well as the
volume and frequency of the input for testing.>
3.4 Configuration Management
Changes to test cases are controlled through the Revision History in the ST&E Plan and the
ST&E Report documents.

4 <System Name> Security Test & Evaluation
4.1 Questionnaire (Q) Test Case
Figure 7 – Questionnaire (Q) Test Case

Tester Full
Test Pass /
Requirement SP800-53 Name, Date,
Element Test Description Expected Result Test Case I D O T Failure
Source Controls Initials, and
Number Category
Comments
Name:
□ Pass
Verify by reviewing the SSP that the Initials:
The system/application components PS-2, CM-2,
Q-1A ISD Document system/application components Q D □ Failure
(inventory) are defined in the SSP. CA-4
(inventory) are defined. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify by reviewing the certification Initials:
The certification boundary for the
memorandum that the certification PS-2, CM-2,
Q-1B ISD Document system/application is defined in the Q D □ Failure
boundary for the system/application CA-4
certification memorandum. Test Date:
is defined.
□ N/A
Comments
Name:
□ Pass
Verify by reviewing the SSP or MOA All interfaces between the
that all interfaces between the system/application and other Initials:
Q-2 ISD Document system/application and other interconnected systems are identified, Q CA-3, CM-2 D □ Failure
interconnected systems are identified, documented and approved in the SSP Test Date:
documented and approved. or MOA.
□ N/A
Comments
Name:
□ Pass
Verify by reviewing the Initials:
The class of users is identified and
system/application SSP that the class
Q-3 ISD Document briefly described in the Q PS-2 D □ Failure
of users is identified and briefly
system/application SSP. Test Date:
described.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify by reviewing the □ Pass
The interface type and interface
system/application SSP or Initials:
mechanisms for both users and
requirement specification that the
Q-4 ISD Document administrators are addressed in the Q PS-2 D □ Failure
interface type and interface
system/application SSP or Test Date:
mechanisms for both users and
requirement specification
administrators are addressed. □ N/A
Comments
Verify by reviewing the
system/application contingency plan A formal Business Impact Analysis Name:
that a formal Business Impact (BIA) has been performed and the
□ Pass
Analysis (BIA) has been performed results are documented in the
and that the results are documented in Disaster Recovery Plan or any other Initials:
Q-5 ISD Document the Disaster Recovery Plan or any Continuity of Operations Plan. The Q CP-2 D □ Failure
other Continuity of Operations Plan. potential damages resulting from a Test Date:
Verify the potential damages failure, restoration priority, and
□ N/A
resulting from a failure, restoration Maximum Allowable Downtime
priority, and Maximum Allowable (MAD) are specified. Comments
Downtime (MAD) are specified.
Name:
□ Pass
The structure and contents of the BIA Initials:
Verify that the BIA is NIST SP 800-
Q-6 ISD Document report is compliant with requirements Q CP-2 D □ Failure
34 compliant.
specified in NIST SP 800-34 Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the BIA identifies all All system functions and services Initials:
system functions and services considered critical by the
Q-7 ISD Document Q CP-2 D □ Failure
considered critical by the organization are identified in the
organization. BIA. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the BIA identifies all Initials:
All interconnected systems that rely
interconnected systems that rely on
Q-8 ISD Document on the system in order to operate Q CP-2 D □ Failure
the system/application in order to
properly are identified in the BIA. Test Date:
operate properly.
□ N/A
Comments
Name:
□ Pass
Verify that the BIA associates system The BIA associates system and Initials:
Q-9 ISD Document and infrastructure resources with infrastructure resources with each Q CP-2 D □ Failure
each critical function or service. critical function or service Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the BIA identifies the The BIA identifies the damages to
damages to each user group within each user group within the user Initials:
Q-10 ISD Document the user community and prioritize the community and prioritize the Q CP-2 D □ Failure
restoration process to minimize restoration process to minimize Test Date:
damages to the most critical groups damages to the most critical groups
□ N/A
Comments
Name:
Verify by reviewing the official
A Certifying Official (CO) was □ Pass
designation letter, or by reviewing
designated for the system/application Initials:
the SSP that a Certifying Official
in the official designation letter or
Q-11 ISD Document (CO) was designated for the Q CA-4 D □ Failure
SSP. The name, title, phone, and
system/application. Verify that the Test Date:
e-mail address of the CO are
name, title, phone, and e-mail address
specified. □ N/A
are specified.
Comments
Name:
Verify by reviewing the official
A Designated Approving Authority □ Pass
designation letter, or by reviewing
(DAA) was designated for the Initials:
the SSP that a Designated Approving
system/application in the reviewing
Q-12 ISD Document Authority (DAA) was designated for Q CA-6 D □ Failure
the official designation letter or SSP.
the system/application. Verify that Test Date:
The name, title, phone, and e-mail
the name, title, phone, and e-mail
address of the DAA are specified. □ N/A
address are specified.
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify in the SSP that a FIPS 199 The SSP contains a FIPS 199 Initials:
analysis was performed on the analysis for the system/application
Q-13A ISD Document Q RA-2 D □ Failure
system/application to determine the and determines the type of
type of information handled. information handled. Test Date:
□ N/A
Comments
Name:
Verify that if information type(s) are □ Pass
If information types are considered
considered Privacy Identifiable Initials:
Privacy Identifiable Information
Information (PII), then a Privacy
Q-13B ISD Document (PII), a Privacy Impact Analysis Q RA-2 I D □ Failure
Impact Analysis (PIA) has been
(PIA) was performed, documented Test Date:
performed, documented and
and approved.
approved. □ N/A
Comments
Name:
Verify in the SSP that the FIPS 199 The SSP contains a FIPS 199 report □ Pass
report identifies the sensitivity of that identifies the sensitivity of each Initials:
each information type handled by the information type handled by the
Q-14 ISD Document Q RA-2 D □ Failure
system/application. Information types system/application. Information types
are based on the list provided in SP are consistent with the types listed in Test Date:
800-60 NIST SP 800-60 □ N/A
Comments
Name:
Verify in the SSP that the FIPS 199 The SSP contains a FIPS 199
□ Pass
specifies the system/application analysis (that uses the FIPS 199
security categorization in the areas of notation) specifies the Initials:
Q-15 ISD Document confidentiality, integrity, and system/application security Q RA-2 D □ Failure
availability. Verify the use of FIPS categorization in the areas of Test Date:
199 notation for security confidentiality, integrity, and
□ N/A
categorization. availability.
Comments

4.2 General System (GE) Test Case
Figure 8 – General System (GE) Test Case

Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that users requiring elevated Users requiring elevated privileges Initials:
privileges sign a Privileged User sign a Privileged User Acceptance, a SA-4, SA-5,
GE-1 ITSDir01-120 GE I D O □ Failure
Acceptance, a copy of which is copy of which is immediately PL-2, PL-4
immediately submitted to ITS. submitted to ITS. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all LC IT systems have all All LC IT systems have all LC Initials:
PL-2, SA-2,
GE-2 ITSDir01-121 LC security requirements in the security requirements in the system GE D □ Failure
SA-4
system requirements. requirements. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the resources, including The resources, including budget, Initials:
budget, satisfy all system and LC satisfy all system and LC security
GE-3 ITSDir01-122 GE SA-2, SA-4 D □ Failure
security requirements are included in requirements are included in the
the business case for the IT system. business case for the IT system. Test Date:
□ N/A
Comments
Name:
Verify that the Service or Enabling The Service or Enabling □ Pass
Infrastructure Unit owning the Infrastructure Unit owning the Initials:
system ensures that the budget system ensures that the budget SA-2, SA-3,
GE-4 ITSDir01-125 GE I D □ Failure
request for the system includes the request for the system includes the SA-4
security resources required for the security resources required for the Test Date:
system. system. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Initials:
Verify that all LC IT systems has All LC IT systems have a unique
GE-5 ITSDir01-130 GE PL-2, CA-1 D □ Failure
unique identifier assigned by ITS. identifier assigned by ITS.
Test Date:
□ N/A
Comments
Name:
Verify that the Service or Enabling The Service or Enabling □ Pass
Infrastructure Unit determines the Infrastructure Unit determines the Initials:
adequacy of security requirements, adequacy of security requirements,
GE-6 ITSDir01-133 GE PL-1, SA-4 I D □ Failure
extending LCR 1620 and the IT extending LCR 1620 and the IT
Security Directives by documenting Security Directives by documenting Test Date:
any system specific requirements any system specific requirements □ N/A
Comments
Name:
Verify that all solicitations contain □ Pass
All solicitations contain language
language requiring the system to Initials:
requiring the system to comply with
comply with all LCRs and IT
GE-7 ITSDir01-135 all LCRs and IT Security Directives, GE SA-4 D □ Failure
Security Directives, including
including security requirements and Test Date:
security requirements and evaluation
evaluation and test procedures.
and test procedures. □ N/A
Comments
Name:
language requiring the system to Initials:
requiring the system to comply with
GE-8 ITSDir01-136 all LCRs and IT Security Directives, GE SA-4 D □ Failure
Security Directives, including
including security requirements and Test Date:
security requirements and evaluation
evaluation and test procedures.
and test procedures. □ N/A
Comments
Name:
language requiring the contractor to Initials:
requiring the contractor to comply
GE-9 ITSDir01-137 with all LCRs and IT Security GE SA-4 D □ Failure
Security Directives for offsite
Directives for offsite processing, data Test Date:
processing, data storage or other
storage or other hosting.
hosting. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
language permitting updating Initials:
permitting updating security controls
security controls as new
GE-10 ITSDir01-138 as new threats/vulnerabilities are GE SA-4 D □ Failure
threats/vulnerabilities are identified
identified and as new technologies Test Date:
and as new technologies are
are implemented
implemented □ N/A
Comments
Name:
□ Pass
Verify that all development and All development and integration is Initials:
integration is performed on systems performed on systems configured
GE-11 ITSDir01-142 GE SA-1 D □ Failure
configured with the relevant LC with the relevant LC technical
technical baseline for the systems. baseline for the systems. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that certification is performed Certification is performed by Initials:
by personnel other than those who personnel other than those who
GE-12 ITSDir01-160 GE CA-1, CA-6 D □ Failure
directly designed/ integrated/ directly designed/ integrated/
implemented the system. implemented the system. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that an IT responsibility is An IT responsibility is assigned to
assigned to staff using the principle staff using the principle of least Initials:
GE-13 ITSDir01-162 of least privilege, and the segregation privilege, and the segregation of GE PS-3, AC-6 I D □ Failure
of duties and the rotation of duties duties and the rotation of duties are Test Date:
are ensured. ensured.
□ N/A
Comments
Verify that Library personnel and Library personnel and non-Library
non-Library personnel (including personnel (including contractors, Name:
contractors, volunteers, etc.) using volunteers, etc.) using LC IT □ Pass
LC IT systems, undergo background systems, undergo background Initials:
screening including security screening including security
GE-14 ITSDir01-163 GE PS-2, PS-3 D □ Failure
investigations commensurate with the investigations commensurate with the
level of access accorded to them in level of access accorded to them in Test Date:
Library systems in accordance to Library systems in accordance to □ N/A
LCR 2024-3 before gaining access to LCR 2024-3 before gaining access to Comments
non-public Library systems. non-public Library systems.


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that documented IT system- Documented IT system-related job Initials:
related job descriptions are accurately descriptions are accurately reflect
GE-15 ITSDir01-166 GE PL-4, PS-2 D □ Failure
reflect assigned duties and assigned duties and responsibilities
responsibilities that segregate duties. that segregate duties. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that periodic job/shift Initials:
Periodic job/shift rotations occur for
rotations occur for employees in
GE-16 ITSDir01-168 employees in positions of significant GE PS-1 D □ Failure
positions of significant security
security sensitivity. Test Date:
sensitivity.
□ N/A
Comments
Name:
Verify that regularly scheduled Regularly scheduled vacations occur □ Pass
vacations occur for employees in for employees in positions of Initials:
positions of significant security significant security sensitivity, during PS-1, AC-2,
GE-17 ITSDir01-169 GE D □ Failure
sensitivity, during which, another which, another individual performs AC-3
individual performs the vacationing the vacationing employee’s job Test Date:
employee’s job responsibilities. responsibilities. □ N/A
Comments
Name:
Verify that system accounts are System accounts are removed in a □ Pass
removed in a timely manner in the timely manner in the case of Initials:
case of voluntary voluntary terminations/separations PS-4, AC-2,
terminations/separations (involves (involves the mutually acceptable AC-3
the mutually acceptable removal of removal of an employee from the Test Date:
an employee from the organization.) organization.) □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that system access is removed System access is removed at the same
at the same time (or just before) the time (or just before) the employees Name:
employees are notified of their are notified of their dismissal in the
□ Pass
dismissal in the case of involuntary case of involuntary terminations
terminations (involves the removal of (involves the removal of an employee Initials:
GE-19 ITSDir01-171 an employee under involuntary or under involuntary or adverse GE PS-4, AC-6 D □ Failure
adverse conditions) or when an conditions) or when an employee Test Date:
employee notifies an organization of notifies an organization of a
□ N/A
a resignation and it can be reasonably resignation and it can be reasonably
expected that it is on involuntary expected that it is on involuntary Comments
terms. terms.
Name:
□ Pass
Verify that individuals are not Individuals are not permitted to have
permitted to have elevated privileges elevated privileges on any LC IT Initials:
GE-20 ITSDir01-172 on any LC IT systems during the systems during the "notice of GE PS-4 D □ Failure
"notice of termination" period in the termination" period in the case of Test Date:
case of involuntary terminations. involuntary terminations.
□ N/A
Comments
Name:
Verify that individuals are not □ Pass
Individuals are not permitted to have
permitted to have physical access to Initials:
physical access to sensitive hardware,
sensitive hardware, software or data PL-4, PS-4,
GE-21 ITSDir01-173 software or data during the "notice of GE D □ Failure
during the "notice of termination" PS-6
termination" period in the case of Test Date:
period in the case of involuntary
involuntary terminations.
terminations. □ N/A
Comments
Name:
□ Pass
Initials:
Verify that confidentiality concerns Confidentiality concerns are
GE-22 ITSDir01-174 GE PS-4, AC-3 D □ Failure
are discussed with exiting personnel. discussed with exiting personnel.
Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that Annually Human Annually Human Resources □ Pass
Resources personnel files and personnel files and contract personnel Initials:
contract personnel lists are compared lists are compared with user accounts
GE-23 ITSDir01-175 GE PS-4, PS-5 D □ Failure
with user accounts to ensure that to ensure that terminated or
terminated or transferred employees transferred employees do not retain Test Date:
do not retain system access. system access. □ N/A
Comments
Name:
□ Pass
Initials:
Verify that account termination is Account termination is part of PS-4, AC-2,
part of employee out-processing. employee out-processing. AC-3
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that a list of authorized users Initials:
A list of authorized users and their
and their access is restricted to AC-2, AC-
GE-25 ITSDir01-177 access is restricted to administrators, GE D □ Failure
administrators, maintained, and kept 13
maintained, and kept current. Test Date:
current.
□ N/A
Comments
Name:
□ Pass
Verify that departing personnel
Departing personnel accounts are Initials:
accounts are disabled immediately
disabled immediately (and within 48
GE-26 ITSDir01-178 (and within 48 hours) and removed GE PS-4, AC-2 I D □ Failure
hours) and removed within 30 days
within 30 days of that person’s Test Date:
of that person’s departure.
departure.
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that accounts inactive for Accounts inactive for more than 30 AC-2, AC-
more than 30 days are disabled. days are disabled. 13
Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that inactive accounts are Inactive accounts are deleted after 60 □ Pass
deleted after 60 days of inactivity days of inactivity unless linked to Initials:
unless linked to personnel activity or personnel activity or the inactivity AC-2, AC-
the inactivity was initiated by the was initiated by the System 13
System Administrator due to a user’s Administrator due to a user’s leave or Test Date:
leave or duty status. duty status. □ N/A
Comments
Name:
Verify that after being reset, if an After being reset, if an account is not □ Pass
account is not accessed or a new accessed or a new password is not Initials:
IA-2, IA-4,
password is not selected within 48 selected within 48 hours of
GE-29 ITSDir01-181 GE IA-5, AC-2, I D □ Failure
hours of notification, that account is notification, that account is disabled
AC-13 Test Date:
disabled and a new initial password is and a new initial password is set
set before the user gains entry. before the user gains entry. □ N/A
Comments
Name:
Verify that initial passwords (one □ Pass
Initial passwords (one time use only),
time use only), are created and Initials:
are created and distributed by local
distributed by local system
GE-30 ITSDir01-182 system administrators or security GE AC-2, IA-5 I D □ Failure
administrators or security
administrators that have direct Test Date:
administrators that have direct
contact with system users.
contact with system users. □ N/A
Comments
Verify that temporary or emergency Temporary or emergency accounts Name:
accounts (e.g., for maintenance or (e.g., for maintenance or visitors) are
□ Pass
visitors) are authorized by the system authorized by the system owner or
owner or designate and created with a designate and created with a Initials:
AC-2, IA-1,
GE-31 ITSDir01-183 mandatory expiration of not longer mandatory expiration of not longer GE I D □ Failure
IA-5
than 5 days, deleted within 30 days than 5 days, deleted within 30 days Test Date:
and be shall be subject to full and be will be subject to full
□ N/A
oversight and direct observation by a oversight and direct observation by a
system administrator. system administrator. Comments
Name:
□ Pass
Initials:
Verify that password reset procedures Password reset procedures are
GE-32 ITSDir01-184 GE IA-1 D □ Failure
are documented. documented.
Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that password reset procedures Password reset procedures allow the Initials:
allow the individual resetting the individual resetting the password to
GE-33 ITSDir01-185 GE IA-1 D □ Failure
password to uniquely identify the uniquely identify the individual
individual requesting the password. requesting the password. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that password reset procedures Password reset procedures Initials:
GE-34 ITSDir01-186 specifically protect against Social specifically protect against Social GE IA-1 D □ Failure
Engineering. Engineering. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that media and hard copy Media and hard copy output
output containing sensitive containing sensitive information is Initials:
GE-35 ITSDir01-214 information is labeled according to labeled according to the highest GE MP-3 D □ Failure
the highest sensitivity level of sensitivity level of information stored Test Date:
information stored on the media. on the media.
□ N/A
Comments
Name:
□ Pass
Verify that (where appropriate) (Where appropriate) internal/external Initials:
MP-2, MP-
internal/external labeling is used and labeling is used and the external
GE-36 ITSDir01-215 GE 3, MP-4, D □ Failure
the external labeling includes special labeling includes special handling
MP-5 Test Date:
handling instructions. instructions.
□ N/A
Comments
Name:
□ Pass
Verify that media and hard copy
Media and hard copy output are Initials:
output are protected and handled
protected and handled according to
GE-37 ITSDir01-216 according to the highest sensitivity GE MP-1, MP-7 D □ Failure
the highest sensitivity level of
level of information stored on the Test Date:
information stored on the media.
media.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that media and hard copy Media and hard copy output are Initials:
output are disposed of according to disposed of according to the highest
GE-38 ITSDir01-217 GE MP-1, MP-7 I D □ Failure
the highest sensitivity level of sensitivity level of information stored
information stored on the media. on the media. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that there is a documented
There is a documented process to Initials:
process to ensure that unauthorized
ensure that unauthorized individuals
GE-39 ITSDir01-218 individuals cannot read, copy, alter, GE MP-1, MP-2 D □ Failure
cannot read, copy, alter, or steal
or steal printed or electronic Test Date:
printed or electronic information.
information.
□ N/A
Comments
Name:
□ Pass
Verify that there is a documented
There is a documented process for Initials:
process for ensuring that only
ensuring that only authorized users
GE-40 ITSDir01-219 authorized users pick up, receive, or GE MP-5, AU-1 D □ Failure
pick up, receive, or deliver input and
deliver input and output information Test Date:
output information and media.
and media.
□ N/A
Comments
Name:
□ Pass
Verify that audit trails are used for Initials:
Audit trails are used for the receipt of
GE-41 ITSDir01-220 the receipt of sensitive GE MP-1, MP-5 I D □ Failure
sensitive inputs/outputs.
inputs/outputs. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that documented controls are Documented controls are established Initials:
GE-42 ITSDir01-221 established for the transporting or for the transporting or mailing of GE MP-1, MP-5 D □ Failure
mailing of media or printed output. media or printed output. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that all LC IT systems have an □ Pass
All LC IT systems have an up-to-date
up-to-date IT Contingency Plan, Initials:
IT Contingency Plan, developed in
developed in accordance with NIST
GE-43 ITSDir01-228 accordance with NIST SP 800-34 GE CP-1, CP-2 I D □ Failure
SP 800-34 (Contingency Planning
(Contingency Planning Guide for Test Date:
Guide for Information Technology
Information Technology Systems).
Systems). □ N/A
Comments
Name:
□ Pass
Verify that each IT Contingency Plan Each IT Contingency Plan is Initials:
is integrated into the Service or integrated into the Service or
GE-44 ITSDir01-229 GE CP-2 D □ Failure
Enabling Infrastructure Unit Enabling Infrastructure Unit
Continuity of Operations Plan. Continuity of Operations Plan. Test Date:
□ N/A
Comments
Verify that each IT Contingency Plan Each IT Contingency Plan addresses Name:
addresses emergency outage emergency outage scenarios and the
□ Pass
scenarios and the required responses required responses so that the time to
so that the time to stabilize the stabilize the situation will be Initials:
GE-45 ITSDir01-230 situation will be minimized, damage minimized, damage to persons or GE CP-2 D □ Failure
to persons or property will be property will be minimized, and the Test Date:
minimized, and the likelihood that likelihood that the computer
□ N/A
the computer operations will continue operations will continue to function
to function will be maximized. will be maximized. Comments
Name:
□ Pass
Verify that each IT Contingency Plan Initials:
Each IT Contingency Plan contains
contains or reference documented,
GE-46 ITSDir01-231 or reference documented, detailed GE CP-5, CP-10 D □ Failure
detailed instructions for restoring
instructions for restoring operations. Test Date:
operations.
□ N/A
Comments
Name:
□ Pass
Verify that (per NIST SP 800-34) a (Per NIST SP 800-34) a Business Initials:
Business Impact Analysis (BIA) is Impact Analysis (BIA) is performed
GE-47 ITSDir01-233 GE CP-1 I D □ Failure
performed and included as part of the and included as part of the IT
IT Contingency Plan. Contingency Plan. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the system owner, data The system owner, data owner, and Initials:
GE-48 ITSDir01-234 owner, and the DAA for the system the DAA for the system formally GE CP-1, CP-4 I D □ Failure
formally accept the BIA. accept the BIA. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the resources supporting The resources supporting critical Initials:
critical operations and processing operations and processing priorities
priorities are identified in the IT are identified in the IT Contingency
Contingency Plan. Plan. Test Date:
□ N/A
Comments
Name:
Verify that multiple copies of the □ Pass
Multiple copies of the system and
system and application Initials:
application documentation and the IT
documentation and the IT
GE-50 ITSDir01-245 Contingency Plan are available with GE CP-2, CP-4 I D □ Failure
Contingency Plan are available with
at least one copy of each securely Test Date:
at least one copy of each securely
stored at the off-site location.
stored at the off-site location. □ N/A
Comments
Name:
□ Pass
Verify that the IT Contingency Plan The IT Contingency Plan is Initials:
is distributed to all appropriate distributed to all appropriate
GE-51 ITSDir01-249 GE CP-2 I D □ Failure
personnel as identified in the IT personnel as identified in the IT
Contingency Plan. Contingency Plan. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the key personnel
The key personnel responsible for Initials:
responsible for managing the IT
managing the IT Contingency Plan MA-1, MA-
GE-52 ITSDir01-250 Contingency Plan activation have GE I D □ Failure
activation have ready access to 5, CP-3
ready access to contingency plans Test Date:
contingency plans off-site.
off-site.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that maintenance and repair Maintenance and repair activities are Initials:
MA-1, MA-
GE-53 ITSDir01-255 activities are accomplished without accomplished without adversely GE I D □ Failure
4
adversely affecting system security. affecting system security. Test Date:
□ N/A
Comments
Name:
Verify that maintenance procedures Maintenance procedures account for □ Pass
account for both the on-site and off- both the on-site and off-site MA-1, MA- Initials:
site maintenance of systems and maintenance of systems and 5, PE-7, AC-
maintenance via remote maintenance via remote 2, AC-3,
communications connections, where communications connections, where AC-17 Test Date:
appropriate. appropriate. □ N/A
Comments
Name:
□ Pass
Verify that operating systems are RA-5, SI-2, Initials:
Operating systems are configured to
configured to prevent circumvention CM-6, SC-1,
GE-55 ITSDir01-258 prevent circumvention of security GE D □ Failure
of security software and application AC-19, AC-
software and application controls. Test Date:
controls. 20
□ N/A
Comments
Name:
□ Pass
Verify that an impact analysis is An impact analysis is conducted to
conducted to determine the effects determine the effects (on Initials:
CM-1, CM-
GE-56 ITSDir01-261 (on confidentiality, integrity, and confidentiality, integrity, and GE D □ Failure
3, CM-4
availability) of any proposed change availability) of any proposed change Test Date:
to the system. to the system.
□ N/A
Comments
Name:
□ Pass
Verify that impact analyses include Impact analyses include an analysis
an analysis to determine all necessary to determine all necessary training Initials:
SA-4, SA-
GE-57 ITSDir01-262 training for both technical and user for both technical and user GE D □ Failure
11, CM-4
communities associated with the communities associated with the Test Date:
changes in hardware/software. changes in hardware/software.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that system components
System components (hardware, □ Pass
(hardware, operating system, utility,
operating system, utility, and Initials:
and applications) are tested,
applications) are tested, documented,
GE-58 ITSDir01-263 documented, and approved prior to GE CM-1, CM-3 I D □ Failure
and approved prior to advancing to
advancing to production to prevent Test Date:
production to prevent unwarranted
unwarranted downtime of the
downtime of the production system. □ N/A
production system.
Comments
Name:
□ Pass
Verify that software and hardware Initials:
Software and hardware changes are
changes are processed through a
GE-59 ITSDir01-264 processed through a formal change GE CM-1, CM-3 D □ Failure
formal change management
management procedure. Test Date:
procedure.
□ N/A
Comments
Name:
□ Pass
Verify that the production data is not PL-2, CA-4, Initials:
The production data is not used for
GE-60 ITSDir01-265 used for the testing of software GE MP-4, MP- D □ Failure
the testing of software applications.
applications. 6, MP-7 Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the settings of security The settings of security features are
features are set to the most restrictive set to the most restrictive mode that Initials:
CA-2, RA-5,
GE-61 ITSDir01-266 mode that allows for normal system allows for normal system operation GE I D □ Failure
CM-2, SI-1
operation of the software applications of the software applications or Test Date:
or systems. systems.
□ N/A
Comments
Name:
□ Pass
Verify that software is properly Software is properly licensed to Initials:
licensed to ensure no illegal copies of ensure no illegal copies of SA-6, CM-2,
copyrighted software reside on any copyrighted software reside on any CM-3, CM-6
system in accordance with SA 98-14. system in accordance with SA 98-14. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that version control of Version control of hardware and
hardware and software are software are implemented to allow SA-6, CM-1, Initials:
GE-63 ITSDir01-268 implemented to allow association of association of system components to GE CM-2, CM- I D □ Failure
system components to the appropriate the appropriate system version of the 3, CM-5 Test Date:
system version of the hardware. hardware.
□ N/A
Comments
Name:
□ Pass
Verify that version control Version control documents are Initials:
CM-1, CM-
documents are updated with every updated with every hardware,
GE-64 ITSDir01-269 GE 2, CM-3, I D □ Failure
hardware, software, or configuration software, or configuration change on
CM-5 Test Date:
change on a system. a system.
□ N/A
Comments
Name:
□ Pass
Verify that the distribution and SA-3, SA-5, Initials:
The distribution and implementation
implementation of new or revised CM-1, CM-
GE-65 ITSDir01-270 of new or revised software are GE I D □ Failure
software are approved, documented 2, CM-3,
approved, documented and reviewed. Test Date:
and reviewed. CM-5
□ N/A
Comments
Name:
Verify that the all new software □ Pass
All new software packages, upgrades,
packages, upgrades, off-the-shelf Initials:
off-the-shelf products, or custom
products, or custom software are
GE-66 ITSDir01-271 software are inspected and tested GE SA-4, CM-3 I D □ Failure
inspected and tested before being
before being introduced into the Test Date:
introduced into the production
production environment.
environment. □ N/A
Comments
Verify that configuration Name:
Configuration management processes
management processes are □ Pass
are implemented that document the
implemented that document the Initials:
process of keeping track of changes CM-1, CM-
process of keeping track of changes
GE-67 ITSDir01-274 to the system and approving those GE 2, CM-3, D □ Failure
to the system and approving those
changes, ensuring that changes to the CM-4, SI-2 Test Date:
changes, ensuring that changes to the
system do not unintentionally or
system do not unintentionally or □ N/A
unknowingly diminish security.
unknowingly diminish security. Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the configuration The configuration management
management processes ensures that processes ensures that no changes are CM-1, CM- Initials:
GE-68 ITSDir01-275 no changes are placed into the placed into the production GE 3, CM-4, D □ Failure
production environment without environment without undergoing CM-6 Test Date:
undergoing proper testing. proper testing.
□ N/A
Comments
Name:
□ Pass
Verify that emergency changes are Initials:
Emergency changes are documented
documented and approved by
GE-69 ITSDir01-276 and approved by management, either GE CM-3 D □ Failure
management, either prior to or after
prior to or after the change. Test Date:
the change.
□ N/A
Comments
Name:
□ Pass
Verify that emergency change Emergency change procedures are Initials:
procedures are documented as part of documented as part of the
GE-70 ITSDir01-277 GE CM-1, CM-3 D □ Failure
the configuration management of the configuration management of the
software/systems. software/systems. Test Date:
□ N/A
Comments
Verify that configuration Name:
Configuration management processes
management processes are □ Pass
are implemented that ensures system
implemented that ensures system Initials:
security plans, contingency plans,
security plans, contingency plans,
GE-71 ITSDir01-278 risk analyses, security policies and GE CM-3, CM-4 I D □ Failure
risk analyses, security policies and
procedures and other associated Test Date:
procedures and other associated
documentation are updated to reflect
documentation are updated to reflect □ N/A
system changes.
system changes. Comments
Name:
□ Pass
Verify that inappropriate or unusual Inappropriate or unusual activity is Initials:
activity is reported, investigated, and reported, investigated, and IR-1, IR-4,
appropriate actions taken to resolve appropriate actions taken to resolve SI-7
the incident. the incident. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that integrity verification Integrity verification techniques (e.g.,
□ Pass
techniques (e.g., cryptographic-based cryptographic-based techniques,
techniques, secure hashes, etc) are secure hashes, etc) are used by SI-1, SI-2, Initials:
GE-73 ITSDir01-285 used by applications (when called for applications (when called for by the GE SI-3, SI-4, D □ Failure
by the sensitivity of the data) to look sensitivity of the data) to look for IR-4 Test Date:
for evidence of data tampering, evidence of data tampering, errors,
□ N/A
errors, and omissions. and omissions.
Comments
Name:
□ Pass
Verify that any intrusions detected Initials:
Any intrusions detected are reported
are reported to the appropriate
GE-74 ITSDir01-290 to the appropriate security office that GE IR-4, IR-5 I D □ Failure
security office that handles computer
handles computer security incidents. Test Date:
security incidents.
□ N/A
Comments
Name:
□ Pass
Verify that systems utilizing message Systems utilizing message Initials:
authentication technology use that authentication technology use that IR-5, IA-5,
technology in place of written technology in place of written IA-6
signatures on electronic documents. signatures on electronic documents. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the systems prevent Initials:
The systems prevent unauthorized
unauthorized and unintended CA-3, AC-3,
GE-76 ITSDir01-294 and unintended information transfer GE I D □ Failure
information transfer via shared AU-10
via shared system resources. Test Date:
system resources.
□ N/A
Comments
Name:
□ Pass
Verify that the System Security Plan The System Security Plan contains Initials:
GE-77 ITSDir01-296 contains the Security Requirements the Security Requirements for the GE PL-2, CM-7 D □ Failure
for the system. system. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the system owner has Initials:
The system owner has ensured that
ensured that an IT Contingency Plan
GE-78 ITSDir01-298 an IT Contingency Plan is developed GE PL-2, CP-2 D □ Failure
is developed and maintained for the
and maintained for the system. Test Date:
system.
□ N/A
Comments
Name:
□ Pass
Verify that the system owner has The system owner has ensured that Initials:
ensured that current vendor current vendor documentation of all SA-3, SA-4,
documentation of all hardware is hardware is obtained and retained for SA-5, CP-2
obtained and retained for the system. the system. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the system owner has
The system owner has ensured that Initials:
ensured that current vendor
current vendor documentation of all SA-3, SA-4,
GE-80 ITSDir01-300 documentation of all COTS software GE I D □ Failure
COTS software is obtained and SA-5
is obtained and retained for the Test Date:
retained for the system.
system.
□ N/A
Comments
Name:
□ Pass
Verify that the system owner has The System owner has ensured that Initials:
ensured that all software all software documentation is SA-3, SA-4,
documentation is developed and developed and maintained for the SA-5
maintained for the system system Test Date:
□ N/A
Comments
Verify that the system owner has Name:
The system owner has ensured that
ensured that documentation of □ Pass
documentation of systems, describing
systems, describing the network Initials:
the network configuration, system
configuration, system hardware and SA-3, SA-4,
GE-82 ITSDir01-302 hardware and software configuration, GE D □ Failure
software configuration, including all SA-5, CM-2
including all configuration details Test Date:
configuration details and parameters,
and parameters, also known as "As-
also known as "As-Built" □ N/A
Built" Documentation for the system.
Documentation for the system. Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
ensured that Standard Operating Standard Operating Procedures are CM-2, CP-
Procedures are developed and developed and maintained for the 10
maintained for the system. system. Test Date:
□ N/A
Comments
Name:
□ Pass
ensured that user manuals (if user manuals (if applicable) are
GE-84 ITSDir01-304 GE SA-5 D □ Failure
applicable) are developed and developed and maintained for the
maintained for the system. system. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all required Initials:
All required documentation is
documentation is maintained in hard SA-4, SA-5,
GE-85 ITSDir01-305 maintained in hard copy at each GE I D □ Failure
copy at each facility housing the CP-2
facility housing the system. Test Date:
system.
□ N/A
Comments
Name:
□ Pass
Verify that all required Initials:
All required documentation is
documentation is maintained in soft SA-4, CP-2,
GE-86 ITSDir01-306 maintained in soft copy on an ITS or GE I D □ Failure
copy on an ITS or system owner CP-10
system owner managed server. Test Date:
managed server.
□ N/A
Comments
Name:
□ Pass
Verify that system owners ensure that System owners ensure that all system Initials:
GE-87 ITSDir01-311 all system users receive any system- users receive any system-specific GE AT-3, AT-4 I D □ Failure
specific security training. security training. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that the system owners ensure □ Pass
The system owners ensure that all
that all system administrators, ISSMs Initials:
system administrators, ISSMs and
and ISSOs receive specific job-
GE-88 ITSDir01-312 ISSOs receive specific job-related GE AT-2, AT-3 I □ Failure
related (e.g., technical, policy)
(e.g., technical, policy) training Test Date:
training commensurate with their
commensurate with their duties.
duties. □ N/A
Comments
Name:
□ Pass
Verify that the system is protected by The system is protected by access Initials:
IR-6, AC-2,
GE-89 ITSDir01-331 access controls that uniquely identify controls that uniquely identify an GE D □ Failure
AC-3, IA-2
an individual. individual. Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that the system does not The system does not utilize group AC-2, AC-3,
utilize group accounts. accounts. IA-2
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the system utilizes some The system utilizes some form of Initials:
form of authentication (e.g., authentication (e.g., passwords, IA-2, IA-5,
passwords, digital certificates, digital certificates, biometrics, IA-6
biometrics, tokens, etc.) tokens, etc.) Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all vendor-provided or All vendor-provided or default access Initials:
CM-7, CP-
default access methods are disabled methods are disabled or have the
GE-92 ITSDir01-334 GE 10, IA-2, IA- I D □ Failure
or have the default authenticator default authenticator changed on the
5 Test Date:
changed on the system. system.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that authentication occurs Name:
Authentication occurs before
before authorizing access to systems
authorizing access to systems and □ Pass
and enabling access to system
enabling access to system resources, Initials:
resources, with the exception of non-
with the exception of non-sensitive, IA-2, IA-4,
GE-93 ITSDir01-335 sensitive, read-only data that has GE D □ Failure
read-only data that has been IA-5, AC-14
been identified as accessible to the Test Date:
identified as accessible to the general
general public (i.e., publicly
public (i.e., publicly accessible □ N/A
accessible systems) or the Library
systems) or the Library community. Comments
community.
Name:
□ Pass
Verify that scripts with clear text Scripts with clear text embedded
embedded passwords are only used passwords are only used when Initials:
GE-94 ITSDir01-336 when absolutely necessary and then absolutely necessary and then only GE AC-3, IA-5 D □ Failure
only for batch processing and are not for batch processing and are not Test Date:
viewable or editable by users. viewable or editable by users.
□ N/A
Comments
Verify that all stored passwords are All stored passwords are encrypted Name:
encrypted using an encryption using an encryption method that, as
□ Pass
method that, as much as possible, much as possible, precludes the use
precludes the use of any tools or of any tools or operating system Initials:
GE-95 ITSDir01-337 operating system features that would features that would allow an GE IA-5, SC-13 D □ Failure
allow an administrator to view administrator to view passwords Test Date:
passwords (exception: keystroke (exception: keystroke monitoring, in
□ N/A
monitoring, in conjunction with an conjunction with an official
official investigation). investigation). Comments
Name:
□ Pass
Verify that the system defined guest, The system defined guest,
anonymous and other optional anonymous and other optional Initials:
GE-96 ITSDir01-339 generic user accounts (that allow generic user accounts (that allow GE AC-2, IA-5 D O □ Failure
non-unique account names) are non-unique account names) are Test Date:
removed or disabled and monitored. removed or disabled and monitored.
□ N/A
Comments
Name:
□ Pass
Verify that all authentication data is All authentication data is encrypted
encrypted and processed in a manner and processed in a manner that Initials:
AC-3, IA-5,
GE-97 ITSDir01-342 that prevents the cleartext capture of prevents the cleartext capture of GE D □ Failure
SC-13
passwords and replay attacks of passwords and replay attacks of Test Date:
ciphertext. ciphertext.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that the system utilizes access Name:
The system utilizes access controls
controls that authorize or restrict the
that authorize or restrict the activities □ Pass
activities of users and system
of users and system personnel within Initials:
personnel within the system,
the system, permitting only
GE-98 ITSDir01-343 permitting only authorized access to GE AC-3, IA-5 I D □ Failure
authorized access to or within the
or within the system, restricting users Test Date:
system, restricting users to authorized
to authorized transactions and
transactions and functions, and/or □ N/A
functions, and/or detecting
detecting unauthorized activities. Comments
unauthorized activities.
Name:
Verify that the system utilizes access The system utilizes access controls □ Pass
controls that enforce the separation of that enforce the separation of duties Initials:
duties to prevent an individual from to prevent an individual from having
GE-99 ITSDir01-344 GE AC-3, AC-5 I D □ Failure
having sufficient authority or sufficient authority or information
information access to allow access to allow fraudulent activity Test Date:
fraudulent activity without collusion. without collusion. □ N/A
Comments
Name:
Verify that the system utilizes access The system utilizes access controls
□ Pass
controls that detect unauthorized that detect unauthorized transaction
transaction attempts by authorized attempts by authorized and/or AC-3, AC-5, Initials:
GE-100 ITSDir01-345 and/or unauthorized users and ensure unauthorized users and ensure that GE AC-7, AC- I D □ Failure
that each system has a designated each system has a designated number 11 Test Date:
number of log-on attempts before of log-on attempts before access is
□ N/A
access is denied. denied.
Comments
Verify that the encryption complies The encryption complies with
with applicable Federal Information applicable Federal Information
Processing Standards (FIPS) Processing Standards (FIPS) Name:
publications and guidelines for publications and guidelines for □ Pass
encryption. (Note: In those situations encryption. (Note: In those situations Initials:
where encryption products or where encryption products or
GE-101 ITSDir01-346 GE AC-7, SC-13 D □ Failure
technologies are prohibited from technologies are prohibited from
exportation or deployment in a exportation or deployment in a Test Date:
foreign country, across a national foreign country, across a national □ N/A
boundary, or in cooperation with a boundary, or in cooperation with a Comments
foreign country, a waiver is foreign country, a waiver is
obtained.) obtained.)


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that if encryption is used, If encryption is used, there are Initials:
there are procedures for key procedures for key generation, SC-1, SC-
generation, distribution, storage, use, distribution, storage, use, destruction, 12, SC-13
destruction, and archiving. and archiving. Test Date:
□ N/A
Comments
Name:
□ Pass
SC-8, SC-9, Initials:
Verify that sensitive data Sensitive data transmissions are
GE-103 ITSDir01-348 GE SC-12, SC- I D □ Failure
transmissions are encrypted. encrypted.
13 Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that information deemed to be Initials:
Information deemed to be sensitive
sensitive and for LC use only is not SC-14, AC-
GE-104 ITSDir01-354 and for LC use only is not accessible GE I D □ Failure
accessible through publicly 2, AC-3
through publicly accessible systems. Test Date:
accessible systems.
□ N/A
Comments
Name:
□ Pass
Verify that the access control Initials:
The access control mechanism AC-2, AC-3,
mechanism associates all activity to
GE-105 ITSDir01-360 associates all activity to the user once GE AU-2, AU- I D □ Failure
the user once access has been
access has been granted. 3, SC-7 Test Date:
granted.
□ N/A
Comments
Name:
□ Pass
Verify that access to security
Access to security software used to Initials:
software used to perform functions of
perform functions of system security AC-3, AC-5,
GE-106 ITSDir01-361 system security administration is GE I D □ Failure
administration is restricted to AC-6
restricted to authorized system Test Date:
authorized system administrators.
administrators.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that within 15 minutes of Name:
Within 15 minutes of inactivity
inactivity (inactivity defined as the □ Pass
(inactivity defined as the mouse or
mouse or keyboard being untouched Initials:
keyboard being untouched for fifteen
for fifteen minutes), user AC-3, AC-
GE-107 ITSDir01-362 minutes), user workstations and GE I O □ Failure
workstations and server consoles 11, AC-12
server consoles performs an Test Date:
performs an automatic log-out or a
automatic log-out or a screensaver
screensaver with password protection □ N/A
with password protection activates.
activates. Comments
Name:
Verify that on those operating
On those operating systems that □ Pass
systems that cannot enforce
cannot enforce discretionary access Initials:
discretionary access controls,
controls, network connections are AC-11, AC-
GE-108 ITSDir01-363 network connections are terminated GE I O □ Failure
terminated within 30 minutes of 12
within 30 minutes of inactivity unless Test Date:
inactivity unless an approved 3rd
an approved 3rd party access control
party access control solution is used. □ N/A
solution is used.
Comments
Name:
Verify that the system prevents non- The system prevents non-privileged □ Pass
privileged accounts / users from accounts / users from modifying Initials:
modifying system configurations, system configurations, system level AC-3, AC-6,
system level files and accessing files and accessing system data and AC-12
system data and resources without a resources without a valid need-to- Test Date:
valid need-to-know. know. □ N/A
Comments
Name:
Verify that file or information access File or information access is
□ Pass
is restricted according to user role restricted according to user role
based on one or more of the based on one or more of the Initials:
GE-110 ITSDir01-365 following access control methods: following access control methods: GE AC-3, AC-6 I D □ Failure
Operating System Access Control, Operating System Access Control, Test Date:
OS- RBAC, RBAC or Policy Based OS- RBAC, RBAC or Policy Based
□ N/A
Access Controls. Access Controls.
Comments
Name:
□ Pass
Verify that all services and protocols All services and protocols necessary Initials:
necessary for operation are explicitly for operation are explicitly identified PL-2, CM-7,
identified and justified within the and justified within the system IA-1
system security plan. security plan. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that protocols that expose Protocols that expose authentication AC-6, SC-9, Initials:
GE-112 ITSDir01-369 authentication information in clear information in clear text are not GE SC-13, SC- D □ Failure
text are not utilized. utilized. 16 Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the vendor-supplied
The vendor-supplied default security Initials:
default security parameters are
parameters are configured to provide CM-2, CM-
GE-113 ITSDir01-370 configured to provide a secure GE D □ Failure
a secure environment consistent with 7, IA-5
environment consistent with LC Test Date:
LC Technical Baselines.
Technical Baselines.
□ N/A
Comments
Name:
□ Pass
Verify that remote access Initials:
Remote access connections to system
connections to system resources on CM-2, AC-
GE-114 ITSDir01-371 resources on the LC Internal Data GE D □ Failure
the LC Internal Data Network are 17, SC-13
Network are channel encrypted. Test Date:
channel encrypted.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that the following banner is
The following banner is displayed
displayed prior to log on at the entry
prior to log on at the entry point of all
point of all LC IT systems (including
LC IT systems (including systems
systems that process SBU
that process SBU information and
information and national security
national security information)
information) requiring the user to
requiring the user to perform an Name:
perform an action to accept the terms
action to accept the terms of use of
of use of the system. This is notice □ Pass
the system. This is notice that the use
that the use of the Library's Initials:
of the Library's computers, terminals
computers, terminals and associated
GE-115 ITSDir01-381 and associated systems for email and GE AC-3, AC-8 I O □ Failure
systems for email and internet access
internet access are intended for Test Date:
are intended for employees to assist
employees to assist in accomplishing
in accomplishing their work. Such □ N/A
their work. Such usage may be
usage may be monitored or Comments
monitored or scrutinized by the
scrutinized by the Library of
Library of Congress and
Congress and inappropriate usage
inappropriate usage may result in
may result in limitation or revocation
limitation or revocation of usage
of usage and/or may subject the
and/or may subject the employee to
employee to administrative or
administrative or criminal penalties.
criminal penalties.
Name:
Verify that the system is configured □ Pass
The system is configured to limit
to limit information leakage, Initials:
information leakage, including, but
including, but not limited to, system
GE-116 ITSDir01-382 not limited to, system version, GE AC-8 D □ Failure
version, software name, hardware
software name, hardware type, patch Test Date:
type, patch levels and existence of
levels and existence of user accounts.
user accounts. □ N/A
Comments
Name:
□ Pass
Verify that the system, including AU-1, AU- Initials:
The system, including stand-alone
GE-117 ITSDir01-384 stand-alone systems, implement audit GE 2, AU-3, D O □ Failure
systems, implement audit trails.
trails. SC-5 Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the audit trails are Initials:
The audit trails are maintained for a
maintained for a timeframe sufficient AU-1, AU-
GE-118 ITSDir01-385 timeframe sufficient to reconstruct GE D □ Failure
to reconstruct security-relevant 9, AU-4
security-relevant events. Test Date:
events.
□ N/A
Comments
Name:
Verify that the audit trails identify The audit trails identify each entity □ Pass
each entity accessing the system, accessing the system, time and date AU-1, AU- Initials:
time and date of the access, time and of the access, time and date of 5, AU-6,
GE-119 ITSDir01-386 GE D O □ Failure
date of session termination, and for session termination, and for use of AU-8, AU-
use of elevated privileges, the elevated privileges, the entities' 11 Test Date:
entities' activities. activities. □ N/A
Comments
Name:
□ Pass
Verify that the audit trails are The audit trails are protected from Initials:
protected from unauthorized access, unauthorized access, modification,
GE-120 ITSDir01-387 GE AU-3, AU-9 D □ Failure
modification, and destruction that and destruction that could negate its
could negate its forensic value. forensic value. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that audit trail data is Audit trail data is reviewed in
reviewed in compliance with the compliance with the review period Initials:
PL-2, AU-5,
GE-121 ITSDir01-388 review period specified and specified and documented in the GE D □ Failure
AU-6, AU-9
documented in the system's security system's security plan for the audit Test Date:
plan for the audit trail. trail.
□ N/A
Comments
Name:
□ Pass
Verify that the personnel reviewing The personnel reviewing the audit Initials:
PS-2, AU-6,
GE-122 ITSDir01-389 the audit trails are not the personnel trails are not the personnel GE I D □ Failure
AU-9, AC-6
administering the system. administering the system. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that in the event that a dial-in
In the event that a dial-in mechanism
mechanism are used to provide a Name:
are used to provide a service (e.g.,
service (e.g., vendor maintenance) an
vendor maintenance) an audit trail of □ Pass
audit trail of the dial-in session is
the dial-in session is maintained that Initials:
maintained that indicates at a MA-4, AU-
indicates at a minimum: date and
GE-123 ITSDir01-390 minimum: date and time of each GE 2, AC-5, D □ Failure
time of each access attempt, caller ID
access attempt, caller ID information AC-17 Test Date:
information if available, user or
if available, user or system associated
system associated with an inbound □ N/A
with an inbound call and the status
call and the status (success or failure) Comments
(success or failure) of access
of access attempts.
attempts.
Name:
□ Pass
Initials:
Verify that audit trails are retained Audit trails are retained on-line for a MA-4, AU-
on-line for a minimum of 30 days. minimum of 30 days. 11
Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that audit trails are retained Audit trails are retained for a period
GE-125 ITSDir01-392 GE AU-11 I D □ Failure
for a period of at least 180 days. of at least 180 days.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the systems have their The systems have their time Initials:
GE-126 ITSDir01-394 time synchronized with the ITS synchronized with the ITS central GE AU-8, AU-9 D O □ Failure
central time source. time source. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that there is a separation of There is a separation of duties Name:
duties between system security between system security personnel □ Pass
personnel who administer the access who administer the access control Initials:
control function and those who function and those who administer
GE-127 ITSDir01-398 GE AC-5, AU-3 I □ Failure
administer the audit trail. Computer the audit trail. Computer security
security managers, system managers, system administrators, or Test Date:
administrators, or managers have managers have access for review □ N/A
access for review purposes only. purposes only. Comments
Name:
□ Pass
Verify that the system has data The system has data reduction audit
reduction audit tools to help reduce tools to help reduce the amount of Initials:
AU-7, AU-
GE-128 ITSDir01-399 the amount of information contained information contained in audit GE D □ Failure
5, AC-5
in audit records, as well as to distill records, as well as to distill useful Test Date:
useful information from the raw data information from the raw data
□ N/A
Comments
Name:
Verify that the system has query
The system has query applications □ Pass
applications that have the ability for
that have the ability for an audit log Initials:
an audit log to be queried by user ID,
to be queried by user ID, terminal ID, AU-5, AU-
GE-129 ITSDir01-400 terminal ID, application name, date GE D □ Failure
application name, date and time, or 6, AU-7
and time, or some other set of Test Date:
some other set of parameters to run
parameters to run reports of selected
reports of selected information. □ N/A
information.
Comments
Name:
Verify that the ISSO, in conjunction The ISSO, in conjunction with the
□ Pass
with the system owner and the data system owner and the data owner,
owner, undertakes an investigation if undertakes an investigation if Initials:
IR-4, AU-6,
GE-130 ITSDir01-401 suspicious activity is noted in the suspicious activity is noted in the GE I □ Failure
AU-7
audit trail data, to determine if their audit trail data, to determine if their Test Date:
resources have been or are being resources have been or are being
□ N/A
misused. misused.
Comments
Name:
Verify that the following events are The following events are audited:
□ Pass
audited: successful and unsuccessful successful and unsuccessful
authentication, successful and authentication, successful and Initials:
AU-1, AU-
GE-131 ITSDir01-403 unsuccessful changes to user/group unsuccessful changes to user/group GE D □ Failure
2, AU-3
accounts and permissions, successful accounts and permissions, successful Test Date:
and unsuccessful changes to the and unsuccessful changes to the
□ N/A
auditing subsystem. auditing subsystem.
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that system passwords are System passwords are generated by a Initials:
GE-132 ITSDir02-30 generated by a random password random password generator approved GE IA-2 I □ Failure
generator approved by ITS. by ITS. Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that all SOPs are documented All SOPs are documented in
GE-133 ITSDir30-2 GE MA-3, SC-1 I D □ Failure
in electronic format. electronic format.
Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that system passwords are System passwords are changed at
GE-134 ITSDir02-31 GE IA-2 I □ Failure
changed annually. least annually.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that where the underlying
When the underlying system cannot Initials:
system cannot support the
support the requirements of a system
GE-135 ITSDir02-32 requirements of a system password, GE IA-2 I □ Failure
password, all passwords follow the
all passwords follow the user Test Date:
user password requirements.
password requirements.
□ N/A
Comments
Name:
□ Pass
Verify that each IT system has at Each IT system has at least one Initials:
GE-136 ITSDir01-50 least one primary and one backup primary and one backup ISSO GE None D □ Failure
ISSO designated. designated. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that ISSOs are appointed in Initials:
ISSOs are appointed in writing by an
writing by an appropriate individual
GE-137 ITSDir01-51 appropriate individual within the GE None D □ Failure
within the Service or Infrastructure
Service or Infrastructure Unit. Test Date:
Unit.
□ N/A
Comments
Name:
□ Pass
Verify that ISSOs review all ISSOs review all proposed changes Initials:
proposed changes to their assigned IT to their assigned IT systems before
GE-138 ITSDir01-55 GE CM-3 D □ Failure
systems before the changes are the changes are placed into
placed into production. production. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ISSOs do not serve as the ISSOs do not serve as the DAA, Initials:
GE-139 ITSDir01-69 DAA, CISO, SO, IO or SA for any CISO, SO, IO or SA for any LC IT GE None D □ Failure
LC IT system. system. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the system owner ensures The system owner ensures IT
IT positions, including contract positions, including contract Initials:
GE-140 ITSDir01-72 positions are appropriately positions are appropriately GE PS-1, PS-2 D □ Failure
designated in writing in accordance designated in writing in accordance Test Date:
with position sensitivity criteria. with position sensitivity criteria.
□ N/A
Comments
Name:
□ Pass
Verify that the system owner ensures The system owner ensures Initials:
GE-141 ITSDir01-73 appropriate system-specific security appropriate system-specific security GE AT-3, PS-2 D □ Failure
training for system users. training for system users. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the system owner ensures The system owner ensures that
that critical file backups are made, critical file backups are made, Initials:
AT-3, CP-9,
GE-142 ITSDir01-74 maintained, safeguarded, and maintained, safeguarded, and GE D □ Failure
CP-6
available to be used in an emergency available to be used in an emergency Test Date:
situation. situation.
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that the system owner is a The system owner is a Library of
Library of Congress employee. Congress employee.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the system owner does The system owner does not serve as Initials:
GE-144 ITSDir01-76 not serve as the CISO, CO, SPM, the ISSM or ISSO for any LC IT GE None D □ Failure
ISSO or SA for any LC IT system. systems. Test Date:
□ N/A
Comments
Name:
Verify that the information owner
The data owner has established □ Pass
establishes values for data and
values for data and information, e.g. Initials:
information, e.g. data sensitivities,
data sensitivities, and overall level of PL-2, PL-
GE-145 ITSDir01-78 and overall level of importance, GE D □ Failure
importance, addressing the impact in 5SA-2
addressing the impact in the event Test Date:
the event that data is lost, damaged,
that data is lost, damaged, stolen or
stolen or compromised, □ N/A
compromised.
Comments
Name:
□ Pass
Verify that the information owner (of The information owner (of Initials:
information owned by the Library of information owned by the Library of
GE-146 ITSDir01-81 GE None D □ Failure
Congress) is a Library of Congress Congress) is a Library of Congress
employee. employee. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the information owner Initials:
The data owner does not serve as the
does not serve as the CISO, CO,
GE-147 ITSDir01-82 CISO, CO, SPM, ISSO or SA for any GE AC-13 D □ Failure
SPM, ISSO or SA for any LC IT
LC IT system. Test Date:
system.
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that reporting is performed Reporting is performed using the
GE-148 ITSDir01-83 GE None D □ Failure
using the formats defined by ITS. formats defined by ITS.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that a Memorandum of
A Memorandum of Understanding is Initials:
Understanding is established for any
established for any systems owned by
GE-149 ITSDir01-84 systems owned by external GE CA-3, AC-4 D □ Failure
external organizations that transfer
organizations that transfer data to or Test Date:
data to or from LC IT systems.
from LC IT systems.
□ N/A
Comments
Name:
□ Pass
Verify that a Memorandum of A Memorandum of Understanding is Initials:
Understanding is established between established between any internal
GE-150 ITSDir01-85 GE CA-3, AC-4 D □ Failure
any internal organizations sharing or organizations sharing or transferring
transferring data. data. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that Memorandums of Memorandums of Understanding
Understanding comply with NIST comply with NIST Special Initials:
GE-151 ITSDir01-86 Special Publication 800-47, Security Publication 800-47, Security Guide GE CA-3, AC-4 D □ Failure
Guide for Interconnecting for Interconnecting Information Test Date:
Information Technology Systems. Technology Systems.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that all connections to or from All connections to or from external
external systems are documented in systems are documented in the Initials:
GE-152 ITSDir01-88 the System Security Plan of the LC System Security Plan of the LC GE CA-3, RA-2 D □ Failure
system interfacing with that external system interfacing with that external Test Date:
system. system.
□ N/A
Comments
Verify that Information sensitivity is Information sensitivity is determined Name:
determined in accordance with FIPS in accordance with FIPS 199,
□ Pass
199, Standards for Security Standards for Security Categorization
Categorization of Federal of Federal Information and Initials:
GE-153 ITSDir01-89 Information and Information Systems Information Systems and NIST GE PL-2, RA-2 D □ Failure
and NIST Special Publication 800- Special Publication 800-60, Guide Test Date:
60, Guide for Mapping Types of for Mapping Types of Information
□ N/A
Information and Information Systems and Information Systems to Security
to Security Categories. Categories. Comments
Name:
□ Pass
OMB A-
Verify that information sensitivity is Information sensitivity is 130, Initials:
GE-154 ITSDir01-90 documented in the System Security documented in the System Security GE Appendix D □ Failure
Plan. Plan. III, Test Date:
PL-2, RA-3
□ N/A
Comments
Name:
Verify that security controls are Security controls are commensurate
□ Pass
commensurate with the information with the information security
security categorization of the system categorization of the system per the Initials:
RA-1, RA-3,
GE-155 ITSDir01-91 per the recommendations in NIST recommendations in NIST Special GE D □ Failure
CA-6, PL-2
Special Publication 800-53 Publication 800-53 (Recommended Test Date:
(Recommended Security Controls for Security Controls for Federal
□ N/A
Federal Information Systems). Information Systems).
Comments
Name:
□ Pass
Initials:
Verify that the LC IT system has a
GE-156 ITSDir01-1 The LC IT system have an SSP. GE PL-2 D □ Failure
System Security Plan (SSP).
Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that SSPs are compliant with Name:
and in the format defined by NIST □ Pass
SSPs are compliant with and in the
Special Publication (SP) 800-18 Initials:
format defined by NIST Special
(Guide for Developing Security Plans
GE-157 ITSDir01-2 Publication (SP) 800-18 (Guide for GE Pl-2 D □ Failure
for Information Technology
Developing Security Plans for Test Date:
Systems). [In the case of <System
Name> SSP is compliant with the □ N/A
format of NIST (SP) 800-53 Comments
Name:
□ Pass
Verify that there is at least one DAA Initials:
There is at least one DAA for each
for each Service and Enabling
GE-158 ITSDir01-6 Service and Enabling Infrastructure GE CA-1, CA-6 D □ Failure
Infrastructure Unit that owns IT
Unit that owns IT systems. Test Date:
systems.
□ N/A
Comments
Name:
□ Pass
Verify that DAAs are appointed in DAAs are appointed in writing by the Initials:
GE-159 ITSDir01-7 writing by the head of the Service or head of the Service or Infrastructure GE None D □ Failure
Infrastructure Unit. Unit. Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
GE-160 ITSDir01-8 Verify that the IT system has a DAA. The IT system has a DAA. GE CA-6 D □ Failure
Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that DAAs are Library
GE-161 ITSDir01-14 DAAs are Library employees. GE CA-6 D □ Failure
employees.
Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that DAAs do not also serve DAAs do not also serve as the CO, Initials:
GE-162 ITSDir01-15 as the CO, CISO, SPM, ISSO or SA CISO, SPM, ISSO or SA for any LC GE CA-1 D □ Failure
for any LC IT system. IT system. Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that every IT system has a
GE-163 ITSDir01-17 Every IT system has a CO. GE CA-1 D □ Failure
CO.
Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that COs are appointed in COs are appointed in writing by the
GE-164 ITSDir01-18 GE CA-1 D □ Failure
writing by the DAA. DAA.
Test Date:
□ N/A
Comments
Name:
Verify that COs do not also serve as □ Pass
the DAA or SA for any LC IT Initials:
system. The CO does not also serve as a
GE-165 ITSDir01-23 GE AC-5 D □ Failure
DAA or SA for any LC IT system.
Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that SOPs are developed for SOPs are developed for all LC
all LC information system. information system.
Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the system enforces a Initials:
User passwords have a minimum of 8
GE-167 ITSDir02-15 minimum password length of 8 GE IA-5 I O □ Failure
characters.
characters for user passwords. Test Date:
□ N/A
Comments
Verify that the system enforces at The system enforces at least 3 of the Name:
least 3 of the following password following password complexity rules □ Pass
complexity rules for user passwords: for user passwords: (a.) at least 1 Initials:
(a.) at least 1 upper case alphabetic upper case alphabetic character, (b.)
GE-168 ITSDir02-16 GE IA-5 I O □ Failure
character, (b.) at least 1 lower case at least 1 lower case alphabetic
alphabetic character, (c.) at least 1 character, (c.) at least 1 numeric Test Date:
numeric character, (d.) at least 1 character, (d.) at least 1 special □ N/A
special character. character. Comments
Name:
□ Pass
Verify that the system locks the user Initials:
The system locks the user account if
account if three (3) failed password
GE-169 ITSDir02-17 three (3) failed password attempts GE AT-7, IA-5 I O □ Failure
attempts occur within a 15-minute
occur within a 15-minute period. Test Date:
period for user passwords.
□ N/A
Comments
Verify that the system locks user The system locks user accounts
accounts permanently, until unlocked permanently, until unlocked by a Name:
by a system administrator, with the system administrator, with the □ Pass
exception of Public E-Authentication exception of Public E-Authentication Initials:
system where the Public E- (PEA) system where the PEA
GE-170 ITSDir02-18 GE AC-11, IA-5 I O □ Failure
Authentication function has been function has been categorized as
categorized as Level 1 or 2 per NIST Level 1 or 2 per NIST SP 800-63, Test Date:
SP 800-63, which may be unlocked which may be unlocked as part of a □ N/A
as part of a self-service function that self-service function that also Comments
also involves resetting the password. involves resetting the password.


Tester Full
Test Pass /
Number Category
Comments
Verify that the system ensures that
The system ensures that user Name:
user passwords expire if not changed
passwords expire if not changed
every sixty (60) days, with the □ Pass
every sixty (60) days, with the
exception of Public E-Authentication Initials:
exception of Public E-Authentication
systems where the Public E-
GE-171 ITSDir02-19 (PEA) systems where the PEA GE IA-2, IA-5 I D □ Failure
Authentication function has been
function has been categorized as Test Date:
categorized as Level 1 or 2 per NIST
Level 1 or 2 per NIST SP 800-63,
SP 800-63, which ensure that user □ N/A
which ensure that user passwords
passwords expire if not changed Comments
expire if not changed annually.
annually.
Name:
Verify that if the following control is □ Pass
If the control is supported by a COTS
supported by a COTS system or the Initials:
system or the system is being custom
system is being custom developed,
GE-172 ITSDir02-20 developed, the system prevents GE IA-5 I D □ Failure
the system prevents passwords with
passwords with consecutive repeated Test Date:
consecutive repeated characters for
characters for user passwords.
user passwords. □ N/A
Comments
Name:
Verify that if the following control is
If the control is supported by a COTS □ Pass
supported by a COTS system or the
system or the system is being custom Initials:
system is being custom developed,
developed, the system prevents the
GE-173 ITSDir02-21 the system prevents the reuse of the GE IA-5 I D □ Failure
reuse of the 11 most recently used
11 most recently used passwords for Test Date:
passwords for a particular user
a particular user account for user
account for user passwords. □ N/A
passwords.
Comments
Name:
Verify that if the following control is If the control is supported by a COTS □ Pass
supported by a COTS system or the system or the system is being custom Initials:
system is being custom developed, developed, the system prevents the
GE-174 ITSDir02-22 GE IA-5 I D □ Failure
the system prevents the user from user from changing his or her
changing his or her password more password more than one time per Test Date:
than one time per day. day. □ N/A
Comments
Name:
Verify that if the following control is □ Pass
If the control is supported by a COTS
supported by a COTS system or the Initials:
system or the system is being custom
system is being custom developed, 7
GE-175 ITSDir02-23 developed, 7 days before the user GE IA-5 I D □ Failure
days before the user password is to
password is to expire the user Test Date:
expire the user receives a warning
receives a warning message.
message. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Initials:
Verify that the system never displays The system never displays
GE-176 ITSDir02-24 GE IA-5, IA-6 I O □ Failure
passwords. passwords.
Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that the system stores The system stores passwords in an
GE-177 ITSDir02-25 GE IA-5 I D □ Failure
passwords in an encrypted form. encrypted form.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the system never The system never transmits Initials:
GE-178 ITSDir02-26 transmits unencrypted passwords unencrypted passwords over the GE IA-5 I D □ Failure
over the network. network. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that vendor supplied default Vendor supplied default passwords
passwords are changed immediately are changed immediately after Initials:
GE-179 ITSDir02-27 after software installation, before the software installation, before the GE IA-2, IA-5 I □ Failure
system is connected to the LC data system is connected to the LC data Test Date:
network. network.
□ N/A
Comments
Name:
□ Pass
Verify that end users do not utilize Initials:
End users do not utilize system
GE-180 ITSDir02-28 system accounts to interact with the GE IA-2 I □ Failure
accounts to interact with the system.
system. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that system passwords are a □ Pass
System passwords are a minimum of
minimum of 20 characters from a Initials:
20 characters from a character set
character set including upper and
GE-181 ITSDir02-29 including upper and lower case GE IA-2 I □ Failure
lower case alphabetic characters,
alphabetic characters, numeric Test Date:
numeric characters and special
characters and special characters.
characters. □ N/A
Comments
Name:
□ Pass
Verify that all SOPs are readily Initials:
All SOPs are readily available to all
GE-182 ITSDir30-3 available to all LC staff via electronic GE MA-3, SC-1 I O □ Failure
LC staff via electronic means.
means. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all SOPs are reviewed on Initials:
All SOPs are reviewed on a yearly
GE-183 ITSDir30-4 a yearly basis and updated if GE MA-3, SC-1 D □ Failure
basis and updated if necessary.
necessary. Test Date:
□ N/A
Comments
Name:
Verify that an up-to-date hard copy An up-to-date hard copy of all SOPs □ Pass
of all SOPs related to information related to information systems Initials:
systems housed at the LC Data housed at the LC Data Center is
GE-184 ITSDir30-5 GE CP-2, SC-1 D □ Failure
Center is located at both the LC Data located at both the LC Data Center
Center and the Alternate Computing and the Alternate Computing Test Date:
Facility. Facility. □ N/A
Comments
Name:
□ Pass
Verify that for mobile computing the For mobile computing the employee Initials:
employee performs all installation performs all installation and SA-7, AC-
GE-185 ITSDir06-15 GE I □ Failure
and configuration of employee- configuration of employee-owned 20
owned equipment. equipment. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that before a new information Before a new information system is Initials:
system is deployed into the deployed into the production
GE-186 ITSDir30-6 GE SA-11, SC-1 D □ Failure
production environment, SOPs are environment, SOPs are developed
developed and tested in the ITS lab. and tested in the ITS lab. Test Date:
□ N/A
Comments
Verify that the Application Project Name:
The Application Project Manager or
Manager or the Collection Custodian □ Pass
the Collection Custodian does supply
does supply ITS with the backup Initials:
ITS with the backup criteria for all
criteria for all data as defined in ITS
GE-187 ITSDir15-7 data as defined in ITS Directive 15, GE CP-1, CP-9 D □ Failure
Directive 15, Backup Directive,
Backup Directive, AppendiX B, Test Date:
AppendiX B, Backup Criteria,
Backup Criteria, regardless of the
regardless of the method of □ N/A
method of submission.
submission. Comments
Name:
□ Pass
Verify that backup requests are
Backup requests are submitted using Initials:
submitted using the Storage
the Storage Allocation Request
GE-188 ITSDir15-8 Allocation Request (SAR) for those GE CP-1, CP-9 D □ Failure
(SAR) for those having access to that
having access to that Remedy Test Date:
Remedy application.
application.
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that new commercial software New commercial software is scanned
GE-189 ITSDir09-10 GE SI-3, AC-19 I D □ Failure
is scanned before it is installed. before it is installed.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that backup requests are Backup requests are submitted using Initials:
GE-190 ITSDir15-9 submitted using e-mail from the e-mail from the Designated Signing GE CP-1, CP-9 I □ Failure
Designated Signing Authority (DSO). Authority (DSO). Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Initials:
Verify that Non-Library equipment is Non-Library equipment is not CA-3, AC-
not connected to the LC Network. connected to the LC Network. 20, SC-7
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all test equipment All test equipment (including Initials:
(including workstations, servers and workstations, servers and network CA-3, AC-1,
network equipment) are connected to equipment) is connected to the LC SC-7
the LC Lab. Lab. Test Date:
□ N/A
Comments
Name:
Verify that network-attached devices, Network-attached devices, especially
□ Pass
especially PCs and servers, are kept PCs and servers, are kept current
current with security-related patches with security-related patches from the Initials:
CA-3, SI-2,
GE-193 ITSDir10-13 from the vendors of the system's vendors of the system's software, GE D □ Failure
SI-3
software, especially of the operating especially of the operating system, Test Date:
system, prior to connecting to the LC prior to connecting to the LC
□ N/A
Network. Network.
Comments
Name:
□ Pass
Verify that network attached devices Network attached devices do not
do not have modems installed or have modems installed or attached, Initials:
GE-194 ITSDir10-14 attached, nor may they use modems nor do they use modems or any other GE SC-1, AC-17 O □ Failure
or any other devices to connect to a devices to connect to a network Test Date:
network outside the Library. outside the Library.
□ N/A
Comments
Name:
□ Pass
Verify that all software installed on Initials:
All software installed on network-
GE-195 ITSDir10-16 network-attached devices is GE SA-6, CM-3 I D O □ Failure
attached devices is approved.
approved. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that individual SOP owners Individual SOP owners are Initials:
are responsible for the development responsible for the development and
and maintenance of individual maintenance of individual assigned
assigned SOP documents. SOP documents. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all production and test Initials:
All production and test servers
servers deployed at the LC are
GE-197 ITSDir12-2 deployed at the LC are physically GE PE-1 I O □ Failure
physically housed in the ITS
housed in the ITS Computer Room. Test Date:
Computer Room.
□ N/A
Comments
Name:
□ Pass
Verify that only administrators have Only administrators have full Initials:
AC-3, AC-
GE-198 ITSDir12-6 full administrative privileges to administrative privileges to servers GE I D O □ Failure
17
servers via remote console access. via remote console access. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that only staff who manage Initials:
Only staff who manage server
server resources have limited access AC-3, AC-
GE-199 ITSDir12-7 resources have limited access rights GE I D O □ Failure
rights to servers via remote console 17
to servers via remote console access. Test Date:
access.
□ N/A
Comments
Name:
□ Pass
Verify that users access servers Initials:
Users access servers through client
through client applications and do not AC-3, AC-
GE-200 ITSDir12-8 applications and do not have direct GE I D O □ Failure
have direct console access for any 17
console access for any reason. Test Date:
reason.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that access to server resources Access to server resources is Initials:
GE-201 ITSDir12-13 is assigned to individual users via assigned to individual users via GE SC-1, AC-3 I D □ Failure
individual user accounts. individual user accounts. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that to obtain access to an To obtain access to an ITS’ server,
ITS’ server, the Service the Service Unit/Enabling Initials:
GE-202 ITSDir12-14 Unit/Enabling Infrastructure does Infrastructure does submit a Service GE SC-1, AC-1 I D □ Failure
submit a Service Request according Request according to procedures Test Date:
to procedures identified by ITS. identified by ITS.
□ N/A
Comments
Verify that access rights or
Access rights or permissions to Name:
permissions to server resources are
server resources are only assigned to
assigned to groups. Verify that users □ Pass
groups. Users are added to groups
are added to groups and groups are Initials:
and groups are assigned permissions.
assigned permissions. Verify that to
GE-203 ITSDir12-18 To update permissions or groups, a GE AC-2, AC-3 I D □ Failure
update permissions or groups, a
Service Request is submitted Test Date:
Service Request is submitted
according to procedures identified by
according to procedures identified by □ N/A
ITS for creation and maintenance of
ITS for creation and maintenance of Comments
groups
groups.
Name:
□ Pass
Verify that when a new user account Initials:
When a new user account is created,
GE-204 ITSDir12-19 is created, a unique password is GE AC-2, IA-5 I D □ Failure
a unique password is assigned.
assigned. Test Date:
□ N/A
Comments
Name:
Verify that prior to the deployment of Prior to the deployment of the
□ Pass
the production version of the hosted production version of the hosted
application, ITS and the sponsor application, ITS and the sponsor Initials:
GE-205 ITSDir12-22 organization do agree upon service organization do agree upon service GE CA-3, MA-1 I D □ Failure
requirements and maintenance requirements and maintenance Test Date:
support, signing a Memorandum of support, signing a Memorandum of
□ N/A
Understanding (MOU). Understanding (MOU).
Comments

4.3 Hosted Application (HA) Test Case
Figure 9 – Hosted Application (HA) Test Case

Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
CM-1, CM- Initials:
Verify that access to all program Access to all program libraries are 2, CM-5,
HA-1 ITSDir01-253 HA D □ Failure
libraries are restricted and controlled. restricted and controlled. MP-2, AC-2,
AC-3 Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the Program libraries are The Program libraries are contained Initials:
contained in versioning control in versioning control systems MA-1, MA-
systems accessible only by users with accessible only by users with the 5, MP-2
the proper access rights. proper access rights. Test Date:
□ N/A
Comments
Name:
Verify that reconciliation routines □ Pass
Reconciliation routines such as
such as checksums, hash totals, and Initials:
checksums, hash totals, and record
record counts are used by
HA-3 ITSDir01-283 counts are used by applications HA SI-3, SI-7 D □ Failure
applications (when called for by the
(when called for by the sensitivity of Test Date:
sensitivity of the data) to verify data
the data) to verify data integrity.
integrity. □ N/A
Comments
Name:
Verify that publicly accessible Publicly accessible system resources
□ Pass
system resources reside in the LC reside in the LC DMZ and are either
DMZ and are either read-only read-only resources that cannot be Initials:
HA-4 ITSDir01-353 resources that cannot be altered or altered or brokered by an HA, OA SC-9, SC-14 D □ Failure
brokered by an intermediate service, intermediate service, which resides Test Date:
which resides on a system that does on a system that does not directly
□ N/A
not directly contain the data. contain the data.
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that network connections Network connections automatically Initials:
automatically disconnect at the end disconnect at the end of the session SC-10, AC-
of the session and all authentication and all authentication tokens are 12, AC-17
tokens are destroyed. destroyed. Test Date:
□ N/A
Comments
Name:
Verify that LC and LC-owned □ Pass
LC and LC-owned "common off-the-
"common off-the-shelf" (COTS) web Initials:
shelf" (COTS) web applications
applications advise the user to close
HA-6 ITSDir01-374 advise the user to close the browser HA AC-8, SC-4 D □ Failure
the browser session to remove any
session to remove any session tokens Test Date:
session tokens in memory on the
in memory on the client system.
client system. □ N/A
Comments
Name:
Verify that the system deletes any The system deletes any local □ Pass
local authentication data specific to a authentication data specific to a Initials:
particular application session and particular application session and IA-4, IA-5,
HA-7 ITSDir01-376 HA, OA D □ Failure
explicitly closes application specific explicitly closes application specific IA-7, SC-4
network connections as part of the network connections as part of the Test Date:
application termination process. application termination process. □ N/A
Comments
Name:
Verify that the system explicitly
The system explicitly prevents the □ Pass
prevents the use of stale
use of stale authentication tokens Initials:
authentication tokens (i.e., the
(i.e., the timeout of a network IA-2, IA-5,
HA-8 ITSDir01-377 timeout of a network connection is HA, OA D □ Failure
connection is not an acceptable IA-7, SC-4
not an acceptable method of Test Date:
method of terminating application
terminating application specific
specific network connections.) □ N/A
network connections.)
Comments
Name:
□ Pass
Verify that either write-only devices Either write-only devices or logging
or logging systems that act as de- systems that act as de-facto write- Initials:
HA, OA, IG, AU-9, AU-
HA-9 ITSDir01-393 facto write-only systems are used to only systems are used to collect and D □ Failure
HE 11
collect and maintain logs from LC IT maintain logs from LC IT systems Test Date:
systems residing on the LC DMZ. residing on the LC DMZ.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that audit trails for database Audit trails for database applications
applications include: who accessed include: who accessed the database, Initials:
HA-10 ITSDir01-397 the database, what database was what database was accessed, which HA, HE AU-3 D □ Failure
accessed, which records were records were accessed, changed or Test Date:
accessed, changed or deleted. deleted.
□ N/A
Comments
Name:
□ Pass
Verify that all removable media and
All removable media and devices Initials:
devices brought in to the Library by MP-5, PE-
brought in to the Library by field IG, HA, HE,
HA-11 ITSDir09-12 field engineers or support personnel 16, SI-1, SI- I D □ Failure
engineers or support personnel are OA
are scanned before they are used on 3 Test Date:
scanned before they are used on site.
site.
□ N/A
Comments
Verify that in order to utilize ITS In order to utilize ITS server Name:
server resources, Service resources, Service Unit/Enabling
□ Pass
Unit/Enabling Infrastructures do Infrastructures do submit a request,
submit a request, via the Sponsor, via the Sponsor, including the Initials:
HA-12 ITSDir12-12 including the Sponsor’s organization, Sponsor’s organization, the name of HA MA-1, SC-1 I D □ Failure
the name of the Sponsor, and the the Sponsor, and the name of the Test Date:
name of the individual with sufficient individual with sufficient technical
□ N/A
technical skills to act as technical skills to act as technical liaison
liaison between ITS and the Sponsor. between ITS and the Sponsor. Comments
Name:
Verify that Service Unit/Enabling Service Unit/Enabling □ Pass
Infrastructures do administer access Infrastructures do administer access Initials:
to hosted applications depending on to hosted applications depending on CA-3, SC-1,
HA-13 ITSDir12-15 HA I D □ Failure
the Memorandum of Understanding the Memorandum of Understanding AC-1
(MOU) between the Service (MOU) between the Service Test Date:
Unit/Enabling Infrastructure and ITS. Unit/Enabling Infrastructure and ITS. □ N/A
Comments
Name:
□ Pass
Verify that Windows enterprise and Windows enterprise and Initials:
departmental servers used for departmental servers used for
HA-14 ITSDir12-4 HA, IG SC-3, SC-7 I D O □ Failure
Intranet/Internet applications are not Intranet/Internet applications are not
part of the LIB Active Directory. part of the LIB Active Directory. Test Date:
□ N/A
Comments

4.4 Hosting Environment (HE) Test Case
Figure 10 – Hosting Environment (HE) Test Case

Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the system and any The system and any associated
associated storage media are disposed storage media are disposed of or Initials:
CA-4, CA-5,
HE-1 ITSDir01-158 of or archived in a manner that archived in a manner that ensures HE D □ Failure
MP-7
ensures sensitive but unclassified sensitive but unclassified data is not Test Date:
data is not compromised. compromised.
□ N/A
Comments
Name:
□ Pass
Verify that Service and Enabling Service and Enabling Infrastructure
Infrastructure Units comply with the Units comply with the directives PE-1, PE-6, Initials:
HE-2 ITSDir01-187 directives issued by the Office of issued by the Office of Security for HE, OA, IG PE-14, PE- D □ Failure
Security for the physical security of the physical security of tangible IT 15, PE-9 Test Date:
tangible IT assets. assets.
□ N/A
Comments
Name:
Verify that LC IT systems and LC IT systems and tangible assets are □ Pass
tangible assets are monitored and monitored and environmentally Initials:
environmentally protected against protected against temperature,
HE-3 ITSDir01-188 HE, OA, IG PE-1, PE-3 D □ Failure
temperature, humidity, water, smoke, humidity, water, smoke, etc. and
etc. and against damage caused by against damage caused by Test Date:
fluctuations in electric power. fluctuations in electric power. □ N/A
Comments
Verify that access to facilities where Access to facilities where servers or Name:
servers or major network major network infrastructure (routers,
□ Pass
infrastructure (routers, WAN access WAN access points, entrance
points, entrance facilities, Internet facilities, Internet connection, etc) are Initials:
HE-4 ITSDir01-189 connection, etc) are located are located are controlled through the use HE, OA, IG PE-2, PE-3 D □ Failure
controlled through the use of unique of unique key locks, guards, Test Date:
key locks, guards, identification identification badges, or entry
□ N/A
badges, or entry devices such as key devices such as key cards or
cards or biometrics. biometrics. Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that management periodically Management periodically reviews the
reviews the list of all personnel with list of all personnel with physical Initials:
HE-5 ITSDir01-190 physical access to sensitive facilities, access to sensitive facilities, HE, OA, IG PE-2, PE-3 D □ Failure
removing access if it is no longer removing access if it is no longer Test Date:
warranted. warranted.
□ N/A
Comments
Name:
□ Pass
Verify that access to the tape/media Access to the tape/media library is Initials:
PE-1, PE-3,
HE-6 ITSDir01-191 library is controlled by use of locks, controlled by use of locks, keys, or HE, OA, IG D □ Failure
PE-2, MP-4
keys, or other access devices. other access devices. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that emergency exits and re- Emergency exits and re-entry
entry procedures ensure that only procedures ensure that only Initials:
HE-7 ITSDir01-192 authorized personnel are allowed to authorized personnel are allowed to HE, OA, IG PE-7 D □ Failure
re-enter after fire drills or other re-enter after fire drills or other Test Date:
emergency evacuations. emergency evacuations.
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that visitors to sensitive areas Visitors to sensitive areas are
HE-8 ITSDir01-193 HE, OA, IG PE-7 D □ Failure
are escorted. escorted.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that visitors entering sensitive Visitors entering sensitive areas signs
areas signs in to a log containing, at a in to a log containing, at a minimum, Initials:
HE-9 ITSDir01-194 minimum, the date, time (entry and the date, time (entry and exit), full HE, OA, IG PE-7, PE-8 D □ Failure
exit), full name of visitor, full name name of visitor, full name of escort, Test Date:
of escort, and reason for access. and reason for access.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Initials:
Verify that upon exiting the sensitive Upon exiting the sensitive area, PE-1, PE-3,
HE-10 ITSDir01-195 HE, OA, IG D □ Failure
area, visitor signs out. visitor signs out. PE-8
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that entry codes are changed Entry codes are changed periodically Initials:
periodically to ensure that the entry to ensure that the entry codes have
codes have not fallen into the hands not fallen into the hands of
of unauthorized personnel. unauthorized personnel. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that physical accesses to Initials:
Physical accesses to sensitive areas PE-6, PE-3,
HE-12 ITSDir01-197 sensitive areas are monitored through HE, OA, IG D □ Failure
are monitored through audit trails. IR-4, IR-6
audit trails. Test Date:
□ N/A
Comments
Name:
□ Pass
activity is reported, investigated, and reported, investigated, and the PE-1, PE-7,
the appropriate actions taken to appropriate actions taken to resolve IR-4, IR-6
resolve the incident. the incident. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that visitors, contractors, and Visitors, contractors, and
maintenance personnel are maintenance personnel are Initials:
HE-14 ITSDir01-199 authenticated through the use of pre- authenticated through the use of pre- HE, OA, IG PE-7, PE-13 D □ Failure
planned appointments and planned appointments and Test Date:
identification checks. identification checks.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that appropriate fire
Appropriate fire suppression and □ Pass
suppression and prevention devices
prevention devices are installed and Initials:
are installed and working in all
working in all facilities to reduce fire
HE-15 ITSDir01-200 facilities to reduce fire damage, HE, OA, IG PE-1, PE-13 D □ Failure
damage, protect the lives of building
protect the lives of building Test Date:
occupants, and to limit the fire
damage to the building itself. □ N/A
damage to the building itself.
Comments
Name:
Verify that documented procedures to Documented procedures to □ Pass
periodically review fire ignition periodically review fire ignition Initials:
PE-1, PE-13,
sources, such as failures of electronic sources, such as failures of electronic
HE-16 ITSDir01-201 HE, OA, IG PE-11, PE- D □ Failure
devices or wiring, improper storage devices or wiring, improper storage
15, PE-12 Test Date:
materials, and the possibility of arson materials, and the possibility of arson
are in place. are in place. □ N/A
Comments
Verify that the following The following
Physical/Environmental controls are Physical/Environmental controls are
in place for a facility or computer in place for a facility or computer
room: automatic sprinklers, zoned room: automatic sprinklers, zoned Name:
dry pipe sprinkler system, smoke, dry pipe sprinkler system, smoke,
□ Pass
water, and heat detectors, fire water, and heat detectors, fire
extinguishers rated for electrical extinguishers rated for electrical Initials:
PE-1, PE-13,
HE-17 ITSDir01-202 fires, B/C rated fire extinguisher, fires, B/C rated fire extinguisher, HE, OA, IG D □ Failure
PE-14
power strips/suppressors for power strips/suppressors for Test Date:
computers and peripherals, computers and peripherals,
□ N/A
emergency power-off switch by exit emergency power-off switch by exit
door, emergency lighting in computer door, emergency lighting in computer Comments
room and anhydrous fire suppression room and anhydrous fire suppression
systems (when necessary and systems (when necessary and
merited). merited).
Name:
□ Pass
Verify that heating and air- Heating and air-conditioning systems Initials:
HE-18 ITSDir01-203 conditioning systems are subject to are subject to routine scheduled HE, OA, IG PE-1, PE-14 D □ Failure
routine scheduled maintenance. maintenance. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Initials:
Verify that computer rooms have a Computer rooms have a redundant
HE-19 ITSDir01-204 HE, OA, IG PE-14 D □ Failure
redundant air-cooling system air-cooling system
Test Date:
□ N/A
Comments
Name:
Verify that both the primary and Both the primary and alternate air- □ Pass
alternate air-cooling systems in cooling systems in computer rooms Initials:
computer rooms are supplied through are supplied through diverse and
diverse and separate power sources in separate power sources in the event
the event that the primary power that the primary power source is Test Date:
source is interrupted. interrupted. □ N/A
Comments
Name:
□ Pass
Verify that documented procedures to Documented procedures to
periodically review electric power periodically review electric power Initials:
HE-21 ITSDir01-206 distribution, heating plants, water, distribution, heating plants, water, HE, OA, IG PE-1, PE-15 D □ Failure
sewage, and other utilities for risk of sewage, and other utilities for risk of Test Date:
failure are in place. failure are in place.
□ N/A
Comments
Name:
□ Pass
Verify that building plumbing line Building plumbing line locations in Initials:
locations in computer rooms are computer rooms are identified and PE-11, PE-
identified and shall not endanger will not endanger systems if a failure 15
systems if a failure occurs. occurs. Test Date:
□ N/A
Comments
Name:
Verify that computer rooms have an Computer rooms have an □ Pass
uninterruptible power supply (UPS) uninterruptible power supply (UPS) Initials:
or backup generator sufficient to or backup generator sufficient to PE-2, PE-3,
ensure orderly shutdown of ensure orderly shutdown of PE-5, PE-11
equipment in the event of a power equipment in the event of a power Test Date:
failure. failure. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that computer monitors and Computer monitors and terminals are Initials:
HE-24 ITSDir01-209 terminals are located to eliminate located to eliminate viewing by HE, OA, IG PE-5, AC-19 D □ Failure
viewing by unauthorized personnel. unauthorized personnel. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that personal property Personal property controls, and
controls, and reporting of property reporting of property theft/loss are Initials:
HE-25 ITSDir01-213 theft/loss are managed according to managed according to LCR 1815-1, HE, OA, IG MP-3, PE-1 D □ Failure
LCR 1815-1, Reporting Missing or Reporting Missing or Stolen Library Test Date:
Stolen Library Property. Property.
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that audit trails are kept for Audit trails are kept for inventory HE, OA, IG, MP-1, MP-
HE-26 ITSDir01-222 D □ Failure
inventory management of media. management of media. ME 4, MP-5
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that deposits and withdrawals Deposits and withdrawals of tapes
of tapes and other storage media from and other storage media from the Initials:
HE, OA, IG, MP-1, MP-
HE-27 ITSDir01-223 the media library are authorized and media library are authorized and D □ Failure
ME 2, MP-4
logged to control and prevent logged to control and prevent Test Date:
unauthorized access to information. unauthorized access to information.
□ N/A
Comments
Name:
□ Pass
Verify that media are inventoried Media are inventoried yearly and/or Initials:
HE, OA, IG,
HE-28 ITSDir01-224 yearly and/or if any item is missing if any item is missing or in question MP-4 D □ Failure
ME
or in question in any way. in any way. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that each media inventory is
Each media inventory is recorded and Initials:
recorded and stored as an audit trail
stored as an audit trail for possible HE, OA, IG, MP-4, MP-
HE-29 ITSDir01-225 for possible future use or D □ Failure
future use or examination and ME 6, MP-7
examination and maintained in a Test Date:
maintained in a secure location.
secure location.
□ N/A
Comments
Name:
Verify that whether external or
Whether external or internal to a □ Pass
internal to a computer system, media
computer system, media such as hard Initials:
such as hard drives or disks are
drives or disks are properly sanitized HE, OA, IG,
HE-30 ITSDir01-226 properly sanitized before being re- MP-6, MP-7 D □ Failure
before being re-used or disposed, ME
used or disposed, including faulty Test Date:
including faulty media that may
media that may contain LC data (e.g.
contain LC data (e.g. bad tapes). □ N/A
bad tapes).
Comments
Name:
Verify that audit trails are kept
Audit trails are kept concerning all □ Pass
concerning all disposal, destruction
disposal, destruction and sanitization Initials:
and sanitization actions, including
actions, including date of action, HE, OA, IG, CP-1, CP-2,
HE-31 ITSDir01-227 date of action, personnel performing D □ Failure
personnel performing action and ME MP-7
action and item/data description of Test Date:
item/data description of item being
item being disposed of, destroyed or
disposed of, destroyed or sanitized. □ N/A
sanitized.
Comments
Name:
Verify that the alternate data
The alternate data processing site □ Pass
processing site contract or MOU with
contract or MOU with the Initials:
the organization managing the
organization managing the alternate
HE-32 ITSDir01-239 alternate site is in place, including HE, OA, IG CP-7 I □ Failure
site is in place, including detailed
detailed responsibilities for each Test Date:
responsibilities for each party with
party with regards to the contingency
regards to the contingency plan. □ N/A
plan.
Comments
Name:
□ Pass
The alternate data processing site Initials:
processing site MOUs be reviewed at
MOUs be reviewed at a minimum of CP-6, CP-7,
HE-33 ITSDir01-240 a minimum of once per year and HE, OA, IG I □ Failure
once per year and additionally when CP-9
additionally when critical functions Test Date:
critical functions change.
change.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that backup files are created Backup files are created on a
on a prescribed frequency and rotated prescribed frequency and rotated to a Initials:
HE-34 ITSDir01-241 to a documented off-site location, documented off-site location, such HE, OA, IG CP-6, CP-9 D □ Failure
such that disruption is avoided if that disruption is avoided if current Test Date:
current on-site files are damaged. on-site files are damaged.
□ N/A
Comments
Name:
Verify that critical data files are Critical data files are identified in the □ Pass
identified in the documentation and documentation and backed up at least Initials:
backed up at least once a day and once a day and stored at a secured CP-1, CP-6,
stored at a secured off-site location or off-site location or in an Cp-9
in an appropriately selected fire-rated appropriately selected fire-rated Test Date:
media container. media container. □ N/A
Comments
Name:
□ Pass
Initials:
Verify that the backup procedures are The backup procedures are
HE-36 ITSDir01-243 HE, OA, IG CP-2, CP-9 D □ Failure
documented. documented.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all system defaults are All system defaults are reset to Initials:
CP-2, CP-4,
HE-37 ITSDir01-246 reset to normal (secured) operating normal (secured) operating settings HE, OA, IG I □ Failure
CP-10
settings after restoring from backup. after restoring from backup. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that after rebuilding a system, After rebuilding a system, the Initials:
the Security Acceptance Test (the Security Acceptance Test (the
HE-38 ITSDir01-247 HE, OA, IG CP-6, SI-6 I □ Failure
technical test cases of the ST&E) is technical test cases of the ST&E) is
performed successfully. performed successfully. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that the backup storage site
The backup storage site and alternate □ Pass
and alternate site are physically
site are physically protected and Initials:
protected and geographically
geographically removed from the
HE-39 ITSDir01-248 removed from the primary site, such HE, OA, IG CP-2, CP-7 I □ Failure
primary site, such that these three
that these three sites will not be Test Date:
sites will not be affected by the same
affected by the same contingency
contingency event. □ N/A
event.
Comments
Name:
□ Pass
Verify that documented restrictions
Documented restrictions are Initials:
are established dictating who
established dictating who performs
HE-40 ITSDir01-251 performs maintenance and repair HE, OA, IG MA-5, PE-7 D □ Failure
maintenance and repair activities on
activities on system hardware and Test Date:
system hardware and software.
software.
□ N/A
Comments
Name:
□ Pass
Verify that maintenance personnel Maintenance personnel not cleared Initials:
PE-2, PE-3,
HE-41 ITSDir01-252 not cleared for unescorted access are for unescorted access are escorted at HE, OA, IG I □ Failure
PE-7
escorted at all times. all times. Test Date:
□ N/A
Comments
Verify that maintenance procedures Maintenance procedures include the Name:
include the escort of maintenance escort of maintenance personnel, □ Pass
personnel, sanitization of devices sanitization of devices removed from Initials:
removed from a site, disabling of a site, disabling of vendor
HE-42 ITSDir01-257 HE, OA, IG MA-1, SC-1 D □ Failure
vendor maintenance accounts, maintenance accounts, authentication
authentication of remote maintenance of remote maintenance personnel, Test Date:
personnel, and the use of system and the use of system diagnostic □ N/A
diagnostic ports. ports. Comments
Name:
□ Pass
Verify that operating System and Operating System and application Initials:
application patches are current and patches are current and updated
HE-43 ITSDir01-259 HE, OA, IG SI-2 D □ Failure
updated promptly according to a promptly according to a documented
documented procedure. procedure. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that documented procedures Documented procedures are Initials:
are established and maintained established and maintained CM-1, CM-
concerning using and monitoring the concerning using and monitoring the 3, AC-13
use of system utilities. use of system utilities. Test Date:
□ N/A
Comments
Name:
Verify that virus detection and □ Pass
Virus detection and elimination
elimination software is installed (on Initials:
software is installed (on all systems SA-7, SI-3,
all systems where virus detection HE, RC,
HE-45 ITSDir01-280 where virus detection software is SI-4, AC-19, D □ Failure
software is available) and the virus WC, OA
available) and the virus signature AC-20 Test Date:
signature files shall be routinely
files will be routinely updated.
updated. □ N/A
Comments
Name:
□ Pass
Verify that virus scans are run SI-3, SI-4, Initials:
Virus scans are run automatically and
HE-46 ITSDir01-282 automatically and keep a record of HE, OA, IG AC-19, AC- D □ Failure
keep a record of any viruses found.
any viruses found. 20 Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that when called for by the When called for by the sensitivity of Initials:
sensitivity of the data, host-based the data, host-based intrusion
HE-47 ITSDir01-287 IG, HE SI-4 D □ Failure
intrusion detection systems (HIDS) detection systems (HIDS) are used in
are used in addition to NIDS. addition to NIDS. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that system performance System performance monitoring is
monitoring is used to analyze system used to analyze system performance
performance logs (i.e. remaining logs (i.e. remaining capacity on root
capacity on root file system; network, file system; network, CPU, and Name:
CPU, and memory utilization; total memory utilization; total processes □ Pass
processes running) in real time (or running) in real time (or near real- Initials:
near real-time) to look for availability time) to look for availability SA-9, IR-6,
HE-48 ITSDir01-291 HE, IG D □ Failure
problems, including active attacks problems, including active attacks AU-2, AU-3
and system slowdowns and crashes. and system slowdowns and crashes. Test Date:
Near real-time is defined as: within Near real-time is defined as: within □ N/A
24 hours at the low assurance level, 24 hours at the low assurance level, Comments
within 12 hours at the moderate within 12 hours at the moderate
assurance level, within 4 hours at the assurance level, within 4 hours at the
high assurance level. high assurance level.
Name:
Verify that the systems physically or □ Pass
The systems physically or logically
logically separate user interface Initials:
separate user interface services (e.g.,
services (e.g., public web pages) CM-7, AC-
HE-49 ITSDir01-295 public web pages) from information HE, OA D □ Failure
from information storage and 4, AC-14
storage and management services Test Date:
management services (e.g., database
(e.g., database management).
management). □ N/A
Comments
Name:
□ Pass
Verify that the Users and System The Users and System Initials:
Administrators are trained on the use Administrators are trained on the use AT-2, SI-3,
HE-50 ITSDir01-308 HE, OA, IG I □ Failure
of the particular virus detection and of the particular virus detection and SI-4
elimination software that is installed. elimination software that is installed. Test Date:
□ N/A
Comments
Name:
Verify that the mandatory (operating
The mandatory (operating system) □ Pass
system) generic accounts, such as
generic accounts, such as 'root' or Initials:
'root' or 'administrator' are renamed
'administrator' are renamed whenever
HE-51 ITSDir01-340 whenever possible and only be HE, OA, IG AC-2, IA-4 D □ Failure
possible and only be accessed from a
accessed from a current valid logon Test Date:
current valid logon that provides an
that provides an audit path with
audit path with explicit user identity. □ N/A
explicit user identity.
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that where direct login to Where direct login to mandatory Initials:
mandatory generic accounts is generic accounts is necessary, access
HE-52 ITSDir01-341 HE, OA, IG AC-3, IA-4 D □ Failure
necessary, access is restricted to the is restricted to the system's local
system's local console. console. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that modems are not attached Modems are not attached or installed Initials:
CM-2, AC-
HE-53 ITSDir01-357 or installed on the system if it is on the system if it is connected to the HE, OA, IG D □ Failure
17, SC-7
connected to the LC Data Network. LC Data Network. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the Data Base The Data Base Management Systems Initials:
Management Systems are capable of are capable of restricting information SA-8, SA-
HE-54 ITSDir01-366 HE D □ Failure
restricting information access at the access at the logical view or field 11, AC-3
logical view or field level. level. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that trust relationships are not Trust relationships are not utilized Initials:
HE-55 ITSDir01-378 utilized between LC systems and between LC systems and external HE CA-3, IA-5 D □ Failure
external entities. entities. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that trust relationships are not Trust relationships are not utilized Initials:
utilized between LC systems on the between LC systems on the LC DMZ
HE-56 ITSDir01-379 HE CA-3, AC-3 D □ Failure
LC DMZ and LC systems on the LC and LC systems on the LC Internal
Internal Data Network. Data Network. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that trust relationships are not
Trust relationships are not utilized Initials:
utilized between LC systems
between LC systems intended for
HE-57 ITSDir01-380 intended for public access and LC HE CA-3, AC-3 D □ Failure
public access and LC systems on the
systems on the LC Internal Data Test Date:
LC Internal Data Network.
Network.
□ N/A
Comments
Name:
□ Pass
Verify that the system is configured Initials:
The system is configured to limit CM-2, CM-
to limit Denial of Service attacks, if
HE-58 ITSDir01-383 Denial of Service attacks, if the HE, OA, IG 6, IR-4, SC- D □ Failure
the system provides this
system provides this functionality. 5 Test Date:
functionality.
□ N/A
Comments
Name:
□ Pass
HE-59 ITSDir01-393 facto write-only systems are used to only systems are used to collect and D □ Failure
HE 11
□ N/A
Comments
Name:
□ Pass
Verify that audit trails for e-mail Audit trails for e-mail applications
applications include: e-mail sender, include: e-mail sender, e-mail Initials:
HE-60 ITSDir01-396 e-mail recipient(s), the size of the recipient(s), the size of the message, OA, HE AU-3, AU-8 D □ Failure
message, and the size and name of and the size and name of any Test Date:
any attachment. attachment.
□ N/A
Comments
Name:
□ Pass
Verify that audit trails for database Audit trails for database applications
applications include: who accessed include: who accessed the database, Initials:
HE-61 ITSDir01-397 the database, what database was what database was accessed, which HA, HE AU-3 D □ Failure
accessed, which records were records were accessed, changed or Test Date:
accessed, changed or deleted. deleted.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that ISSOs ensure that storage ISSOs ensure that storage media is Initials:
HE-62 ITSDir01-68 media is properly purged of data or properly purged of data or HE, OA, IG MP-6, MP-7 D □ Failure
information prior to public release. information prior to public release. Test Date:
□ N/A
Comments
Name:
Verify that all LC computers (clients All LC computers (clients and
□ Pass
and servers), whether stand-alone or servers), whether stand-alone or
connected to the LC computer connected to the LC computer Initials:
HE-63 ITSDir09-1 network or networked resources, network or networked resources, HE, OA, IG SI-3 I D O □ Failure
have the LC enterprise standard, ITS have the LC enterprise standard, ITS Test Date:
supported anti-virus software supported anti-virus software
□ N/A
installed. installed.
Comments
Name:
□ Pass
HE-64 ITSDir09-12 field engineers or support personnel 16, SI-1, SI- I D □ Failure
site.
□ N/A
Comments
Name:
□ Pass
Verify that the anti-virus software is The anti-virus software is installed
installed and configured per ITS’ and configured per ITS’ Initials:
HE, OA, IG,
HE-65 ITSDir09-2 configuration parameters. Anti-virus configuration parameters. Anti-virus CM-3, SI-3 I D □ Failure
WC, RC
configuration parameters are configuration parameters are Test Date:
obtained from ITS. obtained from ITS.
□ N/A
Comments
Name:
□ Pass
Verify that mail servers are
Mail servers are configured with anti- Initials:
configured with anti-virus software
virus software that scans all incoming
HE-66 ITSDir09-4 that scans all incoming and outgoing OA, HE SI-3 I D □ Failure
and outgoing electronic mail and
electronic mail and blocks infected Test Date:
blocks infected attachments.
attachments.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that all LC computers (clients All LC computers (clients and Initials:
and servers) are periodically scanned servers) are periodically scanned to
HE-67 ITSDir09-6 HE, OA, IG SI-3 I D □ Failure
to detect infections and to identify detect infections and to identify
threats and patterns. threats and patterns. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all new systems have
All new systems have anti-virus Initials:
anti-virus software installed and
software installed and configured per
HE-68 ITSDir09-9 configured per ITS guidance HE, OA, IG SI-3 I D O □ Failure
ITS guidance operation prior to their
operation prior to their connection to Test Date:
connection to the LC network
the LC network
□ N/A
Comments
Name:
□ Pass
Verify that all servers use reserved IP Initials:
All servers use reserved IP addresses
addresses allocated by DHCP or CA-3, SC-1,
HE-69 ITSDir10-11 allocated by DHCP or static IP HE I D □ Failure
static IP addresses configured on the IA-3
addresses configured on the server. Test Date:
server.
□ N/A
Comments
Name:
Verify that only the LC Data Only the LC Data Network is used to □ Pass
Network is used to interconnect interconnect Library-owned Initials:
Library-owned computers and related computers and related equipment, CA-3, AC-1,
HE-70 ITSDir10-2 HE, OA D □ Failure
equipment, with the exception of with the exception of mobile SC-7
mobile computing clients (see the computing clients (see the Mobile Test Date:
Mobile Computing directive). Computing directive). □ N/A
Comments
Name:
□ Pass
Verify that devices attached to the Devices are attached to the Library Initials:
CA-3, AC-1,
HE-71 ITSDir10-5 Library network use the Ethernet network using the Ethernet protocol HE, OA I D □ Failure
IA-3
protocol and interfaces. and interfaces. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that ITS personnel or their Initials:
ITS personnel or their designated
designated representatives perform CA-3, AC-1,
HE-72 ITSDir10-6 representatives perform attachment HE, OA I □ Failure
attachment of all devices to the IA-1, IA-3
of all devices to the network. Test Date:
network.
□ N/A
Comments
Name:
□ Pass
Verify that token-ring interfaces are Token-ring interfaces are required in Initials:
CA-3, AC-1,
HE-73 ITSDir10-7 required in parts of the Library where parts of the Library where token-ring HE, OA I □ Failure
IA-3
token-ring networks are installed. networks are installed.. Test Date:
□ N/A
Comments
Verify that network-connected Network-connected devices do not Name:
devices do not transmit data that transmit data that could disrupt □ Pass
could disrupt normal network normal network operation, including, Initials:
operation, including, but not limited but not limited to: running routing HE, OA, IG, CA-3, CM-
HE-74 ITSDir10-8 I D □ Failure
to: running routing protocols that protocols that advertise IP routes, WC, RC 6, SC-8
advertise IP routes, running BOOTP, running BOOTP, RARP, or DHCP Test Date:
RARP, or DHCP servers, or flooding servers, or flooding the network with □ N/A
the network with traffic. traffic. Comments
Name:
□ Pass
Verify that ITS provides cross ITS provides cross platform support Initials:
platform support including Unix including Unix (AIX, Solaris),
HE-75 ITSDir12-1 HE MA-2, SC-1 I D □ Failure
(AIX, Solaris), Windows NT/2000 Windows NT/2000 and OS/390 daily
and OS/390 daily operations. operations. Test Date:
□ N/A
Comments
Verify that ITS has disaster recovery ITS has disaster recovery procedures Name:
procedures in place which include in place which include hardware □ Pass
hardware RAID, mirrored or RAID, mirrored or clustered servers, Initials:
CP-2, CP-
clustered servers, Uninterruptible Uninterruptible Power Supplies
HE-76 ITSDir12-10 HE, OA, IG 10, PE-11, I D O T □ Failure
Power Supplies (UPSs), backup (UPSs), backup generators, an
PE-17 Test Date:
generators, an enterprise backup and enterprise backup and recovery
recovery system, and an Alternate system, and an Alternate Computing □ N/A
Computing Facility. Facility. Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that server operating system Server operating system and security □ Pass
and security updates are completed in updates are completed in a timely Initials:
a timely manner; and that utilities are manner; and that utilities are installed CA-7, SI-2,
HE-77 ITSDir12-11 HE, OA, GI I D □ Failure
installed to assist administrators with to assist administrators with the SI-3, SC-1
the monitoring and management of monitoring and management of Test Date:
server resources. server resources. □ N/A
Comments
Name:
□ Pass
Verify that ITS provide a complete ITS provide a complete server Initials:
server backup and recovery system to backup and recovery system to
HE-78 ITSDir12-25 HE, OA, IG CP-9, CP-10 I D O T □ Failure
prevent the loss of data from server prevent the loss of data from server
resources. resources. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that only staff who operate or
Only staff who operate or administer Initials:
administer the servers, or staff who
the servers, or staff who manage the
HE-79 ITSDir12-5 manage the ITS Computer Room HE, OA, IG PE-3 I D □ Failure
ITS Computer Room have access to
have access to the ITS Computer Test Date:
the ITS Computer Room.
Room.
□ N/A
Comments
Name:
□ Pass
Verify that services are available Initials:
Services are available online 24/7
online 24/7 except for periods of
HE-80 ITSDir12-9 except for periods of maintenance, HE MA-2, SC-1 I D □ Failure
maintenance, which are announced in
which are announced in advance. Test Date:
advance.
□ N/A
Comments
Name:
□ Pass
Verify that a full backup is performed A full backup is performed on all Initials:
on all Enterprise Servers and their Enterprise Servers and their
HE-81 ITSDir15-1 HE, OA, IG CP-9 I D □ Failure
associated storage resources weekly associated storage resources weekly
at a minimum. at a minimum. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that an incremental or
An incremental or differential backup Initials:
differential backup is performed on
is performed on all Enterprise
HE-82 ITSDir15-2 all Enterprise Servers and their HE, OA, IG CP-9 I D □ Failure
Servers and their associated storage
associated storage resources nightly Test Date:
resources nightly at a minimum.
at a minimum.
□ N/A
Comments
Name:
□ Pass
Verify that weekly full backup tapes Initials:
Weekly full backup tapes are rotated
HE-83 ITSDir15-3 are rotated to an offsite vaulting HE, OA, IG CP-6 I D □ Failure
to an offsite vaulting service.
service. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that, unless otherwise Unless otherwise requested, weekly Initials:
requested, weekly backup tapes are backup tapes are only retained for 90
HE-84 ITSDir15-4 HE, OA, IG CP-1, CP-9 I D □ Failure
only retained for 90 days, including days, including those at the offsite
those at the offsite vaulting service. vaulting service. Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that faulty backup media is Faulty backup media is destroyed
HE-85 ITSDir15-5 HE, OA, IG MP-7 I D □ Failure
destroyed before disposal. before disposal.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that, unless otherwise Unless otherwise requested, daily Initials:
HE-86 ITSDir15-6 requested, daily backup tapes are backup tapes are only retained for 1 HE, OA, IG CP-1, CP-9 I □ Failure
only retained for 1 week. week. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the Director of ITS or Initials:
The Director of ITS or designate does
HE-87 ITSDir30-7 designate does identify and specify HE, OA, IG MA-3, SC-1 I D □ Failure
identify and specify LC SOP owners.
LC SOP owners. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the Director of ITS or The Director of ITS or designate does Initials:
HE-88 ITSDir30-8 designate does ensure that LC SOP ensure that LC SOP documents HE, OA, IG MA-3, SC-1 I □ Failure
documents accomplish their purpose accomplish their purpose Test Date:
□ N/A
Comments
Name:
□ Pass
HE-89 ITSDir30-9 designate does approve all SOP HE, OA, IG MA-3, SC-1 I D □ Failure
approve all SOP documents.
documents. Test Date:
□ N/A
Comments

4.5 Infrastructure General (IG) Support System Test Case
Figure 11 – Infrastructure General (IG) Support System Test Case

Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
IG-1 ITSDir01-187 directives issued by the Office of issued by the Office of Security for HE, OA, IG PE-14, PE- D □ Failure
□ N/A
Comments
Name:
IG-2 ITSDir01-188 HE, OA, IG PE-1, PE-3 D □ Failure
Comments
□ Pass
IG-3 ITSDir01-189 connection, etc) are located are located are controlled through the use HE, OA, IG PE-2, PE-3 D □ Failure
□ N/A
Name:
□ Pass
IG-4 ITSDir01-190 physical access to sensitive facilities, access to sensitive facilities, HE, OA, IG PE-2, PE-3 D □ Failure
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
PE-1, PE-3,
IG-5 ITSDir01-191 library is controlled by use of locks, controlled by use of locks, keys, or HE, OA, IG D □ Failure
PE-2, MP-4
□ N/A
Comments
Name:
□ Pass
IG-6 ITSDir01-192 authorized personnel are allowed to authorized personnel are allowed to HE, OA, IG PE-7 D □ Failure
□ N/A
Comments
Name:
□ Pass
Initials:
IG-7 ITSDir01-193 HE, OA, IG PE-7 D □ Failure
Test Date:
□ N/A
Comments
Name:
□ Pass
IG-8 ITSDir01-194 minimum, the date, time (entry and the date, time (entry and exit), full HE, OA, IG PE-7, PE-8 D □ Failure
□ N/A
Comments
Name:
□ Pass
Initials:
IG-9 ITSDir01-195 HE, OA, IG D □ Failure
Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
□ N/A
Comments
Name:
□ Pass
IG-11 ITSDir01-197 sensitive areas are monitored through HE, OA, IG D □ Failure
□ N/A
Comments
Name:
□ Pass
□ N/A
Comments
Name:
□ Pass
IG-13 ITSDir01-199 authenticated through the use of pre- authenticated through the use of pre- HE, OA, IG PE-7, PE-13 D □ Failure
□ N/A
Comments
Name:
IG-14 ITSDir01-200 facilities to reduce fire damage, HE, OA, IG PE-1, PE-13 D □ Failure
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
PE-1, PE-13,
IG-15 ITSDir01-201 HE, OA, IG PE-11, PE- D □ Failure
Comments
□ Pass
PE-1, PE-13,
IG-16 ITSDir01-202 fires, B/C rated fire extinguisher, fires, B/C rated fire extinguisher, HE, OA, IG D □ Failure
PE-14
□ N/A
merited). merited).
Name:
□ Pass
IG-17 ITSDir01-203 conditioning systems are subject to are subject to routine scheduled HE, OA, IG PE-1, PE-14 D □ Failure
□ N/A
Comments
Name:
□ Pass
Initials:
IG-18 ITSDir01-204 HE, OA, IG PE-14 D □ Failure
Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Comments
Name:
□ Pass
IG-20 ITSDir01-206 distribution, heating plants, water, distribution, heating plants, water, HE, OA, IG PE-1, PE-15 D □ Failure
□ N/A
Comments
Name:
□ Pass
□ N/A
Comments
Name:
Comments
Name:
□ Pass
IG-23 ITSDir01-209 terminals are located to eliminate located to eliminate viewing by HE, OA, IG PE-5, AC-19 D □ Failure
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
IG-24 ITSDir01-213 theft/loss are managed according to managed according to LCR 1815-1, HE, OA, IG MP-3, PE-1 D □ Failure
□ N/A
Comments
Name:
□ Pass
Initials:
IG-25 ITSDir01-222 D □ Failure
Test Date:
□ N/A
Comments
Name:
□ Pass
IG-26 ITSDir01-223 the media library are authorized and media library are authorized and D □ Failure
ME 2, MP-4
□ N/A
Comments
Name:
□ Pass
HE, OA, IG,
IG-27 ITSDir01-224 yearly and/or if any item is missing if any item is missing or in question MP-4 D □ Failure
ME
□ N/A
Comments
Name:
□ Pass
IG-28 ITSDir01-225 for possible future use or D □ Failure
secure location.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
IG-29 ITSDir01-226 properly sanitized before being re- MP-6, MP-7 D □ Failure
bad tapes).
Comments
Name:
IG-30 ITSDir01-227 date of action, personnel performing D □ Failure
sanitized.
Comments
Name:
IG-31 ITSDir01-239 alternate site is in place, including HE, OA, IG CP-7 D □ Failure
plan.
Comments
Name:
□ Pass
IG-32 ITSDir01-240 a minimum of once per year and HE, OA, IG D □ Failure
change.
□ N/A
Comments
Name:
□ Pass
IG-33 ITSDir01-241 to a documented off-site location, documented off-site location, such HE, OA, IG CP-6, CP-9 D □ Failure
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Comments
Name:
□ Pass
Initials:
IG-35 ITSDir01-243 HE, OA, IG CP-2, CP-9 D □ Failure
Test Date:
□ N/A
Comments
Name:
□ Pass
CP-2, CP-4,
IG-36 ITSDir01-246 reset to normal (secured) operating normal (secured) operating settings HE, OA, IG I D □ Failure
CP-10
□ N/A
Comments
Name:
□ Pass
IG-37 ITSDir01-247 HE, OA, IG CP-6, SI-6 I D □ Failure
□ N/A
Comments
Name:
IG-38 ITSDir01-248 removed from the primary site, such HE, OA, IG CP-2, CP-7 I D □ Failure
event.
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
IG-39 ITSDir01-251 performs maintenance and repair HE, OA, IG MA-5, PE-7 D □ Failure
software.
□ N/A
Comments
Name:
□ Pass
PE-2, PE-3,
IG-40 ITSDir01-252 not cleared for unescorted access are for unescorted access are escorted at HE, OA, IG I □ Failure
PE-7
□ N/A
Comments
IG-41 ITSDir01-257 HE, OA, IG MA-1, SC-1 D □ Failure
Name:
□ Pass
IG-42 ITSDir01-259 HE, OA, IG SI-2 D □ Failure
□ N/A
Comments
Name:
□ Pass
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
IG-44 ITSDir01-282 automatically and keep a record of HE, OA, IG AC-19, AC- D □ Failure
□ N/A
Comments
Name:
Verify that network intrusion □ Pass
Network intrusion detection systems
detection systems (NIDS) are Initials:
(NIDS) are installed on the system in
installed on the system in key
IG-45 ITSDir01-286 key network segments to identify IG SI-4, SI-7 D □ Failure
network segments to identify
attempts to penetrate a system and Test Date:
attempts to penetrate a system and
gain unauthorized access.
gain unauthorized access. □ N/A
Comments
Name:
□ Pass
Verify that when called for by the When called for by the sensitivity of Initials:
sensitivity of the data, host-based the data, host-based intrusion
IG-46 ITSDir01-287 IG, HE SI-4 D □ Failure
intrusion detection systems (HIDS) detection systems (HIDS) are used in
are used in addition to NIDS. addition to NIDS. Test Date:
□ N/A
Comments
Name:
Verify that intrusion detection logs Intrusion detection logs and audit
□ Pass
and audit trails are written to a "write trails are written to a "write once,
once, read many" device attached to read many" device attached to the Initials:
IG-47 ITSDir01-288 the system or sent to a separate system or sent to a separate device, IG SI-4 D □ Failure
device, with a separate authentication with a separate authentication and Test Date:
and access controls system via a access controls system via a secured
□ N/A
secured network connection. network connection.
Comments
Name:
□ Pass
Verify that intrusion detection reports Intrusion detection reports are Initials:
are routinely reviewed and suspected routinely reviewed and suspected SI-4, AU-5,
IG-48 ITSDir01-289 IG D □ Failure
incidents handled according to the incidents handled according to the AU-6
related standard operating procedure. related standard operating procedure. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that system performance System performance monitoring is
monitoring is used to analyze system used to analyze system performance
performance logs (i.e. remaining logs (i.e. remaining capacity on root
capacity on root file system; network, file system; network, CPU, and Name:
CPU, and memory utilization; total memory utilization; total processes □ Pass
processes running) in real time (or running) in real time (or near real- Initials:
near real-time) to look for availability time) to look for availability SA-9, IR-6,
IG-49 ITSDir01-291 HE, IG D □ Failure
problems, including active attacks problems, including active attacks AU-2, AU-3
and system slowdowns and crashes. and system slowdowns and crashes. Test Date:
Near real-time is defined as: within Near real-time is defined as: within □ N/A
24 hours at the low assurance level, 24 hours at the low assurance level, Comments
within 12 hours at the moderate within 12 hours at the moderate
assurance level, within 4 hours at the assurance level, within 4 hours at the
high assurance level. high assurance level.
Name:
□ Pass
Verify that message authentication is Message authentication is Initials:
implemented as part of the LC Public implemented as part of the LC Public IA-5, IA-6,
IG-50 ITSDir01-293 IG D □ Failure
Key Infrastructure (PKI) Key Infrastructure (PKI) IA-7, AU-10
implementation. implementation. Test Date:
□ N/A
Comments
Name:
□ Pass
IG-51 ITSDir01-308 HE, OA, IG I □ Failure
□ N/A
Comments
Name:
IG-52 ITSDir01-340 whenever possible and only be HE, OA, IG AC-2, IA-4 D □ Failure
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
IG-53 ITSDir01-341 HE, OA, IG AC-3, IA-4 D □ Failure
□ N/A
Comments
Name:
□ Pass
Verify that boundary protection Boundary protection devices are Initials:
devices are present at the boundary present at the boundary between the
IG-54 ITSDir01-349 IG SC-7, SC-9 D □ Failure
between the LC Data Network and LC Data Network and any other
any other networks. networks. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that boundary protection Initials:
Boundary protection devices block
devices block all network traffic,
IG-55 ITSDir01-350 all network traffic, except that which IG SC-7 D □ Failure
except that which is explicitly
is explicitly allowed. Test Date:
allowed.
□ N/A
Comments
Verify that ITS notify Service and ITS notify Service and Enabling Name:
Enabling Infrastructure Units when Infrastructure Units when significant □ Pass
significant modifications to boundary modifications to boundary protection Initials:
protection devices that have the devices that have the potential of
IG-56 ITSDir01-351 IG CM-3, SC-7 I □ Failure
potential of significantly altering the significantly altering the security
security level or hindering the level or hindering the mission of the Test Date:
mission of the Service and Enabling Service and Enabling Infrastructure □ N/A
Infrastructure Units. Units. Comments
Name:
□ Pass
Verify that within the LC Data
Within the LC Data Network, all Initials:
Network, all network links between
network links between LC sites that
IG-57 ITSDir01-352 LC sites that traverse non LC-owned IG SC-7, SC-13 D □ Failure
traverse non LC-owned and managed
and managed equipment are Test Date:
equipment are encrypted.
encrypted.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that all software or web traffic
All software or web traffic is scanned Initials:
is scanned for malicious content and
for malicious content and intent at the SI-3, SI-4,
IG-58 ITSDir01-355 intent at the network level prior to IG D □ Failure
network level prior to crossing the SC-14
crossing the boundary protection Test Date:
boundary protection device.
device.
□ N/A
Comments
Name:
□ Pass
CM-2, AC-
IG-59 ITSDir01-357 or installed on the system if it is on the system if it is connected to the HE, OA, IG D □ Failure
17, SC-7
□ N/A
Comments
Name:
□ Pass
IG-60 ITSDir01-383 Denial of Service attacks, if the HE, OA, IG 6, IR-4, SC- D □ Failure
functionality.
□ N/A
Comments
Name:
□ Pass
IG-61 ITSDir01-393 facto write-only systems are used to only systems are used to collect and D □ Failure
HE 11
□ N/A
Comments
Name:
□ Pass
IG-62 ITSDir01-68 media is properly purged of data or properly purged of data or HE, OA, IG MP-6, MP-7 D □ Failure
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
IG-63 ITSDir09-1 network or networked resources, network or networked resources, HE, OA, IG SI-3 I D O □ Failure
□ N/A
Comments
Name:
□ Pass
IG-64 ITSDir09-12 field engineers or support personnel 16, SI-1, SI- I D □ Failure
site.
□ N/A
Comments
Name:
□ Pass
HE, OA, IG,
IG-65 ITSDir09-2 configuration parameters. Verify that configuration parameters. Anti-virus CM-3, SI-3 I D O □ Failure
WC, RC
Anti-virus configuration parameters configuration parameters are Test Date:
are obtained from ITS. obtained from ITS.
□ N/A
Comments
Name:
□ Pass
IG-66 ITSDir09-6 HE, OA, IG SI-3 I D □ Failure
□ N/A
Comments
Name:
□ Pass
Verify that all new systems have anti-
virus software installed and
IG-67 ITSDir09-9 configured per ITS guidance HE, OA, IG SI-3 I D O □ Failure
the LC network
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
IG-68 ITSDir10-8 I D O T □ Failure
CP-2, CP-
IG-69 ITSDir12-10 HE, OA, IG 10, PE-11, I D O T □ Failure
PE-17 Test Date:
Name:
IG-70 ITSDir12-11 HE, OA, IG I D □ Failure
Comments
Name:
□ Pass
Verify that ITS provides a complete ITS provides a complete server Initials:
IG-71 ITSDir12-25 HE, OA, IG CP-9, CP-10 I D O T □ Failure
□ N/A
Comments
Name:
□ Pass
departmental servers used for departmental servers used for
IG-72 ITSDir12-4 HA, IG SC-3, SC-7 I D O □ Failure
Intranet/Internet applications are not Intranet/Internet applications are not
part of the LIB Active Directory. part of the LIB Active Directory. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
IG-73 ITSDir12-5 manage the ITS Computer Room HE, OA, IG PE-3 I D O □ Failure
Room.
□ N/A
Comments
Name:
□ Pass
IG-74 ITSDir15-1 HE, OA, IG CP-9 I D □ Failure
□ N/A
Comments
Name:
□ Pass
IG-75 ITSDir15-2 all Enterprise Servers and their HE, OA, IG CP-9 I D □ Failure
at a minimum.
□ N/A
Comments
Name:
□ Pass
IG-76 ITSDir15-3 are rotated to an offsite vaulting HE, OA, IG CP-6 I D □ Failure
service. Test Date:
□ N/A
Comments
Name:
□ Pass
IG-77 ITSDir15-4 HE, OA, IG CP-1, CP-9 I D □ Failure
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Initials:
IG-78 ITSDir15-5 HE, OA, IG MP-7 I D □ Failure
Test Date:
□ N/A
Comments
Name:
□ Pass
IG-79 ITSDir15-6 requested, daily backup tapes are backup tapes are only retained for 1 HE, OA, IG CP-1, CP-9 I □ Failure
□ N/A
Comments
Name:
□ Pass
IG-80 ITSDir30-7 designate does identify and specify HE, OA, IG MA-3, SC-1 I D □ Failure
□ N/A
Comments
Name:
□ Pass
IG-81 ITSDir30-8 designate does ensure that LC SOP ensure that LC SOP documents HE, OA, IG MA-3, SC-1 I □ Failure
□ N/A
Comments
Name:
□ Pass
IG-82 ITSDir30-9 designate does approve all SOP HE, OA, IG MA-3, SC-1 I D □ Failure
□ N/A
Comments

4.6 Media (ME) Test Case
Figure 12 – Media (ME) Test Case

Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Initials:
Verify that audit trails are kept for Audit trails are kept for inventory MP-1, MP-
ME-1 ITSDir01-222 OA, IG, ME D □ Failure
inventory management of media. management of media. 4, MP-5
Test Date:
□ N/A
Comments
Name:
□ Pass
ME-2 ITSDir01-223 the media library are authorized and media library are authorized and D □ Failure
ME 2, MP-4
□ N/A
Comments
Name:
□ Pass
Verify that media is inventoried Media is inventoried yearly and/or if Initials:
HE, OA, IG,
ME-3 ITSDir01-224 yearly and/or if any item is missing any item is missing or in question in MP-4 D □ Failure
ME
or in question in any way. any way. Test Date:
□ N/A
Comments
Name:
□ Pass
ME-4 ITSDir01-225 for possible future use or D □ Failure
secure location.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
ME-5 ITSDir01-226 properly sanitized before being re- MP-6, MP-7 D □ Failure
bad tapes).
Comments
Name:
ME-6 ITSDir01-227 date of action, personnel performing D □ Failure
sanitized.
Comments
4.7 Office Automation (OA) Test Case
Figure 13 – Office Automation (OA) Test Case

Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
OA-1 ITSDir01-187 directives issued by the Office of issued by the Office of Security for HE, OA, IG PE-14, PE- D □ Failure
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
OA-2 ITSDir01-188 HE, OA, IG PE-1, PE-3 D □ Failure
Comments
□ Pass
OA-3 ITSDir01-189 connection, etc) are located are located are controlled through the use HE, OA, IG PE-2, PE-3 D □ Failure
□ N/A
Name:
□ Pass
OA-4 ITSDir01-190 physical access to sensitive facilities, access to sensitive facilities, HE, OA, IG PE-2, PE-3 D □ Failure
□ N/A
Comments
Name:
□ Pass
PE-1, PE-3,
OA-5 ITSDir01-191 library is controlled by use of locks, controlled by use of locks, keys, or HE, OA, IG D □ Failure
PE-2, MP-4
□ N/A
Comments
Name:
□ Pass
OA-6 ITSDir01-192 authorized personnel are allowed to authorized personnel are allowed to HE, OA, IG PE-7 D □ Failure
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Initials:
OA-7 ITSDir01-193 HE, OA, IG PE-7 D □ Failure
Test Date:
□ N/A
Comments
Name:
□ Pass
OA-8 ITSDir01-194 minimum, the date, time (entry and the date, time (entry and exit), full HE, OA, IG PE-7, PE-8 D □ Failure
□ N/A
Comments
Name:
□ Pass
Initials:
OA-9 ITSDir01-195 HE, OA, IG D □ Failure
Test Date:
□ N/A
Comments
Name:
□ Pass
□ N/A
Comments
Name:
□ Pass
OA-11 ITSDir01-197 sensitive areas are monitored through HE, OA, IG D □ Failure
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
□ N/A
Comments
Name:
□ Pass
OA-13 ITSDir01-199 authenticated through the use of pre- authenticated through the use of pre- HE, OA, IG PE-7, PE-13 D □ Failure
□ N/A
Comments
Name:
OA-14 ITSDir01-200 facilities to reduce fire damage, HE, OA, IG PE-1, PE-13 D □ Failure
Comments
Name:
PE-1, PE-13,
OA-15 ITSDir01-201 HE, OA, IG PE-11, PE- D □ Failure
Comments


Tester Full
Test Pass /
Number Category
Comments
□ Pass
PE-1, PE-13,
OA-16 ITSDir01-202 fires, B/C rated fire extinguisher, fires, B/C rated fire extinguisher, HE, OA, IG D □ Failure
PE-14
□ N/A
merited). merited).
Name:
□ Pass
OA-17 ITSDir01-203 conditioning systems are subject to are subject to routine scheduled HE, OA, IG PE-1, PE-14 D □ Failure
□ N/A
Comments
Name:
□ Pass
Initials:
OA-18 ITSDir01-204 HE, OA, IG PE-14 D □ Failure
Test Date:
□ N/A
Comments
Name:
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
OA-20 ITSDir01-206 distribution, heating plants, water, distribution, heating plants, water, HE, OA, IG PE-1, PE-15 D □ Failure
□ N/A
Comments
Name:
□ Pass
□ N/A
Comments
Name:
Comments
Name:
□ Pass
OA-23 ITSDir01-209 terminals are located to eliminate located to eliminate viewing by HE, OA, IG PE-5, AC-19 D □ Failure
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that sensitive data files are Sensitive data files are encrypted on
OA-24 ITSDir01-210 OA, RC AC-19 D □ Failure
encrypted on all portable systems. all portable systems.
Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that portable and mobile Portable and mobile systems, Initials:
OA-25 ITSDir01-211 systems, including laptop computers including laptop computers are stored OA IR-6, AC-19 D □ Failure
are stored securely when not in use. securely when not in use. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the theft or loss of a The theft or loss of a mobile or
mobile or portable system is portable system is immediately Initials:
AC-19, AC-
OA-26 ITSDir01-212 immediately reported to the reported to the designated entity OA, RC D □ Failure
20
designated entity within the Service within the Service Unit or Enabling Test Date:
Unit or Enabling Infrastructure Infrastructure
□ N/A
Comments
Name:
□ Pass
OA-27 ITSDir01-213 theft/loss are managed according to managed according to LCR 1815-1, HE, OA, IG MP-3, PE-1 D □ Failure
□ N/A
Comments
Name:
□ Pass
Initials:
OA-28 ITSDir01-222 D □ Failure
Test Date:
□ N/A
Comments
Name:
□ Pass
OA-29 ITSDir01-223 the media library are authorized and media library are authorized and D □ Failure
ME 2, MP-4
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
HE, OA, IG,
OA-30 ITSDir01-224 yearly and/or if any item is missing if any item is missing or in question MP-4 D □ Failure
ME
□ N/A
Comments
Name:
□ Pass
OA-31 ITSDir01-225 for possible future use or D □ Failure
secure location.
□ N/A
Comments
Name:
OA-32 ITSDir01-226 properly sanitized before being re- MP-6, MP-7 D □ Failure
bad tapes).
Comments
Name:
OA-33 ITSDir01-227 date of action, personnel performing D □ Failure
sanitized.
Comments
Name:
OA-34 ITSDir01-239 alternate site is in place, including HE, OA, IG CP-7 I D □ Failure
plan.
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
OA-35 ITSDir01-240 a minimum of once per year and HE, OA, IG I □ Failure
change.
□ N/A
Comments
Name:
□ Pass
OA-36 ITSDir01-241 to a documented off-site location, documented off-site location, such HE, OA, IG CP-6, CP-9 D □ Failure
□ N/A
Comments
Name:
Comments
Name:
□ Pass
Initials:
OA-38 ITSDir01-243 HE, OA, IG CP-2, CP-9 D □ Failure
Test Date:
□ N/A
Comments
Name:
□ Pass
CP-2, CP-4,
OA-39 ITSDir01-246 reset to normal (secured) operating normal (secured) operating settings HE, OA, IG I □ Failure
CP-10
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
OA-40 ITSDir01-247 HE, OA, IG CP-6, SI-6 I D □ Failure
□ N/A
Comments
Name:
OA-41 ITSDir01-248 removed from the primary site, such HE, OA, IG CP-2, CP-7 I D □ Failure
event.
Comments
Name:
□ Pass
OA-42 ITSDir01-251 performs maintenance and repair HE, OA, IG MA-5, PE-7 D □ Failure
software.
□ N/A
Comments
Name:
□ Pass
PE-2, PE-3,
OA-43 ITSDir01-252 not cleared for unescorted access are for unescorted access are escorted at HE, OA, IG I □ Failure
PE-7
□ N/A
Comments
OA-44 ITSDir01-257 HE, OA, IG MA-1, SC-1 D □ Failure


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
OA-45 ITSDir01-259 HE, OA, IG SI-2 D □ Failure
□ N/A
Comments
Name:
□ Pass
□ N/A
Comments
Name:
□ Pass
Verify that the users are not allowed
The users are not allowed to install Initials:
to install unlicensed, unapproved
unlicensed, unapproved software or SA-6, SA-7,
OA-47 ITSDir01-279 software or alter the security OA D □ Failure
alter the security configurations on CM-1
configurations on software currently Test Date:
software currently in place.
in place.
□ N/A
Comments
Name:
elimination software is installed (on Initials:
software is installed (on all systems SA-7, SI-3,
OA-48 ITSDir01-280 where virus detection software is SI-4, AC-19, D □ Failure
updated. □ N/A
Comments
Name:
Verify that IT systems that have been IT systems that have been offline for □ Pass
offline for more than 30 days are more than 30 days are patched and Initials:
patched and have their anti-virus have their anti-virus signatures
OA-49 ITSDir01-281 OA, RC SI-3, SI-4 D □ Failure
signatures updated offline before updated offline before being allowed
being allowed to re-connect to the LC to re-connect to the LC Internal Data Test Date:
Internal Data Network. Network. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
OA-50 ITSDir01-282 automatically and keep a record of HE, OA, IG AC-19, AC- D □ Failure
□ N/A
Comments
Name:
Verify that the systems physically or □ Pass
The systems physically or logically
logically separate user interface Initials:
separate user interface services (e.g.,
services (e.g., public web pages) CM-7, AC-
OA-51 ITSDir01-295 public web pages) from information HE, OA D □ Failure
from information storage and 4, AC-14
storage and management services Test Date:
management services (e.g., database
(e.g., database management).
management). □ N/A
Comments
Name:
□ Pass
OA-52 ITSDir01-308 HE, OA, IG I □ Failure
□ N/A
Comments
Name:
Verify that all passwords stored on □ Pass
All passwords stored on workstations
workstations are protected from Initials:
are protected from access by users of
access by users of the workstation,
OA-53 ITSDir01-338 the workstation, applications OA IA-5, SC-13 D □ Failure
applications operating on the
operating on the workstation, and Test Date:
workstation, and from any form of
from any form of network access.
network access. □ N/A
Comments
Name:
OA-54 ITSDir01-340 whenever possible and only be HE, OA, IG AC-2, IA-4 D □ Failure
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
OA-55 ITSDir01-341 HE, OA, IG AC-3, IA-4 D □ Failure
□ N/A
Comments
Name:
Verify that publicly accessible Publicly accessible system resources
□ Pass
system resources reside in the LC reside in the LC DMZ and are either
DMZ and are either read-only read-only resources that cannot be Initials:
OA-56 ITSDir01-353 resources that cannot be altered or altered or brokered by an HA, OA SC-9, SC-14 D □ Failure
brokered by an intermediate service, intermediate service, which resides Test Date:
which resides on a system that does on a system that does not directly
□ N/A
not directly contain the data. contain the data.
Comments
Name:
□ Pass
CM-2, AC-
OA-57 ITSDir01-357 or installed on the system if it is on the system if it is connected to the HE, OA, IG D □ Failure
17, SC-7
□ N/A
Comments
Name:
Verify that privileged accounts are
Privileged accounts are not utilized to □ Pass
not utilized to logon interactively to
logon interactively to production LC Initials:
production LC workstations,
workstations, excepting when the
OA-58 ITSDir01-367 excepting when the local OA AC-3, AC-6 D □ Failure
local administrator privileges are
administrator privileges are used to Test Date:
used to install software or configure
install software or configure the
the system. □ N/A
system.
Comments
Name:
□ Pass
Verify that client web browsers only Client web browsers only have Initials:
have session cookies enabled, and session cookies enabled, and static
OA-59 ITSDir01-373 OA CM-2, SC-4 D □ Failure
static (first party or long term) (first party or long term) cookies
cookies disabled. disabled. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the use of third party The use of third party cookies Initials:
cookies (cookies that communicate to (cookies that communicate to a
OA-60 ITSDir01-375 OA CM-2, SC-4 D □ Failure
a server other than originating server) server other than originating server)
is disabled on web browsers. is disabled on web browsers. Test Date:
□ N/A
Comments
Name:
Verify that the system deletes any The system deletes any local □ Pass
local authentication data specific to a authentication data specific to a Initials:
particular application session and particular application session and IA-4, IA-5,
OA-61 ITSDir01-376 HA, OA D □ Failure
explicitly closes application specific explicitly closes application specific IA-7, SC-4
network connections as part of the network connections as part of the Test Date:
application termination process. application termination process. □ N/A
Comments
Name:
Verify that the system explicitly
The system explicitly prevents the □ Pass
prevents the use of stale
use of stale authentication tokens Initials:
authentication tokens (i.e., the
(i.e., the timeout of a network IA-2, IA-5,
OA-62 ITSDir01-377 timeout of a network connection is HA, OA D □ Failure
connection is not an acceptable IA-7, SC-4
not an acceptable method of Test Date:
method of terminating application
terminating application specific
specific network connections.) □ N/A
network connections.)
Comments
Name:
□ Pass
OA-63 ITSDir01-383 Denial of Service attacks, if the HE, OA, IG 6, IR-4, SC- D □ Failure
functionality.
□ N/A
Comments
Name:
□ Pass
OA-64 ITSDir01-393 facto write-only systems are used to only systems are used to collect and D □ Failure
HE 11
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that audit trails for e-mail Audit trails for e-mail applications
applications include: e-mail sender, include: e-mail sender, e-mail Initials:
OA-65 ITSDir01-396 e-mail recipient(s), the size of the recipient(s), the size of the message, OA, HE AU-3, AU-8 D □ Failure
message, and the size and name of and the size and name of any Test Date:
any attachment. attachment.
□ N/A
Comments
Name:
□ Pass
OA-66 ITSDir01-68 media is properly purged of data or properly purged of data or HE, OA, IG MP-6, MP-7 D □ Failure
□ N/A
Comments
Name:
□ Pass
OA-67 ITSDir09-1 network or networked resources, network or networked resources, HE, OA, IG SI-3 I D O □ Failure
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that all removable media is All removable media is write- MP-1, MP-
OA-68 ITSDir09-11 OA I D □ Failure
write-protected wherever possible. protected wherever possible. 2, AC-19
Test Date:
□ N/A
Comments
Name:
□ Pass
OA-69 ITSDir09-12 field engineers or support personnel 16, SI-1, SI- I D □ Failure
site.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
HE, OA, IG,
OA-70 ITSDir09-2 configuration parameters. Anti-virus configuration parameters. Anti-virus CM-3, SI-3 I D O □ Failure
WC, RC
configuration parameters are configuration parameters are Test Date:
obtained from ITS. obtained from ITS.
□ N/A
Comments
Name:
□ Pass
Verify that stand-alone machines are Stand-alone machines are updated Initials:
updated manually with the latest scan manually with the latest scan engine
OA-71 ITSDir09-3 OA SI-3 I D O □ Failure
engine and virus (DAT) definitions at and virus (DAT) definitions at
regular intervals. regular intervals. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that mail servers are
Mail servers are configured with anti- Initials:
configured with anti-virus software
virus software that scans all incoming
OA-72 ITSDir09-4 that scans all incoming and outgoing OA, HE SI-3 I D O □ Failure
and outgoing electronic mail and
electronic mail and blocks infected Test Date:
blocks infected attachments.
attachments.
□ N/A
Comments
Name:
□ Pass
OA-73 ITSDir09-6 HE, OA, IG SI-3 I D O □ Failure
□ N/A
Comments
Name:
□ Pass
Verify that all new systems have anti-
virus software installed and
OA-74 ITSDir09-9 configured per ITS guidance HE, OA, IG SI-3 I D O □ Failure
the LC network
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that all client systems use All client systems use dynamically Initials:
CA-3, SC-1,
OA-75 ITSDir10-10 dynamically allocated IP addresses allocated IP addresses assigned by RC, WC, OA I D □ Failure
IA-3
assigned by DHCP. DHCP. Test Date:
□ N/A
Comments
Name:
Verify that only the LC Data Only the LC Data Network is used to □ Pass
Network is used to interconnect interconnect Library-owned Initials:
Library-owned computers and related computers and related equipment, CA-3, AC-1,
OA-76 ITSDir10-2 HE, OA D □ Failure
equipment, with the exception of with the exception of mobile SC-7
mobile computing clients (see the computing clients (see the Mobile Test Date:
Mobile Computing directive). Computing directive). □ N/A
Comments
Name:
□ Pass
Verify that devices attached to the Devices attached to the Library Initials:
CA-3, AC-1,
OA-77 ITSDir10-5 Library network use the Ethernet network use the Ethernet protocol HE, OA I D □ Failure
IA-3
protocol and interfaces. and interfaces. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITS personnel or their Initials:
ITS personnel or their designated
designated representatives perform CA-3, AC-1,
OA-78 ITSDir10-6 representatives perform attachment HE, OA I □ Failure
attachment of all devices to the IA-1, IA-3
of all devices to the network. Test Date:
network.
□ N/A
Comments
Name:
□ Pass
Verify that Token-ring interfaces are Token-ring interfaces are used in Initials:
CA-3, AC-1,
OA-79 ITSDir10-7 used in parts of the Library where parts of the Library where token-ring HE, OA I D □ Failure
IA-3
token-ring networks are installed. networks are installed. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
OA-80 ITSDir10-8 I D O T □ Failure
CP-2, CP-
OA-81 ITSDir12-10 HE, OA, IG 10, PE-11, I D O T □ Failure
PE-17 Test Date:
Name:
OA-82 ITSDir12-11 HE, OA, IG I D □ Failure
Comments
Name:
Verify that workstations do have a Workstations do have a Windows
□ Pass
Windows Active Directory account Active Directory account to join the
to join the LIB domain and access LIB domain and access Windows Initials:
OA-83 ITSDir12-16 Windows server resources; and that server resources; and that these OA SC-1, IA-3 I D O □ Failure
these accounts are created when the accounts are created when the Test Date:
workstations are originally built by workstations are originally built by
□ N/A
ITS. ITS.
Comments
Name:
Verify that if a workstation is rebuilt If a workstation is rebuilt or installed
□ Pass
or installed by Service Unit/Enabling by Service Unit/Enabling
Infrastructure staff, a Service Request Infrastructure staff, a Service Request Initials:
OA-84 ITSDir12-17 is submitted according to procedures is submitted according to procedures OA SC-1, AC-1 I D □ Failure
identified by ITS requesting a identified by ITS requesting a Test Date:
computer account in the LIB domain computer account in the LIB domain
□ N/A
(also known as joining the domain). (also known as joining the domain).
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that ITS provides LC staff ITS provides LC staff with limited □ Pass
with limited amounts of computer amounts of computer storage space Initials:
storage space for personal and shared for personal and shared files, where
OA-85 ITSDir12-23 OA SC-2 I D O T □ Failure
files, where each user is assigned a each user is assigned a home folder
home folder (U: drive) for exclusive (U: drive) for exclusive use for Test Date:
use for storing personal files. storing personal files. □ N/A
Comments
Name:
□ Pass
Verify that shared space residing on a Shared space residing on a server and Initials:
server and used by a group may be used by a group may be allocated
OA-86 ITSDir12-24 OA None I □ Failure
allocated upon request and assigned a upon request and assigned a share for
share for access. access. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITS provides a complete ITS provides a complete server Initials:
OA-87 ITSDir12-25 HE, OA, IG CP-9, CP-10 I D O T □ Failure
□ N/A
Comments
Name:
□ Pass
departmental servers used for office departmental servers used for office
OA-88 ITSDir12-3 OA IA-3, SC-3 I D O □ Failure
automation are part of the LIB Active automation are part of the LIB Active
Directory. Directory. Test Date:
□ N/A
Comments
Name:
□ Pass
OA-89 ITSDir12-5 manage the ITS Computer Room HE, OA, IG PE-3 I D □ Failure
Room.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
OA-90 ITSDir15-1 HE, OA, IG CP-9 I D □ Failure
□ N/A
Comments
Name:
□ Pass
OA-91 ITSDir15-2 all Enterprise Servers and their HE, OA, IG CP-9 I D □ Failure
at a minimum.
□ N/A
Comments
Name:
□ Pass
OA-92 ITSDir15-3 are rotated to an offsite vaulting HE, OA, IG CP-6 I D □ Failure
service. Test Date:
□ N/A
Comments
Name:
□ Pass
OA-93 ITSDir15-4 HE, OA, IG CP-1, CP-9 I D □ Failure
□ N/A
Comments
Name:
□ Pass
Initials:
OA-94 ITSDir15-5 HE, OA, IG MP-7 I D □ Failure
Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
OA-95 ITSDir15-6 requested, daily backup tapes are backup tapes are only retained for 1 HE, OA, IG CP-1, CP-9 I □ Failure
□ N/A
Comments
Name:
□ Pass
OA-96 ITSDir30-7 designate does identify and specify HE, OA, IG MA-3, SC-1 I D □ Failure
□ N/A
Comments
Name:
□ Pass
OA-97 ITSDir30-8 designate does ensure that LC SOP ensure that LC SOP documents HE, OA, IG MA-3, SC-1 I □ Failure
□ N/A
Comments
Name:
□ Pass
OA-98 ITSDir30-9 designate does approve all SOP HE, OA, IG MA-3, SC-1 I D □ Failure
□ N/A
Comments

4.8 Public E-authentication Systems (PE) Test Case
Figure 14 – Public E-authentication Systems (PE) Test Case

Tester Full
Test Pass /
Number Category
Comments
Verify that Public E-Authentication Public E-Authentication systems
systems utilize the following warning utilize the following warning banner,
banner, which is be displayed before which is displayed before login and
login and agreed to as part of the agreed to as part of the login
login procedure: For site security and procedure: For site security and to
to ensure that this service remains ensure that this service remains
available to all users, this government available to all users, this government Name:
computer system employs software computer system employs software
□ Pass
programs to monitor network traffic programs to monitor network traffic
to identify unauthorized attempts to to identify unauthorized attempts to Initials:
PE-1 ITSDir03-1 upload or change information, deny upload or change information, deny PE AC-8 D □ Failure
service, otherwise cause damage or service, otherwise cause damage or Test Date:
access non-public information. access non-public information.
□ N/A
Unauthorized attempts to upload Unauthorized attempts to upload
information or change information information or change information Comments
are strictly prohibited and may be are strictly prohibited and may be
punishable under the United States punishable under the United States
criminal code (18 U.S.C. 1030). criminal code (18 U.S.C. 1030).
Information regarding possible Information regarding possible
violations of law may be provided to violations of law may be provided to
law enforcement officials. law enforcement officials.
Verify that Public E-Authentication Name:
Public E-Authentication systems
systems utilizing web browser □ Pass
utilizing web browser interfaces
interfaces utilize 128-bit digital Initials:
utilize 128-bit digital certificates,
certificates, TLS 1.0 and FIPS
PE-2 ITSDir03-2 TLS 1.0 and FIPS approved PE SC-11 D □ Failure
approved algorithms (TDEA, AES,
algorithms (TDEA, AES, SHA-1) to Test Date:
SHA-1) to protect passwords,
protect passwords, personal and other
personal and other sensitive □ N/A
sensitive information in transit.
information in transit. Comments
Name:
□ Pass
systems utilizing web browser utilizing web browser interfaces Initials:
PE-3 ITSDir03-3 interfaces utilize at least a 1,024-bit utilize at least a 1,024-bit key size to PE SC-11 D □ Failure
key size to create the digital create the digital certificate used to Test Date:
certificate used to provide TLS. provide TLS.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that Public E-Authentication Public E-Authentication systems may □ Pass
systems may allow one grace login allow one grace login after a user Initials:
after a user account has expired account has expired because a
PE-4 ITSDir03-4 PE IA-5 D □ Failure
because a password was not changed, password was not changed, but not
but not after lockout due to repeated after lockout due to repeated Test Date:
incorrect login attempts. incorrect login attempts. □ N/A
Comments
systems implementing a self-service implementing a self-service password Name:
password and account reset feature and account reset feature utilize one
□ Pass
utilize one or more of the following or more of the following
methodologies: (a.) email to the methodologies: (a.) email to the Initials:
PE-5 ITSDir03-5 email account that is associated with email account that is associated with PE IA-5 D □ Failure
the user’s system account, (b.) the the user’s system account, (b.) the Test Date:
user provides a shared secret (e.g., user provides a shared secret (e.g.,
□ N/A
mother’s maiden name) that is mother’s maiden name) that is
associated with the user’s system associated with the user’s system Comments
account. account.
Verify that for Level 2 Public E- For Level 2 Public E-Authentication Name:
Authentication systems (per NIST SP systems (per NIST SP 800-63), to □ Pass
800-63), to establish identity and establish identity and create an Initials:
create an account remotely, the user account remotely, the user is required
PE-6 ITSDir03-6 PE IA-5 D □ Failure
is required to submit identifying to submit identifying information
information consisting of the ID consisting of the ID number from a Test Date:
number from a Driver’s License, Driver’s License, Passport or □ N/A
Passport or financial account. financial account. Comments
Verify that for Level 2 Public E- For Level 2 Public E-Authentication
Authentication systems (per NIST SP systems (per NIST SP 800-63), to
800-63), to create an account for a create an account for a remote
remote registrant, the application registrant, the application Name:
administrator inspects and verify the administrator inspects and verifies □ Pass
identifying information provided by the identifying information provided Initials:
applicant through record checks by applicant through record checks
PE-7 ITSDir03-7 PE AC-17 D □ Failure
either with the applicable agency or either with the applicable agency or
institution or through credit bureaus institution or through credit bureaus Test Date:
or similar databases, and confirms or similar databases, and confirms □ N/A
that the identifying information in that the identifying information in Comments
records are on balance consistent records are on balance consistent
with the application and sufficient to with the application and sufficient to
identify a unique individual. identify a unique individual.


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that for Level 2 Public E- For Level 2 Public E-Authentication
Authentication systems (per NIST SP systems (per NIST SP 800-63), the Initials:
PE-8 ITSDir03-8 800-63), the initial authenticator is initial authenticator is sent to the PE IA-2 D □ Failure
sent to the remote registrant via remote registrant via telephone, mail Test Date:
telephone, mail or email. or email.
□ N/A
Comments
Name:
□ Pass
Verify that the identifying The identifying information (ID Initials:
information (ID number from a number from a Driver’s License,
PE-9 ITSDir03-9 PE CP-9 D □ Failure
Driver’s License, Passport or Passport or financial account) is not
financial account) is not backed up. backed up. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that once an account is Once an account is created, the
created, the identifying information identifying information (ID number Initials:
PE-10 ITSDir03-10 (ID number from a Driver’s License, from a Driver’s License, Passport or PE CP-9 D □ Failure
Passport or financial account) is financial account) is purged from the Test Date:
purged from the system. system.
□ N/A
Comments

4.9 Re-Accreditation (RA) Test Case
Figure 15 – Re-Accreditation (RA) Test Case

Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the Statement of Residual The Statement of Residual Risk is Initials:
RA-1 ITSDir01-100 Risk is reported to and accepted by reported to and accepted by the RA RA-1, CA-5 D □ Failure
the DAA. DAA. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the Plan Of Action & The Plan Of Action & Milestones is Initials:
RA-1, RA-3,
RA-2 ITSDir01-101 Milestones is reported to and reported to and accepted by the RA D □ Failure
RA-4, RA-5
accepted by the DAA. DAA. Test Date:
□ N/A
Comments
Verify that all LC IT systems All LC IT systems perform an annual Name:
perform an annual Risk Review Risk Review consisting of either a □ Pass
consisting of either a formal Risk formal Risk Assessment or a Self Initials:
Assessment or a Self Assessment Assessment compliant with NIST SP
RA-3 ITSDir01-102 RA RA-5, CA-2 D □ Failure
compliant with NIST SP 800-26 800-26 (Security Self-Assessment
(Security Self-Assessment Guide for Guide for Information Technology Test Date:
Information Technology Systems) Systems) and a Vulnerability □ N/A
and a Vulnerability Assessment. Assessment. Comments
Name:
□ Pass
Verify that Vulnerability Vulnerability Assessments are Initials:
Assessments are conducted using an conducted using an automated
RA-4 ITSDir01-103 RA RA-5, CA-2 D □ Failure
automated vulnerability assessment vulnerability assessment tool (e.g.,
tool (e.g., Nessus) when possible. Nessus) when possible. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that when an automated When an automated vulnerability Name:
vulnerability assessment tool is not assessment tool is not available, the
□ Pass
available, the Vulnerability Vulnerability Assessments contain a
Assessments contain a listing of the listing of the patches that have been Initials:
RA-5 ITSDir01-104 patches that have been applied and a applied and a listing of all new RA RA-5, CA-2 D □ Failure
listing of all new vulnerabilities vulnerabilities related to the system Test Date:
related to the system as identified in as identified in the NIST ICAT
□ N/A
the NIST ICAT database since the database since the last Vulnerability
last Vulnerability Assessment. Assessment. Comments
Verify that ITS uses an automated Name:
ITS uses an automated vulnerability
vulnerability assessment tool (e.g.,
assessment tool (e.g., Nessus) on a □ Pass
Nessus) on a quarterly basis on all
quarterly basis on all LC IT systems Initials:
LC IT systems to ensure compliance
to ensure compliance with LC RA-3, CA-2,
RA-6 ITSDir01-105 with LC technical baselines. This RA D □ Failure
technical baselines. This does not CA-5
does not exempt Service and Test Date:
exempt Service and Enabling
Enabling Infrastructure Units from
Infrastructure Units from performing □ N/A
performing Vulnerability
Vulnerability Assessment. Comments
Assessment.
Verify that when new risks are Name:
When new risks are discovered
discovered during a Risk Review, a □ Pass
during a Risk Review, a Plan of
Plan of Action and Milestones Initials:
Action and Milestones (POAM),
(POAM), which details the risk CA-2, CA-5,
RA-7 ITSDir01-106 which details the risk response and a RA D □ Failure
response and a schedule for SA-4, SA-11
schedule for implementing any Test Date:
implementing any mitigation, is
mitigation, is produced and is subject
produced and is subject to all □ N/A
to all directives related to POAMs.
directives related to POAMs. Comments
Verify that a Security Test and A Security Test and Evaluation Name:
Evaluation (ST&E) is conducted and (ST&E) is conducted and
□ Pass
documented at least every three years documented at least every three years
as part of the Certification and as part of the Certification and Initials:
CA-2, SA-4,
RA-8 ITSDir01-107 Accreditation (C&A) process and Accreditation (C&A) process and RA D □ Failure
SA-11
when a significant change occurs to a when a significant change occurs to a Test Date:
system or application, including, but system or application, including, but
□ N/A
not limited to the addition of new not limited to the addition of new
security controls. security controls. Comments
Name:
Verify that the ST&E tests that all The ST&E tests all security controls
□ Pass
security controls function as designed function as designed and the security
and that the security design includes design includes the needed security Initials:
RA-9 ITSDir01-108 the needed security specifications specifications (controls) to meet the RA CA-2 D □ Failure
(controls) to meet the assurance level assurance level specified by the Test Date:
specified by the written security written security goals established for
□ N/A
goals established for the system. the system.
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that a ST&E is a formal A ST&E is a formal review that is Initials:
review that is conducted by personnel conducted by personnel having no
RA-10 ITSDir01-109 RA CA-2 D □ Failure
having no stake or responsibilities stake or responsibilities concerning
concerning the system. the system. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the name, title, and Initials:
The name, title, and organization of
organization of the individuals who
RA-11 ITSDir01-110 the individuals who perform the self- RA CA-2 D □ Failure
perform the self-assessment or ST&E
assessment or ST&E is recorded. Test Date:
is recorded.
□ N/A
Comments
Name:
□ Pass
Verify that the start date and The start date and completion date of Initials:
RA-12 ITSDir01-111 completion date of the self- the self-assessment or ST&E is RA CA-2, PL-4 D □ Failure
assessment or ST&E is recorded. recorded. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all hardware and software All hardware and software acquired Initials:
RA-13 ITSDir01-139 acquired comply with all LCRs and comply with all LCRs and IT RA SA-4 D □ Failure
IT Security Directives. Security Directives. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all security controls are All security controls are cost- Initials:
SA-3, SA-4,
cost-effective and documented in the effective and documented in the Risk
RA-14 ITSDir01-146 RA RA-1, CP-1, D □ Failure
Risk Assessment as mitigating one or Assessment as mitigating one or
CP-2 Test Date:
more risks. more risks.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that all IT Contingency Plans □ Pass
All IT Contingency Plans and
and Service or Enabling Initials:
Service or Enabling Infrastructure
Infrastructure Unit Continuity of CP-1, CP-2,
RA-15 ITSDir01-232 Unit Continuity of Operations Plans RA D □ Failure
Operations Plans are reviewed CP-5
are reviewed annually, at a minimum, Test Date:
annually, at a minimum, and updated
and updated if necessary.
if necessary. □ N/A
Comments
Name:
□ Pass
Verify that the IT Contingency Plan The IT Contingency Plan is tested at Initials:
RA-16 ITSDir01-235 is tested at least annually and updated least annually and updated as RA CP-4 D □ Failure
as necessary. necessary. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the IT Contingency Plan The IT Contingency Plan testing Initials:
testing minimizes simulation and minimizes simulation and
RA-17 ITSDir01-236 RA CP-3, CP-4 D □ Failure
emphasizes realism and does not emphasizes realism and does not
disrupt normal system operations. disrupt normal system operations. Test Date:
□ N/A
Comments
Name:
Verify that the IT Contingency Plan The IT Contingency Plan testing
□ Pass
testing employs various scenarios to employs various scenarios to ensure
ensure that the maximum numbers of that the maximum numbers of the Initials:
RA-18 ITSDir01-237 the responsible personnel are exposed responsible personnel are exposed to RA CP-3, CP-4 D □ Failure
to the training, ensuring that the training, ensuring that employees Test Date:
employees are trained in their roles are trained in their roles and
□ N/A
and responsibilities. responsibilities.
Comments
Name:
□ Pass
Verify that the IT Contingency Plan
The IT Contingency Plan subject Initials:
subject matter training is
matter training is incorporated into
RA-19 ITSDir01-238 incorporated into initial and ongoing RA CP-3, CP-7 D □ Failure
initial and ongoing IT security
IT security training and documented Test Date:
training and documented accordingly.
accordingly.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that all systems are annually All systems are annually audited to □ Pass
audited to ensure that software is ensure that software is properly Initials:
properly licensed and no illegal licensed and no illegal copies of SA-6, CM-2,
RA-20 ITSDir01-272 RA D □ Failure
copies of copyrighted software are copyrighted software are being used, CM-3
being used, reporting detailed license reporting detailed license and usage Test Date:
and usage information to ITS. information to ITS. □ N/A
Comments
Name:
Verify that all Service and Enabling
□ Pass
Infrastructure Units maintain
The hardware and software Initials:
hardware and software maintenance SA-6M MA-
maintenance contracts are maintained
RA-21 ITSDir01-273 contracts for all hardware and RA 1, MA-2, D □ Failure
for all hardware and software making
software owned and managed by that MA-6 Test Date:
up the system.
Service Unit or Enabling
□ N/A
Infrastructure.
Comments
Name:
□ Pass
Verify that ISSOs respond to IT ISSOs respond to IT security-related Initials:
security-related requests from the requests from the SPM for
RA-22 ITSDir01-53 RA None D □ Failure
SPM for information regarding their information regarding their assigned
assigned systems. systems. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ISSOs perform or audit
ISSOs perform or audit all security- Initials:
all security-related activities as
related activities as documented by
RA-23 ITSDir01-54 documented by the System Security RA AU-6 D □ Failure
the System Security Plan for each
Plan for each system under his or her Test Date:
system under his or her purview.
purview.
□ N/A
Comments
Name:
Verify that ISSOs review audit logs ISSOs review audit logs of user, □ Pass
of user, system and network activity system and network activity on a Initials:
on a regular basis in order to isolate regular basis in order to isolate
RA-24 ITSDir01-56 RA AU-6 D □ Failure
questionable activity and identify questionable activity and identify
anomalies in a timely manner, so that anomalies in a timely manner, so that Test Date:
appropriate action can be taken. appropriate action can be taken. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that ISSOs ensure that all user ISSOs ensure that all user requests □ Pass
requests and accesses are and accesses are documented, Initials:
documented, approved by an approved by an authorized
RA-25 ITSDir01-59 RA AC-2 D □ Failure
authorized Government supervisor, Government supervisor, and
and protected according to the protected according to the provisions Test Date:
provisions of the Privacy Act. of the Privacy Act. □ N/A
Comments
Name:
□ Pass
Verify that ISSOs ensure that user Initials:
ISSOs ensure that user accounts are
accounts are disabled in a timely
RA-26 ITSDir01-60 disabled in a timely manner if the RA AC-2, AC-3 D □ Failure
manner if the user no longer requires
user no longer requires access. Test Date:
access.
□ N/A
Comments
Name:
□ Pass
Verify that ISSOs ensure that ISSOs ensure that passwords are Initials:
RA-27 ITSDir01-61 passwords are assigned and changed assigned and changed per the IT RA AC-2, IA-5 D □ Failure
per the IT Security Directives. Security Directives. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ISSOs conduct an annual ISSOs conduct an annual review and Initials:
review and monitor the System monitor the System Security Plan for
RA-28 ITSDir01-62 RA PL-2 D □ Failure
Security Plan for effectiveness of effectiveness of each system under
each system under their purview. their purview. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ISSOs ensure that each ISSOs ensure that each System Initials:
System Security Plan is updated to Security Plan is updated to accurately
RA-29 ITSDir01-63 RA PL-3 D □ Failure
accurately reflect each of the current reflect each of the current systems
systems under their purview. under their purview. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that ISSOs have conducted an Initials:
The ISSO has conducted an annual
RA-30 ITSDir01-64 annual Risk Review (see Review of RA RA-3, RA-4 D □ Failure
Risk Review on this system.
Security Controls) on this system. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ISSOs ensure that each IT ISSOs ensure that each IT Initials:
Contingency Plan is updated to Contingency Plan is updated to
RA-31 ITSDir01-65 RA CP-5 D □ Failure
accurately reflect each of the current accurately reflect each of the current
systems under their purview. systems under their purview. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ISSOs ensure that regular ISSOs ensure that regular security Initials:
security testing is occurring to ensure testing is occurring to ensure
RA-32 ITSDir01-66 RA RA-5, SI-6 D □ Failure
compliance with technical baseline compliance with technical baseline
controls. controls. Test Date:
□ N/A
Comments
Name:
Verify that ISSOs establish and □ Pass
ISSOs establish and administer a
administer a security awareness- Initials:
security awareness-training program
training program for any aspects of
RA-33 ITSDir01-67 for any aspects of the system not RA AT-2 D □ Failure
the system not covered under the
covered under the general LC Test Date:
general LC security awareness
security awareness training.
training. □ N/A
Comments
Name:
Verify that the system owner plans The system owner plans for and □ Pass
for and provide adequate protection provides adequate protection by Initials:
by budgeting adequate resources to budgeting adequate resources to
RA-34 ITSDir01-71 RA SA-2 D □ Failure
fulfill all LC security requirements fulfill all LC security requirements
throughout the entire lifetime of the throughout the entire lifetime of the Test Date:
system. system. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the information owner The data owner determines and Initials:
determines and ensures compliance ensures compliance with any PL-5, CP-6,
with any standards regarding data standards regarding data retention PL-5, SI-12
retention and privacy. and privacy. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the information owner Initials:
The data owner has established
establish sguidelines for the
RA-36 ITSDir01-79 guidelines for the dissemination of RA RA-2 D □ Failure
dissemination of any data under his
any data under his or her purview. Test Date:
or her purview.
□ N/A
Comments
Name:
□ Pass
Verify that the information owners or Data owners, or their designees, Initials:
their designees review user access review user access privileges AC-2, AC-3,
privileges annually to ensure annually to ensure appropriate AC-6
appropriate access. access. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that Memorandums of Memorandums of Understanding
Understanding authorizing authorizing connection to external Initials:
RA-38 ITSDir01-87 connection to external systems are systems are signed by the DAA and RA PL-2, CA-3 D □ Failure
signed by the DAA and reviewed reviewed with each system Test Date:
with each system reaccredidation. reaccredidation.
□ N/A
Comments
Name:
□ Pass
Verify that the Risk Assessment is
The Risk Assessment is compliant Initials:
compliant with NIST Special
with NIST Special Publication 800- RA-1, RA-3,
RA-39 ITSDir01-92 Publication 800-30 (Risk RA D □ Failure
30 (Risk Management Guide for CA-6
Management Guide for Information Test Date:
Technology Systems).
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the LC IT system has
The LC IT system has undergone a Initials:
undergone a Risk Assessment, prior
Risk Assessment, prior to being
RA-40 ITSDir01-93 to being granted Authorization to RA RA-3, RA-4 D □ Failure
granted Authorization to Operate or
Operate or Interim Authorization to Test Date:
Interim Authorization to Operate.
Operate.
□ N/A
Comments
Name:
□ Pass
Verify that the LC IT system has The LC IT system has undergone a Initials:
undergone a Risk Assessment, when Risk Assessment when a significant
RA-41 ITSDir01-94 RA RA-3 D □ Failure
a significant change occurs to a change occurs to a system or
system or application. application. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the Risk Assessment
Risk Assessments contain a Initials:
contains a Statement of Residual
Statement of Residual Risk, which CA-5, RA-1,
RA-42 ITSDir01-95 Risk, which summarizes the current RA D □ Failure
summarizes the current level of risk RA-3
level of risk associated with the Test Date:
associated with the system.
system.
□ N/A
Comments
Name:
□ Pass
Verify that each risk identified within Each risk identified within the Risk Initials:
CA-5, RA-1,
RA-43 ITSDir01-96 the Risk Assessment is mitigated, Assessment is mitigated, accepted or RA D □ Failure
RA-3
accepted or transferred. transferred. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all Risk Assessments Risk Assessments contain a Plan Of
contain a Plan Of Action & Action & Milestones (POAM), which Initials:
RA-44 ITSDir01-97 Milestones (POAM), which details details the risk response and a RA CA-5 D □ Failure
the risk response and a schedule for schedule for implementing any Test Date:
implementing any mitigation. mitigation.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Initials:
Verify that all High risks are All High risks are mitigated within
RA-45 ITSDir01-98 RA RA-1 D □ Failure
mitigated within six months. six months.
Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that all Moderate risks are All Moderate risks are mitigated in RA-1, RA-3,
mitigated in one year. one year. CA-6
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that SSPs are reviewed Initials:
SSPs are reviewed annually or when
annually or when a significant PL-1, PL-2,
RA-47 ITSDir01-3 a significant change has occurred and RA D □ Failure
change has occurred and updated if PL-3
updated if necessary. Test Date:
necessary.
□ N/A
Comments
Name:
□ Pass
Verify that the DAA evaluates the The DAA evaluates the certification Initials:
RA-48 ITSDir01-9 certification findings and assess findings and assess vulnerabilities RA CA-1, CA-5 D □ Failure
vulnerabilities and residual risks. and residual risks. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the DAA approves Initials:
The DAA approves corrective action
RA-49 ITSDir01-10 corrective action and ensures RA CA-5 D □ Failure
and ensures implementation.
implementation. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that DAAs either accept the The DAA accepts the statement of Initials:
RA-50 ITSDir01-11 statement of residual risks or refuse residual risks or refuses to issue an RA CA-6 D □ Failure
to issue an authorization to operate. authorization to operate. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the DAA accepts Initials:
The DAA accepts responsibility for
responsibility for any breach in
RA-51 ITSDir01-12 any breach in security on a system RA CA-6 D □ Failure
security on a system accredited by
accredited by that DAA. Test Date:
that DAA.
□ N/A
Comments
Name:
Verify that the DAA determines The DAA determines which action to □ Pass
which action to follow: accredit the follow: accredit the system, terminate Initials:
system, terminate the system the system operation if currently
RA-52 ITSDir01-13 RA CA-5 D □ Failure
operation if currently operational, operational, grant interim approval to
grant interim approval to operate, or operate, or not place the system into Test Date:
not place the system into production. production. □ N/A
Comments

4.10 Remote Computing (RC) Test Case
Figure 16 – Remote Computing (RC) Test Case

Tester Full
Test Pass /
Number Category
Comments
Name:
elimination software are installed (on Initials:
software are installed (on all systems SA-7, SI-3,
RC-1 ITSDir01-280 where virus detection software is SI-4, AC-19, D □ Failure
updated. □ N/A
Comments
Name:
□ Pass
Initials:
Verify that sensitive data files are Sensitive data files are encrypted on
RC-2 ITSDir01-210 OA, RC AC-19 D □ Failure
encrypted on all portable systems. all portable systems.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the theft or loss of a The theft or loss of a mobile or
mobile or portable system is portable system is immediately Initials:
AC-19, AC-
RC-3 ITSDir01-212 immediately reported to the reported to the designated entity OA, RC D □ Failure
20
designated entity within the Service within the Service Unit or Enabling Test Date:
Unit or Enabling Infrastructure Infrastructure
□ N/A
Comments
Name:
Verify that IT systems that have been IT systems that have been offline for □ Pass
offline for more than 30 days are more than 30 days are patched and Initials:
patched and have their anti-virus have their anti-virus signatures
RC-4 ITSDir01-281 OA, RC SI-3, SI-4 D □ Failure
signatures updated offline before updated offline before being allowed
being allowed to re-connect to the LC to re-connect to the LC Internal Data Test Date:
Internal Data Network. Network. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that employee-owned PCs are
Employee-owned PCs are not used □ Pass
not be used for accessing any LC
for accessing any LC resources with Initials:
resources with the exception of the
the exception of the following: LC e- AC-19, AC-
RC-5 ITSDir06-1.1 following: LC e-mail using webmail, RC D □ Failure
mail using webmail, LC public web 20
LC public web sites, LC resources Test Date:
sites, LC resources presented by the
presented by the SSL-VPN and for
SSL-VPN and for stand-alone work. □ N/A
stand-alone work.
Comments
Name:
□ Pass
Verify that in order to utilize the In order to utilize the SSL-VPN, the Initials:
SSL-VPN, the employee-owned PC employee-owned PC uses the AC-19, AC-
RC-6 ITSDir06-1.2 RC D □ Failure
is using the Windows 2000 operating Windows 2000 operating system or 20
system or later. later. Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that LC staff do not install or LC staff does not install or service AC-19, AC-
RC-7 ITSDir06-1.3 RC I D □ Failure
service employee-owned equipment. employee-owned equipment. 20
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that LC-issued workstations Initials:
LC-issued workstations (typically
(typically standardized laptops) are AC-17, AC-
RC-8 ITSDir06-1.4 standardized laptops) are utilized for RC D □ Failure
utilized for any telework or offsite 19
any telework or offsite work. Test Date:
work.
□ N/A
Comments
Name:
□ Pass
Verify that ITS do not issue LC ITS does not issue LC equipment Initials:
AC-1, AC-
RC-9 ITSDir06-1.5 equipment simply to provide remote simply to provide remote access to RC D □ Failure
19
access to LC staff web pages. LC staff web pages. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that ITS or Service ITS or Service Units/Enabling □ Pass
Units/Enabling Infrastructure do Infrastructure provides the necessary Initials:
provide the necessary hardware hardware (compliant with ITS AC-17, AC-
(compliant with ITS requirements for requirements for telecommunications 19
telecommunications and security) for and security) for telework and offsite Test Date:
telework and offsite work. work. □ N/A
Comments
Verify that all employees approved to All employees approved to use a LC- Name:
use a LC-issued workstation have the issued workstation have the ability to □ Pass
ability to choose to provide their own choose to provide their own Initials:
peripheral devices (e.g., printers, peripheral devices (e.g., printers, AC-19, AC-
mice, or monitors) with prior mice, or monitors) with prior 20
approval of such device by the approval of such device by the Test Date:
Service Units/Enabling Infrastructure Service Units/Enabling Infrastructure □ N/A
support staff. support staff. Comments
Name:
□ Pass
Verify that supplies such as paper Supplies such as paper and toner are Initials:
and toner are not supplied to staff not supplied to staff owned printers. AC-17, AC-
owned printers nor will they be Staff is not reimbursed for such 19, AC-20
reimbursed for such supplies. supplies. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that employee owned printers Employee owned printers are Initials:
AC-19, AC-
RC-13 ITSDir06-2.3 are compatible with Windows compatible with Windows operating RC D □ Failure
20
operating systems. systems. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all software meets LC Software meets LC standards and Initials:
standards. Software not meeting LC that software not meeting LC SA-6, AC-
requirements or not properly licensed requirements or not properly licensed 19
may not be used. is not being used. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that nonstandard software is Non-standard software is not used □ Pass
not used without prior approval and without prior approval and Initials:
authorization of ITS and the Service authorization of ITS and the Service SA-6, SA-7,
Support Unit and such software Support Unit and that such software AC-19
comply with the LC software policy, complies with the LC software Test Date:
SA 98-14. policy, SA 98-14 □ N/A
Comments
Name:
□ Pass
Verify that LC licensed applications LC-licensed applications are not Initials:
are not loaded onto employee-owned loaded onto employee-owned SA-6, AC-
equipment, unless previously equipment, unless previously 19
authorized. authorized. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITS and Service ITS and Service Units/Enabling Initials:
Units/Enabling Infrastructure do not Infrastructure do not install any SA-6, AC-
install any software on employee- software on employee-owned 19
owned equipment. equipment. Test Date:
□ N/A
Comments
Verify that any LC-issued
Any LC-issued workstation or Name:
workstation or employee-owned PC
employee-owned PC used for mobile
used for mobile computing (i.e., □ Pass
computing (i.e., accessing any LC
accessing any LC resources) is not Initials:
resources) is not capable of being
capable of being remotely controlled AC-17, AC-
RC-18 ITSDir06-4.5 remotely controlled from another RC I D □ Failure
from another system. This includes 19
system including Terminal Services Test Date:
Terminal Services or Remote
or Remote Assistance being enabled
Assistance being enabled and the □ N/A
and the pcAnywhere or NVC host
pcAnywhere or NVC host software Comments
software being installed and enabled.
being installed and enabled.
Name:
Verify that any LC-issued □ Pass
Any LC-issued workstation used for
workstation used for mobile Initials:
mobile computing (i.e., accessing any
computing (i.e., accessing any LC AC-17, AC-
RC-19 ITSDir06-4.6 LC resources) limits remote control RC D □ Failure
resources) limit remote control client 19
client software to remotely control Test Date:
software to remotely control only LC
only LC systems.
systems. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that all remote access to the
All remote access to the LC internal Initials:
LC internal data network is
data network is accomplished via a SC-8, SC-9,
RC-20 ITSDir06-5.1 accomplished via a VPN connection RC D D □ Failure
VPN connection to the LC VPN AC-17
to the LC VPN Gateway owned and Test Date:
Gateway owned and operated by ITS.
operated by ITS.
□ N/A
Comments
Name:
□ Pass
Verify that mobile computing does Mobile computing does not occur via Initials:
not occur via non-ITS terminal non-ITS terminal servers, non-ITS AC-17, AC-
servers, non-ITS VPN gateways or VPN gateways, or LC machines 19
LC machines having modems. having modems. Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that connectivity for telework Connectivity for telework and offsite AC-17, AC-
and offsite work uses broadband. work is broadband. 19
Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that satellite links are not AC-17, AC-
RC-23 ITSDir06-5.4 Satellite links are not utilized. RC D □ Failure
utilized. 19
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that employees are responsible Initials:
Employees are responsible for SA-6, AC-
RC-24 ITSDir06-5.5 for loading any ISP-provided RC D □ Failure
loading any ISP provided software. 17, AC-19
software. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that ISP costs are paid for by ISP costs are paid for by the staff Initials:
AC-17, AC-
RC-25 ITSDir06-5.6 the staff member and are not member and are not reimbursable by RC D □ Failure
19
reimbursable by the agency. the agency. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that LC-issued workstations LC-issued workstations used for Initials:
used for mobile computing are mobile computing are configured AC-17, AC-
configured according to ITS security according to ITS security 19
requirements. requirements. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all connections between Initials:
All connections between the client
the client machine used for mobile AC-17, AC-
RC-27 ITSDir06-5.8 machine used for mobile computing RC I D □ Failure
computing and the Internet are hard- 19
and the Internet are hard-wired. Test Date:
wired.
□ N/A
Comments
Name:
□ Pass
Verify that all hardware utilized for Initials:
All hardware utilized for mobile
mobile computing complies with AC-17, AC-
RC-28 ITSDir06-1 computing complies with ITSDir06- RC □ Failure
ITSDir06-1.1 – 19
1.1–ITSDir06-1.6. Test Date:
ITSDir06-1.6.
□ N/A
Comments
Name:
□ Pass
Verify that all peripherals installed Initials:
All peripherals installed on systems
on systems used for mobile AC-17, AC-
RC-29 ITSDir06-2 used for mobile computing comply RC □ Failure
computing comply with 19
with ITSDir06-2.1–ITSDir06-2.3. Test Date:
ITSDir06-2.1 – ITSDir06-2.3.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that all LC-issued LC-issued workstations using
workstations using broadband broadband communications use a 2- Initials:
AC-17, AC-
RC-30 ITSDir06-3 communications use a 2-port router port router issued by ITS or the RC D □ Failure
19
issued by ITS or the Service Service Units/Enabling Test Date:
Units/Enabling Infrastructure. Infrastructure.
□ N/A
Comments
Name:
□ Pass
Software installed on systems used
systems used for mobile computing SA-6, AC-
RC-31 ITSDir06-4 for mobile computing does comply RC □ Failure
comply with 19
with ITSDir06-4.1–ITSDir06-4.6. Test Date:
ITSDir06-4.1 – ITSDir06-4.6.
□ N/A
Comments
Name:
□ Pass
Verify that all mobile computing All mobile computing Initials:
AC-17, AC-
RC-32 ITSDir06-5 telecommunications comply with telecommunications comply with RC □ Failure
19
ITSDir06-5.1 – ITSDir06-5.8. ITSDir06-5.1–ITSDir06-5.8. Test Date:
□ N/A
Comments
Verify that employee-owned Name:
Employee-owned equipment has
equipment is configured with current □ Pass
current anti-virus software installed
anti-virus software. The anti-virus Initials:
and is configured to perform
software is configured to perform SA-3, AC-
RC-33 ITSDir06-6 automatic anti-virus signature and RC I □ Failure
automatic anti-virus signature and 19, AC-20
engine updates, scan the system hard Test Date:
engine updates, scan the system hard
drives weekly (at a minimum), and
drives weekly, at a minimum, and □ N/A
scan incoming and outgoing files.
scan incoming and outgoing files. Comments
Name:
□ Pass
Verify that all mobile computing Initials:
All mobile computing equipment is
equipment are protected with a SI-3, SI-8,
RC-34 ITSDir06-7 protected with a personal firewall, RC I D O □ Failure
personal firewall, hardware, software AC-19, SC-7
hardware, software, or both. Test Date:
or both.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that all LC-issued Initials:
All LC-issued workstations are
RC-35 ITSDir06-8 workstations are protected with a RC SI-3, SC-7 I D O □ Failure
protected with a personal firewall.
personal firewall. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all LC-issued All LC-issued workstations using Initials:
workstations using broadband broadband connections use a 2-port
RC-36 ITSDir06-9 RC SI-3, SC-7 I D □ Failure
connections use a 2-port router, router, which serves as a hardware
which serves as a hardware firewall. firewall. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all personal firewalls used All personal firewalls used with Initials:
with mobile computing for telework mobile computing for telework and AC-4, AC-
RC-37 ITSDir06-10 RC □ Failure
and offsite work comply with offsite work comply with ITSDir06- 17, AC-19
ITSDir06-10.1 – ITSDir06-10.5. 10.1–ITSDir06-10.5. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the VPN is utilized for all The VPN is utilized for all remote
remote access to servers on the LC access to servers on the LC Intranet Initials:
RC-38 ITSDir06-11 Intranet and for all non-public access and for all non-public access to RC AC-17 I O □ Failure
to servers in the DMZ, e.g., servers in the DMZ, e.g., Test Date:
maintenance, LC staff web pages. maintenance, LC staff web pages.
□ N/A
Comments
Name:
□ Pass
Verify that a VPN connection is not A VPN connection is not required for Initials:
AC-3, AC-
RC-39 ITSDir06-12 required for accessing web-based e- accessing web-based e-mail and LC RC O □ Failure
17
mail and LC public web sites. public web sites. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that LC-issued equipment is LC-issued equipment is used for Initials:
AC-3, AC-
RC-40 ITSDir06-13 used for accessing the LC internal accessing the LC internal data RC I D □ Failure
17
data network. network. Test Date:
□ N/A
Comments
Name:
Verify that software Software installation/configuration □ Pass
installation/configuration for LC- for LC-issued equipment is Initials:
SA-6, SA-7,
issued equipment is performed either performed either in ITS or the
RC-41 ITSDir06-14 RC CM-5, AC- I D □ Failure
in ITS or the Service Unit/Enabling Service Unit/Enabling Infrastructure
3, AC-17 Test Date:
Infrastructure prior to issuing the prior to issuing the equipment to the
equipment to the employee. employee. □ N/A
Comments
Name:
□ Pass
Verify that the employee keeps all The employee keeps all mobile
mobile computing clients patched computing clients patched and up-to- SA-7, SI-2, Initials:
RC-42 ITSDir06-16 and up-to-date with the latest date with the latest operating system RC AC-17, AC- I D O □ Failure
operating system and application and application security patches 19 Test Date:
security patches approved by ITS. approved by ITS.
□ N/A
Comments
Name:
□ Pass
Verify that ITS or the Service For teleworking, ITS or the Service
Unit/Enabling Infrastructure installs Unit/Enabling Infrastructure install SA-6, CM-5, Initials:
RC-43 ITSDir06-17 and configures the VPN client and configure the VPN client RC AC-3, AC- I D □ Failure
software (SecuRemote) on LC-issued software (SecuRemote) on LC-issued 17 Test Date:
equipment. equipment.
□ N/A
Comments
Name:
□ Pass
Verify that house calls are not made House calls are not made by ITS or Initials:
AC-1, AC-3,
RC-44 ITSDir06-18 by ITS or Service Unit/Enabling Service Unit/Enabling Infrastructure RC I D □ Failure
AC-17
Infrastructure staff. staff. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Periodically, the operating system,
Periodical upgrades of operating □ Pass
anti-virus software, and other
system, anti-virus software, and other Initials:
software may require upgrades or
software or service packs are SI-2, AC-17,
RC-45 ITSDir06-19 service packs. Verify that this is RC I D □ Failure
performed by the user, ITS or Service AC-19
performed by the user, ITS or Service Test Date:
Units/Enabling Infrastructure for LC-
Units/Enabling Infrastructure for LC-
issued hardware. □ N/A
issued hardware.
Comments
Verify that all employees using LC-
All employees using LC-issued Name:
issued equipment perform updates or
equipment have a reasonable time
bring the machine in on a regular □ Pass
period to perform updates by doing it
basis or when major security updates Initials:
themselves or bringing the machine
are required. All employees will have SI-2, AC-17,
RC-46 ITSDir06-20 in on a regular basis or when major RC I D □ Failure
a reasonable time period in which to AC-19
security updates are required, and Test Date:
do this. Failure to perform updates or
that offsite work or telework
bring the machine in for updating is a □ N/A
privileges are cancelled if they fail to
cause for canceling offsite work or Comments
do this.
telework privileges.
Verify that all employees make their All employees make their own Name:
own arrangements to pick up the arrangements to pick up the hardware □ Pass
hardware from LC and bring it back from LC and return it for Initials:
for troubleshooting or at the end of troubleshooting when it is necessary AC-3, AC-
RC-47 ITSDir06-21 RC I D □ Failure
either offsite work or the telework or at the end of either offsite work or 17
Pilot. Verify that all employees the telework pilot; and that they Test Date:
follow LCR 1815 concerning the follow LCR 1815 concerning the □ N/A
protection of government property. protection of government property. Comments
Name:
Verify that when an LC employee When an LC employee leaves
□ Pass
leaves employment or ends offsite employment or ends offsite work or
work or telework, all LC equipment, telework, all LC equipment, (e.g., Initials:
AC-3, AC-
RC-48 ITSDir06-22 (e.g., desktop, laptop, router) is desktop, laptop, router) is returned to RC I D □ Failure
17
returned to ITS or to the issuing ITS or to the issuing Service Test Date:
Service Units/Enabling Infrastructure Units/Enabling Infrastructure for
□ N/A
for reassignment. reassignment.
Comments
Name:
□ Pass
HE, OA, IG,
RC-49 ITSDir09-2 configuration parameters. Verify that configuration parameters. Anti-virus CM-3, SI-3 I D O □ Failure
WC, RC
the anti-virus configuration configuration parameters are Test Date:
parameters is obtained from ITS. obtained from ITS.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that firewalls allow all Firewalls allow all outgoing Initials:
AC-4, AC-
RC-50 ITSDir06-10.1 outgoing connections originating connections originating from a RC T □ Failure
17, AC-19
from a mobile computing client. mobile computing client. Test Date:
□ N/A
Comments
Verify that firewalls allow incoming Firewalls allow incoming Name:
connections originating from the LC connections originating from the LC □ Pass
Firewall (140.147.249.2) on the Firewall (140.147.249.2) on the Initials:
following ports (these are necessary following ports (necessary for the AC-4, AC-
RC-51 ITSDir06-10.2 RC T □ Failure
for the VPN client software, VPN client software, SecuRemote, to 17, AC-19
SecuRemote, to function): IP function): IP Protocol 50, TCP Port Test Date:
Protocol 50, TCP Port 500, UDP Port 500, UDP Port 500, and UDP Port □ N/A
500, and UDP Port 2746. 2746. Comments
Name:
□ Pass
Verify that firewalls allow incoming Firewalls allow incoming
connections on the below ports from connections on the below ports from Initials:
AC-4, AC-
RC-52 ITSDir06-10.3 any LC host to which you require any LC host to requiring RC T □ Failure
17, AC-19
"X-Windows" access: TCP Port "X-Windows" access: TCP Port Test Date:
6000. 6000.
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that firewalls allow packet AC-4, AC-
RC-53 ITSDir06-10.4 Firewalls allow packet fragments. RC I D O □ Failure
fragments. 17, AC-19
Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that firewalls block all other AC-4, AC-
RC-54 ITSDir06-10.5 Firewalls block all other traffic. RC I D O □ Failure
traffic. 17, AC-19
Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
RC-55 ITSDir10-8 I D O T □ Failure
Name:
□ Pass
CA-3, SC-1,
RC-56 ITSDir10-10 dynamically allocated IP addresses allocated IP addresses assigned by RC, WC, OA I D O □ Failure
IA-3
□ N/A
Comments
4.11 Stand-Alone System (SA) Test Case
Figure 17 – Stand-Alone System (SA) Test Case

Tester Full
Test Pass /
Number Category
Comments
Verify that devices not connected to Devices not connected to the LC Name:
the LC Data Network but connected Data Network but connected to □ Pass
to external networks or systems external networks or systems through Initials:
through a modem, telephone line, or a modem, telephone line, or a CM-2, AC-
SA-1 ITSDir01-358 SA I □ Failure
a wireless connection, do not store wireless connection, do not store LC 17
LC data deemed to require moderate data deemed to require moderate or Test Date:
or high confidentiality by the data high confidentiality by the data □ N/A
owner. owner. Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that systems requiring modem Systems requiring modem access to Initials:
access to external services are external services are disconnected
SA-2 ITSDir10-15 SA SC-1, AC-17 I D O □ Failure
disconnected permanently from the permanently from the Library’s
Library’s network. network. Test Date:
□ N/A
Comments
4.12 Security Program (SP) Test Case
Figure 18 – Security Program (SP) Test Case

Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the Rules of Behavior Initials:
The Rules of Behavior hold users
hold users accountable for their
SP-1 ITSDir01-112 accountable for their actions and SP PL-4 D □ Failure
actions and responsible for
responsible for information security Test Date:
information security
□ N/A
Comments
Name:
□ Pass
Verify that all users receive a copy of Initials:
All users receive a copy of the Rules
SP-2 ITSDir01-113 the Rules of Behavior upon SP PL-4 D □ Failure
of Behavior upon employment.
employment. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that the Rules of Behavior
The Rules of Behavior extend to all □ Pass
extend to all personnel (including
personnel (including contractors, Initials:
contractors, volunteers, etc.) using IT
volunteers, etc.) using IT equipment
SP-3 ITSDir01-114 equipment or accessing LC SP PL-4 D □ Failure
or accessing LC information and
information and systems, or under Test Date:
systems, or under formally
formally established agreements and
established agreements and contracts. □ N/A
contracts.
Comments
Verify that the Service or Enabling The Service or Enabling
Infrastructure Unit requires all users Infrastructure Unit requires all users Name:
to sign or otherwise uniquely to sign or otherwise uniquely □ Pass
acknowledge a User Acceptance, acknowledge a User Acceptance, Initials:
which may also state causes for which may also state causes for
SP-4 ITSDir01-115 SP PL-4 D □ Failure
dismissal or prosecution under the dismissal or prosecution under the
Computer Fraud and Abuse Act and Computer Fraud and Abuse Act and Test Date:
other applicable state and local laws other applicable state and local laws □ N/A
if the Rules of Behavior are not if the Rules of Behavior are not Comments
followed. followed.
Name:
□ Pass
Verify that access to LC IT systems Access to LC IT systems is not Initials:
SP-5 ITSDir01-116 is not granted unless the user has read granted unless the user has read and SP PL-4 D □ Failure
and accepted the Rules of Behavior. accepted the Rules of Behavior. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the Rules of Behavior are The Rules of Behavior are read and Initials:
SP-6 ITSDir01-117 read and accepted annually to accepted annually to maintain access SP PL-4 D □ Failure
maintain access to LC IT systems. to LC IT systems. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that users without a valid, up- Initials:
Users without a valid, up-to-date
to-date User Acceptance are
SP-7 ITSDir01-118 User Acceptance are immediately SP PL-4 D □ Failure
immediately forbidden system
forbidden system access. Test Date:
access.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that system owners ensure that System owners ensure that all users Initials:
all users of LC IT systems under their of LC IT systems under their control PL-4, PS-6,
SP-8 ITSDir01-119 SP D □ Failure
control have valid, up-to-date User have valid, up-to-date User PS-2
Acceptances. Acceptances. Test Date:
□ N/A
Comments
Name:
Verify that the Investment Review The Investment Review Board □ Pass
Board ensures that any project that ensures that any project that needs Initials:
needs approval has adequately approval has adequately determined SA-2, SA-3,
determined the security resources the security resources required to CM-3
required to meet the security meet the security requirements of the Test Date:
requirements of the system system □ N/A
Comments
Name:
□ Pass
Verify that authorizations for system Authorizations for system and Initials:
and software modifications are software modifications are
SP-10 ITSDir01-124 SP SA-2, SA-4 D □ Failure
documented and maintained by the documented and maintained by the
Investment Review Board Investment Review Board Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the data sensitivity is Initials:
The data sensitivity is established
SP-11 ITSDir01-126 established during the initiation SP SA-1, RA-2 D □ Failure
during the initiation phase.
phase. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the system boundary is Initials:
The system boundary is established
SP-12 ITSDir01-127 established during the initiation SP SA-1, CA-1 D □ Failure
during the initiation phase.
phase. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the system The system interconnection is Initials:
SA-1, RA-3,
SP-13 ITSDir01-128 interconnection is determined during determined during the initiation SP D □ Failure
CA-3
the initiation phase. phase. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that an initial Risk Initials:
An initial Risk Assessment is
SP-14 ITSDir01-129 Assessment is performed during the SP PL-2, RA-1 D □ Failure
performed during the initiation phase.
initiation phase. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITS maintains unique Initials:
ITS maintains unique system
SP-15 ITSDir01-131 system identifiers for all LC IT SP CA-1 D □ Failure
identifiers for all LC IT systems.
systems. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the DAA, CO and ISSM The DAA, CO and ISSM are Initials:
SP-16 ITSDir01-132 are determined during the initiation determined during the initiation SP PL-2, CA-1 D □ Failure
phase. phase. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that appropriate security Appropriate security controls with Initials:
controls with associated evaluation associated evaluation and test
SP-17 ITSDir01-134 SP SA-4 D □ Failure
and test procedures are developed procedures are developed before the
before the procurement action. procurement action. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that all security controls are All security controls are designed or Initials:
SP-18 ITSDir01-140 designed or acquired during the acquired during the SP SA-1, CM-2 D □ Failure
development/acquisition phase development/acquisition phase Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all security controls are All security controls are consistent Initials:
SP-19 ITSDir01-141 consistent with and an integral part of with and an integral part of the IT SP SA-1 D □ Failure
the IT architecture of the Library. architecture of the Library. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that any new technical Any new technical baselines are Initials:
PL-2, SA-3,
SP-20 ITSDir01-143 baselines are developed during the developed during the SP D □ Failure
SA-4
development/acquisition phase. development/acquisition phase. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the System Security Plan The System Security Plan is Initials:
SA-3, SA-4,
SP-21 ITSDir01-144 is completed and approved during the completed and approved during the SP D □ Failure
CA-1
development/acquisition phase development/acquisition phase Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the Risk Assessment is The Risk Assessment is completed Initials:
SP-22 ITSDir01-145 completed and approved during the and approved during the SP RA-1 D □ Failure
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the IT Contingency Plan The IT Contingency Plan is Initials:
SA-3, SA-4,
SP-23 ITSDir01-147 is completed and approved during the completed and approved during the SP D □ Failure
CA-2, CP-1
□ N/A
Comments
Name:
□ Pass
Verify that the Security Test and Initials:
The Security Test and Evaluation is
Evaluation is completed and
SP-24 ITSDir01-148 completed and approved during the SP CA-4 D □ Failure
approved during the development/
development/ acquisition phase. Test Date:
acquisition phase.
□ N/A
Comments
Name:
□ Pass
Verify that all Memorandums of Initials:
All Memorandums of Understanding
Understanding are developed and SA-3, SA-4,
SP-25 ITSDir01-149 are developed and signed during the SP D □ Failure
signed during the development/ CA-3
development/ acquisition phase. Test Date:
acquisition phase.
□ N/A
Comments
Name:
□ Pass
Verify that the Certification process The Certification process takes place PL-2, CA-4, Initials:
SP-26 ITSDir01-150 takes place during the development/ during the development/ acquisition SP MP-4, MP- D □ Failure
acquisition phase. phase. 6, MP-7 Test Date:
□ N/A
Comments
Name:
Verify that processes to support the □ Pass
Processes to support the disposal and
disposal and archiving of media, Initials:
archiving of media, information and
information and the IT system are
SP-27 ITSDir01-151 the IT system are documented in the SP CA-6, SA-3 D □ Failure
documented in the System Security
System Security Plan during the Test Date:
Plan during the
development/acquisition phase.
development/acquisition phase. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the DAA grants either an The DAA grants either an
Authorization to Operate (ATO) or Authorization to Operate (ATO) or Initials:
SP-28 ITSDir01-152 an Interim Authorization to Operate an Interim Authorization to Operate SP CA-6 D □ Failure
(IATO) before the system can be (IATO) before the system can be Test Date:
placed onto the LC Data Network. placed onto the LC Data Network.
□ N/A
Comments
Name:
Verify that the technical test cases of The technical test cases of the ST&E □ Pass
the ST&E are executed again upon are executed again upon the Initials:
the production system as soon as it is production system as soon as it is
SP-29 ITSDir01-153 SP CA-2 D □ Failure
placed onto the LC Data Network. placed onto the LC Data Network.
This process is known as Security This process is known as Security Test Date:
Acceptance Testing. Acceptance Testing. □ N/A
Comments
Name:
□ Pass
Initials:
Verify that ITS monitors Security ITS monitors Security Acceptance SA-4, SA-
Acceptance Testing. Testing. 11, CA-2
Test Date:
□ N/A
Comments
Name:
Verify that (in order to pass Security (In order to pass Security Acceptance
□ Pass
Acceptance Testing) all test elements Testing) all test elements pass, with
pass, with the exception of those the exception of those corresponding Initials:
SA-4, SA-
SP-31 ITSDir01-155 corresponding to an accepted risk by to an accepted risk by the DAA SP D □ Failure
11, CA-2
the DAA reflected in the signed reflected in the signed Authorization Test Date:
Authorization to Process or Interim to Process or Interim Authorization
□ N/A
Authorization to Process. to Process.
Comments
Name:
□ Pass
Verify that LC IT systems that fail LC IT systems that fail Security
Security Acceptance Testing are Acceptance Testing are removed Initials:
SP-32 ITSDir01-156 removed from the LC Data Network from the LC Data Network until such SP PL-2, CA-2 D □ Failure
until such time as the failed test time as the failed test elements are re- Test Date:
elements are re-tested successfully. tested successfully.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the system is managed The system is managed according to Initials:
SP-33 ITSDir01-157 according to the controls documented the controls documented in the SP SA-3, MP-7 D □ Failure
in the System Security Plan. System Security Plan. Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that all LC IT systems follow All LC IT systems follow NIST
SP-34 ITSDir01-159 SP CA-1, CA-4 D □ Failure
NIST Special Publication 800-37. Special Publication 800-37.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that there is at least one Initials:
There is at least one CO for each
Certifying Official (CO) for each
SP-35 ITSDir01-16 Service and Infrastructure Unit that SP None D □ Failure
Service and Infrastructure Unit that
owns IT systems. Test Date:
owns IT systems.
□ N/A
Comments
Name:
□ Pass
Verify that all LC IT systems are All LC IT systems are accredited Initials:
CA-6, AC-5,
SP-36 ITSDir01-161 accredited before being placed into before being placed into production SP D □ Failure
AC-6
production on the LC Data Network. on the LC Data Network. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that each position of system Each position of system Initials:
responsibilities is reviewed and responsibilities is reviewed and
SP-37 ITSDir01-164 SP PS-2, PS-3 D □ Failure
classified in terms of its sensitivity in classified in terms of its sensitivity in
accordance with LCR 2024-2. accordance with LCR 2024-2. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that employment of non- Initials:
Employment of non-citizens is in
SP-38 ITSDir01-165 citizens is in accordance with LCR SP PS-1, PS-2 D □ Failure
accordance with LCR 2010- 7.
2010- 7. Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that users are held responsible Users are held responsible for their
SP-39 ITSDir01-167 SP PS-8 D □ Failure
for their actions on LC IT systems. actions on LC IT systems.
Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that COs ensure that system COs ensure that system security
security plans are prepared. plans are prepared.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that COs complete COs complete certification actions,
certification actions, to include including issuing certification Initials:
SP-41 ITSDir01-20 issuing certification statements and statements and preparing SP CA-4 D □ Failure
preparing accreditation packages in accreditation packages in accordance Test Date:
accordance with LC standards. with LC standards.
□ N/A
Comments
Name:
□ Pass
Verify that the CO drafts the Initials:
The CO drafts the accreditation
accreditation memorandum for the
SP-42 ITSDir01-21 memorandum for the DAA’s SP CA-4 D □ Failure
Designated Approving Authority’s
signature. Test Date:
signature.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the CO submits the Initials:
The CO submits the accreditation
SP-43 ITSDir01-22 accreditation package to the DAA for SP CA-4, CA-6 D □ Failure
package to the DAA for approval.
approval. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the EC designates an Initials:
The EC designates an executive
executive agent to report matters
SP-44 ITSDir01-24 agent to report matters regarding IT SP PL-1 D □ Failure
regarding IT security to their
security to their attention. Test Date:
attention.
□ N/A
Comments
Name:
□ Pass
Verify that each Service and Each Service and Enabling Initials:
Enabling Infrastructure Unit selects Infrastructure Unit selects its
its representatives and determines the representatives and determines the
duration of their appointment. duration of their appointment. Test Date:
□ N/A
Comments
Name:
Verify that the Computer Security □ Pass
The CSCG serves in an advisory
Coordination Group (CSCG) serves Initials:
capacity making recommendations to
in an advisory capacity making CA-2, CA-7,
SP-46 ITSDir01-26 the CIO concerning IT security and SP D □ Failure
recommendations to the CIO PL-1
promoting the LC IT Security Test Date:
concerning IT security and promoting
Program.
the LC IT Security Program. □ N/A
Comments
Name:
□ Pass
Verify that the CSCG ensures that the The CSCG ensures that the Initials:
SP-47 ITSDir01-27 curriculum for IT Security curriculum for IT Security SP AT-1 D □ Failure
Awareness Training is maintained. Awareness Training is maintained. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that the CISO is a dedicated The CISO is a dedicated duty, □ Pass
duty, without non-IT security-related without non-IT security-related Initials:
SP-48 ITSDir01-28 collateral duties. collateral duties. SP None D □ Failure
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the CISO conducts The CISO conducts security Initials:
security compliance reviews to assess compliance reviews to assess the CA-2, PE-7
the overall effectiveness of security overall effectiveness of security (1)
program implementation across LC. program implementation across LC. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the System Security Plan The System Security Plan contains or Initials:
contains or references security references security controls that
controls that fulfill all the Security fulfill all the Security Requirements
Requirements of the system. of the system. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the CISO assists the The CISO assists the Director, ITS in Initials:
SP-51 ITSDir01-30 Director, ITS in implementing a LC- implementing a LC-wide IT Security SP PL-1 D □ Failure
wide IT Security Program. Program. Test Date:
□ N/A
Comments
Name:
Verify that ITS will provide all □ Pass
ITS will provide all individuals who
individuals who have access to LC IT Initials:
have access to LC IT assets
assets mandatory annual refresher
SP-52 ITSDir01-307 mandatory annual refresher general SP AT-2, CP-10 I D □ Failure
general IT security awareness
IT security awareness training in Test Date:
training in accordance with NIST
accordance with NIST guidelines.
guidelines. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the Service and Enabling The Service and Enabling
Infrastructure Units ensure that all Infrastructure Units ensure that all Initials:
SP-53 ITSDir01-309 individuals having access to LC IT individuals having access to LC IT SP AT-2 I D □ Failure
systems receive IT security systems receive IT security Test Date:
awareness training. awareness training.
□ N/A
Comments
Name:
□ Pass
The CISO assesses Service and Initials:
Verify that the CISO assesses Service
Enabling Infrastructure Unit
SP-54 ITSDir01-31 and Infrastructure Unit compliance SP PL-1, PL-2 D □ Failure
compliance with the LC IT Security
with the LC IT Security Plan. Test Date:
Plan.
□ N/A
Comments
Name:
□ Pass
Verify that the Service and Enabling The Service and Enabling Initials:
Infrastructure Units ensure that Infrastructure Units ensure that
SP-55 ITSDir01-310 SP AT-2, AT-4 D □ Failure
records of IT security awareness records of IT security awareness
training for their staff are maintained training for their staff are maintained Test Date:
□ N/A
Comments
Name:
□ Pass
Infrastructure Units will notify ITS Infrastructure Units will notify ITS Initials:
SP-56 ITSDir01-313 via email or in writing of any unit via email or in writing of any unit SP AT-3, PS-2 I □ Failure
personnel whose work involves personnel whose work involves Test Date:
technical support or IT security. technical support or IT security.
□ N/A
Comments
Name:
Verify that ITS will recommend □ Pass
ITS will recommend additional role-
additional role-based IT security Initials:
based IT security training for Service
training for Service and Enabling
SP-57 ITSDir01-314 and Enabling Infrastructure Units SP AT-3, AT-4 I □ Failure
Infrastructure Units personnel whose
personnel whose work involves Test Date:
work involves technical support or IT
technical support or IT security.
security. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Infrastructure Units maintain records Infrastructure Units maintain records Initials:
SP-58 ITSDir01-315 of role-based IT security training for of role-based IT security training for SP AT-3, AT-4 D □ Failure
Service and Enabling Infrastructure Service and Enabling Infrastructure Test Date:
Units staff. Units staff.
□ N/A
Comments
Name:
Verify that the ITS provides a central
ITS provides a central incident □ Pass
incident handling capability
handling capability compliant with Initials:
compliant with NIST SP 800-61 to
NIST SP 800-61 to coordinate IR-1, IR-4,
SP-59 ITSDir01-316 coordinate between external entities SP I □ Failure
between external entities and Service AT-4
and Service and Enabling Test Date:
and Enabling Infrastructure Unit
Infrastructure Unit incident handling
incident handling capabilities. □ N/A
capabilities.
Comments
Verify that the Each Service and Each Service and Enabling Name:
Enabling Infrastructure Unit either Infrastructure Unit either □ Pass
immediately report all incidents to immediately report all incidents to Initials:
the ITS-provided central incident the ITS-provided central incident
SP-60 ITSDir01-317 SP IR-1, IR-4 I □ Failure
handling capability or have handling capability or have
implemented an incident handling implemented an incident handling Test Date:
capability compliant with NIST SP capability compliant with NIST SP □ N/A
800-61. 800-61. Comments
Name:
□ Pass
Verify that the Service Initials:
The Service Unit/Automation Liaison
Unit/Automation Liaison is the initial IR-1, IR-4,
SP-61 ITSDir01-318 is the initial point of contact to report SP I □ Failure
point of contact to report security IR-6
security incidents. Test Date:
incidents.
□ N/A
Comments
Name:
□ Pass
Verify that the Service
The Service Unit/Automation Initials:
Unit/Automation Liaisons report all
Liaisons report all security incidents IR-4, IR-5,
SP-62 ITSDir01-319 security incidents to the ITS hotline SP I D □ Failure
to the ITS hotline within 1 hour of IR-6
within 1 hour of receiving the initial Test Date:
receiving the initial report.
report.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the CISO develops a LC- The CISO develops a LC-wide IT Initials:
SP-63 ITSDir01-32 wide IT Security Plan for the Security Plan for the approval of the SP PL-1, PL-2 D □ Failure
approval of the Director, ITS. Director, ITS. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the Service Initials:
The Service Unit/Automation Liaison
Unit/Automation Liaison or designee
SP-64 ITSDir01-320 or designee serves as the response SP IR-4, IR-6 I □ Failure
serves as the response lead for any
lead for any incident. Test Date:
incident.
□ N/A
Comments
Name:
□ Pass
Verify that ITS supports the Service ITS supports the Service
Unit/Automation Liaisons in Unit/Automation Liaisons in Initials:
IR-4, IR-5,
SP-65 ITSDir01-321 responding to incidents ensuring that responding to incidents ensuring that SP I □ Failure
IR-6
incidents are monitored and tracked incidents are monitored and tracked Test Date:
until resolved. until resolved.
□ N/A
Comments
Name:
□ Pass
Verify that the ITS hotline notifies The ITS hotline notifies the CISO of Initials:
IR-5, IR-6,
SP-66 ITSDir01-322 the CISO of any security incidents any security incidents that are SP I D □ Failure
IR-7
that are reported. reported. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the CISO reports The CISO reports incidents to the Initials:
SP-67 ITSDir01-323 incidents to the proper reporting proper reporting destinations, SP IR-6 I □ Failure
destinations, including US-CERT. including US-CERT. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that ITS will promptly ITS will promptly disseminates Initials:
SP-68 ITSDir01-324 disseminates incident information to incident information to all owners of SP IR-6 I □ Failure
all owners of interconnected systems interconnected systems Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITS disseminates security ITS disseminates security advisories Initials:
advisories and mandatory security and mandatory security activities and
SP-69 ITSDir01-325 SP IR-6 I □ Failure
activities and tracks compliance with tracks compliance with mandatory
mandatory security activities. security activities. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that, if required, an affected If required, an affected system is Initials:
SI-5, IR-4,
SP-70 ITSDir01-326 system is immediately removed from immediately removed from the LC SP I □ Failure
IR-7
the LC Data Network. Data Network. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITS will, at its discretion, ITS will, at its discretion, hold Initials:
IR-4, IR-5,
SP-71 ITSDir01-327 hold affected systems for forensic affected systems for forensic SP I □ Failure
IR-7
investigation. investigation. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the Systems held for The Systems held for forensic Initials:
IR-4, IR-5,
SP-72 ITSDir01-328 forensic investigation are not altered investigation are not altered or SP I □ Failure
IR-7
or tampered with in any way. tampered with in any way. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that if a virus is found, the
If a virus is found, the security office Initials:
security office and the Help Desk or
and the Help Desk or technical office IR-5, IR-6,
SP-73 ITSDir01-329 technical office that handles SP I □ Failure
that handles computer security SI-3
computer security incidents is Test Date:
incidents is notified.
notified.
□ N/A
Comments
Name:
□ Pass
Verify that the CISO works with The CISO works with Service and Initials:
Service and Infrastructure Unit to Enabling Infrastructure Unit to
identify the Library’s IT security identify the Library’s IT security
issues. issues. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that upon notification of a
Upon notification of a security Initials:
security incident, ITS will notify
incident, ITS will notify personnel of
SP-75 ITSDir01-330 personnel of all interconnected SP IR-6 I D □ Failure
all interconnected systems to aid in
systems to aid in containment and Test Date:
containment and recovery efforts.
recovery efforts.
□ N/A
Comments
Name:
□ Pass
Verify that the CISO provides advice The CISO provides advice and Initials:
SP-76 ITSDir01-34 and recommendations to the Director, recommendations to the Director, SP PL-1 D □ Failure
ITS on waiver requests. ITS on waiver requests. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the CISO does not serve The CISO does not serve as the Initials:
SP-77 ITSDir01-35 as the DAA, ISSO, SO, IO or SA for DAA, ISSO, SO, IO or SA for any SP None D □ Failure
any LC IT system. LC IT system. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that access to external data Access to external data networks, Initials:
SI-3, SI-4,
SP-78 ITSDir01-356 networks, including the Internet, is including the Internet, is brokered by SP D □ Failure
SI-7, SI-8
brokered by ITS provided services. ITS provided services. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that access to LC IT systems Access to LC IT systems is only via Initials:
SP-79 ITSDir01-359 is only via ITS provided services ITS provided services (e.g. LC Data SP AC-17 D □ Failure
(e.g. LC Data Network, SSL-VPN). Network, SSL-VPN). Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that every Service or Every Service or Infrastructure Unit
Infrastructure Unit has one ITSPM has one ITSPM
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITSPMs is appointed in ITSPMs are appointed in writing by Initials:
SP-81 ITSDir01-37 writing by the head of the Service or the head of the Service or SP PL-1 D □ Failure
Infrastructure Unit. Infrastructure Unit. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITSPMs manage the IT ITSPMs manage the IT security Initials:
SP-82 ITSDir01-38 security program for the Service or program for the Service or SP PL-1 D □ Failure
Infrastructure Unit. Infrastructure Unit. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that ITSPMs develop and ITSPMs develop and maintain the Initials:
SP-83 ITSDir01-39 maintain the Service or Infrastructure Service or Infrastructure Unit IT SP PL-2 D □ Failure
Unit IT Security Plan. Security Plan. Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that ITS provides a central ITS provides a central time source for
SP-84 ITSDir01-395 SP AU-8 D □ Failure
time source for all LC IT systems. all LC IT systems.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that all applications and All applications and systems are Initials:
systems are categorized as either a categorized as either a “General
SP-85 ITSDir01-4 SP CA-1 D □ Failure
“General Support System” or as a Support System” or as a “Major
“Major Application”. Application”. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITSPMs oversee the ITSPMs oversee the implementation Initials:
SP-86 ITSDir01-40 implementation of the Service or of the Service or Infrastructure Unit SP PL-1, PL-2 D □ Failure
Infrastructure Unit IT Security Plan. IT Security Plan. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITS grants permission for ITS grants permission for any Initials:
any Service or Enabling Service or Enabling Infrastructure
SP-87 ITSDir01-402 SP AU-6 I D □ Failure
Infrastructure Unit to perform Unit to perform keystroke
keystroke monitoring. monitoring. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that ITSPMs act as the point
ITSPMs act as the point of contact Initials:
of contact between IT Security Group
between IT Security Group (ITSG)
SP-88 ITSDir01-41 (ITSG) and the Service or SP None D □ Failure
and the Service or Infrastructure Unit
Infrastructure Unit IT security Test Date:
IT security program.
program.
□ N/A
Comments
Name:
Verify that ITSPMs act as the □ Pass
ITSPMs act as the primary point of
primary point of contact between the Initials:
contact between the Service or
Service or Infrastructure Unit
SP-89 ITSDir01-42 Infrastructure Unit security program SP None D □ Failure
security program and the Library’s
and the Library’s Security Operations Test Date:
Security Operations Center (LC
Center (LC SOC).
SOC). □ N/A
Comments
Name:
□ Pass
Verify that ITSPMs respond to Initials:
ITSPMs respond to requests for
requests for information and updated
SP-90 ITSDir01-43 information and updated IT security- SP None D □ Failure
IT security-related documentation
related documentation from ITSG. Test Date:
from ITSG.
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that ITSPMs provide reports
SP-91 ITSDir01-44 ITSPMs provide reports to ITSG. SP None D □ Failure
to ITSG.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITSPMs ensure that all IT
ITSPMs ensure that all IT security- Initials:
security-related roles within the
related roles within the Service or
SP-92 ITSDir01-45 Service or Infrastructure Unit have SP None D □ Failure
Infrastructure Unit have been filled
been filled appropriately and in Test Date:
appropriately and in writing.
writing.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that ITSPMs ensure that IT ITSPMs ensure that IT security- Initials:
security-related role holders within related role holders within the
SP-93 ITSDir01-46 SP None D □ Failure
the Service or Infrastructure Unit are Service or Infrastructure Unit are
fulfilling their responsibilities. fulfilling their responsibilities. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITSPMs notify ITSG of ITSPMs notify ITSG of changes in Initials:
changes in IT security-related role IT security-related role holders
SP-94 ITSDir01-47 SP None D □ Failure
holders within the Service or within the Service or Infrastructure
Infrastructure Unit. Unit. Test Date:
□ N/A
Comments
Verify that ITSPMs ensure that an Name:
ITSPMs ensure that an objective,
objective, independent review and □ Pass
independent review and approval
approval process exists for all system Initials:
process exists for all system security
security plans and procurement
SP-95 ITSDir01-48 plans and procurement requests SP PL-2, CA-4 D □ Failure
requests within the Service or
within the Service or Infrastructure Test Date:
Infrastructure Unit in order to
Unit in order to validate the adequacy
validate the adequacy of the proposed □ N/A
of the proposed security safeguards.
security safeguards. Comments
Name:
□ Pass
Verify that ITSPMs do not serve as Initials:
ITSPMs do not serve as DAA, SO,
SP-96 ITSDir01-49 DAA, SO, IO or SA for any LC IT SP None D □ Failure
IO or SA for any LC IT system.
system. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that General Support Systems General Support Systems consist of
consist of interconnected information interconnected information resources Initials:
SP-97 ITSDir01-5 resources under the same direct under the same direct management SP CA-1 D □ Failure
management control that share control that share common Test Date:
common functionality. functionality.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that ISSOs ensure IT security ISSOs ensure IT security □ Pass
requirements are met throughout each requirements are met throughout each Initials:
IT system’s lifecycle, while IT system’s lifecycle, while
maintaining effective maintaining effective
communications with the DAA, CO, communications with the DAA, CO, Test Date:
SPM, SO, IO and SAs. SPM, SO, IO and SAs. □ N/A
Comments
Name:
□ Pass
Verify that ISSOs report and record
ISSOs report and record suspected Initials:
suspected and actual IT security
and actual IT security incidents to the
SP-99 ITSDir01-57 incidents to the Library of Congress SP IR-6, IR-4 D □ Failure
Library of Congress Security
Security Operations Center (LC Test Date:
Operations Center (LC SOC).
SOC).
□ N/A
Comments
Name:
□ Pass
Verify that ISSOs respond to IT
ISSOs respond to IT security Initials:
security incidents; act to prevent
incidents; act to prevent further
SP-100 ITSDir01-58 further damage, record actions taken SP IR-4 D □ Failure
damage, record actions taken and
and report the outcome to the LC Test Date:
report the outcome to the LC SOC.
SOC.
□ N/A
Comments
Verify that the system owner
The system owner determines the
determines the security Name:
security categorization of the system
categorization of the system per FIPS
per FIPS 199 (Standards for Security □ Pass
199 (Standards for Security
Categorization of Federal Initials:
Categorization of Federal
Information and Information
SP-101 ITSDir01-70 Information and Information SP RA-2 D □ Failure
Systems) using the methodology in
Systems) using the methodology in Test Date:
NIST SP 800-60 (Guide for Mapping
NIST SP 800-60 (Guide for Mapping
Types of Information and □ N/A
Types of Information and
Information Systems to Security Comments
Information Systems to Security
Categories.)
Categories.)


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that every user with an Initials:
Users with an account on a LC
account on a LC IT system is
SP-102 ITSDir02-1 system are responsible for SP IA-5 I □ Failure
responsible for safeguarding access
safeguarding access to that account. Test Date:
to that account.
□ N/A
Comments
Name:
□ Pass
Verify that users ensure that their Initials:
Passwords do not include the names
passwords do not include the names
SP-103 ITSDir02-10 of a spouse, children, pets or user’s SP IA-5 I □ Failure
of their spouse, children, pets or their
own name. Test Date:
own name.
□ N/A
Comments
Name:
□ Pass
Passwords do not include any
SP-104 ITSDir02-11 passwords do not intentionally SP IA-5 I □ Failure
regional sports teams or players.
include any sports teams or players. Test Date:
□ N/A
Comments
Name:
□ Pass
Users do not include any office
passwords do not intentionally
SP-105 ITSDir02-12 symbols when creating their SP IA-5 I □ Failure
include any office symbols (e.g.,
passwords. Test Date:
ITS).
□ N/A
Comments
Name:
□ Pass
Verify that users ensure that their Users do not include the user’s social
passwords do not include their social security number or any subset of the Initials:
SP-106 ITSDir02-13 security numbers or any subset of user’s social security number that is SP IA-5 I □ Failure
their social security numbers that is more than a single number when Test Date:
more than a single number. creating their passwords.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that users ensure that their
Users do not include words that can Initials:
passwords do not intentionally
be found in any dictionary, whether
SP-107 ITSDir02-14 include words that can be found in SP IA-5 I □ Failure
English or any language when
any English or foreign-language Test Date:
creating their passwords.
dictionary.
□ N/A
Comments
Name:
□ Pass
Verify that a password is never Initials:
A passwords is never shared with
SP-108 ITSDir02-2 shared with anyone, including help SP IA-5 I □ Failure
anyone, including the ITS hotline.
desk personnel. Test Date:
□ N/A
Comments
Name:
Verify that supervisors do not request Supervisors do not request or keep
□ Pass
or keep lists of passwords used by lists of passwords used by
subordinates, with the exception of subordinates, with the exception of Initials:
SP-109 ITSDir02-3 specific mandatory system accounts, specific mandatory system accounts, SP IA-5 I □ Failure
in which case, the password is placed in which case, the password is placed Test Date:
in a sealed envelope and stored in a in a sealed envelope and stored in a
□ N/A
secure (locked) physical container. secure (locked) physical container..
Comments
Name:
□ Pass
Verify that group passwords (i.e., Initials:
shared accounts where all group
SP-110 ITSDir02-4 Group passwords are not utilized. SP IA-4, IA-5 I □ Failure
members use the same account and
passwords) are never utilized. Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that users do not change their An account can be changed at a
SP-111 ITSDir02-5 SP IA-2, IA-5 I □ Failure
passwords more than once per day. maximum of once per day.
Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that users change their Account owners change his or her Initials:
SP-112 ITSDir02-6 passwords when prompted by the passwords when prompted by the SP IA-2 I □ Failure
system. system. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that users ensure that
Minimum password length is 8 Initials:
minimum password length is at least
characters, and consists of at least 2
SP-113 ITSDir02-7 8 characters and their passwords SP IA-5 I □ Failure
alpha characters, 1 number, and 1
consist of at least 2 alpha characters, Test Date:
special character.
1 number and 1 special character.
□ N/A
Comments
Name:
□ Pass
Passwords cannot have consecutive
SP-114 ITSDir02-8 passwords have no consecutive SP IA-5 I □ Failure
repeated characters.
repeated characters. Test Date:
□ N/A
Comments
Name:
□ Pass
Passwords cannot include the user
SP-115 ITSDir02-9 passwords do not include their user SP IA-5 I □ Failure
name or any part thereof.
names or any part thereof. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that non-DID extensions can Non-DID extensions only receive Initials:
only receive calls originating or calls originating or transferred from
SP-116 ITSDir04-1 SP None I □ Failure
transferred from stations residing on stations residing on the LC voice
the LC voice network. network. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Initials:
Verify that LC extensions begin with LC extensions begin with the digits
the digits "7" or "2". "7" or "2".
Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that Senate extensions begin Senate extensions begin with the
with the digits "4" or "8". digits "4" or "8".
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that House of Representatives Initials:
extensions begin with the digits "5" House of Representatives extensions
or "6". begin with the digits "5" or "6".
Test Date:
□ N/A
Comments
Verify that calls to the LC main
Calls to the LC main published
published telephone number, 202- Name:
telephone number are greeted by a
707-5000, are greeted by a recorded
recorded announcement that sends □ Pass
announcement that sends them to an
them to an "automated attendant", a Initials:
"automated attendant", a recorded
recorded menu of options from which
SP-120 ITSDir04-13 menu of options from which the SP None I □ Failure
the caller makes selections using a
caller makes selections using a Test Date:
touchtone phone and that During LC
touchtone phone. During LC business
business hours, callers have the □ N/A
hours, callers have the option of
option of pressing "0" to be routed to Comments
pressing "0" to be routed to LC
LC operators.
operators.


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that to access directory Initials:
assistance services, dial "9 + 411". Dialing "9 + 411" accesses directory-
Every call placed to 411 incurs a assistance services.
charge to the LC. Test Date:
□ N/A
Comments
Name:
□ Pass
Initials:
Verify that a user dials"911" to reach Dialing "911” reaches Emergency
Emergency Services. Services.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the LC Police Command The LC Police Command Center Initials:
Center responds to 911 calls from the responds to 911 calls from the
Madison, Adams, and Jefferson Madison, Adams, and Jefferson
buildings. buildings. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that the local emergency Initials:
The local emergency services handle
services will handle emergency calls
SP-124 ITSDir04-17 emergency calls (911) placed from SP None I □ Failure
(911) placed from the LC remote
the LC remote locations. Test Date:
locations.
□ N/A
Comments
Name:
□ Pass
Verify that using pay-per-call Initials:
Using pay-per-call services (e.g.,
services (e.g.., “900” numbers) is
SP-125 ITSDir04-18 “900” numbers) is prohibited other SP None I □ Failure
prohibited other than directory
than directory assistance. Test Date:
assistance.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that a LC caller must dial "9" A caller must dial "9" to reach a Name:
to reach a destination outside of the destination outside of the LC/Capitol
□ Pass
LC/Capitol Hill voice network but Hill voice network but within the
within the local calling area. To reach local calling area. To reach an Initials:
SP-126 ITSDir04-2 an outside destination that is also outside destination that is also SP None I □ Failure
outside of the local calling area outside of the local calling area Test Date:
(Long Distance) a caller must dial "9 (Long Distance) a caller must dial "9
□ N/A
+ 1" or "9+1+011" for (International + 1" or "9+1+011" for (International
calling). calling). Comments
Local calls are non-toll calls to Name:
Verify that local calls are non-toll
destinations in the Washington □ Pass
calls to destinations in the
Metropolitan Area (D.C., Virginia, Initials:
Washington Metropolitan Area
and Maryland) and that the
SP-127 ITSDir04-3 (D.C., Virginia, and Maryland.) The SP None I □ Failure
permissions request made by the
permissions requested by the Service Test Date:
Service Unit/ Enabling Infrastructure
Unit/Enabling Infrastructure Liaison
are utilized to grant the appropriate □ N/A
determine local calling privileges.
local calling privileges. Comments
Name:
□ Pass
Verify that Washington, D.C. Initials:
telephone numbers do not require an Phone calls to Washington, D.C. do
area code. not require an area code.
Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that Northern Initials:
Northern Virginia/Suburban
Virginia/Suburban Maryland
SP-129 ITSDir04-5 Maryland telephone numbers require SP None I □ Failure
telephone numbers require the
the appropriate 3-digit area code. Test Date:
appropriate 3-digit area code.
□ N/A
Comments
Name:
Verify that toll free calls are calls to Toll free calls are calls to telephone □ Pass
telephone numbers in non-geographic numbers in non-geographic "area Initials:
"area codes" 800, 855, 866, 877, and codes" 800, 855, 866, 877, and 888,
888. The caller does not incur a where the caller does not incur a
charge for placing calls to numbers in charge for placing calls to numbers in Test Date:
these "area codes." these "area codes." □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that long distance calls are Long distance calls are calls to
calls to destinations outside the local destinations outside the local calling Name:
calling area. These calls incur long area that incur in long distance □ Pass
distance charges. The permissions charges and that the permissions Initials:
requested by the Service requested by the Service
Unit/Enabling Infrastructure Liaison Unit/Enabling Infrastructure Liaison
determine the long distance calling determine the long distance calling Test Date:
privileges, as well as the range of privileges, as well as the range of □ N/A
long distance privileges (U.S. only, long distance privileges (U.S. only, Comments
all of North America, international). all of North America, international).
Name:
□ Pass
Verify that, for International dialing Initials:
assistance, dial "0" to connect to a A caller needs to dial “0” for
LC Operator who can help place the International dialing assistance.
call. Test Date:
□ N/A
Comments
Name:
Verify that 5-digit dialing should be
used to reach staff/offices in all LC A 5-digit dialing is used to reach □ Pass
buildings (including Taylor Street, staff/offices in all LC buildings Initials:
Landover, New Carrollton, Ft. (including Taylor Street, Landover,
Meade, and Site3). Senate and House New Carrollton, Ft. Meade, and
Site3), and Senate and House of Test Date:
of Representatives offices may also
be reached by dialing 5 digits. Representatives offices. □ N/A
Comments
Name:
Verify that any activities with the □ Pass
Any activities with the intention to
intention to create and/or distribute Initials:
create and/or distribute malicious
malicious programs into the Library's
SP-134 ITSDir09-13 programs into the Library's networks SP PL-4, SI-3 I D □ Failure
networks (e.g., viruses, worms,
(e.g., viruses, worms, Trojan horses, Test Date:
Trojan horses, e-mail bombs, etc.) are
e-mail bombs, etc.) are prohibited.
prohibited. □ N/A
Comments
Name:
Verify that files stored on servers that
Files stored on servers that have been □ Pass
have been identified as a virus or
identified as a virus or other Initials:
other malicious file type will be
malicious file type is immediately
SP-135 ITSDir09-14 immediately removed from the server SP SI-3, SI-4 I D □ Failure
removed from the server and the
and the corresponding Service Test Date:
corresponding Service Unit/Enabling
Unit/Enabling Infrastructure will be
Infrastructure is notified. □ N/A
notified.
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that anti-virus dissemination Initials:
Anti-virus dissemination activities
SP-136 ITSDir09-5 activities is centrally managed by SP SI-3 I D □ Failure
are centrally managed by ITS.
ITS. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that virus-infected computers Virus-infected computers are Initials:
IR-4, SI-3,
SP-137 ITSDir09-7 are removed from the network until removed from the network until they SP I D □ Failure
SI-4
they are verified as virus-free. are verified as virus-free. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITS will track and analyze ITS tracks and analyzes infection Initials:
IR-4, SI-3,
SP-138 ITSDir09-8 infection patterns to identify chronic patterns to identify chronic internal SP I D □ Failure
SI-4
internal and external threats. and external threats. Test Date:
□ N/A
Comments
Verify that the LC Data Network (LC Name:
Network) is divided into the □ Pass
following sections: LC De- Initials:
It is verified that the LC Data
Militarized Zone (LC DMZ), LC
SP-139 ITSDir10-1 Network (LC Network) is divided SP CA-3, SC-7 D □ Failure
Wireless Network (LC-WN), LC
into the appropriate sections. Test Date:
Internal Data Network (LC Intranet),
LC Lab and the Vendor Development □ N/A
Lab. Comments
Name:
□ Pass
Verify that ITS is the sole manager of ITS is the sole manager of IP
IP addresses on the LC data network, addresses on the LC data network, Initials:
CA-3, SC-1,
SP-140 ITSDir10-12 including managing DHCP servers including managing DHCP servers SP I D □ Failure
IA-1
and allocating static IP addresses to and allocating static IP addresses to Test Date:
servers. servers.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
All software installed on network-
SP-141 ITSDir10-16 network-attached devices is SP, OA, HE SA-6, CM-3 I D □ Failure
attached devices is approved.
approved. Test Date:
□ N/A
Comments
Name:
□ Pass
Verify that ITS will remove or block Initials:
ITS removes or blocks any host from
any host from the network when that
SP-142 ITSDir10-9 the network when that host is SP CA-3, SC-1 I □ Failure
host is disrupting normal network
disrupting normal network operation. Test Date:
operation.
□ N/A
Comments
Name:
□ Pass
Verify that hosted applications do Hosted applications do follow the Initials:
SP-143 ITSDir12-20 follow the ITS Systems Development ITS Systems Development Life SP SA-3 I D □ Failure
Life Cycle (SDLC) process. Cycle (SDLC) process. Test Date:
□ N/A
Comments
Name:
Verify that hosted applications do □ Pass
Hosted applications do follow the LC
follow the LC Certification and Initials:
Certification and Accreditation
Accreditation (C&A) process and CA-1, CA--
SP-144 ITSDir12-21 (C&A) process and receive SP I D □ Failure
receive Authorization to Operate 4, CA-6
Authorization to Operate before Test Date:
before being deployed into
being deployed into production.
production. □ N/A
Comments
Name:
Verify that the Library of Congress □ Pass
The Library of Congress IT Security
IT Security Plan is developed under Initials:
Plan is developed under the direction
the direction of the Director, ITS, and PL-2, RA-1,
SP-145 LCR1620-5.A.1 of the Director, ITS, and will provide SP D □ Failure
shall provide for risk management RA-3
for risk management throughout the Test Date:
throughout the system life cycle of all
system life cycle of all IT systems.
IT systems. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the Library of Congress The Library of Congress IT Security
IT Security Plan is developed under Plan is developed under the direction Initials:
SP-146 LCR1620-5.A.2 the direction of the Director, ITS, and of the Director, ITS, and provide for SP CA-1, PL-1 D □ Failure
provide for Triennial Certification Triennial Certification and Test Date:
and Accreditation of all IT systems. Accreditation of all IT systems.
□ N/A
Comments
Name:
Verify that the Library of Congress The Library of Congress IT Security □ Pass
IT Security Plan is developed under Plan is developed under the direction Initials:
the direction of the Director, ITS, and of the Director, ITS, and provides for
SP-147 LCR1620-5.A.3 SP PL-2, SA-3 D □ Failure
provides for adherence to Library of adherence to Library of Congress
Congress System Development Life System Development Life Cycle Test Date:
Cycle (SDLC) methodologies. (SDLC) methodologies. □ N/A
Comments
Name:
the direction of the Director, ITS, and PL-2, AT-2,
SP-148 LCR1620-5.A.4 of the Director, ITS, and will provide SP D □ Failure
shall provide for IT security AT-3
for IT security education, training, Test Date:
education, training, and awareness
and awareness programs.
programs. □ N/A
Comments
Name:
□ Pass
IT Security Plan is developed under Plan is developed under the direction
the direction of the Director, ITS, and of the Director, ITS, and provides for Initials:
PL-2, CP-2,
SP-149 LCR1620-5.A.5 provides for prevention and response prevention and response programs SP D □ Failure
IR-4, IR-7
programs that coordinate with the IT that coordinate with the IT Computer Test Date:
Computer Emergency Response Emergency Response Team
□ N/A
Team activities/efforts. activities/efforts.
Comments
Name:
□ Pass
Verify that the Library of Congress
The Library of Congress IT Security Initials:
IT Security Plan is developed under
Plan is developed under the direction PL-2, CP-1,
SP-150 LCR1620-5.A.6 the direction of the Director, ITS, and SP D □ Failure
of the Director, ITS, and provides for CP-2
provides for Continuity of Operations Test Date:
Continuity of Operations Plans.
Plans.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
the direction of the Director, ITS, and PL-2, CP-2,
SP-151 LCR1620-5.A.7 of the Director, ITS, and provides for SP D □ Failure
provides for administration of unique IA-4
administration of unique identities for Test Date:
identities for access to IT systems
access to IT systems and services.
and services. □ N/A
Comments
Name:
□ Pass
Verify that the Director, ITS, issues, The Director, ITS, issues, as needed,
PL-2, ALL Initials:
as needed, IT Security Policy and IT IT Security Policy and IT Security
800-53
SP-152 LCR1620-5.B Security Directives implementing or Directives implementing or SP D □ Failure
CONTROLS
amending the Library of Congress IT amending the Library of Congress IT Test Date:
-1
Security Plan. Security Plan.
□ N/A
Comments
Name:
□ Pass
IT Security Plan is reviewed and Plan is reviewed and updated Initials:
PL-2, CM-2,
SP-153 LCR1620-5.C updated whenever a configuration or whenever a configuration or SP D □ Failure
CM-3
technology change impacts the technology change impacts the Test Date:
security posture of the system. security posture of the system.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that: a) Each Service and a) Each Service and Infrastructure
Infrastructure Unit develops an IT Unit develops an IT Security Plan for
Security Plan for systems used by systems used by that Service Unit or
that Service Unit or enabling enabling infrastructure, which are not
infrastructure, which are not residing residing on ITS operated and
on ITS operated and maintained maintained platforms; b) Each
platforms; b) Each Service and Service and Support Unit is Name:
Support Unit is responsible for the responsible for the creation and □ Pass
creation and implementation of a implementation of a modified IT Initials:
modified IT Security Plan for Security Plan for Systems that reside PL-2, PL-3,
SP-154 LCR1620-6.A SP D □ Failure
Systems that reside on ITS Operated on ITS Operated and Maintained CA-4
and Maintained Platforms; c) Service Platforms; c) Service and Test Date:
and Infrastructure Unit IT Security Infrastructure Unit IT Security Plans □ N/A
Plans are developed, at a minimum, are developed, at a minimum, in Comments
in conjunction with the Certification conjunction with the Certification
and Accreditation of the system prior and Accreditation of the system prior
to deployment; and d) All Service to deployment; and d) All Service
and Infrastructure Unit IT Security and Infrastructure Unit IT Security
Plans are in compliance with the Plans are in compliance with the
Library of Congress IT Security Plan. Library of Congress IT Security Plan.
Name:
Verify that each Service and Each Service and Infrastructure Unit □ Pass
Infrastructure Unit submits a draft of submits a draft of its IT Security Plan Initials:
its IT Security Plan to the Director, to the Director, ITS, for review to
SP-155 LCR1620-6.B SP PL-2 D □ Failure
ITS, for review to ensure that the ensure that the Plan complies with
Plan complies with the Library of the Library of Congress IT Security Test Date:
Congress IT Security Plan. Plan. □ N/A
Comments
Name:
□ Pass
Verify that the Librarian has specific The Librarian has specific Initials:
SP-156 LCR1620-7.A.1 responsibility for approving the responsibility for approving the SP PL-2 D □ Failure
Library of Congress IT Security Plan Library of Congress IT Security Plan Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that the Librarian has specific The Librarian has specific □ Pass
responsibility for ensuring the responsibility for ensuring the Initials:
Library of Congress IT Security Plan Library of Congress IT Security Plan
SP-157 LCR1620-7.A.2 SP PL-2 D □ Failure
is established and implemented in is established and implemented in
compliance with Federal laws and compliance with Federal laws and Test Date:
regulations. regulations. □ N/A
Comments
Name:
□ Pass
Verify that the Librarian has specific The Librarian has specific
responsibility for reporting to responsibility for reporting to Initials:
SP-158 LCR1620-7.A.3 congressional oversight committees congressional oversight committees SP PL-1, PL-2 D □ Failure
on the status of the Library of on the status of the Library of Test Date:
Congress IT Security Plan. Congress IT Security Plan.
□ N/A
Comments
Name:
□ Pass
Verify that the Deputy Librarian is The Deputy Librarian is responsible Initials:
SP-159 LCR1620-7.B responsible for enforcing the Library for enforcing the Library of Congress SP PL-1, PL-2 D □ Failure
of Congress IT Security Plan. IT Security Plan. Test Date:
□ N/A
Comments
Name:
Verify that the Chief Information The Chief Information Officer (CIO),
□ Pass
Officer (CIO), Office of Strategic Office of Strategic Initiatives, is
Initiatives, is responsible for responsible for oversight of the Initials:
SP-160 LCR1620-7.C oversight of the Library of Congress Library of Congress IT Security Plan SP PL-1, PL-2 D □ Failure
IT Security Plan and for reviewing and for reviewing appeals regarding Test Date:
appeals regarding waiver decisions waiver decisions on IT Security Plan
□ N/A
on IT Security Plan requirements. requirements.
Comments
Name:
□ Pass
Verify that the Director, ITS, or The Director, ITS, or his/her Initials:
ALL 800-53
his/her designee, is responsible for designee, is responsible for
SP-161 LCR1620-7.D.1 SP CONTROLS D □ Failure
recommending security policies for recommending security policies for
-1 Test Date:
adoption by the Library. adoption by the Library.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
Verify that the Director, ITS, or The Director, ITS, or his/her
his/her designee, is responsible for designee, is responsible for SA-4, CM-1, Initials:
SP-162 LCR1620-7.D.10 establishing Configuration establishing Configuration SP CM-2, CM- D □ Failure
Management procedures for Management procedures for 3, SC-7 Test Date:
enterprise-wide systems. enterprise-wide systems.
□ N/A
Comments
Verify that the Director, ITS, or Name:
The Director, ITS, or his/her
his/her designee, has the authority to □ Pass
designee, has the authority to issue IT
issue IT Security Directives in Initials:
Security Directives in support of the
support of the Library of Congress IT
SP-163 LCR1620-7.D.2 Library of Congress IT Security Plan, SP CM-1 D □ Failure
Security Plan, approve waivers to the
to approve waivers to the IT Security Test Date:
IT Security Plan, and appeal
Plan, and to appeal decisions made
decisions made by the Director, ITS, □ N/A
by the Director, ITS, to the CIO.
to the CIO. Comments
Name:
□ Pass
his/her designee, is responsible for designee, is responsible for ensuring Initials:
SP-164 LCR1620-7.D.3 ensuring that enterprise-wide systems that enterprise-wide systems comply SP PL-1, AU-1 D □ Failure
comply with the Library of Congress with the Library of Congress IT Test Date:
IT Security Plan. Security Plan.
□ N/A
Comments
Name:
□ Pass
his/her designee, is responsible for designee, is responsible for
SP-165 LCR1620-7.D.4 SP PL-2 D □ Failure
developing the annual Library of developing the annual Library of
Congress IT Security Plan. Congress IT Security Plan. Test Date:
□ N/A
Comments
Name:
□ Pass
his/her designee, is responsible for designee, is responsible for reviewing
SP-166 LCR1620-7.D.5 SP PL-1, PL-2 D □ Failure
reviewing Service and Infrastructure Service and Infrastructure Unit IT
Unit IT Security Plans. Security Plans. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that the Director, ITS, or □ Pass
The Director, ITS, or his/her
his/her designee, is responsible for Initials:
designee, is responsible for ensuring
ensuring best practices are
SP-167 LCR1620-7.D.6 best practices are implemented and SP PL-1, PL-2 D □ Failure
implemented and maintained
maintained throughout the life cycle Test Date:
throughout the life cycle for
for enterprise-wide systems.
enterprise-wide systems. □ N/A
Comments
Name:
Verify that the Director, ITS, or The Director, ITS, or his/her □ Pass
ensuring separation of duties and separation of duties and assigning
SP-168 LCR1620-7.D.7 SP SA-3 D □ Failure
assigning appropriate system appropriate system permissions and
permissions and responsibilities for responsibilities for enterprise-wide Test Date:
enterprise-wide Systems. Systems. □ N/A
Comments
Name:
Verify that the Director, ITS, or The Director, ITS, or his/her □ Pass
ensuring continuity of operations continuity of operations (system CP-10, AC-
SP-169 LCR1620-7.D.8 SP D □ Failure
(system back-ups, redundancy, and back-ups, redundancy, and disaster 5, AC-6
disaster recovery) for enterprise-wide recovery) for enterprise-wide Test Date:
systems. systems. □ N/A
Comments
Name:
□ Pass
his/her designee, is responsible for designee, is responsible for Initials:
SP-170 LCR1620-7.D.9 approving non-standard devices that approving non-standard devices that SP CP-2 D □ Failure
are used to connect to the Library are used to connect to the Library Test Date:
Network. Network.
□ N/A
Comments
Name:
□ Pass
Verify that the Director, Office of The Director, Office of Security and
Security and Emergency Emergency Preparedness, is Initials:
SP-171 LCR1620-7.E.1 Preparedness, is responsible for responsible for establishing physical SP PE-1 D □ Failure
establishing physical security security standards for all Library IT Test Date:
standards for all Library IT assets. assets.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that the Director, Office of
The Director, Office of Security and □ Pass
Security and Emergency
Emergency Preparedness, is Initials:
Preparedness, is responsible for
responsible for making final agency
SP-172 LCR1620-7.E.2 making final agency determinations SP PS-2, PS-3 D □ Failure
determinations regarding suitability
regarding suitability of Library Test Date:
of Library employees and contractors
employees and contractors for IT
for IT positions. □ N/A
positions.
Comments
Name:
□ Pass
Verify that Service and Infrastructure Service and Infrastructure Units are
Units are responsible for ensuring responsible for ensuring Initials:
SP-173 LCR1620-7.F.1 implementation of, and compliance implementation of, and compliance SP PL-2 D □ Failure
with, the Library of Congress IT with, the Library of Congress IT Test Date:
Security Plan within the unit. Security Plan within the unit.
□ N/A
Comments
Name:
□ Pass
Units are responsible for ensuring the responsible for ensuring the Service Initials:
SP-174 LCR1620-7.F.2 Service and Infrastructure Unit IT and Infrastructure Unit IT Security SP PL-2 D □ Failure
Security Plan is consistent with the Plan is consistent with the Library of Test Date:
Library of Congress IT Security Plan. Congress IT Security Plan.
□ N/A
Comments
Name:
Verify that Service and Infrastructure Service and Infrastructure Units are □ Pass
Units are responsible for ensuring responsible for ensuring best security Initials:
best security practices are practices are implemented and
SP-175 LCR1620-7.F.3 SP SA-3, SA-8 D □ Failure
implemented and maintained maintained throughout the system life
throughout the system life cycle of cycle of each IT system under their Test Date:
each IT system under their control. control. □ N/A
Comments
Name:
Verify that Service and Infrastructure Service and Infrastructure Units are □ Pass
Units are responsible for ensuring responsible for ensuring separation of Initials:
separation of duties and assigning duties and assigning appropriate
SP-176 LCR1620-7.F.4 SP AC-5, AC-6 D □ Failure
appropriate system permissions and system permissions and
responsibilities for Service or responsibilities for Service or Test Date:
Enabling Infrastructure system users. Enabling Infrastructure system users. □ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that Service and Infrastructure □ Pass
Service and Infrastructure Units are
Units are responsible for ensuring Initials:
responsible for ensuring continuity of
continuity of operations (system back
SP-177 LCR1620-7.F.5 operations (system back -ups, SP CP-2 D □ Failure
-ups, redundancy, and disaster
redundancy, and disaster recovery) Test Date:
recovery) for IT systems under their
for IT systems under their control.
control. □ N/A
Comments
Name:
□ Pass
Verify that Service and Infrastructure Service and Infrastructure Units are Initials:
SA-4, CM-1,
Units are responsible for requesting responsible for requesting approval
SP-178 LCR1620-7.F.6 SP CM-2, CM- D □ Failure
approval for all devices that are used for all devices that are used to
3, AC-1 Test Date:
to connect to the Library Network. connect to the Library Network.
□ N/A
Comments
Name:
□ Pass
Units are responsible for establishing responsible for establishing Initials:
SP-179 LCR1620-7.F.7 configuration management configuration management SP CM-1 D □ Failure
procedures for IT systems under their procedures for IT systems under their Test Date:
control. control.
□ N/A
Comments
Name:
Verify that all Service and
All Service and Infrastructure Units □ Pass
Infrastructure Units ensure the
ensure the Triennial Certification and Initials:
Triennial Certification and
Accreditation (C&A), as specified by
SP-180 LCR1620-8.A Accreditation (C&A), as specified by SP CA-1, CA-4 D □ Failure
applicable IT Security Directives, of
applicable IT Security Directives, of Test Date:
all IT systems under their operational
all IT systems under their operational
control. □ N/A
control.
Comments
Name:
All Service and Infrastructure Units □ Pass
Infrastructure Units identify
identify Designated Approving Initials:
Designated Approving Authority
Authority (DAA) and Certifying CA-1, CA-4,
SP-181 LCR1620-8.A.1 (DAA) and Certifying Official (CO) SP D □ Failure
Official (CO) individuals responsible CA-6
individuals responsible for Service Test Date:
for Service and Infrastructure Unit
and Infrastructure Unit C&A
C&A activities. □ N/A
activities.
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
Verify that all Service and □ Pass
Service and Infrastructure Units
Infrastructure Units provide an up-to- Initials:
provide an up-to-date inventory of
date inventory of systems (both CA-2, CM-
SP-182 LCR1620-8.A.2 systems (both developmental and in SP D □ Failure
developmental and in production) 2, CM-3
production) used by the Service or Test Date:
used by the Service or Infrastructure
Infrastructure Unit.
Unit. □ N/A
Comments
Name:
Service and Infrastructure Units will □ Pass
Infrastructure Units shall have
have safeguards in place to detect and Initials:
safeguards in place to detect and
minimize inadvertent or malicious SC-1, SI-3,
SP-183 LCR1620-8.A.3 minimize inadvertent or malicious SP D □ Failure
modification or destruction of each SI-4, SI-8
modification or destruction of each Test Date:
IT system for which they have C&A
IT system for which they have C&A
responsibility. □ N/A
responsibility.
Comments
Verify that all Service and Service and Infrastructure Units Name:
Infrastructure Units certify that all certify that all software and hardware
□ Pass
software and hardware products used products used by IT systems for
by IT systems for which they have which they have C&A responsibility Initials:
CA-2, SA-4,
SP-184 LCR1620-8.A.4 C&A responsibility contain no contain no features that might be SP D □ Failure
SI-6
features that might be detrimental to detrimental to the security of an Test Date:
the security of an automated Library automated Library system according
□ N/A
system according to current Library to current Library IT security
IT security standards. standards. Comments
Name:
□ Pass
Service and Infrastructure Units Initials:
Infrastructure Units report on the
report on the reasons for any changes
SP-185 LCR1620-8.A.5 reasons for any changes to the C&A SP PL-3, CA-5 D □ Failure
to the C&A of any production system
of any production system for which Test Date:
for which they have responsibility.
they have responsibility.
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Verify that each Service and
Each Service and Infrastructure Unit:
Infrastructure Unit: a) Evaluates its
a) Evaluates its IT Security Plan and
IT Security Plan and system
system protection mechanisms
protection mechanisms according to
according to Library guidelines and
Library guidelines and report
report deficiencies to the Deputy
deficiencies to the Deputy Librarian Name:
Librarian of Congress whenever a
of Congress whenever a
configuration or technology change □ Pass
configuration or technology change
impacts the security posture of the Initials:
impacts the security posture of the
system; b) An annual report, based PL-1, SA-4,
SP-186 LCR1620-8.B system; b) An annual report, based SP D □ Failure
on fiscal year, will be provided to the SI-6
on fiscal year, will be provided to the Test Date:
Deputy Librarian of Congress if there
Deputy Librarian of Congress if there
has been no configuration or □ N/A
has been no configuration or
technology change impacting the Comments
technology change impacting the
security posture of the system for the
security posture of the system for the
previous reporting period; and c) the
previous reporting period; and c) the
report includes actions and
report includes actions and
milestones for addressing any
milestones for addressing any
deficiencies.
deficiencies.
Verify that a) IT security incidents
a) IT security incidents are reported
are reported to the appropriate
to the appropriate government
government entities and the IT
entities and the IT Computer Name:
Computer Emergency Response
Emergency Response Team promptly
Team promptly upon recognition of □ Pass
upon recognition of the occurrence;
the occurrence; b) The Office of Initials:
b) The Office of Investigations in the
Investigations in the Office of
SP-187 LCR1620-9 Office of Security and Emergency SP IR-6 D □ Failure
Security and Emergency
Preparedness is contacted promptly Test Date:
Preparedness is contacted promptly
regarding any event which may
regarding any event which may □ N/A
require investigation; and c) All
require investigation; and c) All Comments
efforts are made to preserve evidence
efforts are made to preserve evidence
that may be necessary to complete a
that may be necessary to complete a
thorough investigation.
thorough investigation.

4.13 Wireless Computing (WC) Test Case
Figure 19 – Wireless Computing (WC) Test Case

Tester Full
Test Pass /
Number Category
Comments
Name:
elimination software are installed (on Initials:
software are installed (on all systems SA-7, SI-3,
WC-1 ITSDir01-280 where virus detection software is SI-4, AC-19, D □ Failure
updated. □ N/A
Comments
Name:
□ Pass
Verify that ITS maintain sole
ITS maintains sole responsibility for Initials:
responsibility for installing and
installing and managing all wireless
WC-2 ITSDir05-1 managing all wireless devices and WC AC-18 D □ Failure
devices and access points connected
access points connected to the LC Test Date:
to the LC data network.
data network.
□ N/A
Comments
Name:
□ Pass
Verify that any LC Service
The LC Service Units/Enabling Initials:
Units/Enabling Infrastructure
Infrastructure requiring or planning
WC-3 ITSDir05-2 requiring or planning for installation WC AC-18 D □ Failure
for installation of a wireless network
of a wireless network submits a Test Date:
submits a written request to ITS.
written request to ITS.
□ N/A
Comments
Name:
□ Pass
Verify that all wireless devices used All wireless devices used within the Initials:
WC-4 ITSDir05-3 at LC conform to the IEEE 802.11a system conform to the IEEE 802.11a WC AC-18 D T □ Failure
wireless protocol. wireless protocol. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
All wireless devices used within the Initials:
Verify that all wireless devices used system conform to either Wi-Fi
WC-5 ITSDir05-4 WC AC-18 D □ Failure
within the LC network conform to Protected Access (WPA) or IEEE
802.11i (WPA2). Test Date:
either Wi-Fi Protected Access (WPA)
or IEEE 802.11i (WPA2). □ N/A
Comments
Name:
□ Pass
Verify that all wireless devices used All wireless devices used within the
within the LC network employ AES system network employ AES Initials:
WC-6 ITSDir05-5 (Advanced Encryption Standard) and (Advanced Encryption Standard) and WC AC-18 D O □ Failure
TKIP (Temporal Key Integrity TKIP (Temporal Key Integrity Test Date:
Protocol). Protocol).
□ N/A
Comments
Name:
□ Pass
Verify that all wireless devices used All wireless devices used within the Initials:
within the LC network do not utilize system do not utilize Wired
WC-7 ITSDir05-6 WC AC-18 D O □ Failure
Wired Equivalency Privacy (WEP) Equivalency Privacy (WEP)
encryption. encryption. Test Date:
□ N/A
Comments
Verify that all wireless devices use All wireless devices used within the Name:
802.1x /Extensible Authentication system use 802.1X /Extensible
□ Pass
Protocol (EAP) authentication Authentication Protocol (EAP)
mechanism to a Remote authentication mechanism to a Initials:
WC-8 ITSDir05-7 Authentication Dial-In User Service Remote Authentication Dial-In User WC AC-18 D O □ Failure
(RADIUS) infrastructure owned and Service (RADIUS) infrastructure Test Date:
operated by ITS to ensure that owned and operated by ITS to ensure
□ N/A
unauthorized devices do not connect that unauthorized devices do not
to the network. connect to the network. Comments
Name:
□ Pass
Verify that wireless devices do not Wireless devices used within the Initials:
WC-9 ITSDir05-8 reside on subnets allocated to wired system do not reside on subnets WC AC-18 D □ Failure
network segments. allocated to wired network segments. Test Date:
□ N/A
Comments


Tester Full
Test Pass /
Number Category
Comments
Name:
□ Pass
HE, OA, IG,
WC-10 ITSDir09-2 configuration parameters. Verify that configuration parameters. Anti-virus CM-3, SI-3 I D O □ Failure
WC, RC
the anti-virus configuration configuration parameters are Test Date:
parameters are obtained from ITS. obtained from ITS.
□ N/A
Comments
WC-11 ITSDir10-8 I D O T □ Failure
Name:
□ Pass
CA-3, SC-1,
WC-12 ITSDir10-10 dynamically allocated IP addresses allocated IP addresses assigned by RC, WC, OA I D □ Failure
IA-3
□ N/A
Comments
5 <System Name> Problem Tracking Report
Figure 20 – <System Name> Problem Tracking Report

Test SP800-
Test
Case 53 Resulting
Element Test Description Expected Result Actual Result Test Result Comments
Control Action
Number
s


Test SP800-
Test
Case 53 Resulting
Element Test Description Expected Result Actual Result Test Result Comments
Control Action
Number
s

LC System Test

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

LC System Test

Uploaded by

Copyright:

Available Formats

<Service/Infrastructure Unit>

<System Name> (<System ID>) Security Test

<Month DD, YYYY>

Information Categorization: Moderate

Revision Date Revised By Notes

i Information Categorization: Moderate

Figure 1 – Testing Process...............................................................................................................2

ii Information Categorization: Moderate

Figure 9 – Hosted Application (HA) Test Case.............................................................................56

iii Information Categorization: Moderate

1.3 System Background

1 Information Categorization: Moderate

2.1 Overview of the Testing Process

2 Information Categorization: Moderate

Figure 1 – Testing Process

Plan not approved

2.2 Personnel Roles, Responsibilities and Activities

Figure 2 – Testing Personnel

- Final approval of test plan

- Ensures that Test Cases

2.3 Test Documentation

2.3.1 Test Cases and Test Case Worksheets

3 Information Categorization: Moderate

 LCR 1620 – IT Security Policy of the Library of Congress

Figure 3 – Test Case Worksheet Fields

The test case worksheet will contain the following:

1. Test Element Number: Identifies the test element number.

4 Information Categorization: Moderate

2.3.2 Problem Tracking Reports

Figure 4 – Problem Tracking Report

Test SP800- Test

1. Test Element Number: Identifies the test element number.

5 Information Categorization: Moderate

6. SP 800-53 Controls: SP 800-53 control families related to the requirement.

2.3.3 ST&E Report

2.4 Certification of ST&E Results

6 Information Categorization: Moderate

3 Library of Congress <system name> Test Case Summary

To determine if a test case is in scope, use the following table.

Figure 5 – Test Cases in Scope

7 Information Categorization: Moderate

3.1 Description of Problem/Need

3.2 Testing Configuration

Figure 6 – Testing Configuration

Insert: Test Configuration Diagram

3.3 Test Schedule

3.4 Configuration Management

8 Information Categorization: Moderate

4 <System Name> Security Test & Evaluation

4.1 Questionnaire (Q) Test Case

Figure 7 – Questionnaire (Q) Test Case

9 Information Categorization: Moderate

Figure 7 – Questionnaire (Q) Test Case

10 Information Categorization: Moderate

Figure 7 – Questionnaire (Q) Test Case

11 Information Categorization: Moderate

Figure 7 – Questionnaire (Q) Test Case

12 Information Categorization: Moderate

4.2 General System (GE) Test Case

Figure 8 – General System (GE) Test Case

13 Information Categorization: Moderate

Figure 8 – General System (GE) Test Case

14 Information Categorization: Moderate

Figure 8 – General System (GE) Test Case