Best Practices For Department Server and Enterprise System (my.gwu.edu/files/security/5_bestpractices_20050124.pdf, 24/01/2005)

Page 1 of 8

Best Practices For Department Server and Enterprise System Checklist

INSTRUCTIONS

Information Security Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT) resources against Information Security related threats such as hacker attacks, worms, viruses, and other malicious activities. The Best Practices for Department Server and Enterprise System Checklist will be used to determine if an organizational unit of The George Washington University is using standard Information Security Best Practices to secure their Departmental Servers and Enterprise Systems.

To use this checklist, review each individual Department Server Best Practice Requirement and each Enterprise System Best Practice Requirement listed to the right of each category in the first column (Physical Security, Security Administration, Operating System Security, Database Security, Network Security, Anti-Virus, and Security Documentation). Place a check mark in the “Check if Complete” column for each best practice requirement met in the Department Server Best Practice column and/or a check mark in the “Check if Complete” column for each best practice requirement met in the Enterprise System Best Practice column. If you are not able to comply with the requirement, please provide a business case justification in the “Justification for Non-Completion” column.

Best Practice Requirements For Department Servers and Enterprise Systems

Columns: Check if Complete | Department Server Best Practice Requirement | Check if Complete | Enterprise System Best Practice Requirement | Justification for Non-Completion

Each requirement below carries a “Check if Complete” box for the Department Server column and one for the Enterprise System column; the requirement text is the same in both columns. Record the business-case reason for any unmet requirement in the “Justification for Non-Completion” column.

Physical Security

  [ ] Department Server   [ ] Enterprise System   Have entry and exit to equipment and wiring closets been restricted to authorized personnel only?
  [ ] Department Server   [ ] Enterprise System   Physically lock equipment to a stationary, durable device such as an office desk or inside a computer cabinet.
  [ ] Department Server   [ ] Enterprise System   Ensure the temperature in the room is appropriate for the equipment (check the user guide for the equipment).
  [ ] Department Server   [ ] Enterprise System   Attach devices to an Uninterruptible Power Supply (UPS) and/or surge protector.
  [ ] Department Server   [ ] Enterprise System   Ensure that fire, smoke, and heat detectors are installed to protect people and equipment.

Security Administration

  [ ] Department Server   [ ] Enterprise System   Apply software patches to all software programs on the system when available, subject to the change management process.
  [ ] Department Server   [ ] Enterprise System   Apply operating system patches to the system when available, subject to the change management process.
  [ ] Department Server   [ ] Enterprise System   Ensure the system is protected by a properly configured firewall.
  [ ] Department Server   [ ] Enterprise System   Ensure the system is protected by updated anti-virus software.
  [ ] Department Server   [ ] Enterprise System   Establish an account for each individual user and grant the appropriate level of access necessary to perform their job.
  [ ] Department Server   [ ] Enterprise System   Ensure that each user is authenticated before access is granted.
  [ ] Department Server   [ ] Enterprise System   Have a process in place to clean up accounts once the user no longer requires access to the database.
  [ ] Department Server   [ ] Enterprise System   Enable auditing and logging features on the system to capture pertinent information pertaining to all user activities.
  [ ] Department Server   [ ] Enterprise System   Have a security assessment performed on the system, including penetration testing.

Operating System Security

  [ ] Department Server   [ ] Enterprise System   Install host-based security tools such as Intrusion Detection and File Integrity Checkers on systems that contain mission-critical and/or confidential data.
  [ ] Department Server   [ ] Enterprise System   Disable all unnecessary services on the system.
  [ ] Department Server   [ ] Enterprise System   Use Minimum Security Configuration Benchmarks from the Center for Internet Security (supported by NSA, DISA, DHS, and NIST and by security experts from more than 100 other organizations). There are currently minimum security configurations for 14 types of systems, and tools are available to test systems against the benchmarks: http://www.cisecurity.org/index.html
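The File Integrity Checker called for under Operating System Security, as an added example that is not part of the GWU checklist and not any particular product: it records a SHA-256 hash, size and permission mode for every regular file under a directory, stores that baseline as JSON, and on a later run reports files that were added, removed, modified or re-permissioned. The directory tree, file contents and the tampering that `demo()` simulates are constructed for the demonstration; `build_baseline`, `compare` and `demo` are names chosen here.

```python
"""Minimal host-based file integrity checker (added example, not the checklist's code)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file below root: relative path -> hash, size, mode.

    Symlinks are skipped so a link pointed elsewhere cannot stand in for the file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    # The baseline itself must be kept where an intruder on the host cannot
    # rewrite it (read-only media or an off-host store); otherwise it proves nothing.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between a stored baseline and a fresh snapshot."""
    both = set(baseline) & set(current)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in both if baseline[p]["sha256"] != current[p]["sha256"])
    mode_changed = sorted(
        p for p in both
        if p not in modified and baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "removed": removed,
            "modified": modified, "mode_changed": mode_changed}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"                      # constructed sample tree
        (root / "cron.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated changes an integrity checker should surface:
        # an account line appended, a file not in the baseline, a file deleted.
        (root / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/var/svc:/bin/sh\n")
        (root / "cron.d" / "unexpected").write_text("# not in baseline\n")
        (root / "hosts").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken immediately after the system is built and patched, re-taken only through the change management process, and the comparison is scheduled (for example from cron) with its report sent off-host; a report of zero differences is as important to record as one with findings.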

Database Security

  [ ] Department Server   [ ] Enterprise System   Have a security assessment performed on the system that will contain the database.
  [ ] Department Server   [ ] Enterprise System   Establish an account for each individual user and grant the appropriate level of access necessary to perform their job.
  [ ] Department Server   [ ] Enterprise System   Ensure that each user is authenticated before access is granted.
  [ ] Department Server   [ ] Enterprise System   Have a process in place to clean up accounts once the user no longer requires access to the database.
  [ ] Department Server   [ ] Enterprise System   Apply patches to the system, subject to the change management process, as they become available and after they have been tested in a non-production environment.
  [ ] Department Server   [ ] Enterprise System   Encrypt information stored in the database.
  [ ] Department Server   [ ] Enterprise System   Enable auditing and logging features on the system to capture pertinent information pertaining to all user activities.

Network Security

  [ ] Department Server   [ ] Enterprise System   Monitor the network for malicious and/or abnormal activity.
  [ ] Department Server   [ ] Enterprise System   Apply patches to network devices, operating systems, and software on the network, subject to the change management process.
  [ ] Department Server   [ ] Enterprise System   Encrypt transmissions that contain sensitive and/or confidential information.
  [ ] Department Server   [ ] Enterprise System   Regularly review logs from network devices such as VPN, routers, IDS, IPS, and firewalls for suspicious activity.
  [ ] Department Server   [ ] Enterprise System   Update IDS/IPS signatures regularly.
  [ ] Department Server   [ ] Enterprise System   Ensure strong passwords are set and changed regularly on routers.
  [ ] Department Server   [ ] Enterprise System   Remove default passwords from all networking devices.
  [ ] Department Server   [ ] Enterprise System   Disable all unnecessary services on network devices.
  [ ] Department Server   [ ] Enterprise System   Use stronger, more secure protocols to secure network devices, such as SSH instead of telnet.
  [ ] Department Server   [ ] Enterprise System   Have a security assessment performed at least annually on network devices such as routers and firewalls.
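The “regularly review logs from network devices” requirement above, as an added example that is not part of the checklist: two simple detections run over a handful of constructed firewall and VPN log lines. The key=value, syslog-like line layout, the host names `fw01`/`vpn01`, the event names (`DENY`, `ALLOW`, `AUTH_FAIL`, `AUTH_OK`) and the thresholds are all assumptions made for the example, not any vendor's real format; a practitioner would swap in the parser for their own devices and keep the detection functions.

```python
"""Added example: review constructed firewall/VPN log lines for suspicious activity."""
import json
import re
from collections import defaultdict

# Constructed sample lines (assumed layout: "<timestamp> <host> <event> [proto] key=value ...").
SAMPLE_LOG = """\
2005-01-24T02:14:01 fw01 DENY TCP src=203.0.113.7 dst=192.0.2.10 dport=22
2005-01-24T02:14:02 fw01 DENY TCP src=203.0.113.7 dst=192.0.2.10 dport=23
2005-01-24T02:14:03 fw01 DENY TCP src=203.0.113.7 dst=192.0.2.10 dport=25
2005-01-24T02:14:04 fw01 DENY TCP src=203.0.113.7 dst=192.0.2.10 dport=80
2005-01-24T02:14:05 fw01 DENY TCP src=203.0.113.7 dst=192.0.2.10 dport=443
2005-01-24T02:14:06 fw01 DENY TCP src=203.0.113.7 dst=192.0.2.10 dport=3389
2005-01-24T02:20:00 fw01 DENY TCP src=198.51.100.5 dst=192.0.2.10 dport=445
2005-01-24T02:21:00 fw01 ALLOW TCP src=198.51.100.5 dst=192.0.2.10 dport=443
2005-01-24T03:00:10 vpn01 AUTH_FAIL user=jdoe src=203.0.113.50
2005-01-24T03:00:15 vpn01 AUTH_FAIL user=jdoe src=203.0.113.50
2005-01-24T03:00:21 vpn01 AUTH_FAIL user=jdoe src=203.0.113.50
2005-01-24T03:00:30 vpn01 AUTH_OK user=jdoe src=203.0.113.50
2005-01-24T03:05:00 vpn01 AUTH_FAIL user=asmith src=198.51.100.9
2005-01-24T08:00:00 vpn01 AUTH_OK user=asmith src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")


def parse_line(line: str):
    """Turn one line into a dict of fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    for tok in m["rest"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            ev[key] = value
        else:
            ev.setdefault("proto", tok)   # bare token such as TCP
    return ev


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        ev = parse_line(line.strip())
        if ev:
            events.append(ev)
    return events


def detect_port_sweeps(events: list, min_ports: int = 5) -> dict:
    """One source denied on many distinct destination ports is worth a look."""
    ports = defaultdict(set)
    for ev in events:
        if ev["event"] == "DENY" and "src" in ev and "dport" in ev:
            ports[ev["src"]].add(int(ev["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def detect_auth_abuse(events: list, max_failures: int = 3) -> list:
    """Runs of VPN authentication failures per user. A success that ends such a
    run is the higher-priority finding, since the account may now be in use."""
    streak = defaultdict(int)
    last_src = {}
    findings = []
    for ev in events:
        if "user" not in ev:
            continue
        user = ev["user"]
        if ev["event"] == "AUTH_FAIL":
            streak[user] += 1
            last_src[user] = ev.get("src")
        elif ev["event"] == "AUTH_OK":
            if streak[user] >= max_failures:
                findings.append({"user": user, "src": last_src[user],
                                 "failures": streak[user], "success_after_failures": True})
            streak[user] = 0
    for user, n in sorted(streak.items()):          # runs still open at end of log
        if n >= max_failures:
            findings.append({"user": user, "src": last_src[user],
                             "failures": n, "success_after_failures": False})
    return findings


def review(log_text: str) -> dict:
    events = parse_log(log_text)
    return {"port_sweeps": detect_port_sweeps(events),
            "auth_abuse": detect_auth_abuse(events)}


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

On the sample input the review flags the single source denied on six distinct ports and the user whose three failed VPN logins were followed by a success; the source with one denied connection and the user with a single failure stay below threshold. Thresholds and time windows should be tuned against a site's own normal traffic before the output is acted on.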

Anti-Virus

  [ ] Department Server   [ ] Enterprise System   Download the Anti-Virus software program and instructions from http://helpdesk.gwu.edu/nav/
  [ ] Department Server   [ ] Enterprise System   Update Anti-Virus definitions regularly.
  [ ] Department Server   [ ] Enterprise System   Scan the system regularly for virus, worm, and Trojan activity.

Security Documentation

  [ ] Department Server   [ ] Enterprise System   Document a description of the system's software and hardware.
  [ ] Department Server   [ ] Enterprise System   Document a contingency plan for the system in the event the system becomes unavailable.
  [ ] Department Server   [ ] Enterprise System   Document and maintain backup procedures for the system.
  [ ] Department Server   [ ] Enterprise System   Keep user manuals from vendors for systems that were pre-built, or develop documentation for systems that have been developed in house.
  [ ] Department Server   [ ] Enterprise System   Keep a software license catalog of system software and applications on hand.
  [ ] Department Server   [ ] Enterprise System   Keep risk and security assessments for the system on hand.

BEST PRACTICE CHECKLIST SIGN-OFF

1) I have reviewed the Department Server and/or the Enterprise System against this Best Practice checklist.

2) Best Practice requirements that could not be met for a business-justifiable reason have been documented in the “Justification for Non-Completion” column of this document.

System Administrator Sign-off

Name:_____________________________

Signature:_____________________________

Title:_____________________________

Date:_____________________________

System Owner Sign-off

Name:_____________________________

Signature:_____________________________

Title:_____________________________

Date:_____________________________