Justice Security Grant Project – County Checklist.doc

CCAP Security Guidelines And Checklist 2.0

Table of Contents

Disclaimer (p. 3)
Summary (p. 4)
    Priority Key (p. 4)
General Network Security (p. 5)
    Physical Security (p. 5)
    Change Management Security (p. 6)
    Network Policies & Procedures (p. 7)
    VPN/Remote connectivity (p. 8)
External Network Security (p. 9)
    Border Router (p. 9)
    Border Firewall (p. 11)
    Intrusion Prevention System (p. 13)
    Wireless Access point/bridge (p. 15)
    Laptops / Mobile Devices (p. 17)
Internal Network Security (p. 19)
    Servers (p. 19)
        Physical Security (p. 19)
        Event Logs (p. 20)
        Anti-Virus (p. 22)
        Patches and Updates (p. 24)
        Backups (p. 25)

Disclaimer

This document contains confidential information regarding the setup and configuration of the county network. Disclosure of this document may reveal information regarding the network that could lead to a compromise of network security. As such, the distribution of this document should be limited to only necessary parties.

While every effort has been made to ensure accuracy and completeness of the content of this assessment, Continental Technologies, Inc. expressly does not accept responsibility for any errors or omissions. Continental Technologies, Inc. has engaged in a review of the processes and settings of your network; we expressly do not make any representations that our review and assessment of your network makes it secure. This assessment was made at a particular point in time, and given the dynamic and ever-changing environment of network security, the county should be aware that findings herein might be outmoded. Before taking any action in response to, or reliant upon, the information contained in this assessment, you are advised to confirm all information with Continental Technologies, Inc. The county hereby acknowledges that Continental Technologies, Inc. will not accept liability for any action or remedy taken by the county in reliance on the information provided by this document.

To the fullest extent permissible pursuant to the applicable law, Continental Technologies, Inc. disclaims all warranties expressed or implied, including but not limited to, implied warranties of merchantability and fitness for a particular purpose. Continental Technologies, Inc. does not warrant or make any representations regarding the Findings of this assessment or the use of the materials herein. The county assumes the entire cost of all necessary servicing, repair or correction resulting from the recommendations herein.

Under no circumstances, including but not limited to negligence, shall Continental Technologies, Inc. be liable for any special or consequential damages that result from the use of, or the inability to use the materials in this assessment.

Summary

This document is intended to provide the forms and checklists to be used on a regular basis. The forms and checklists are not vendor specific and should be adjusted by the user as needed.

Priority Key

Each section of this checklist will be categorized with a priority. Each item’s priority will give the user an idea of the level of risk and importance of the item. The three levels of priority and their definitions are:

High: This level indicates that the item represents a risk, by itself, if it was not checked or configured.

Medium: This level indicates that the item does not necessarily pose a security risk by itself, but it does increase the risk of a network compromise in some way.

Low: This level indicates that the item does not represent a risk nor does it necessarily increase the risk. It remains important for other reasons however. Those reasons will be explained on each item.

General Network Security

Physical Security

Priority: High

Physical security entails the protection of computer resources from physical access. It is important because if an attacker is able to gain physical access to equipment, it is assumed that the attacker was able to compromise the system. All wiring closets and server rooms should have some level of physical security to prevent unauthorized access. In most cases, this includes access by internal users as well as the public. Physical security also encompasses the well-being of the computer equipment in the face of disasters such as fire and flood.

Best Practice Guidelines:

1. All server rooms and wiring closets should be behind locked doors with only authorized personnel having access.

2. All windows and alternative access to the room should be locked.

3. Consider monitoring equipment such as cameras as an added deterrence.

4. Review the fire suppression system in the room. Is it water based? If so, consider replacing or augmenting with an inert gas system. Water can cause more damage to computer systems than the fire it is putting out.

Current Setup:

For all current devices answer the following questions and determine if they meet the guidelines set above.

List the security methods or devices that are between the public (people from outside the building) and physical access to the servers or server room. (i.e. Security guards, locked doors, monitoring cameras, badges)

List the security methods or devices that are between the public (people from outside the building) and physical access to each wiring closet.

Change Management Security

Priority: Medium

The process of securing personnel changes is important to ensure access to computer resources is not granted unnecessarily and is removed expediently when a user leaves. Counties want to ensure that ex-employees do not retain the ability to gain access to the network after their dismissal.

Best Practice Guidelines:

1. Ensure there is a paper or electronic document that details a new user, their position, their needs on the network, and their immediate supervisor.

2. Any changes to a user’s account in regards to added access should include a paper or electronic form approved by the user’s supervisor.

3. A process should be in place that ensures IT is aware of any changes in employment for speedy account removal. This may include:

   a. Immediate account disabling or removing.
   b. Ensuring all additional access and equipment is retained.
   c. Forwarding email to the immediate supervisor of the person leaving employment.

Current Setup:

For all current devices answer the following questions and determine if they meet the guidelines set above.

Explain the current process used to ensure the security of the data once a person (who had access to passwords and other privileged information) leaves your employment.

What documents, policies or processes occur for a new employee that help to ensure data integrity?

Network Policies & Procedures

Priority: High

Policies are the defining documents for a computer network. They state the overall objective and need for network security and define responsibilities for users and administrators. Policies are one of the most important aspects of network security because they come from top management. They are the directives that allow administrators to enact security procedures on the network. The more complete and thorough the policies are, the easier it is to secure, delegate and maintain network security. Under many federal regulations, including HIPAA, which the counties must follow, policies must be defined for many aspects of network security. Procedures are the specific details regarding the technology that is covered under the policy.

Example: Anti-virus

A policy will state that the county is responsible for maintaining a current anti-virus product for the protection against computer viruses. An anti-virus procedure would be the documented procedure that an administrator needs to conduct on their particular anti-virus product in order to make that happen.

Best Practice Guidelines:

1. Does the county have an ‘Acceptable Use Policy’ (AUP)? An AUP is a defining document that details users’ rights and responsibilities on the computer network.

2. Does the county have policies in place that cover laptop security and include laptop encryption? Laptops are prone to theft and loss, and extra protective measures should be enacted to ensure their data is not compromised if stolen.

3. Are there any policies in place that cover email security and encryption? A policy should be enacted by the counties stating that any confidential material exchanged through email should be encrypted.

4. Does the county have a Disaster Recovery Plan (DRP)? A DRP is the county’s policy regarding worst case scenarios and potential data loss.

5. Are there any procedures in place that cover wireless security? Wireless access should be heavily monitored and restricted. A policy should state that no wireless devices can be placed on the network without county approval.

6. Are there any procedures in place that cover anti-virus settings and maintenance? The county should document how their anti-virus system is setup and how it functions. This will allow any administrator to check and update anti-virus signatures quickly and efficiently.

7. Are there any procedures in place that cover vendor or partner access? All vendor and partner access should be documented for easy discovery of accessible resources and the ability to change the access as needed.

8. Are there any policies in place that cover dial-in, VPN or remote access? Administrators may restrict external access or allow it within certain guidelines. This should be defined in a policy.

9. Are there any procedures in place that cover backup maintenance, security or redundancy? As with anti-virus, backups should be documented to allow functionality from multiple administrators.

Current Setup:

List any additional policies and procedures depending on their specific setup and guidelines.

VPN/Remote connectivity

Priority: High

Allowing VPN or remote access changes the border of a network. Traditionally, the border of a network is defined as the firewall, where the public side is restricted from access to the trusted side of the network. When allowing access from outside the network, the border becomes the point from which the external connection is made. This may be an unsecured system that is not under the administration of the county. As such, each county should restrict and regulate the access of remote users, because allowing remote access can open the door for attackers to hijack the connection from the remote computer side and thereby bypass the firewall and other border security measures. It would also be harder to detect a compromise in this area as the connection is encrypted.

Best Practice Guidelines:

VPN access:

1. Only allow the VPN client to be installed on a county system. This will ensure that anti-virus and other protections are in place if the system is managed by the county network.

2. Restrict access through the VPN to only the necessary services or servers that the client needs access to.

3. If the VPN is to a partner, ensure that traffic is only allowed from or to specific systems to restrict access. Do not allow access from anywhere on the Internet for a partner connection, because the county will not know if the partner lets go of people who know usernames and passwords that get into the county.

4. Document any access to ensure that access

Other access types:

1. If access is allowed to email or other resources through the firewall via a web page, ensure the web page is secured with an SSL certificate. This prevents usernames and passwords from being sent in clear text.

2. Consider a strong authentication technology such as RSA SecurID tokens for remote access. Secure tokens add an additional layer to access, preventing brute force attacks.

Current Setup:

For all current devices answer the following questions and determine if they meet the guidelines set above.

Do you allow anyone to connect into the network from the outside? (workers from home, vendors, support contractors)

Yes No

If yes to the previous question: for each group you allow access, define the method used to secure the connection and what they are given access to once they connect to the network.

External Network Security

Border Router

Priority: Medium

Router security is important because routers control the traffic moving into and exiting your network.

Best Practice Guidelines:

1. Maintain a written policy for securing all routers. This will ensure all routers are configured consistently and securely.

2. Organize offline configurations and maintain security (encryption) for those files. This will allow for easy replacement should a router fail. Routers are very reliable devices and many times are forgotten about until they fail, and then no one remembers how they were originally set up.

3. Keep the latest firmware on the routers. Vulnerabilities on routers are often overlooked when reviewing patches and maintenance. A procedure should be in place to ensure router versions are reviewed on a regular basis for security.

4. Maintain support from the manufacturer of the router. Maintenance is important in case of failure. A timely replacement to critical resources such as routers will ensure uptime and availability of line of business applications.

5. Ensure router passwords are maintained for all access methods (console, telnet). Passwords should be maintained on all network devices to prevent unauthorized access.

6. Is logging enabled, and are recipient hosts identified and configured? Each router should log to a central syslog server for security and maintenance purposes.

7. Is the routers’ time set properly and maintained with NTP? The correct time is important in correlating events on any network device.

8. Is SNMP used on the network? If not, router SNMP should be disabled. If so, SNMP should be enabled with good community strings and an ACL. SNMP allows for the easy gathering of utilization statistics on the network but could also be used for gaining access to configurations and setup information if not set up properly.

9. Consider adding an access control list (ACL) that restricts traffic through the router. An ACL will stop traffic before it hits the firewall, preventing unnecessary burden on the firewall device and ensuring certain traffic cannot get through.

Current Setup:

For all current devices answer the following questions and determine if they meet the guidelines set above.

Is there a router security policy written?

Yes No (if not, consider writing one)

Is the router IOS up to date?

Yes No (if not, check to determine if there are any security considerations)

Is the router configuration kept off-line and up to date?

Yes No (if not, keep an offline copy secure for easy recovery)

Is access to the configuration secured?

Yes No

Are router passwords maintained for all access methods (console, VTY, Aux)?

Yes No (apply them to all router interfaces used)

Are unneeded network services and facilities disabled?

Yes No (define the services that are needed so they can be compared to the services actually running and then remove/disable those that don’t have justification)

Are unused interfaces and VTYs shut down or disabled?

Yes No (administratively shut down any unused interface)

Are access lists applied to all outbound traffic (from the LAN side out)?

In general, the filter for traffic should be applied on the interface that would drop the unauthorized traffic before reaching any other interface.

Yes No (always use access control lists on routing devices for each direction traffic flows)

Are access lists applied to all inbound traffic (from the WAN side in)?

In general, the filter for traffic should be applied on the interface that would drop the unauthorized traffic before reaching any other interface.

Yes No (always use access control lists on routing devices for each direction traffic flows)

Are access lists blocking reserved and inappropriate addresses?

Yes No (include the typical IP ranges to the filtering)

Is logging enabled, and are recipient hosts identified and configured?

Yes No (enable logging and implement a process to secure the logs)

Is the routers’ time set properly and maintained with NTP?

Yes No

Is logging set to include accurate time information?

Yes No

Are logs checked, reviewed and maintained according to the security policy?

Yes No

Is SNMP disabled, or enabled with good community strings and an ACL?

Yes No

Border Firewall

Priority: High

Firewall security is important because the firewall is often the last line of defense between the public Internet and the private trusted network. The firewall controls the traffic moving into and exiting your network. A firewall is the primary device that is used to control the border.

Best Practice Guidelines:

1. Ensure all firewalls are running the most current firmware available. Like any network device, vulnerabilities are occasionally found in firewalls, and updated firmware will ensure the county is not vulnerable to attack.

2. Ensure the firewall is logging properly. All firewalls should log to a central server that will allow for review of the logs should an event occur.

3. Maintain support from the manufacturer of the firewall. Maintenance is important in case of failure and getting security updates. A timely replacement to critical resources such as routers will ensure uptime and availability of line of business applications.

4. Document all the firewall rules to ensure accurate knowledge of what is entering or leaving the network.

5. Restrict outbound access to only those ports which are necessary for business to occur. Often unrestricted outbound access is allowed, opening the potential for exploits that move from the outside to a central server.

6. Allow only specific and restrictive rules inbound to prevent opening access to more resources than anticipated.

7. Maintain a copy offline of firewall configurations and maintain security (encryption) for those files. This will allow for easy replacement should the firewall fail.

8. Restrict access to the firewall to only users that need to administer it.

Current Setup:

For all current devices answer the following questions and determine if they meet the guidelines set above.

Is there a security policy in place that governs the firewall?

Yes No

Is there current manufacturer support for this hardware/software?

Yes No

Do access to the firewall, its passwords and its policy match the security policy?

Yes No

Is the OS/Firmware up to date on the firewall?

Yes No

Is there a secured offline copy of the firewall’s current configuration?

Yes No

Is the access to the firewall information limited to match the policy? Restrict access to the firewall to only parties that need to administer it.

Yes No

Are access lists blocking reserved and inappropriate addresses? (The address ranges of 192.168.0.0, 172.16-31.0.0, and 10.0.0.0 should never be seen on the outside of a private network.)

Yes No
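The reserved-address item above (and the matching border router item) can be verified against the access list itself rather than by eye. The following is an added example and not part of the checklist: it parses numbered Cisco IOS-style extended ACL lines and reports which of the three private ranges the checklist names (plus loopback, added here) could still reach the inside because a permit is evaluated before a covering deny. The ACL text and the 203.0.113.10 web server address are constructed samples.

```python
"""Check that a border ACL denies private/reserved source ranges before any permit."""
import ipaddress

# The three private ranges the checklist names (RFC 1918) plus loopback,
# which can also never be a legitimate source on the outside interface.
RESERVED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair (0 bits are fixed) into an ip_network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    prefix = bin(mask).count("1")
    # Only a contiguous wildcard maps onto a prefix length.
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_acl(text):
    """Return [(action, source_network)] for numbered 'access-list N ...' lines.

    Destination and port tokens are ignored: spoof filtering is decided by the
    source field alone. Remarks and unrelated lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue
        action, src = parts[2], parts[4:]
        if src[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif src[0] == "host":
            net = ipaddress.ip_network(src[1] + "/32")
        else:
            net = wildcard_to_network(src[0], src[1])
        entries.append((action, net))
    return entries


def unblocked_reserved_sources(acl_text):
    """List reserved ranges that some permit can match before a covering deny.

    Cisco ACLs are evaluated top-down, first match wins, with an implicit deny
    at the end. A range is safe if a deny covering all of it comes before any
    permit that overlaps it, or if no permit overlaps it at all.
    """
    leaks = []
    entries = parse_acl(acl_text)
    for reserved in RESERVED_SOURCES:
        for action, net in entries:
            if action == "deny" and reserved.subnet_of(net):
                break                          # fully blocked before any permit
            if action == "permit" and reserved.overlaps(net):
                leaks.append(str(reserved))    # a spoofed source gets through
                break
    return leaks


# Constructed sample: the web-server permit sits above the spoof denies, so a
# packet claiming a 10.x.x.x source still reaches port 80 on the server.
WEAK_ACL = """
access-list 101 remark inbound on the WAN interface (ip access-group 101 in)
access-list 101 permit tcp any host 203.0.113.10 eq 80
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
"""

# Corrected ordering: reserved sources are dropped first, then the permit.
FIXED_ACL = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit tcp any host 203.0.113.10 eq 80
"""

if __name__ == "__main__":
    print("weak ACL leaks:", unblocked_reserved_sources(WEAK_ACL))
    print("fixed ACL leaks:", unblocked_reserved_sources(FIXED_ACL))
```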

Is egress (outbound) filtering applied to all outbound traffic (from the LAN side out)?

Yes No

Logging enabled and recipient hosts identified and configured?

Yes No

Is the firewall time set properly and maintained with NTP to ensure accurate log times?

Yes No

Are the firewall logs checked, reviewed and maintained according to the security policy?

Yes No

Intrusion Prevention System

Priority: Medium

Intrusion Prevention Systems are advanced protocol-aware solutions that evaluate network traffic on a higher level than firewalls do. They are very good at reviewing traffic that is typically allowed by firewalls to production servers, for instance, examining port 80 traffic to an internal web server. An IPS can alert the IT staff if suspicious traffic is detected and stop it before it affects a server.

Best Practice Guidelines:

1. If there is no IPS in place, consider a device that sits in-line on your network to evaluate traffic entering and leaving your network. Avoid traditional IDS systems that only log potentially malicious traffic.

2. Ensure there is an update process to the IPS system. An IPS system may only protect against current attacks if there is an updated signature base on the device.

3. Someone should be reviewing the IPS regularly to ensure false positives are identified and managed. A false positive is valid traffic that has been marked malicious for some reason.

4. Maintain support from the manufacturer of the IPS. Maintenance is important in case of failure and getting security updates. A timely replacement to critical resources such as an IPS will ensure uptime and availability of line of business applications.

5. Document the IPS configuration and keep a copy offline for easy recovery and review.

Current Setup:

For all current devices answer the following questions and determine if they meet the guidelines set above.

Is there a security policy in place that governs the IDS/IPS?

Yes No

Is there current manufacturer support for this hardware/software?

Yes No

Do access to the IDS/IPS passwords and the ability to change settings match the security policy?

Yes No

Is the OS/Firmware up to date on the IDS/IPS?

Yes No

Is there an offline copy of the current IDS/IPS configuration?

Yes No

Is the access to the IDS/IPS information limited to match the policy?

Yes No

Is the device monitoring the network segments needed to gather the expected information?

Yes No

Are unneeded network services and facilities disabled?

Yes No

Logging enabled and recipient hosts identified and configured?

Yes No

Is the IDS/IPS time set properly and maintained with NTP?

Yes No

Is logging set to include accurate time information?

Yes No

Are the logs checked, reviewed and maintained according to the security policy?

Yes No

SNMP disabled or enabled with good community strings and access control?

Yes No

Wireless Access point/bridge

Priority: High

Wireless access has allowed users and administrators to be free of the burden of a physically wired connection. Unlike a wired connection, however, there is no control over the direction in which the wireless transmits data. As such, it is very important to ensure security on the wireless connection. In addition, well known flaws in some wireless protocols make wireless a tricky technology to implement.

Best Practice Guidelines:

1. All wireless access points should have all default settings changed. This includes at the least all access passwords, SNMP settings, and SSID.

2. Do not use WEP as the encryption method for access points. WEP is an encryption standard that has been cracked and is not reliable for protecting your network. Instead use WPA with TKIP or AES encryption.

3. Do not broadcast your SSID. It is possible to determine an SSID for a wireless system that is not broadcasting it, but this keeps the casual scanner from easily discovering your access point. Do not rely on this alone as it is very easy to overcome.

4. If possible, restrict system access by MAC address. Like SSID, it is possible to determine valid addresses and forge a MAC address, but this keeps casual scanners from attaching.

5. For large installs, implement a central authentication system such as Cisco ACS or RADIUS to manage access. This will allow administrators to restrict wireless access at the same time they deactivate a network account.

Current Setup:

For all current devices answer the following questions and determine if they meet the guidelines set above.

Is there a policy written that governs the wireless equipment?

Yes No

Is there current manufacturer support for this hardware/software?

Yes No

Do access to the device passwords and the ability to change device settings match the security policy?

Yes No

Is the OS/Firmware up to date on the device?

Yes No

Is there an offline copy of the device’s current configuration?

Yes No

Are there access control lists in place for the associated (authorized) users?

Yes No

Is the device using AD or other network database to authenticate its users?

Yes No

Is the access to the device information limited to match the policy?

Yes No

Does the device encrypt the traffic that passes through it (WPA, WPA2)?

Yes No

Is the device broadcasting its SSID?

If the access point is meant for company access only (no public access) then the SSID should not be broadcast. Wireless clients should have their systems manually configured.

Yes No

Has the area been audited to find rogue access points?

Yes No

Are unneeded network services and facilities disabled?

Yes No

Logging enabled and recipient hosts identified and configured?

Yes No

Is the device time set properly and maintained with NTP?

Yes No

Is logging set to include accurate time information?

Yes No

Are the logs checked, reviewed and maintained according to the security policy?

Yes No

SNMP disabled or enabled with good community strings and ACL?

Yes No

Laptops / Mobile Devices

Priority: Medium

Laptops can be stolen easily, and the potential data on that laptop may represent a security risk if stolen or lost. In addition, laptops leave the trusted network and thus are exposed to unsecured networks not under the control of county administrators. For these reasons extra security should be taken for laptops.

Best Practice Guidelines:

1. All laptops should have a personal firewall installed. At a minimum, the Microsoft firewall that comes with XP or better should be enabled.

2. All laptops should have current anti-virus software and signatures on their system. Since laptops are often away from the office, they should be able to update automatically.

3. Consider full hard drive encryption on all laptops. This will ensure any confidential information on the laptop will not be disclosed should the laptop be lost or stolen.

4. Laptops should be able to download and update patches automatically since there is the possibility of them being off the network for a length of time.

Current Setup:

For all current devices answer the following questions and determine if they meet the guidelines set above.

Are the laptops’ drives encrypted so that, if stolen, the hard drive cannot be read?

Yes No

Is the system up to date with its antivirus software?

Yes No

Is the system up to date with its OS patches and service packs?

Yes No

Is there a company policy in place that governs the security and use of the device?

Yes No

Is there a training process for the device users?

Determine if the organization includes information about the security of laptop devices in its security awareness training. This training should cover:

- Physical security of the device
- The laptop security policy
- Information that may be stored on the device
- The procedure to follow if a device is lost or stolen

Yes No

Is there a current manufacturer support contract supporting the device?

Yes No

Is the device synchronizing securely?

Determine if a password is required in order to synchronize the hand held device to the desktop.

Yes No

Is there an employee termination procedure in place?

Determine if the return of the laptop is included in the organization’s employee termination procedures.

Yes No

Is there theft protection?

Determine if sensitive information on the device is protected if the device is lost or stolen. In order to protect sensitive information that may be stored on the device, all information on the device should be permanently deleted if eight consecutive failed login attempts are made.

Yes No

Is the device secured with corporate antivirus software?

Determine if AV software is loaded on each laptop. This software should be configured to examine files as they are opened. Updated signatures should be installed on the device every time the device synchronizes to its home PC or at regular intervals via a network connection.

Yes No

Is the device up to date with all firmware and OS patches and hot fixes?

Yes No

Does the device maintain any data deemed business critical?

Yes No

Internal Network Security

Servers

Servers house critical data and line of business applications. These systems are important to protect to ensure confidentiality, availability and integrity of data systems on the network.

Best Practice Guidelines:

1. All servers should be reviewed on a regular basis to ensure updates and compliance with policy as described below.

Date checked: _________________________________

Date of last documented check: _________________________________

Auditor: _____________________________________________________

Physical Security

Physical access to network equipment allows attackers to attack devices more easily and in ways that they would not otherwise be able to.

Best Practice Guidelines:

1. Physical access to all server systems should be restricted to authorized personnel.

2. All servers should be behind an automatically locking door in a private area.

3. Areas housing server equipment should be monitored in some fashion so that administrators can determine who had access to server equipment if something should occur.

Current Setup:
For all current devices, answer the following questions and determine if they meet the guidelines set above.

Are all systems physically secured from public and unauthorized access?

Yes No
Explain the methods employed to secure them:

Are the servers and other equipment located in a secured room?

Yes No (relocate them into secured areas)

Is access to these rooms logged and/or monitored in some way?

Yes (Explain method below) No

Event Logs
Priority: Medium
Event logs contain critical information regarding issues and potential security problems with servers. IT staff should review the information in the logs on a regular basis.

Best Practice Guidelines:
1. All servers should be logging failure events at a minimum.
2. Consider logging successful events also. This will take more log space but is necessary to have audit trails of user activity.
3. Consider consolidating logs using a 3rd party tool. These tools will alert administrators to issues that may be lost in large logs.
4. Review the security logs on each server on a weekly basis.

Current Setup:
For all current devices, answer the following questions and determine if they meet the guidelines set above.

For each Windows 2000 system, the standard event log questions apply to the “Application”, “System” and “Security” logs. For each Windows 2003 system, the standard event log questions apply to the “Application”, “System”, “Security” and “DNS” log types.
Does the local system policy audit success and failure of all nine (9) event types shown in the next figure?

Yes No

Fill out the checkboxes to match the settings for the server

Audit account logon events Success Failure

Audit account management Success Failure

Audit directory service access Success Failure

Audit logon events Success Failure

Audit object access Success Failure

Audit policy change Success Failure

Audit privilege use Success Failure

Audit process tracking Success Failure

Audit system events Success Failure

Are the settings for all event logs (Application, Security, System) adjusted to match the following settings?

Yes No (match the settings shown)

For Windows 2003, 2000 and NT Servers
Check the Application event logs for any “Error” types within the last cycle period.

Completed Not Completed

Check all the events of this category (errors) and ensure no other actions are required

Completed Not Completed

Check the Security event logs for any “Failure Audit” types within the last cycle period

Completed Not Completed

Check all the events of this category (Audit Failures) and ensure no other actions are required.

Completed Not Completed

Check the System log for any “Error” types within the cycle period.

Completed Not Completed

Check all the events of this category (errors) and ensure no other actions are required

Completed Not Completed

For Windows 2003 Servers
Check the DNS log for any “Error” types within the cycle period.

Completed Not Completed

Check all the events of this category (errors) and ensure no other actions are required

Completed Not Completed
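The two checks above, the nine-category audit policy and the cycle-period review of the Application, System, Security and DNS logs, are illustrated by the following added Python example. It is not part of the CCAP checklist or of any county's tooling. The event records, the cycle end date and the incomplete audit policy are constructed sample data, and the record layout (log, type, time, source, event_id, message) is an assumption about how an exported event log would be represented; the DNS log is only checked when the server is flagged as Windows 2003.

```python
"""Added example (not part of the CCAP checklist): check a server's audit
policy against the nine categories the checklist lists, and review exported
event-log records for "Error" / "Failure Audit" entries inside the review
cycle period. All records below are constructed sample data."""
from datetime import datetime, timedelta

# The nine audit categories the checklist asks about; the guideline is to
# audit both Success and Failure for every one of them.
AUDIT_CATEGORIES = (
    "Audit account logon events",
    "Audit account management",
    "Audit directory service access",
    "Audit logon events",
    "Audit object access",
    "Audit policy change",
    "Audit privilege use",
    "Audit process tracking",
    "Audit system events",
)

def audit_policy_gaps(policy):
    """Return {category: [missing settings]} for every category that is not
    auditing both Success and Failure. `policy` maps a category name to the
    set of enabled settings; a category absent from `policy` audits nothing."""
    gaps = {}
    for category in AUDIT_CATEGORIES:
        enabled = set(policy.get(category, ()))
        missing = {"Success", "Failure"} - enabled
        if missing:
            gaps[category] = sorted(missing)
    return gaps

# Entry type the checklist asks you to look for in each log.
# The DNS log only exists on Windows 2003 servers.
REVIEW_TYPES = {
    "Application": "Error",
    "System": "Error",
    "Security": "Failure Audit",
    "DNS": "Error",
}

def review_event_logs(events, cycle_end, cycle_days=7, has_dns_log=True):
    """Return {log: [events]} holding the entries of the checked type whose
    timestamp falls inside (cycle_end - cycle_days, cycle_end]."""
    cycle_start = cycle_end - timedelta(days=cycle_days)
    logs = dict(REVIEW_TYPES)
    if not has_dns_log:
        logs.pop("DNS")
    findings = {log: [] for log in logs}
    for ev in events:
        log = ev["log"]
        if log not in logs or ev["type"] != logs[log]:
            continue
        if cycle_start < ev["time"] <= cycle_end:
            findings[log].append(ev)
    return findings

# Constructed sample export; the weekly review cycle ends at CYCLE_END.
CYCLE_END = datetime(2009, 3, 13, 23, 59)
SAMPLE_EVENTS = [
    {"log": "Application", "type": "Error", "time": datetime(2009, 3, 10, 8, 5),
     "source": "MSSQLSERVER", "event_id": 17055, "message": "backup device error (constructed)"},
    {"log": "Application", "type": "Information", "time": datetime(2009, 3, 11, 9, 0),
     "source": "MSSQLSERVER", "event_id": 18264, "message": "database backed up (constructed)"},
    {"log": "Security", "type": "Failure Audit", "time": datetime(2009, 3, 12, 2, 14),
     "source": "Security", "event_id": 529, "message": "logon failure, unknown user name (constructed)"},
    {"log": "Security", "type": "Success Audit", "time": datetime(2009, 3, 12, 8, 1),
     "source": "Security", "event_id": 528, "message": "successful logon (constructed)"},
    {"log": "System", "type": "Error", "time": datetime(2009, 2, 20, 4, 0),
     "source": "Disk", "event_id": 7, "message": "bad block (constructed; outside the cycle)"},
    {"log": "DNS", "type": "Error", "time": datetime(2009, 3, 13, 6, 30),
     "source": "DNS", "event_id": 4015, "message": "directory lookup failed (constructed)"},
]

# Constructed sample of a server whose audit policy is incomplete.
SAMPLE_POLICY = {
    "Audit account logon events": {"Success", "Failure"},
    "Audit logon events": {"Failure"},
    "Audit object access": set(),
    "Audit policy change": {"Success", "Failure"},
}

if __name__ == "__main__":
    for category, missing in audit_policy_gaps(SAMPLE_POLICY).items():
        print(f"policy gap: {category} is not auditing {', '.join(missing)}")
    for log, found in review_event_logs(SAMPLE_EVENTS, CYCLE_END).items():
        print(f"{log}: {len(found)} {REVIEW_TYPES[log]} event(s) to review this cycle")
        for ev in found:
            print(f"  {ev['time']:%Y-%m-%d %H:%M} {ev['source']} {ev['event_id']}: {ev['message']}")
```

The cycle window is half-open on purpose: an event stamped exactly at the previous cycle's end was reviewed last time, and an event stamped exactly at this cycle's end belongs to this one, so nothing is double-counted or dropped between two weekly reviews.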

Anti-Virus
Priority: High
Anti-virus solutions are critical on servers just as they are on clients. If a single client gets infected and is on the network, the infection can quickly spread to production servers and cause downtime. Virus activity in the corporate world is a high-profile method of attack. Much like wireless security, it demands the attention of the IT staff as a result.

Best Practice Guidelines:
1. All servers should have the most current anti-virus signature running on them.
2. An automated process should be in place that allows servers to update signatures automatically. This process should occur no less than once a day and should occur early in the morning to ensure any updates from the previous night are distributed before employees are on the network.
3. Anti-virus should be centrally managed, allowing administrators to quickly and easily determine who has been updated and when the last update occurred.

Current Setup:
For all current devices, answer the following questions and determine if they meet the guidelines set above.

Is antivirus software running on the system?

Yes No (ensure that client-level AV is installed per the manufacturer’s recommendations)

Is the host-level antivirus software current with its virus definitions?

Yes No (Explain below)

Are the updates being performed automatically and on a daily basis?

Yes No (Explain below)

Is the host-level antivirus software being managed through another parent server?

Yes No (make this system a managed client)

Are any applicable directories and/or files excluded from the antivirus real-time scanning?

Yes (Define below) No

Is there any other antivirus software running on this system (e.g. antivirus for Exchange)?

Yes (Define below) No

Are the virus definitions up to date for this antivirus software?

Yes No

Is the AV software configured to scan and filter email attachments?

Yes No (enable this feature)

Were any virus events found during the last cycle period?

Yes (Define below) No

Patches and Updates
Priority: High
An unpatched Windows PC connected to the Internet will last for only an average of 20 minutes before it's compromised by malware, according to The SANS Institute's Internet Storm Center. That startling fact underscores the importance of patches. But successful patch management is more than just plugging holes and hoping for the best. It's a continual and systematic process. Maintaining updates and patches is one of the most effective ways to prevent a successful attack on your network.

Best Practice Guidelines:
1. An automated patch management system should be implemented on the network. IT administrators rarely have enough time to physically visit every workstation and update patches on a regular basis.
2. All workstations should be set to download and install critical patches automatically. Users cannot be relied upon to update their systems and will often bypass updates for convenience.
3. All servers should be configured to automatically download updates, but not install them. An administrator should be present when a server patch is installed to ensure there is a valid backup before proceeding.
4. IT staff should set a regular schedule for updating servers with critical patches so that they do not linger with potential vulnerabilities.

Current Setup:
For all current devices, answer the following questions and determine if they meet the guidelines set above.

Is there a system being used to deploy Microsoft (or other OS) level patches and updates?

Yes No

Is the system currently up to date with patches and updates?

Yes No

Is the system running the current Service Pack?

Yes No

Is the system configured to download updates automatically but not install them until an administrator installs them manually?

Yes No

Are there any pending update installations waiting for the system to reboot? If so, reboot and allow updates to be installed.

Yes No

Backups
Priority: High
It is essential to have a planned backup strategy to prevent loss of vital information in the event of fire, flood, hardware failure, or theft. Ensuring a good backup of critical data will ensure the speedy recovery of files or systems should a failure event occur.

Best Practice Guidelines:
1. Backup tapes should be on a grandfather-father-son rotation. This rotation methodology allows for recovery of data from up to a year ago. This ensures all deleted data that may be needed will be accessible.
2. Consider standardizing backups to a single solution to ensure compatibility during recovery. Having multiple tape solutions can become a management nightmare.
3. Consider backing up to disk and then to tape. Backing up to disk will allow for easy and fast recovery of data.
4. Since disk backup is normally limited by space, always back up to tape in addition.
5. Have a rotation to take tapes offsite. Tapes should not be stored in the same location as the servers they back up. A fire or other disaster could affect both.
6. Take care with the security of backup tapes. They contain all the confidential data of your network and should be treated with the same security consciousness as the physical security of servers.
7. All backups should complete in a successful state. Any other state may mask potential issues that should be taken care of.

Current Setup:
For all current devices, answer the following questions and determine if they meet the guidelines set above.

Are all the critical files and directories defined (documented) in a network wide policy?

Yes No

Does the backup job include all the critical files and directories?

Yes No

If this server is performing a backup, is the software up to date with all patches and hot fixes as needed?

Yes No

Do you have current manufacturer support for this software?

Yes No

Check the backup logs for any errors within the backup jobs that have occurred during the last cycle. If there are no errors then skip this section.

If there are errors in the backup log each needs to be either addressed or accepted as non-critical. Non-critical errors are those that have been determined not to prevent a successful restoration of data to the system if it were lost.

For each error found in the backup log list the “error code/number”, “error description” and “solution” in the table below.

Error Number    Error Description                        Solution
____________    _________________________________        _________________________________
____________    _________________________________        _________________________________
____________    _________________________________        _________________________________
____________    _________________________________        _________________________________
____________    _________________________________        _________________________________

Have all the errors described in the table above been addressed?

Yes No

Is the error non-critical?

Yes No

Is the error going to be accepted and not be remedied?

Yes No
If the error is addressed, describe what was done to correct the error:

Are the backup tapes or media being removed from the site each night?

Yes No

Is the restore process tested regularly at the server level?
A test should be performed regularly to verify your ability to recover from a complete server failure.

Yes No
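The backup-log triage described above (listing each error code with its description and solution, deciding which codes are accepted as non-critical, and confirming that every job ended in a successful state per guideline 7) is shown in the following added Python example. It is not part of the CCAP checklist or of any backup product. The log line format, the job log itself and the table of codes documented as non-critical are constructed assumptions; a real product's log layout and error numbers will differ and the regular expression would need to be adapted.

```python
"""Added example (not part of the CCAP checklist): triage a backup job log
into the checklist's error table and verify each run ended in SUCCESS.
The log format, the log lines and the non-critical code list are constructed."""
import re
from datetime import datetime, timedelta

# Constructed log format: "<YYYY-MM-DD HH:MM> <LEVEL> <job> code=<n> <description>"
LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"(?P<job>\S+) code=(?P<code>\d+) (?P<desc>.*)$"
)

# Constructed: codes this site has reviewed and documented as non-critical,
# i.e. they do not prevent a successful restore. Every other error code in
# the cycle must be addressed before the checklist item can be marked Yes.
NON_CRITICAL = {
    1032: "open file skipped; the application rewrites it at every start",
}

def parse_backup_log(text):
    """Return (records, unparseable_lines). Unparseable lines are reported
    rather than silently dropped so a garbled log cannot hide an error."""
    records, bad = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            bad.append(line)
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M")
        rec["code"] = int(rec["code"])
        records.append(rec)
    return records, bad

def error_table(records, cycle_end, cycle_days=7):
    """Build the checklist table: one row per distinct ERROR code seen in the
    cycle, carrying the documented solution for non-critical codes and the
    marker 'ADDRESS' for everything else."""
    cycle_start = cycle_end - timedelta(days=cycle_days)
    rows = {}
    for rec in records:
        if rec["level"] != "ERROR" or not (cycle_start < rec["time"] <= cycle_end):
            continue
        row = rows.setdefault(rec["code"], {
            "error_number": rec["code"],
            "error_description": rec["desc"],
            "solution": NON_CRITICAL.get(rec["code"], "ADDRESS"),
            "count": 0,
        })
        row["count"] += 1
    return [rows[code] for code in sorted(rows)]

def unaddressed(rows):
    """Error numbers that still need a solution before 'all errors addressed'
    can be answered Yes."""
    return [r["error_number"] for r in rows if r["solution"] == "ADDRESS"]

def unsuccessful_runs(records, cycle_end, cycle_days=7):
    """Guideline 7: every backup run must end in a successful state. A run
    starts at a 'job started' line for its job and ends at that job's next
    start (or the end of the log); it passes only if its final record is
    SUCCESS. Returns (job, start time) for each failing run in the cycle."""
    cycle_start = cycle_end - timedelta(days=cycle_days)
    runs = {}  # job -> list of runs, each a list of records in time order
    for rec in sorted(records, key=lambda r: r["time"]):
        job_runs = runs.setdefault(rec["job"], [])
        if rec["desc"].startswith("job started"):
            job_runs.append([rec])
        elif job_runs:
            job_runs[-1].append(rec)
    return [(job, run[0]["time"]) for job, job_runs in runs.items() for run in job_runs
            if cycle_start < run[0]["time"] <= cycle_end and run[-1]["level"] != "SUCCESS"]

# Constructed sample log covering one review cycle plus one stale line.
BACKUP_CYCLE_END = datetime(2009, 3, 13, 23, 59)
SAMPLE_LOG = """
2009-03-09 22:00 INFO nightly-full code=0 job started
2009-03-09 23:41 ERROR nightly-full code=1032 Unable to open file cache.tmp, in use by application (constructed)
2009-03-10 01:12 SUCCESS nightly-full code=0 job completed with warnings
2009-03-11 22:00 INFO nightly-full code=0 job started
2009-03-11 22:03 ERROR nightly-full code=2410 Tape drive reported a write error (constructed)
2009-03-11 22:04 FAILED nightly-full code=2410 job aborted
2009-03-12 22:00 INFO nightly-full code=0 job started
2009-03-12 23:58 SUCCESS nightly-full code=0 job completed
2009-02-20 22:30 ERROR nightly-full code=9999 Old error outside the review cycle (constructed)
this line is not in the expected format
"""

if __name__ == "__main__":
    records, bad = parse_backup_log(SAMPLE_LOG)
    rows = error_table(records, BACKUP_CYCLE_END)
    print(f"{'Error Number':<13} {'Error Description':<60} Solution")
    for r in rows:
        print(f"{r['error_number']:<13} {r['error_description'][:60]:<60} {r['solution']}")
    print("still to address:", unaddressed(rows))
    print("runs not ending in SUCCESS:", unsuccessful_runs(records, BACKUP_CYCLE_END))
    print("unparseable lines:", len(bad))
```

Note that the run check catches what a per-error review alone misses: a job that aborted and was re-run successfully the next night still counts as a failed run in the cycle, which is exactly the "other state that may mask potential issues" guideline 7 warns about.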