Why Security Assessments?
For years the Computer and Network Usage and Security Policy has required that systems administrators complete an annual self-assessment of their policy compliance. That survey, however, has never existed.
We have implemented this survey, rather than simply removing the requirement, because there is not a central picture of what risk and compliance looks like across campus. The hope is that this survey will:
- help campus Risk Management to get a more accurate picture of what our risk looks like,
- help Cyber Security target resources to best reduce campus risk, both by unit and by policy area, and
- help systems administrators understand where they are non-compliant and how they are doing relative to others.
With this first iteration I also hope to learn how we can conduct future surveys so that they evaluate our posture more accurately.
How do we answer the questions?
The questions are mostly aligned to the elements of the Data Protection Safeguards, though there are questions that reference other best practices. Most questions have one of two answer schemes, depending on whether or not the respondent has “Sensitive” systems as defined by the Data Categorization standard.
Without Sensitive Data
If you have asserted you do not have sensitive data then the options are:
- All Systems : The statement is true for every system you administer
- Most : The statement is true for most systems you maintain
- Some : The statement is true for some systems you maintain
- None : The statement is true for no system you administer
- Not Sure : You do not know how widely this statement is true in your environment
- Not Applicable : You do not have any of the systems affected by the statement
If you have systems with a formal policy exception filed through the Policy Exception Form then consider the point true for those systems.
With Sensitive Data
If you have asserted that you do have sensitive data then the options are:
- All Systems : The statement is true for every system you administer
- All Sensitive : The statement is true for all systems housing or providing unencrypted access to category 3 data as defined in the Institute Data Categorization standard
- Nearly All Sensitive : The statement is true for nearly all of the above, but there are a few exceptions
- Most Sensitive : The statement is generally true for sensitive systems you maintain
- Some : The statement is true for some systems you maintain
- None : The statement is true for no system you administer
- Not Sure : You do not know how widely this statement is true in your environment
- Not Applicable : You do not have any of the systems affected by the statement
If you have systems with a formal policy exception filed through the Policy Exception Form then consider the point true for those systems.
What are the questions?
Of the servers you manage, how many implement the following?
- Server is located in a permanently secured location controlled by a badge reader or key lock
- Access to server location is periodically reviewed
- Server location is monitored by video camera
- ID badges must be displayed in data center
- All access to server location is logged
For virtual machines, this would include the host of any guest dealing with sensitive information.
If ID badges must be displayed in the data center, answer Yes/No for the following:
- Badges clearly distinguish employees from visitors
- Visitor badges contain an expiration date
- Visitor badges are surrendered upon departure or at expiration
Of the servers you manage, how many implement the following?
- Network based firewalls block all ports except those needed for provided services
- Host based firewalls block all ports except those needed for provided services
Category 3 Data: Sensitive data is encrypted:
- When transmitted outside the Georgia Tech network
- When transmitted inside the Georgia Tech network
- At Rest
Of the servers you manage, how many meet the following?
- All Security patches are tested before deployment to production
- All security patches are installed within one month of release
- If security patches are not installed within one month, an exception is documented
Of the servers you manage, how many meet the following?
- Anti-virus scans all servers storing user files (file servers or mail systems)
- Anti-virus scans all Windows servers
- Anti-virus signatures are automatically kept up to date
Of the servers you manage, how many meet the following?
- Only users with a documented business need are granted elevated access to systems
- Category 3 Data: Only users with a documented business need have access to sensitive data
- Elevated access is removed when no longer appropriate
- Category 3 Data: Access to sensitive data is removed when no longer appropriate
Of the servers you manage, how many meet the following?
- Either central authentication is used, or identity is validated before issuing credentials
- All usernames identify a single individual
- All console and remote administrative access is secured by a password
- All administrative access is secured by 2-factor
- All access to non-public data is secured by a password or cryptographic authentication mechanism
- All access to non-public data is secured by two-factor
- All passwords comply with the institute password policy
- All locally stored passwords are hashed before storage
- Failed logins are monitored and action is taken on excessive failed logins
- Terminal or administrative access requires re-authentication after 15 minutes of idleness
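The item on monitoring failed logins is easier to answer when the monitoring is actually scripted. The following is an added example, not part of the survey or of any Georgia Tech tooling: it counts failed SSH password attempts per source address from an auth log and reports every source at or above a threshold. The log lines are constructed in the format OpenSSH writes to syslog, and the addresses come from the RFC 5737 documentation ranges; the log path and threshold are parameters.

```shell
#!/bin/sh
# Added example, not part of the survey: summarise failed SSH logins per source
# address from an auth log so that the "excessive failed logins" threshold in the
# item above can be monitored. The log lines below are constructed in the format
# OpenSSH writes to syslog; the addresses are RFC 5737 documentation ranges.

# Write a constructed sample log to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:02 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar  3 10:01:05 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar  3 10:01:09 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Mar  3 10:01:12 host1 sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 51134 ssh2
Mar  3 10:02:40 host1 sshd[2210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:48 host1 sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
EOF
}

# failed_logins_by_source LOGFILE THRESHOLD
# Prints "<count> <address>" for every source with at least THRESHOLD failed
# password attempts, most frequent first. Both "Failed password for USER" and
# "Failed password for invalid user USER" lines are counted, since the source
# address always follows the word "from".
failed_logins_by_source() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { attempts[$(i + 1)]++; break }
            }
        }
        END {
            for (addr in attempts)
                if (attempts[addr] >= limit) printf "%d %s\n", attempts[addr], addr
        }
    ' "$1" | sort -rn
}

# excessive_failed_logins LOGFILE THRESHOLD
# Succeeds (exit 0) when at least one source crosses the threshold, so the
# function can gate an alert or a review step in a cron job.
excessive_failed_logins() {
    [ -n "$(failed_logins_by_source "$1" "$2")" ]
}

# Usage: sh failed_logins.sh /var/log/auth.log 5
if [ $# -ge 1 ]; then
    failed_logins_by_source "$1" "${2:-5}"
fi
```

Running it as `sh failed_logins.sh /var/log/auth.log 5` prints only the sources that crossed five failures; the threshold and what counts as "action" (an alert, a review, a lockout via the tools named later in the survey) are local policy decisions and are deliberately left out of the script.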
Of the servers you manage, how many meet the following?
- Vendor-supplied default access credentials (passwords, SNMP community strings, unnecessary accounts, etc) are changed
- Only one application or service is implemented on each server
- All services are reviewed and unnecessary services are disabled
- Audit and security logs are enabled
- Logs are maintained for six months
- Logs are maintained on a separate server to preserve integrity
- Logs are reviewed for inappropriate activity
- A process exists to identify and remediate security vulnerabilities
Of the servers you manage, how many meet the following?
- File integrity monitoring is deployed to alert personnel to unauthorized modification of critical files
- Backup and disaster recovery procedures are documented
- Data is backed up to physical tapes or to a solution protected from compromise by the primary system
- Critical systems are installed in failover or redundant pairs or sets
- Backups are tested at least annually to ensure correct recovery
- Media is securely disposed at the end of life
- All paper and portable electronic media backups of sensitive data must be stored in a physically secured location or encrypted
- A Change Control process is followed before changes are made to the production environment
Are all sensitive servers you maintain marked as sensitive within the firewall page or otherwise documented with Cyber Security?
- Yes
- No
Which of the following operating systems are run on the servers you maintain?
- Windows
- Linux
Linux Servers: How many of your Linux servers implement the following best practices?
- SELinux is implemented in enforcing mode
- constrained SELinux contexts are written for all active services
- The GT login banner is displayed on the SSH server
- An automated control (e.g. fail2ban or pam_tally) limits failed login attempts to ssh
- root cannot ssh with only a password
- non-root accounts cannot ssh with only a password
- kernel parameters are tuned according to system need
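Several of the Linux items above can be checked directly from configuration rather than estimated. The following is an added example, not Georgia Tech tooling: a POSIX shell script that audits the SSH, SELinux and failed-login-control items against a host. Every file path is a parameter, so the functions can also be run over `sshd_config` and PAM files copied from other hosts. The script assumes OpenSSH's `sshd_config` keyword semantics (first occurrence wins, `Match` blocks are conditional), the kernel's `/sys/fs/selinux/enforce` flag, and a fail2ban `jail.local` with an `[sshd]` section; the file names used in the usage line are made up.

```shell
#!/bin/sh
# Added example, not Georgia Tech tooling: checks a Linux host against the
# SSH, SELinux and failed-login items in the list above. Every path is a
# parameter so the functions can also be run over config files copied from
# other hosts.

# sshd_effective CONFIG KEYWORD
# Prints the value sshd would use for KEYWORD. sshd keeps the FIRST occurrence
# of a keyword, keywords are case-insensitive, and lines after a Match block
# apply only conditionally, so scanning stops at the first "Match" line.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Lower-case a value for comparison.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Item: "non-root accounts cannot ssh with only a password".
# PasswordAuthentication must be no, and keyboard-interactive must be off too,
# because PAM can still prompt for a password over that method.
password_login_disabled() {
    [ "$(lc "$(sshd_effective "$1" PasswordAuthentication)")" = "no" ] || return 1
    kbd=$(lc "$(sshd_effective "$1" KbdInteractiveAuthentication)")
    chal=$(lc "$(sshd_effective "$1" ChallengeResponseAuthentication)")
    [ "$kbd" = "no" ] || [ "$chal" = "no" ]
}

# Item: "root cannot ssh with only a password".
# Passes when PermitRootLogin is explicitly no or prohibit-password (the older
# spelling without-password is accepted too), or when password logins are off
# for everyone. An absent PermitRootLogin counts as a failure because the
# compiled-in default differs between OpenSSH versions.
root_password_login_blocked() {
    case "$(lc "$(sshd_effective "$1" PermitRootLogin)")" in
        no|prohibit-password|without-password) return 0 ;;
    esac
    password_login_disabled "$1"
}

# Item: "The GT login banner is displayed on the SSH server".
# Verifies only that a Banner file is configured and readable; the wording is
# not compared with the institute's text.
ssh_banner_configured() {
    banner=$(sshd_effective "$1" Banner)
    [ -n "$banner" ] && [ "$(lc "$banner")" != "none" ] && [ -r "$banner" ]
}

# Item: "SELinux is implemented in enforcing mode".
# Reads the kernel's enforce flag (1 = enforcing, 0 = permissive); the path is
# a parameter so a captured copy can be checked.
selinux_enforcing() {
    [ "$(cat "${1:-/sys/fs/selinux/enforce}" 2>/dev/null)" = "1" ]
}

# Item: "An automated control (e.g. fail2ban or pam_tally) limits failed login
# attempts to ssh". Looks for a lockout module in sshd's PAM stack, or for an
# [sshd] jail in fail2ban's local configuration (presence only, not "enabled").
failed_login_limit_configured() {
    pam_file=${1:-/etc/pam.d/sshd}
    jail=${2:-/etc/fail2ban/jail.local}
    grep -Eq '^[^#]*pam_(faillock|tally2|tally)\.so' "$pam_file" 2>/dev/null ||
        grep -q '^\[sshd\]' "$jail" 2>/dev/null
}

# Run every check, print one PASS/FAIL line per item and return the number of
# failures so a collection job can record the result.
run_audit() {
    cfg=${1:-/etc/ssh/sshd_config}
    failures=0
    report() {
        if "$@"; then echo "PASS $1"; else echo "FAIL $1"; failures=$((failures + 1)); fi
    }
    report root_password_login_blocked "$cfg"
    report password_login_disabled "$cfg"
    report ssh_banner_configured "$cfg"
    report selinux_enforcing
    report failed_login_limit_configured
    return "$failures"
}

# Usage: sh linux_audit.sh /etc/ssh/sshd_config
[ $# -eq 0 ] || run_audit "$@"
```

The checks are deliberately strict: an option that is absent (and therefore depends on a compiled-in default) is reported as FAIL so the administrator is prompted to set it explicitly. The SELinux policy-context item and the kernel-tuning item are not covered, because what counts as "constrained contexts for all active services" or "tuned according to system need" depends on the service and cannot be judged from a single flag.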
Windows Servers: How many of your Windows servers implement the following best practices?
- local logon is limited to Server Administrators
- guests are disabled
- Users are blocked from logging in with Microsoft accounts
- Microsoft Network Client always digitally signs communications
- Unencrypted SMB passwords are disabled to third-party servers
- automatic login to recovery console is disabled
- shutdown without logon is disabled
- the GT login banner is displayed on interactive login
- Anonymous enumeration of SAM accounts and shares is disabled
- Anonymous share access is disabled
- Remote registry access is disabled if not required
- anonymous access to named pipes is disabled
- LAN Manager hashes are not stored
- LM and NTLM authentication is disabled
- strong session keys are required
- registry permissions are configured
- screen-saver locks console screen automatically
Do you administer endpoints hosting Category 3 data as defined in the Institute Data Categorization Standards? Common examples of this are student information and unpublished research data.
- Yes
- No
If job function is Sys Admin or IT Support: What percentage of endpoints for the listed departments are managed by CSRs? (as opposed to self-administered machines)
Approximately how many endpoints do you manage?
For which endpoints that you manage are the following true?
- Endpoint is in the asset owner’s possession or a physically secured location at all times
- Endpoints located in public areas are secured by a security cable
- device location and recovery software (e.g. LoJack for Laptops or Find My Mac) is installed on portable endpoints
- Software is installed allowing remote wipe if endpoint is stolen (including above software)
- All lost endpoints must be reported to the Georgia Tech Police Department and to management
- internal policy requires that personally owned endpoints containing GT data are reported if lost
For which endpoints that you manage are the following true?
- A host based firewall (e.g. Windows Firewall) is enabled and incoming connections are limited to those needed for provided services
- Security patches are installed within one month of release
- All software is a currently supported version
For which endpoints are the following true?
- Portable systems run whole disk encryption to protect data
- Disk encryption keys are stored in a location accessible by the department customer support representative
- Category 3 Data: Sensitive endpoints run whole disk encryption or are permanently located in a physically secure location
- Category 3 Data: Sensitive data is encrypted when transmitted outside the Georgia Tech network
- Category 3 Data: Sensitive data is encrypted when transferred over any network
For which endpoints that you manage are the following true?
- If remote access is allowed, it takes place over secured, encrypted channels and authentication is done using Georgia Tech credentials
- Anti-virus is running where appropriate and automatically updated to the latest signatures
- Where possible login requires a unique username and password
- Where possible console screens lock after 15 minutes of inactivity
- Accounts are limited to those who need access and access is deprovisioned when no longer necessary
- Administrative accounts are used for administration only
For which endpoints that you manage are the following true?
- Backups of critical files occur on a regular basis
- Backups cannot be altered or destroyed from the endpoint
- All electronic media (including internal media) is securely wiped or destroyed prior to disposal
- All Georgia Tech owned devices are disposed of consistent with Georgia Tech surplus policy
- All Georgia Tech endpoints are returned to the department prior to termination of employment
How much do you agree with the following statements about your endpoint environment? (Strongly Agree, Somewhat Agree, Neither Agree nor Disagree, Somewhat disagree, Strongly disagree)
- Client endpoints used for web-browsing are separated from servers by a firewall
- Client endpoints used for web browsing are separated from servers housing sensitive information by a firewall
- Servers housing sensitive information require access through an application server that limits requests
- Printers are separated from clients and servers by a firewall
How would you modify this survey for future iterations?
Please enter any general comments about either the survey or the state of policy or compliance