Assessment Checklist
A score is not assigned based on the results, but rather a report on compliance is provided as
an output from this checklist.
Usage
All questions are to be answered as yes, no, or not applicable. Any questions resulting in a
no are to include details as to why compliance was not achieved.
Completion
The checklist is to be completed by the assigned Security Architect.
Details:
Details:
6.2 External Parties
The security of the Government of Saskatchewan information and information processing facilities will not be reduced by
the introduction of external party products or services.
Any access to the Government of Saskatchewan information processing facilities and processing and communication of
information by external parties will be controlled.
Where there is a business need for working with external parties that may require access to the organization's
information and information processing facilities, or in obtaining or providing a product and service from or to an external
party, a risk assessment will be carried out to determine security implications and control requirements. Controls will be
agreed to and defined in a written agreement with the third party.
Description Yes No
6.2.1.1 Was a risk assessment carried out prior to providing contractor access to
government assets or data?
Details:
Details:
Details:
Details:
8.1.1.1 Have specific roles for security been defined for the project?
Details:
8.1.2.1 Have background checks been performed for all project staff with access to
government data or assets?
Details:
8.1.2.2 Have all relevant terms and conditions been included in employment contracts
for project staff?
Details:
8.2.1.1 Have all project staff been provided with a copy of the security policies,
standards, and specifications?
Details:
8.2.2.1 Have all project staff been provided with relevant security training?
Details:
8.3.1.1 Have processes been implemented to properly remove project staff access to
data and assets?
Details:
9.1.1.1 Have physical security measures been implemented to deter access to areas
containing sensitive information or physical assets?
Details:
Details:
9.2.1.1b Have project staff been provided with the Mobile Device Policy?
Details:
Details:
9.2.2.4 Have project staff been provided with the Government of Saskatchewan
Disposal Guidelines?
Details:
10.1.1.1 Has access to project operating procedures been restricted to only the
required project staff?
Details:
10.1.2.1 Does the project follow the approved change management process?
Details:
Details:
10.1.2.3 Does the project ensure the separation of development, testing, and
production facilities and data?
Details:
Security arrangements
Service definitions
Aspects of service management that relate to business continuity
A transition plan to internal delivery (where appropriate)
Details:
10.2.2.1 Has an owner for third party service delivery management been defined?
Details:
10.3.1.1 Has a plan been developed to monitor for utilization and make periodic
capacity requirement projections?
Details:
10.3.2.1 Has appropriate acceptance testing been carried out in accordance with the
criteria documented in the operating procedures?
Details:
10.4.1.1 Has the project considered actions to protect against malicious code?
Details:
10.5.1.1 Has a plan been developed to back up the solution that meets the
requirements of the business continuity plan?
Details:
10.6.1.1a Has the project implemented logical network zones that organize nodes based
on function, data services offered, and ownership of information?
Details:
10.6.1.1b Is access restricted based upon defined rules that restrict connections to
only the ports and services required to perform the business function?
Details:
10.6.1.1c Are all devices connected to the ITO network authorized according to
defined procedures?
Details:
10.7.1.1a Does the project use any removable media such as backup tapes or USB
thumb drives?
Removable media drives should not be relied upon for primary storage;
they should be used for backup or transport purposes only.
Details:
10.7.2.1 Has media that is no longer required been disposed of in accordance with the
SPM Disposal Policy?
Details:
10.8.2.2 Have procedures been implemented to ensure that physical media containing
sensitive information is protected against unauthorized access, misuse, or corruption
while in transit outside of ITO-secured physical boundaries that include:
10.9.1.1 Has the project team considered the following security requirements for
electronic commerce and addressed some of these through the application of security
controls:
Electronic signatures
User credential verification
Confidentiality
Privacy
Encryption
Secured protocols
Information storage medium
Physical and logical security of stored transaction information
When using a trusted authority, integrate and embed security
throughout the entire process
Adopt controls commensurate with the level of the risk
Legal and regulatory compliance
Details:
10.9.2.2 Has a plan been developed to test the publicly accessible system for
weaknesses and failures prior to the information being made available?
Details:
10.10 Monitoring
The Government of Saskatchewan has implemented processes to detect unauthorized information processing activities.
Systems are monitored and information security events are recorded. Operator logs and fault logging are used to ensure
information system problems are identified. The Government of Saskatchewan complies with all relevant legal and policy
requirements applicable to its monitoring and logging activities. System monitoring is used to check the effectiveness of
controls adopted and to verify conformity to an access policy model.
Description Yes No
10.10.1.1a Has the project team ensured audit logs recording user activities,
exceptions, and information security events are produced for all supported information
systems?
Details:
10.10.1.1b Has a procedure been implemented to ensure audit logs are retained for a
period of time specified by the [SaskArch], and the audit logging process is reviewed
annually?
Details:
User IDs
Dates, times, and details of key events
Terminal identity or location
Records of successful and rejected system access attempts
Records of successful and rejected data and other resource access
attempts
Changes to system configuration
Use of elevated privileges
Use of system utilities and applications
Files accessed and the kind of access
Network addresses and protocols
Alarms raised by the access control system
Activation and de-activation of protection systems, such as anti-virus
systems and intrusion detection systems
Details:
10.10.1.1d Audit logs may contain confidential information that would be of value to
potential intruders. Have audit logs been inventoried and classified, and has a formal
approval process been developed before information in logs is made publicly
available? Have privacy measures been implemented to protect log file integrity and
confidentiality?
Details:
10.10.1.2 Have procedures for monitoring system use been developed and have the
following criteria been evaluated:
Authorized access, including details such as: user ID, date and time of
key events, types of events, files accessed, programs or utilities used
Privileged operations, such as:
o Use of privileged accounts (for example: supervisor, root,
administrator)
o System start-up and shut-down
o I/O device attachment and detachment
Unauthorized access attempts, such as:
o Failed or rejected user actions
o Failed or rejected actions involving data and other resources
o Access specification violations and notifications for network
gateways and firewalls
o Alerts from intrusion detection systems
Details:
10.10.2.1 Have procedures been developed to ensure that logging facilities and log
information are protected against tampering and unauthorized access?
Details:
10.10.2.2 Does the project ensure system administrator and system operator activities
are logged congruent with the classification of the computing asset and data residing on
the computing asset and the log will at a minimum include:
10.10.2.4 Has the project ensured, where enabled by the underlying technology, all
information processing systems within the same security domain are synchronized with
an agreed accurate time source?
Details:
11.1.1.1a Has the project team been provided with the GOS Access Control
specification?
Details:
11.1.1.1b Has the project been implemented in compliance with the GOS Access
Control Specification?
Details:
11.2.1.1 Has the project developed procedures for, or referenced existing procedures
for, the registration and de-registration of access privileges for all information systems
and services that include:
Approval process
Unique identity
Minimal privileges necessary to meet business requirements are issued
Authorization and level of access must be driven by a business purpose
Users should receive a written statement describing their access
privileges
Registration and de-registration actions must be recorded
Details:
Details:
Details:
11.3.1.1a Does the project ensure that end-users are required to follow the password
specification by using technologies that enforce strong passwords?
Details:
11.3.1.1b Has the project provided the Service Desk with documented methods to
assist GOS staff with password problems in a secure fashion?
Details:
11.3.2.1 Has the project provided procedures and (where necessary) supporting
physical security equipment to ensure that mobile devices and equipment have
appropriate protection?
Details:
11.3.2.2 Have the project team and any third party service providers been advised of
the active and approved document that defines a clear desk and clear screen
policy?
Details:
11.4.1.1 Does the project implement technological controls to ensure only authorized
services are provided with access to the network, following the principle of least
privilege, and that those services have been specifically authorized to use by the
privilege management section of [AccessPol] and/or the firewall change management
process?
Details:
11.4.2.1 Does the project ensure that authentication technology solutions are highly
secure to provide reliable confidence in authentication credentials which, at a
minimum, will:
11.4.2.4a Has the project identified, by risk assessment, networks required for
segregation and their associated information assets and services, especially wireless
networks?
Details:
11.4.2.4b Does the project ensure that network access controls between domains are
implemented, appropriate to the level of risk, value of the information assets, and
performance requirements within the domain?
Details:
11.5.2.2 Does the project use the provided password management system or
implement a password management system able to enforce specific password
standards? The password management system, at a minimum, enforces:
11.5.2.4 Has the project, where made possible by the technology in use,
implemented the use of automatic log-out or screen locking for sessions that exceed a
reasonable period of inactivity? (Technologies that do not permit session time-outs
should be used only where no feasible alternative exists)
Details:
11.5.2.5a Has the project, where made possible by the technology in use, implemented
the use of connection time limitations (such as time-of-day and session duration) for
sensitive applications in high-risk locations?
Details:
11.5.2.5b Has the project formally considered re-authentication at timed intervals for
sensitive applications in high-risk locations?
Details:
11.6.1.1 Does the project ensure that methods to bypass access control restrictions
are removed or disabled from applications?
Details:
11.6.2.1 Has the project considered, on a per asset basis, physically or logically
isolating information processing assets that are identified as sensitive?
Details:
11.6.2.1 Has the project, for environments that must be shared, performed a risk
assessment and implemented appropriate controls to reduce risk to shared
environments?
Details:
12.1.1.1a Has the project formally assessed the risk and considered additional controls
where security requirements cannot be satisfied?
Details:
12.1.1.1b Was a formal testing and acquisition process followed and security
requirements identified, prior to purchasing technology products, to include in the
contract with the supplier? (Security resources must be consulted throughout the
process of any acquisition which may affect the security posture of the organization)
Details:
12.2.1.1a Has the project ensured data input validation has been applied to:
Business transactions
Standing data
Parameter tables
Details:
Out-of-range values
Invalid characters or data type in data fields
Missing or incomplete data
Exceeding upper and lower data volume limits
Unauthorized or inconsistent control data
Error messages are appropriate for the type of error encountered
Details:
Details:
12.2.2.1d Has the project formally considered these specific areas to minimize
processing failures:
Details:
12.3.2.1a Has the project utilized encryption and has the key management system
been based on an agreed set of standards, procedures, and secure methods for:
12.3.2.1b Has the project used a certification authority to ensure the authenticity of
public keys that addresses liability, reliability of services, and response times in the
contract?
Details:
12.4.1.1a Has the project followed these guidelines to control the installation of
software on operational systems:
12.4.1.1b Has the project ensured vendor software will be maintained at the
supported level, and vendor access will be authorized and monitored?
Details:
12.4.1.1c Has the project ensured security software patches have been applied as
recommended by the vendor?
Details:
12.4.1.1d Has the project ensured operating systems will only be upgraded when
there is a requirement to do so?
Details:
12.5.1.1a Has the project tested new software (including patches, service packs, and
other updates) in an environment that is segregated from the development and
production environments? (Automated updates will not be used on critical systems)
Details:
12.5.1.1b Has the project, when introducing new systems and major changes to
existing systems, ensured that it:
12.5.2.1a Has the project implemented a process for technical review of application
control and integrity procedures which will test the impact of operating system changes
on business critical applications that at minimum, formally considers the following:
12.5.2.1b Has the project ensured a specific group or individual has been given
responsibility for monitoring vulnerabilities and vendor releases of patches and fixes?
Details:
12.5.2.3 Has the project formally considered the following when outsourcing software
development:
Licensing arrangements
Code ownership
Intellectual property rights
Audit and certification of the quality and accuracy of the development
Escrow arrangements
Quality and security contractual requirements
Testing for malicious code
Details:
13.1.1.1 Has the project communicated to employees, contractors and third party
users of information systems and services that they are required to report any
suspicious events to the service desk?
Details:
13.1.2.1 Has the project notified employees, contractors and third party users not to
attempt to validate suspected weaknesses without specific management approval?
Details:
14.1.1.1 Has the project provided documentation to identify and provide for the
continued availability of:
15 Compliance
15.1 Compliance with Legal Requirements
The design, operation, use, and management of information systems are subject to statutory, regulatory, and contractual
security requirements. The Government of Saskatchewan has procedures in place to avoid breaches of any legal,
statutory, regulatory, or contractual obligations, and of any security requirements.
Advice on specific legal requirements is sought from the Ministry of Justice, or suitably qualified legal practitioners.
Legislative requirements vary from country to country and may vary for information created in one country that is
transmitted to or through another country (i.e. trans-border data flow).
Description Yes No
15.1.1.1 Has the project received approval from the ministry compliance owner
(tasked with defining, documenting, and keeping updated all relevant legal, regulatory,
and contractual requirements for each information system identified as critical) that the
project meets the following compliance criteria:
Details:
15.1.2.3 Has the project communicated the data protection and privacy specification
to all personnel processing personal information?
Details:
15.1.2.4 Has the project ensured all users are made aware of the precise scope of their
permitted access and of the monitoring in place to detect unauthorized use through the
signing of written authorizations?
Details:
15.2.1.1 Has the project ensured all information processing facilities have been
assessed for compliance with appropriate security policies, standards, and any other
security requirements, and ITO Security Services has a record of the assessment?
Details:
15.2.2.1a Has the project ensured penetration tests or vulnerability assessments are
planned, documented, and repeatable, and caution is exercised (as such activities can
lead to a compromise of the security of the system)?
Details:
15.2.2.1b Has the project ensured information gathered from security testing is
analyzed and recommendations are made based on the results?
Details:
15.2.2.1 Has the project addressed the risk of misuse by third party auditing, by
formally considering: