
Checklist: IT Security Policy
Version 1.0
April 27, 2005

By David M Davis, CCIE, MCSE

Every organization, large or small, needs a solid IT Security Policy. The following comprehensive checklist can
help you get started in creating a policy, or it can help audit the one you already have. This checklist, based on
suggestions submitted by TechRepublic members, covers a wide variety of technologies and issues, and provides
some helpful recommendations.

Planning item | Notes

Web browsing

[ ] Document the central point of control for Web browsing. Typically it is a proxy server, a router, or a firewall.

[ ] Document who has the authority to decide who may browse the Web, which Web sites users can access, and when they can access them. Some newer Web content-control systems can also categorize sites and control who can access certain categories and for how long (e.g., Joe may access news sites for only 20 minutes per day).

[ ] Document the method for reporting who is browsing the Web and what sites they are visiting, who those reports will be delivered to, and how often.

[ ] Document the process that is followed if an employee visits improper sites or engages in excessive Web browsing, and define what "improper" and "excessive" mean. Also decide whether it is IT's job to notify the employee's supervisor.

[ ] Log all Web browsing activity, making sure to record the username, and state clearly in the policy that this is company practice. A log that records only the client IP address cannot be tied to a person once DHCP reassigns addresses, so the proxy should authenticate users.

[ ] Ensure that all employees are aware of the company's Web browsing policy. This matters because most employees browse the Web every day, so this is the part of the security policy most likely to affect them.

[ ] If you use Active Directory, apply Windows Group Policy settings to Internet Explorer to harden end-user systems against some malicious Web content. For example, a GPO can standardize IE settings across the company so that browsers do not download unsigned ActiveX controls. Make it company policy not to install unsigned ActiveX controls unless IT has approved them.

[ ] Put download security software in place to prevent adware, malware, and spyware from being installed on users' machines without their knowledge. Use it to block or quarantine certain types of downloads (perhaps MP3s or videos) and to scan other downloads for viruses.
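The reporting and quota items above are easier to see with a concrete report. The following is an added example, not code from the original checklist or from TechRepublic: it reads Squid native-format proxy log lines (constructed here), attributes each request to the authenticated username, charges browsing time per site category, and flags both a visit to a blocked category and a user who exceeds the 20-minutes-of-news daily quota mentioned above. The category table, the quota, and the idle-gap heuristic are assumptions standing in for what a content-control product would supply.

```python
"""Per-user Web browsing report from proxy access logs.

Added example for the Web browsing checklist; it is not code from the original
TechRepublic checklist. It assumes a Squid native-format access log whose user
field is filled in (the proxy authenticates clients) and a hand-written
site-category table that stands in for a content-control product's database.
"""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid native format:
# timestamp elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1114592400.000 240 10.1.2.3 TCP_MISS/200 5120 GET http://www.cnn.com/ joe DIRECT/1.2.3.4 text/html
1114592640.000 230 10.1.2.3 TCP_MISS/200 8192 GET http://www.cnn.com/world/ joe DIRECT/1.2.3.4 text/html
1114592880.000 120 10.1.2.3 TCP_MISS/200 4096 GET http://news.bbc.co.uk/ joe DIRECT/1.2.3.5 text/html
1114593120.000 100 10.1.2.3 TCP_MISS/200 2048 GET http://news.bbc.co.uk/sport/ joe DIRECT/1.2.3.5 text/html
1114593360.000 210 10.1.2.3 TCP_MISS/200 5120 GET http://www.cnn.com/ joe DIRECT/1.2.3.4 text/html
1114593600.000 220 10.1.2.3 TCP_MISS/200 6144 GET http://www.cnn.com/politics/ joe DIRECT/1.2.3.4 text/html
1114593840.000 130 10.1.2.3 TCP_MISS/200 4096 GET http://news.bbc.co.uk/ joe DIRECT/1.2.3.5 text/html
1114592400.500 200 10.1.2.9 TCP_MISS/200 1024 GET http://intranet.example.local/ ann DIRECT/10.0.0.5 text/html
1114592500.500 200 10.1.2.9 TCP_MISS/200 1024 GET http://www.cnn.com/ ann DIRECT/1.2.3.4 text/html
1114592400.700 200 10.1.2.7 TCP_DENIED/403 512 GET http://casino.example/ bob NONE/- text/html
"""

# Hypothetical category table keyed by host name.
CATEGORIES = {
    "www.cnn.com": "news",
    "news.bbc.co.uk": "news",
    "intranet.example.local": "business",
    "casino.example": "gambling",
}
BLOCKED_CATEGORIES = {"gambling"}
DAILY_QUOTA_MIN = {"news": 20}      # "Joe may read news for 20 minutes a day"
IDLE_GAP_SEC = 300                  # a longer pause between requests ends the session

def parse_squid_line(line):
    """Pull the fields this report needs out of one Squid native-format line."""
    parts = line.split()
    if len(parts) < 10:
        return None
    return {"ts": float(parts[0]), "status": int(parts[3].rsplit("/", 1)[1]),
            "url": parts[6], "user": parts[7]}

def categorize(url):
    host = (urlsplit(url).hostname or "").lower()
    return CATEGORIES.get(host, "uncategorized")

def minutes_spent(timestamps):
    """Credit each request with the time until the next one, capped at IDLE_GAP_SEC.
    The last request of a day earns nothing, which errs in the user's favour."""
    ts = sorted(timestamps)
    return round(sum(min(b - a, IDLE_GAP_SEC) for a, b in zip(ts, ts[1:])) / 60, 1)

def build_report(log_text):
    """Return per-(user, day, category) usage plus the policy violations found."""
    hits = defaultdict(list)
    violations = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        cat = categorize(rec["url"])
        day = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).strftime("%Y-%m-%d")
        hits[(rec["user"], day, cat)].append(rec["ts"])
        if cat in BLOCKED_CATEGORIES:   # an attempt is a violation even if the proxy denied it
            violations.append({"reason": "blocked-category", "user": rec["user"], "day": day,
                               "category": cat, "url": rec["url"], "status": rec["status"]})
    usage = {}
    for (user, day, cat), stamps in hits.items():
        mins = minutes_spent(stamps)
        usage[(user, day, cat)] = {"requests": len(stamps), "minutes": mins}
        if cat in DAILY_QUOTA_MIN and mins > DAILY_QUOTA_MIN[cat]:
            violations.append({"reason": "quota-exceeded", "user": user, "day": day,
                               "category": cat, "minutes": mins})
    return {"usage": usage, "violations": violations}

if __name__ == "__main__":
    report = build_report(SAMPLE_LOG)
    for key, val in sorted(report["usage"].items()):
        print(key, val)
    for v in report["violations"]:
        print("VIOLATION", v)
```

The idle-gap rule is the usual compromise for turning page requests into "time spent": a proxy sees requests, not how long a page stays open, so anything beyond the gap is assumed to be the user doing something else. Run against the sample, joe is charged 24 minutes of news and is reported over quota, and bob's denied request to the gambling site is reported even though the proxy blocked it.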

Copyright ©2005 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html

Username and passwords

[ ] Implement complex password requirements. On Windows this can be done with a Group Policy (if possible): force passwords to be reasonably long, to expire every few months, to prevent the reuse of old passwords, and to lock out accounts after too many failed logins. A lockout threshold also lets an attacker lock out legitimate users on purpose, so choose the lockout duration and observation window with that in mind.

[ ] Log successful and failed logins and logouts. This is especially important for administrator accounts.

[ ] Consider renaming the default "Administrator" account so that it is less of a target for password cracking. Note that the built-in account keeps its well-known relative identifier (RID 500) after renaming, so tools that enumerate accounts by SID will still find it; treat renaming as a minor obstacle, not a control.

[ ] Consider using Single Sign-On (SSO) so that users have only one username and password to remember for all applications. This matters only if you have multiple username/password databases for authentication (such as Windows, Linux/UNIX, and Novell) or applications that keep their own username/password database.

[ ] Document your policy on usernames and passwords and educate users on the proper use of them.

[ ] Periodically perform in-house password cracking attempts on administrator accounts to test the strength of passwords. This can be done with a tool such as L0phtCrack. Get written authorization before running such a tool, and handle the recovered passwords as confidential data.
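As an added illustration of the in-house cracking item (not code from the original checklist, and not L0phtCrack): a minimal dictionary-plus-rules audit over stored hashes. It uses salted SHA-256 as a stand-in for the LM/NT hashes a real audit would dump from the SAM or Active Directory, and the accounts, salts, and wordlist are constructed. It also shows why a cracking audit complements a complexity policy rather than duplicating it: "P@ssw0rd" satisfies a Windows-style complexity rule yet falls to the first wordlist entry.

```python
"""In-house password audit: dictionary plus mangling rules against stored hashes.

Added example for the username and password checklist; it is not code from the
original TechRepublic checklist and is not L0phtCrack. Real Windows audits run
against LM/NT hashes dumped from the SAM or Active Directory; this example uses
salted SHA-256 as a stand-in so that it runs with the standard library only.
"""
import hashlib
import itertools

# Character substitutions users make to satisfy complexity rules; crackers try them too.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
SUFFIXES = ["", "1", "123", "!", "2005", "2005!"]

def hash_password(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_account(user, password, salt):
    """Build a constructed account record; an audit would load these from a dump."""
    return {"user": user, "salt": salt, "hash": hash_password(salt, password)}

# Constructed sample accounts (plaintexts appear here only to build the sample).
ACCOUNTS = [
    make_account("administrator", "Summer2005!", b"s1"),
    make_account("backupadmin", "P@ssw0rd", b"s2"),
    make_account("jdoe", "welcome1", b"s3"),
    make_account("svc_sql", "x7#Qm9!vLp2@Zr", b"s4"),
]
WORDLIST = ["password", "summer", "welcome", "letmein", "company"]

def mangle(word):
    """Yield the variants of a dictionary word that a cracker tries first."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base, suffix in itertools.product(sorted(bases), SUFFIXES):
        yield base + suffix

def meets_complexity(password, username, min_len=8):
    """Windows-style rule: minimum length, 3 of 4 character classes, no username inside."""
    classes = sum([any(c.isupper() for c in password), any(c.islower() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
    return len(password) >= min_len and classes >= 3 and username.lower() not in password.lower()

def crack(account, wordlist):
    """Return the plaintext if a mangled wordlist entry matches the stored hash."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_password(account["salt"], candidate) == account["hash"]:
                return candidate
    return None

def audit(accounts, wordlist):
    return {a["user"]: crack(a, wordlist) for a in accounts}

def audit_report(accounts, wordlist):
    """One row per account: was it cracked, and did the cracked value pass complexity?"""
    rows = []
    for a in accounts:
        found = crack(a, wordlist)
        rows.append({"user": a["user"], "cracked": found is not None,
                     "passes_complexity": meets_complexity(found, a["user"]) if found else None})
    return rows

if __name__ == "__main__":
    for row in audit_report(ACCOUNTS, WORDLIST):
        print(row)
```

A real run uses a wordlist of millions of entries and far more rules, and for LM hashes the search is much cheaper still because the hash is case-insensitive and split into two 7-character halves; the structure of the audit is the same.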

Instant Messaging

[ ] Seriously consider blocking all instant messaging (IM) unless it is needed for business reasons.

[ ] If IM is needed for business reasons, implement a program to control who can use it and what software they can use, and log all conversations. Programs that do this can also control the content that passes through IM conversations and whether users can send or receive file transfers through IM (which can expose the company to virus, malware, and privacy concerns).

[ ] Document and educate users on your IM policies.

E-Mail

[ ] Document how much mailbox storage each e-mail user will be allowed. Determine the consequences when a user exceeds the quota (such as preventing them from sending and/or receiving e-mail).

[ ] Control external access to internal distribution groups (such as "all employees") so that outside senders cannot mail the whole company.

[ ] Consider performing e-mail content control to prevent trade secrets or confidential information from leaving the company.


[ ] Implement a corporate e-mail anti-spam program.

[ ] Educate users on the proper use of e-mail, including not giving their e-mail address to companies that might send them spam, and on what to do if they do receive spam.

[ ] Implement e-mail antivirus scanning.

[ ] Implement an e-mail archiving program. Depending on the advice of your company's legal team, the archiving program may be used more to destroy e-mail at set expiration dates than to preserve it. Its other function is to control the size of the e-mail database.

[ ] Develop a policy on using company e-mail for personal purposes (including the forwarding of jokes and chain letters) and decide what is "acceptable use." Educate users on this policy.

[ ] Educate users on "phishing" scams to help prevent identity theft.

File access permissions

[ ] Document who the owners are for critical files. These are the persons who decide who has access to what. Deciding who has access to what should not be an IT function; IT's job is to configure that access in the operating system or application once it has been decided.

[ ] Watch out for shares created with the default permission "Everyone." On Windows the effective access is the more restrictive of the share permissions and the NTFS permissions, so check both when reviewing a share.

[ ] Consider logging successful and failed access to, and modifications of, files.

Backups

[ ] Document what data needs to be backed up, how often it should be backed up, and how long it should be retained. Document how often a test restore should be done to ensure that the backups are restorable.

[ ] Consider encrypting backup tapes so that the data cannot be recovered if they are lost or stolen. Store the encryption keys separately from the tapes and include them in the disaster recovery plan; an encrypted tape without its key is as unrestorable as a lost one.

[ ] Ensure that backups are taken offsite. Consider a service that will do this for you.

Crisis management and Disaster recovery

[ ] Develop a crisis management plan. This plan should cover not just an IT crisis but any crisis that may occur, including natural disasters and terrorist attacks.


[ ] Develop an IT disaster recovery plan. This plan must be tested periodically. Creating a disaster recovery plan is outside the scope of this document; the disaster recovery plan template listed under Additional resources can help.

Physical

[ ] Document what physical security controls are in place for IT assets. Does the datacenter/server room have locks on the doors? Are they electronic locks with a log of who goes in and out? Does the room have windows that could be broken? How resilient would it be to a flood, tornado, or power outage? Are UPS and generators in place? What fire protection does the datacenter/server room have? Also consider video surveillance. Keep in mind that this item covers only IT assets, not physical security for the entire company.

[ ] Restrict physical access to any console that can connect to servers, routers, and/or switches. Console access bypasses the network-based controls and, on many devices, allows a password recovery procedure.

PCs and laptops

[ ] Document the controls on PCs and laptops.

[ ] Users should not have administrator privilege on their local PCs unless there is a stated business need for it (e.g., to run a business application). Users should always log on to the domain and not have a local account, if possible.

[ ] Use file encryption so that if a PC or laptop is lost or stolen, its data cannot be read. File-level encryption protects only the files it covers, not copies of the data in swap space, temporary files, or the unencrypted operating system.

[ ] Run antivirus and anti-spyware software on all PCs and laptops.

[ ] Consider a personal firewall on laptops, because they travel from network to network.

[ ] Implement Windows Group Policy security controls to lock down what users can do on PCs and laptops, for instance preventing users from installing programs.

[ ] Develop a procedure to ensure that PCs and laptops have the latest patches installed.

[ ] Develop a policy on USB removable devices. These are a major security risk because they can easily be used to carry large amounts of data, including corporate secrets, out of the company.

Remote access

[ ] Control who has access to dial-up and VPN remote access. Set up permissions only for those who truly need it; the list should be as short as possible.

[ ] Document the company's policy on remote access.


[ ] Log the success and failure of logins for remote access.

[ ] Periodically have a third-party company perform a penetration test on any dial-up remote access methods.

[ ] Implement a method to ensure that clients connecting through remote access have the proper antivirus and patches installed, so that they cannot infect the company's systems. Document whether remote VPN users may have a split tunnel; with split tunneling a compromised remote PC is connected to the Internet and to the corporate network at the same time.

[ ] Consider using access tokens as a secondary authentication method for remote access. This way, if a username and password are stolen, they still cannot be used to gain access to the network without the token.
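The token item above amounts to the server-side check below. It is an added example, not code from the original checklist: an RFC 4226 HOTP / RFC 6238 TOTP implementation (the kind of time-based code a hardware token or phone app generates) wired into an authenticate() routine that requires both the password and a fresh code, so a stolen password alone fails, and so does a code that has already been used. The user record, salt, and password are constructed; the token secret is the RFC 6238 test key so the published test vectors apply.

```python
"""Token-style second factor: RFC 4226 HOTP / RFC 6238 TOTP verification.

Added example for the remote-access checklist; it is not code from the original
TechRepublic checklist. It shows the check a VPN or RADIUS server makes when a
token code is required in addition to the password: the correct password alone,
or a code that was already used, is rejected. The user record, salt and password
below are constructed; the token secret is the RFC 6238 test key.
"""
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC(secret, counter) to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(unix_time) // step, digits, algo)

def totp_counter_for(secret, code, unix_time, step=30, digits=6, window=1):
    """Return the time-step counter whose code matches, or None.
    `window` steps of clock drift are tolerated on either side."""
    now = int(unix_time) // step
    for counter in range(now - window, now + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None

# Constructed user store; a real server keeps this in AD, RADIUS or the token vendor's DB.
USERS = {
    "jdoe": {
        "salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                                       b"constructed-salt", 100_000),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test key
        "last_counter": -1,   # highest counter already accepted: blocks code replay
    }
}

def authenticate(username, password, code, unix_time):
    """Password and token must both verify; a reused code is rejected even if valid."""
    rec = USERS.get(username)
    if rec is None:
        return False
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    if not hmac.compare_digest(pw_hash, rec["pw_hash"]):
        return False
    counter = totp_counter_for(rec["totp_secret"], code, unix_time)
    if counter is None or counter <= rec["last_counter"]:
        return False
    rec["last_counter"] = counter
    return True

if __name__ == "__main__":
    now = 1114592400
    code = totp(USERS["jdoe"]["totp_secret"], now)
    print("password only:", authenticate("jdoe", "correct horse battery staple", "000000", now))
    print("password + code:", authenticate("jdoe", "correct horse battery staple", code, now))
    print("replayed code:", authenticate("jdoe", "correct horse battery staple", code, now + 5))
```

Two details matter in practice: the drift window must be small (one step here), because every extra step an attacker can guess against doubles the chance of a lucky code; and the last accepted counter must be stored per user, since RFC 6238 requires that a code never be accepted twice within its validity period.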

Servers, routers, and switches

[ ] Run antivirus and anti-spyware software on servers.

[ ] Ensure that servers, routers, and switches have the latest patches installed.

[ ] Log the events from these devices to a central logging server.

[ ] Run performance monitoring software so that you are alerted when something abnormal happens on the servers or the network. Often this is the first indication of a security breach or another critical problem.

[ ] Document who has administrator/root-level access on these devices and how often the password is changed.

[ ] Document what privileges and access method will be given to vendors who need access to support and/or change servers and network devices.

[ ] Document the security around the software development and testing environment, as well as the server and network device testing environment.

[ ] Harden servers and network devices using published guidelines such as the NSA security configuration guides or the Center for Internet Security benchmarks.

Internet / external network

[ ] Periodically (I suggest quarterly) have a third-party company perform a penetration test on your Internet connection (or connections).

[ ] Protect the internal network and the DMZ from the external network with a stateful firewall. Log what the firewall denies from coming into the network.

[ ] Document the firewall rules with explanations, and make firewall configurations consistent across different segments.

[ ] Use an Intrusion Prevention System to stop malicious attacks that would otherwise have gotten through the firewall.


[ ] Keep the number of Internet connections (including dial-up connections) as small as possible. Every Internet connection is an avenue for a malicious attacker to get into your network.

[ ] Consider implementing a Security Information Management (SIM) system, now usually called a SIEM, as a central repository for security information that will do event correlation and alerting.
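The SIM item above, together with the earlier items on logging what the firewall denies and logging successful and failed logins, is illustrated by the following added example (not code from the original checklist or from any SIM product). It normalises constructed Cisco ASA-style deny messages and OpenSSH authentication messages into one event stream and applies four correlation rules, so that a source which scans the firewall and then logs in after a burst of failures produces a higher-severity alert than either log would on its own. The log formats, host names, and addresses are constructed; a real collector would normalise each source's format into the same fields.

```python
"""Event correlation across firewall and login logs (what a SIM/SIEM does).

Added example for the "log the firewall denies", "log successful and failed
logins" and SIM items of the checklist; it is not code from the original
TechRepublic checklist. The log formats (a Cisco ASA-style deny message and
OpenSSH auth messages, each prefixed with an ISO timestamp and host name) and
all addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

DENY_RE = re.compile(r"^(?P<ts>\S+) \S+ %ASA-4-106023: Deny \w+ src \w+:(?P<src>[\d.]+)/\d+ "
                     r"dst \w+:[\d.]+/(?P<dport>\d+)")
AUTH_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                     r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+")

SAMPLE_EVENTS = """\
2005-04-27T09:00:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/40001 dst inside:10.0.0.5/22 by access-group "outside_in"
2005-04-27T09:00:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/40002 dst inside:10.0.0.5/23 by access-group "outside_in"
2005-04-27T09:00:03 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/40003 dst inside:10.0.0.5/25 by access-group "outside_in"
2005-04-27T09:00:04 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/40004 dst inside:10.0.0.5/80 by access-group "outside_in"
2005-04-27T09:00:05 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/40005 dst inside:10.0.0.5/443 by access-group "outside_in"
2005-04-27T09:00:30 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/51000 dst inside:10.0.0.5/80 by access-group "outside_in"
2005-04-27T09:02:10 srv01 sshd[2311]: Failed password for administrator from 203.0.113.5 port 40010 ssh2
2005-04-27T09:02:12 srv01 sshd[2312]: Failed password for administrator from 203.0.113.5 port 40011 ssh2
2005-04-27T09:02:14 srv01 sshd[2313]: Failed password for administrator from 203.0.113.5 port 40012 ssh2
2005-04-27T09:02:16 srv01 sshd[2314]: Failed password for administrator from 203.0.113.5 port 40013 ssh2
2005-04-27T09:02:18 srv01 sshd[2315]: Failed password for administrator from 203.0.113.5 port 40014 ssh2
2005-04-27T09:02:20 srv01 sshd[2316]: Accepted password for administrator from 203.0.113.5 port 40015 ssh2
2005-04-27T09:10:00 srv01 sshd[2400]: Failed password for jdoe from 10.1.2.3 port 50001 ssh2
2005-04-27T09:10:05 srv01 sshd[2401]: Accepted password for jdoe from 10.1.2.3 port 50001 ssh2
"""

def parse_event(line):
    """Normalise one log line into a common event record, or None if unrecognised."""
    m = DENY_RE.match(line)
    if m:
        return {"kind": "deny", "ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                "dport": int(m["dport"])}
    m = AUTH_RE.match(line)
    if m:
        return {"kind": "auth", "ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                "user": m["user"], "ok": m["result"] == "Accepted"}
    return None

def correlate(log_text, window=300, scan_ports=5, brute_failures=5, lookback=600, min_failures=3):
    """Apply four correlation rules over the event stream and return the alerts raised."""
    events = sorted(filter(None, map(parse_event, log_text.splitlines())), key=lambda e: e["ts"])
    secs = lambda a, b: (b["ts"] - a["ts"]).total_seconds()
    alerts = []
    # Rule 1: one source denied on >= scan_ports distinct ports within `window` seconds.
    denies = defaultdict(list)
    for e in events:
        if e["kind"] == "deny":
            denies[e["src"]].append(e)
    for src, evs in denies.items():
        for i, first in enumerate(evs):
            ports = {d["dport"] for d in evs[i:] if secs(first, d) <= window}
            if len(ports) >= scan_ports:
                alerts.append({"rule": "port-scan", "src": src, "ports": sorted(ports)})
                break
    # Rule 2: >= brute_failures failed logins for one (source, user) within `window` seconds.
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and not e["ok"]:
            fails[(e["src"], e["user"])].append(e)
    for (src, user), evs in fails.items():
        if any(secs(evs[i], evs[i + brute_failures - 1]) <= window
               for i in range(len(evs) - brute_failures + 1)):
            alerts.append({"rule": "brute-force", "src": src, "user": user})
    # Rule 3: a successful login preceded by >= min_failures failures from the same source.
    # Rule 4: a successful login from a source already flagged as scanning the firewall.
    scanners = {a["src"] for a in alerts if a["rule"] == "port-scan"}
    for e in events:
        if e["kind"] != "auth" or not e["ok"]:
            continue
        prior = [f for f in events if f["kind"] == "auth" and not f["ok"]
                 and f["src"] == e["src"] and 0 <= secs(f, e) <= lookback]
        if len(prior) >= min_failures:
            alerts.append({"rule": "failed-then-accepted", "src": e["src"], "user": e["user"],
                           "failures": len(prior)})
        if e["src"] in scanners:
            alerts.append({"rule": "scan-then-login", "src": e["src"], "user": e["user"]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample, 203.0.113.5 trips all four rules while jdoe's single typo followed by a successful login and the lone denied packet from 198.51.100.7 produce nothing; the thresholds are the tuning knobs a SIM exposes, and the rule that combines the two log sources is the one no single device could have raised.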

Wireless

[ ] Periodically have a third-party company perform a penetration test on your wireless networks.

[ ] Use the strongest link encryption your hardware supports. WEP, at any key length, is cryptographically broken and its key can be recovered from captured traffic, so treat a WEP-only network as unencrypted; use WPA2 (802.11i) with AES-CCMP, or WPA with TKIP only where the hardware cannot be upgraded.

[ ] Consider a wireless security product that helps prevent wireless signals from leaving your building or office and that detects and controls rogue access points on your network.

[ ] Consider using 802.1X authentication for all wireless users, in addition to link encryption; WPA2-Enterprise uses 802.1X with EAP to authenticate each user and derive per-session keys.

[ ] Consider putting the wireless network in the DMZ and forcing users to connect to it via a VPN connection.

[ ] Document the wireless security policy and educate users on it.

Logging

[ ] Implement a centralized logging server.

[ ] Document how information is logged, who can view the logs, and how long those logs are kept. Various sections above cover what specifically should be logged.

PDA and cell phone

[ ] Document proper and improper company use of cellular phones and PDAs.

[ ] Consider using a product that can remotely wipe ("remote kill") a lost PDA or cell phone and render its data unreadable. A remote wipe only works while the device is still reachable, so combine it with on-device encryption and a power-on password.

[ ] Document what types of cellular phones will be supported and who will support them.

Documentation and change management

[ ] Document who controls changes to the security policy and who keeps the documentation up to date.

[ ] Document the process that changes must go through before they can be implemented.


David Davis manages a group of systems/network administrators for a privately owned retail
company. He also does networking/systems consulting on a part-time basis. His certifications
include IBM Certified Professional-AIX Support, MCSE+Internet, Sun Certified Solaris Admin
(SCSA), Certified Information Systems Security Professional (CISSP), Cisco CCNA, CCDA, and
CCNP. He is also Cisco CCIE #9369.

Additional resources
• Information Security Policy (TechRepublic download)
• Sample PDA IT support policy (TechRepublic download)
• Disaster recovery plan template (TechRepublic download)
• Crisis communications policy (TechRepublic download)

Version history
Version: 1.0
Published: April 27, 2005


