UNCLASSIFIED
Best Practices Security Checklist V2R1, January 29, 2007
Field Security Operations, Defense Information Systems Agency

Checklist

Reviewer:                          Date:
System:
Totals:                            Comments:
  Description:
  Documentation:
  Documentation:
  Total:
General

Vulnerability 1    IA Control: DCSD-1

Does the vendor have a documented and provable security policy for IT?

List of Items to be Included
1. Statement of Purpose
2. Organization structure
3. Physical Security
4. Hiring & termination procedures
5. Data Classification
6. Access Control
7. Operating Systems
8. Hardware & Software
9. Internet Use
10. Email
11. Technical Support
12. Virus protection, firewall, VPN, remote access
13. Backups & disaster recovery
14. Intrusion detection & incident response
15. Personnel Security
16. Software Development
17. Outsourcing (off shore)
18. Help Desk Development

Description Criteria:
  Does not have a policy or cannot describe policy = 0
  Can describe policy = 1

Documentation Criteria:
  Does not have a policy, or policy is not documented, or documented but does not include any of the noted items = 0
  Documented & includes 1-9 of 18 items = 1
  Documented & includes 10-18 of 18 items = 2

Demonstration Criteria:
  Does not have a policy or site cannot demonstrate policy = 0
  Site can demonstrate policy but it does not include any of the noted items = 1
  Site can demonstrate policy & it includes 1-9 of 18 items = 2
  Site can demonstrate policy & it includes 10-18 of 18 items = 3

Score:
(Fragment of a following General vulnerability; its question and remaining criteria are not present on this page.)

Documentation Criteria:
  Can provide documentation for review & update to be completed yearly or more frequently = 2

Score:
Access Control

Vulnerability 4    IA Controls: DCBP-1, DCMC-1, DCNR-1, IAKM-1, IATS-1

Is the application PKI enabled for the client?

Question to Ask
1. Does the application use DoD PKI or non-DoD PKI?

Description Criteria:
  Application is not PKI enabled for the client = 0
  Can describe how their application uses PKI for their client = 1

Documentation Criteria:
  Cannot provide documentation that describes the application as PKI enabled for the client = 0
  Can provide documentation that the application uses non-DoD PKI = 1
  Can provide documentation that the application uses DoD PKI = 2

Demonstration Criteria:
  Cannot demonstrate that the application is PKI enabled = 0
  Can demonstrate the application uses non-DoD PKI = 1
  Can demonstrate the application uses DoD PKI = 2

Score:
Confidentiality

Vulnerability 15    IA Controls: DCSR-2, ECCD-1, ECIC-1, ECPA-1, ECTP-1

Does the vendor utilize appropriate file permissions on sensitive data?

Question to Ask
1. Are file permissions based on roles & need to know?

Description Criteria:
  Does not have appropriate file permissions on sensitive data or cannot describe their file permissions on sensitive data = 0
  Can describe their file permissions & they are appropriate for sensitive data = 1

Documentation Criteria:
  Does not have appropriate file permissions on sensitive data or cannot provide documentation on sensitive data file permissions = 0
  Can provide documentation that system file permissions are appropriate for sensitive data = 1
  Can provide documentation that system file & application file permissions are appropriate for sensitive data = 2

Demonstration Criteria:
  Does not have appropriate file permissions on sensitive data or cannot demonstrate file permissions on sensitive data = 0
  Can demonstrate that system file permissions are appropriate for sensitive data = 2
  Can demonstrate that system file & application file permissions are appropriate for sensitive data = 3

Score:
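The Demonstration column for vulnerability 15 asks the vendor to show, not describe, that sensitive files are restricted to the accounts that need them. The following audit script is an added example of reviewer tooling for that demonstration; it is not part of the DISA checklist. It walks a directory tree and reports every regular file that grants group or world access, carries a set-id or sticky bit, is owned by someone other than the expected service account, or is a symlink (a link inside the tree could redirect the reviewer to a file outside it). The directory layout, file names and the expected-owner rule in demo() are constructed for the example.

```python
"""Audit POSIX file permissions on a tree that holds sensitive data.

Added example for vulnerability 15; reviewer tooling, not code from the
DISA checklist. Paths, sample files and the expected-owner rule are
constructed for the demo.
"""
import os
import stat
import tempfile

# Bits a sensitive data file should never carry: any group/other access
# plus setuid/setgid/sticky. Owner bits (0o700) are left to the owner.
DISALLOWED_BITS = (stat.S_IRWXG | stat.S_IRWXO
                   | stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX)


def audit_tree(root, expected_uid=None):
    """Return [(path, finding), ...] for files under root that fail the check."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: inspect the link itself, not its target
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink inside sensitive tree"))
                continue
            mode = stat.S_IMODE(st.st_mode)
            excess = mode & DISALLOWED_BITS
            if excess:
                findings.append((path, "mode %04o grants %04o beyond owner" % (mode, excess)))
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((path, "owned by uid %d, expected uid %d" % (st.st_uid, expected_uid)))
    return findings


def remediate(findings):
    """Clear the excess bits on files reported for mode problems; return the fixed paths."""
    fixed = []
    for path, finding in findings:
        if finding.startswith("mode "):
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            os.chmod(path, mode & ~DISALLOWED_BITS)
            fixed.append(path)
    return fixed


def demo():
    """Constructed tree: one correctly restricted file and two exposed ones; audit, fix, re-audit."""
    root = tempfile.mkdtemp(prefix="sensitive-")
    os.mkdir(os.path.join(root, "keys"))
    samples = {
        os.path.join(root, "customer.db"): 0o600,          # owner only: appropriate
        os.path.join(root, "backup.tar"): 0o644,           # world-readable backup
        os.path.join(root, "keys", "signing.pem"): 0o664,  # group-writable private key
    }
    for path, mode in samples.items():
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, mode)
    before = sorted(audit_tree(root, expected_uid=os.getuid()))
    remediate(before)
    after = audit_tree(root, expected_uid=os.getuid())
    return before, after


if __name__ == "__main__":
    found, remaining = demo()
    for path, finding in found:
        print("FINDING", path, "-", finding)
    print("findings after remediation:", len(remaining))
```

Run it against the vendor's actual data directories with the service account's uid as expected_uid; an empty result is the evidence the Demonstration row asks for, and a non-empty one lists exactly which files contradict the "roles & need to know" answer given under Question to Ask.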
Integrity

Vulnerability 21

Does the vendor have a trust mark or site seal to validate users have reached the vendor site?

Things to Consider
1. A seal image alone can be copied onto an impostor site. When the seal is demonstrated, confirm that it links to the seal issuer's verification page for the vendor's domain and that the site's server certificate is issued to that domain.

Description Criteria:
  Does not have a trust mark or site seal or cannot describe their trust mark or site seal = 0

Documentation Criteria:
  Does not have a trust mark or site seal or this requirement is not documented = 0

Demonstration Criteria:
  Does not have a trust mark or site seal or cannot show their trust mark or site seal = 0

(The scoring rows above 0 for this vulnerability are not present on this page.)
Availability

Vulnerability 27    IA Controls: COED-1, CODB-1, CODB-2, COTR-1

Does the vendor have a policy for backups?

List of Items to be Included
1. Schedule for regular backups
2. Backups to be stored off-site
3. Recovery Plan
4. Clearly defined activities & responsibilities of individuals
5. Policy should be tested annually
6. Personnel trained annually
7. Backups should maintain separation of DoD data

Description Criteria:
  Does not have a policy for backups or cannot describe backup policy = 0
  Vendor can describe policy for backups = 1

Documentation Criteria:
  Does not have a policy for backups, or cannot provide documentation of policy, or policy does not include any of the items listed = 0
  Can provide documentation that Vendor has policy & it includes 1-3 of listed items = 1
  Can provide documentation that Vendor has policy & it includes 4-7 of listed items = 2

Demonstration Criteria:
  Does not have a policy for backups or cannot demonstrate backups = 0
  Can demonstrate that Vendor has policy and it includes 1-2 of listed items = 1
  Can demonstrate that Vendor has policy and it includes 3-4 of listed items = 2
  Can demonstrate that Vendor has policy and it includes 5-7 of listed items = 3

Score:
Non-repudiation

Vulnerability 42    IA Control: DCNR-1

Does the vendor use NIST FIPS 140-2 validated cryptography to implement encryption, key exchange, digital signature, and hash?

Things to Consider
1. Cryptography - DoD PKI class 3 or 4 token
2. Encryption - AES, 3DES, DES, Skipjack
3. Key Exchange - FIPS 171
4. Digital Signature - DSA, RSA, ECDSA
5. Hash - SHA-1, SHA-256, SHA-384, SHA-512
6. "Validated" means the cryptographic module holds a CMVP validation certificate; the documentation should cite the certificate number, and the demonstration should show the application invoking that module in its FIPS-approved mode of operation, not merely linking a library that contains approved algorithms.
7. The algorithm list in items 2-5 is as of 2007. NIST withdrew FIPS 46-3 (DES) in 2005, and SHA-1 is no longer approved for generating digital signatures; score against the current NIST approved-algorithm lists and the SP 800-131A transition guidance.

Description Criteria:
  Does not use FIPS 140-2 or cannot describe how it is used in their application = 0
  Can describe how they use FIPS 140-2 = 1

Documentation Criteria:
  Does not use FIPS 140-2 or cannot provide documentation of using FIPS 140-2 in their application = 0
  Can provide documentation of FIPS 140-2 = 2

Demonstration Criteria:
  Does not use FIPS 140-2 or cannot demonstrate use of FIPS 140-2 = 0
  Can demonstrate use of FIPS 140-2 = 3

Score:
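A quick way to demonstrate item 2-5 coverage on a deployed application is to look at which TLS cipher suites it is willing to negotiate, since each suite names its key exchange, authentication, encryption and integrity primitives. The script below is an added example of such a check, written for this page and not taken from the DISA checklist or any vendor. OpenSSL describes every suite as "Kx=... Au=... Enc=... Mac=...", and that text is the 'description' field of each dict Python's ssl.SSLContext.get_ciphers() returns; the script parses it and accepts only primitives from the families the checklist names (AES/3DES, RSA/ECDSA/DSA, SHA-1/SHA-2). DES is rejected even though the 2007 list includes it, because NIST withdrew FIPS 46-3 in 2005; that is the editor's choice, noted in the code. The suite entries inside demo() are constructed; on a real review, pass get_ciphers() output instead.

```python
"""Classify TLS cipher suites against the checklist's FIPS 140-2 algorithm list.

Added example for vulnerability 42; reviewer tooling, not code from the DISA
checklist. The suite list in demo() is constructed to mimic
ssl.SSLContext.get_ciphers() output.
"""
import re
import ssl

DESC_RE = re.compile(
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")

APPROVED_KX = {"RSA", "DH", "ECDH"}          # no anonymous, SRP or PSK exchange
APPROVED_AU = {"RSA", "ECDSA", "DSS"}        # DSS is OpenSSL's name for DSA
# Editor's choice: DES is left out although the 2007 list names it (FIPS 46-3 withdrawn 2005).
APPROVED_ENC = {"AES", "AESGCM", "AESCCM", "AESCCM8", "3DES"}
APPROVED_MAC = {"SHA1", "SHA256", "SHA384", "AEAD"}  # AEAD: integrity comes from GCM/CCM


def classify(protocol, description):
    """Return (approved, reason) for one suite; protocol is e.g. 'TLSv1.2'."""
    m = DESC_RE.search(description)
    if not m:
        return False, "unparseable description"
    kx, au = m.group("kx"), m.group("au")
    enc = m.group("enc").split("(")[0]       # "AESGCM(256)" -> "AESGCM"
    mac = m.group("mac")
    reasons = []
    # TLS 1.3 suites report Kx=any/Au=any: key exchange and authentication are
    # negotiated outside the suite, so only Enc/Mac are judged for them here.
    if protocol != "TLSv1.3":
        if kx not in APPROVED_KX:
            reasons.append("key exchange %s" % kx)
        if au not in APPROVED_AU:
            reasons.append("authentication %s" % au)
    if enc not in APPROVED_ENC:
        reasons.append("encryption %s" % enc)
    if mac not in APPROVED_MAC:
        reasons.append("mac %s" % mac)
    return (not reasons), ("; ".join(reasons) or "approved")


def approved_suite_names(ciphers):
    """Filter a list of get_ciphers()-shaped dicts down to the approved suite names."""
    return [c["name"] for c in ciphers if classify(c["protocol"], c["description"])[0]]


def restricted_context(names):
    """Client context limited to the given suites. TLS 1.3 suites (TLS_* names)
    are governed separately by OpenSSL and are not passed to set_ciphers()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(n for n in names if not n.startswith("TLS_")))
    return ctx


def demo():
    """Constructed suite list mimicking get_ciphers() output; returns the approved names."""
    suites = [
        {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3",
         "description": "TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD"},
        {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2",
         "description": "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"},
        {"name": "DHE-DSS-AES128-SHA256", "protocol": "TLSv1.2",
         "description": "DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256"},
        {"name": "ECDHE-RSA-CHACHA20-POLY1305", "protocol": "TLSv1.2",
         "description": "ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD"},
        {"name": "DES-CBC-SHA", "protocol": "SSLv3",
         "description": "DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1"},
        {"name": "AECDH-AES256-SHA", "protocol": "TLSv1",
         "description": "AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1"},
        {"name": "RC4-MD5", "protocol": "SSLv3",
         "description": "RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5"},
    ]
    return approved_suite_names(suites)


if __name__ == "__main__":
    for name in demo():
        print("approved:", name)
    live = ssl.create_default_context().get_ciphers()
    print("approved suites in this Python's default context:", len(approved_suite_names(live)))
```

Passing this filter is necessary but not sufficient for the Documentation and Demonstration rows: an approved algorithm inside a non-validated module, or a validated module running outside its approved mode, still scores 0, which is why item 6 above asks for the CMVP certificate number.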
Protection

Vulnerability 48    IA Controls: DCCS-1, ECND-1

Does the vendor follow some type of guidance to secure the vendor computing and network infrastructure?

Things to Consider
1. Defense in Depth

Description Criteria:
  Follows no guidance for securing their computing & network infrastructure or cannot describe what guidance they follow = 0
  Follows guidance for securing their computing & network infrastructure & can describe what that guidance is = 1

Documentation Criteria:
  Follows no guidance for securing their computing & network infrastructure or cannot provide documentation of guidance = 0
  Can provide copy of guidance but it does not include defense in depth = 1
  Can provide copy of guidance & it includes defense in depth = 2

Demonstration Criteria:
  Follows no guidance for securing their computing & network infrastructure or cannot demonstrate guidance = 0
  Can demonstrate their security guidance but it does not include defense in depth = 2
  Can demonstrate their security guidance & it includes defense in depth = 3

Score:
Detection

Vulnerability 63    IA Controls: ECMT-1, VIVM-1

Does the vendor's security policy contain guidance for regularly scheduled routine security audits performed by an external party?

List of Items to be Included
1. Operating Systems
2. Web Servers
3. Browsers
4. Web Services
5. Database
6. Network sensors
7. Firewalls
8. Applications
9. Wireless

Description Criteria:
  Does not contain guidance for regularly scheduled routine security audits performed by an external party or cannot describe policy = 0
  Can describe security policy & it contains guidance for regularly scheduled routine security audits performed by an external party = 1

Documentation Criteria:
  Does not contain guidance for regularly scheduled routine security audits performed by an external party or cannot provide documentation of policy = 0
  Can provide a copy of security policy which requires routine security audits performed by external party but policy does not include all of listed items = 1
  Can provide a copy of security policy which requires routine security audits performed by external party & (remainder of this row is not present on this page)

Demonstration Criteria:
  Does not contain guidance for regularly scheduled routine security audits performed by an external party or cannot demonstrate policy = 0
  Can demonstrate security policy which requires routine security audits performed by external party but policy includes only operating systems = 1
  Can demonstrate security policy which requires routine security audits performed by external party but policy includes (remainder of this row is not present on this page)
  Can demonstrate security policy which requires routine security audits performed by external party & policy includes all of listed items = 3

Score:
(Fragment of a following Detection vulnerability; its question and remaining criteria are not present on this page.)

Demonstration Criteria:
  ... verification is done monthly or more frequently than monthly = 3

Score:
(Fragment of a following Detection vulnerability on review of HIDS, NIDS and firewall rules; its question and remaining criteria are not present on this page.)

Demonstration Criteria:
  Can demonstrate how they routinely review HIDS, NIDS, & firewall rules and review occurs monthly or more frequently than monthly = 3

Score:
Reaction

Vulnerability 69    IA Control: VIIR-1

Does the vendor have a documented Incident Response Program?

Description Criteria:
  Does not have documented Incident Response Program or cannot describe Incident Response Program = 0
  Can describe Incident Response Program = 1

Documentation Criteria:
  Does not have documented Incident Response Program or cannot provide documentation of Incident Response Program = 0
  Can provide documentation of the Incident Response Program = 2

Demonstration Criteria:
  Does not have documented Incident Response Program or cannot demonstrate the Incident Response Program = 0
  Can demonstrate Incident Response Program = 3

Score:
(Fragment of a following Reaction vulnerability on the contents of the Incident Response policy; its question, item list and remaining criteria are not present on this page.)

Demonstration Criteria:
  Can demonstrate Incident Response policy & it includes 8-10 of listed items = 3

Score:
71
UNCLASSIFIED
Best Practices Security Checklist V2R1 January 29, 2007 Field Security Operations
Checklist Defense Information Systems Agency
72
UNCLASSIFIED
Best Practices Security Checklist V2R1 January 29, 2007 Field Security Operations
Checklist Defense Information Systems Agency
73
UNCLASSIFIED
Best Practices Security Checklist V2R1 January 29, 2007 Field Security Operations
Checklist Defense Information Systems Agency
74
UNCLASSIFIED
Best Practices Security Checklist V2R1 January 29, 2007 Field Security Operations
Checklist Defense Information Systems Agency
75
UNCLASSIFIED
Best Practices Security Checklist V2R1 January 29, 2007 Field Security Operations
Checklist Defense Information Systems Agency
76
UNCLASSIFIED
Best Practices Security Checklist V2R1 January 29, 2007 Field Security Operations
Checklist Defense Information Systems Agency
77
UNCLASSIFIED
Best Practices Security Checklist V2R1 January 29, 2007 Field Security Operations
Checklist Defense Information Systems Agency
78
UNCLASSIFIED
Best Practices Security Checklist V2R1 January 29, 2007 Field Security Operations
Checklist Defense Information Systems Agency
79
UNCLASSIFIED
Best Practices Security Checklist V2R1 January 29, 2007 Field Security Operations
Checklist Defense Information Systems Agency
80
UNCLASSIFIED
Best Practices Security Checklist V2R1 January 29, 2007 Field Security Operations
Checklist Defense Information Systems Agency
(Fragment of a following Reaction vulnerability on security reporting to management; its question and remaining criteria are not present on this page.)

Demonstration Criteria:
  Can demonstrate requirement for reports to be sent to management on a regular basis & reports are sent monthly, or less frequently than monthly but more frequently than quarterly = 3

Score:
Configuration Management

Vulnerability 82    IA Controls: DCID-1, DCII-1, DCPR-1

Does the configuration management plan include hardware, operating system, utility software, communication, network device changes, application and facilities?

Description Criteria:
  Does not exist, or it does not include all of the items, or cannot describe the configuration management plan = 0
  Can describe the configuration management plan & it includes all of the items = 1

Documentation Criteria:
  Does not exist, or it does not include all of the items, or cannot provide documentation of the configuration management plan = 0
  Can provide documentation of the configuration management plan = 2

Demonstration Criteria:
  Does not exist, or it does not include all of the items, or cannot demonstrate the configuration management plan = 0
  Can demonstrate the configuration management plan = 3

Score:
Vulnerability Management

Vulnerability 85    IA Control: VIVM-1

Does the vendor's security policy contain guidance for regularly scheduled internal vulnerability audits?

Question to Ask
1. How often are vulnerability audits performed?

Description Criteria:
  Does not require regularly scheduled internal vulnerability audits or cannot describe the requirement = 0
  Can describe the requirement for regularly scheduled vulnerability audits = 1

Documentation Criteria:
  Does not require regularly scheduled internal vulnerability audits or cannot describe the requirement = 0
  Can provide documentation which requires regularly scheduled internal vulnerability audits & audits are performed less frequently than monthly = 1
  Can provide documentation which requires regularly scheduled internal vulnerability audits & audits are performed monthly (remainder of this row is not present on this page)

Demonstration Criteria:
  Does not require regularly scheduled internal vulnerability audits or cannot describe the requirement = 0
  Can demonstrate requirement for regularly scheduled vulnerability audits & audits are performed yearly or less frequently than yearly = 1
  Can demonstrate requirement for regularly scheduled vulnerability audits & audits are performed quarterly, or less frequently than quarterly but more frequently than (remainder of this row is not present on this page)

(Fragment of a following Vulnerability Management vulnerability on use of a vulnerability scanner; its question and remaining criteria are not present on this page.)

Demonstration Criteria:
  Can demonstrate how their scanner is used & scans are performed monthly, or less frequently than monthly but more frequently than quarterly = 3

Score:
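The Demonstration rows for vulnerability 85 and for the scanner fragment above score the observed interval between audits, so the reviewer needs evidence of when scans actually completed, not the interval the policy promises. The following script is an added example of deriving that score from scanner records; it is reviewer tooling written for this page, not part of the DISA checklist. It parses scanner log lines, keeps only scans that completed, and maps the longest gap between consecutive scans (including the gap from the last scan to the review date, so a lapsed schedule is caught) onto the page's thresholds. Month, quarter and year are approximated as 30, 90 and 365 days; gaps shorter than a month are scored 3, an assumption made because 3 is the highest score on the page and the row for that case did not survive extraction. The log line format is made up for the demo.

```python
"""Score observed vulnerability-scan cadence from scanner evidence.

Added example for vulnerability 85; reviewer tooling, not code from the DISA
checklist. The log format and the log lines in demo() are constructed.
Month/quarter/year are approximated as 30/90/365 days, and gaps shorter
than a month are scored 3 by assumption (the page's top score).
"""
import re
from datetime import datetime

# Constructed format: "<ISO timestamp>Z scan <status> <free text>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+scan\s+(?P<status>\w+)\b")


def completed_scans(lines):
    """Timestamps of scans whose status is 'completed', oldest first."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "completed":
            found.append(datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"))
    return sorted(found)


def longest_gap_days(scans, as_of):
    """Longest interval between consecutive completed scans, with the review
    date as the final point so a schedule that silently stopped is penalised."""
    if not scans:
        return None
    points = scans + [as_of]
    return max((later - earlier).days for earlier, later in zip(points, points[1:]))


def demonstration_score(gap_days):
    """Map the worst observed gap onto the vulnerability 85 Demonstration rows."""
    if gap_days is None:
        return 0          # no completed scan: cannot demonstrate audits
    if gap_days >= 365:
        return 1          # yearly or less frequently than yearly
    if gap_days >= 90:
        return 2          # quarterly, or less frequently but more than yearly
    return 3              # monthly-to-quarterly; shorter gaps assumed 3 as well


def score_log(lines, as_of):
    """End-to-end: log lines -> completed scans -> worst gap -> score."""
    return demonstration_score(longest_gap_days(completed_scans(lines), as_of))


def demo():
    """Four constructed logs reviewed on 2006-09-01: monthly, quarterly, lapsed, none."""
    review_date = datetime(2006, 9, 1)
    monthly = [
        "2006-05-02T03:00:00Z scan completed targets=14 findings=3",
        "2006-06-05T03:00:00Z scan completed targets=14 findings=1",
        "2006-07-03T03:00:00Z scan completed targets=15 findings=4",
        "2006-08-07T03:00:00Z scan completed targets=15 findings=2",
    ]
    quarterly = [
        "2006-01-10T02:00:00Z scan completed targets=12 findings=6",
        "2006-04-12T02:00:00Z scan completed targets=12 findings=5",
        "2006-07-15T02:00:00Z scan failed error=credentials",   # failed run: no evidence
        "2006-07-16T02:00:00Z scan completed targets=13 findings=5",
    ]
    lapsed = ["2005-06-01T02:00:00Z scan completed targets=10 findings=9"]
    none = ["2006-08-01T02:00:00Z scan failed error=timeout"]
    return tuple(score_log(log, review_date) for log in (monthly, quarterly, lapsed, none))


if __name__ == "__main__":
    print("scores (monthly, quarterly, lapsed, none):", demo())
```

Using the longest gap rather than the average is deliberate: a vendor that scanned weekly for a year and then stopped six months ago has an average cadence that still looks good, but the reviewer is scoring whether the control is operating now.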
Personnel Security

Vulnerability 99    IA Controls: PRAS-1, PRMP-2, PRNK-1

Does the vendor have a documented requirement for a background security investigation?

Question to Ask
1. What type of background security investigation is required?

Description Criteria:
  Does not have requirement for background security investigation or cannot describe their background security investigation = 0
  Can describe their background security investigation = 1

Documentation Criteria:
  Does not have requirement for background security investigation or cannot provide documentation of requirement for background security investigation = 0
  Can provide documentation of the requirement for background security investigation & investigation is commercial or DoD/OPM = 1
  Can provide documentation of requirement for background security investigation & investigation is SSBI = 2

Demonstration Criteria:
  Does not have background security investigation or cannot demonstrate background security investigation has been done = 0
  Can demonstrate background security investigation has been done & investigation is commercial = 1
  Can demonstrate background security investigation has been done & investigation is DoD/OPM = 2
  Can demonstrate background security investigation has been done & investigation is SSBI = 2

Score:
Physical Security

Vulnerability 106    IA Control: PEPF-1

Is there access control at every physical access point to the vendor facility?

Description Criteria:
  Does not have access control at every access point or cannot describe how every physical access point has access control = 0
  Can describe how every physical access point has access control = 1

Documentation Criteria:
  Does not have access control at every access point or cannot provide documentation requiring access control at every physical access point = 0
  Can provide documentation requiring access control at every physical access point = 2

Demonstration Criteria:
  Does not have access control at every access point or cannot demonstrate how every physical access point has access control = 0
  Can demonstrate access control at every physical access point to the facility = 3

Score:
(Fragment of a following Physical Security vulnerability on additional security measures for the facility housing equipment; its question and remaining criteria are not present on this page.)

Demonstration Criteria:
  Can demonstrate their additional security measures on facility housing equipment & all doors have CCTV/motion detector = 2
  Can demonstrate their additional security measures on facility housing equipment & area is manned 24x7, or area is alarmed when not manned, or area is locked with GSA-approved combination lock when not manned = 3

Score: