Security Controls Review Policy

Version: 1.00
Issue Date: 3/23/2015

This Security Controls Review Policy is supplemental to the Auditing Policy and ensures that auditors perform audits to confirm that security controls in the organization are in place and effective.

1.0 Overview

This Security Controls Review Policy will help ensure that required security control policies and processes are in effect, are followed, and are effective.

2.0 Purpose

This Security Controls Review Policy is intended to ensure that security controls are effective in keeping the organization secure.

3.0 Scope

This Security Controls Review Policy applies to all security controls in the organization, all policies that enforce security controls, and all equipment, computers, employees, contractors, and policies that are affected by security controls. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Security Controls

The security controls listed below must be audited no less than every six months to determine both compliance and effectiveness. The audit should answer the listed questions or accomplish the listed tasks.

  • Account creation and management - Accounts must be created and removed with authorization by management. Accounts of employees who have left or changed positions must be removed or modified in a timely manner in accordance with the Account Management Policy.
  • Check for account sharing where possible.
  • Check for active guest accounts.
  • Check accounts to be sure the principle of least privilege is applied to them.
  • Is the password policy being enforced by systems?
  • Can a password be modified without confirmation of the user?
  • Are dangerous sites being blocked by surf control?
  • System Lockdown - Was the server lockdown process documented for each server, including documentation of which services are required for operation?
  • Server Monitoring - Are daily monitoring reports being submitted on time? Are they complete and accurate?
  • Are corrective actions for system problems being taken within the expected timeframes?
  • Are minimum activities specified in the Audit Trail Policy being monitored?
  • Are audit logs being retained for the specified period of time?
  • Check and record audit log permissions.
  • Is password information transmitted in approved encrypted form to systems and applications?
  • Is authentication required for mail relaying on systems capable of sending email? Check where possible.
  • Are dangerous file attachments blocked and users informed about which files are blocked?
  • Are workstations properly configured? Are file extensions for known file types viewable to users?
  • Are workstations being updated within the designated timeframe according to the Patch Management Policy?
  • Do users have administrative rights on their workstations?
  • Is user access to the control panel, administrative tools, and system registry limited according to the Workstation Configuration Policy?
  • Are workstation browsers configured securely according to the Workstation Configuration Policy?
  • Does any unapproved software exist on servers or workstations?
  • Are updates being applied to systems within appropriate timeframes according to the Patch Management Policy?
  • Virus Protection Policy - Are systems operating the latest anti-virus program?
  • How old are the virus definition files on the audited systems?
  • Change Management Policy - Is access control used to control changes to data?
  • Is data monitored to be sure unauthorized changes are not made according to the Change Management Policy?
  • Are software patches centrally distributed?
  • Changes made to software distribution points shall be monitored and logged. Auditors shall have read access to the logs.
  • Security Incident Response Policy - Were security incidents handled in a timely manner? Were security incidents documented and completed?
  • Incident Response Policy - Are incidents logged? Concluded? Solved? Prevented? Is evidence preserved?
  • Are computer forensics policies and procedures being followed? (Computer Forensics Policy)
  • Is two-factor authentication used when remotely accessing devices in the DMZ?
  • Are remote access connectivity rules for administration of devices in the DMZ limited to trusted source addresses rather than allowing any remote connection for the purposes of administration?
  • Are the Perimeter security policy and the Internet DMZ security policy being followed?
  • Is a list of applications operating on each server available to authorized staff?
  • Is contact information for the administrators, business owners, and managers of each server maintained?
  • The system must be set up and configured to require login credentials, or a secure and current method to identify a user together with a valid and secure way to authenticate that user, to access the system, and it must be protected against unauthorized access.
  • Encryption or a secure channel should be used if possible when administrative or privileged access is used to manage systems. In all cases the account ID and password must be encrypted using approved current encryption methods and protocols.
  • The ability to install software and modify the server logs should not be possessed by a single account.
  • Is data adequately encrypted based on its sensitivity level and using approved encryption protocols and key lengths? (Encryption Policy)
  • Are data owners identified?
  • Is data classified according to sensitivity? (Data Classification Policy)
  • Is data handled according to its classification? (Information Sensitivity Policy)
  • Is data properly marked?
  • Are databases adequately protected?
  • Do database passwords and accounts meet standards? (Database Passwords Policy)
  • Are servers located in a physically secure environment where access to the facility is logged and unauthorized personnel do not have access?
  • Are physical security measures followed?
  • Is logging used for secure areas?
  • Are IDs worn?
  • Are records of people with access kept by proper authorities? (Physical Security Policy)
  • Do applications meet proper coding and security standards?
  • Are the Development Life Cycle Policy and Change Management Policy followed?
  • Is proper testing done to assure proper application quality according to a test plan?
  • Are external connections properly evaluated and approved? (Extranet Policy)
  • Are third parties properly identified to be secure based on the nature of the connection and data being accessed? (Third Party Identification Policy)
  • Are there any unapproved wireless devices or networks?
  • Is the Remote Access Policy being followed, including authentication mechanisms, business justification, security of remote systems, sensitive resource access, and encryption?
  • Are the Mobile Computer Policy and Mobile Device Policy being followed?

5.0 Enforcement

Since following the Security Controls Review Policy is important for ensuring the security and proper operation of the organization, employees who purposely violate this policy by willingly refusing to cooperate with an audit, or by falsifying documents, may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

6.0 Other Policies

  • Auditing Policy
  • Mobile Computer Policy and Mobile Device Policy
  • Remote Access Policy
  • Database Passwords Policy
  • Information Sensitivity Policy
  • Data Classification Policy
  • Security Incident Response Policy
  • Development Life Cycle Policy
  • Change Management Policy
  • Third Party Identification Policy
  • Physical Security Policy
  • Extranet Policy
  • Password Policy
  • Account Management Policy
  • User Privilege Policy
  • Virus Protection Policy
  • Server Monitoring Policy
  • Audit Trail Policy
  • Authentication Mechanism Policy
  • Computer Center Operations Policy
  • Computer Forensics Policy
  • Email Policy
  • Patch Management Policy
  • Server Security Policy
  • Server Setup and Configuration Policy
  • System Lockdown Policy
  • Workstation Configuration Policy

7.0 Additional Requirements

  • Processes for auditing the security controls must be developed.


Approved by:__________________________ Signature:_____________________ Date:_______________