
Security Compliance

Assessment Checklist

ITO Security Services


January 2011 V0.2
Intro
This checklist is used to evaluate project compliance with the Government of Saskatchewan
IT Security Standards 2010. The purpose is to assist project teams in ensuring compliance,
and to report on compliance to ministry security officers and ITO management.

A score is not assigned based on the results, but rather a report on compliance is provided as
an output from this checklist.

Usage
All questions are to be answered as yes, no, or not applicable. Any questions resulting in a
no are to include details as to why compliance was not achieved.

Completion
The checklist is to be completed by the assigned Security Architect.

Security Compliance Assessment Checklist


Jan 2011 V.02 1
Table of Contents
Intro
Usage
Completion
6 ORGANIZING INFORMATION SECURITY
6.1 Internal Organization
6.2 External Parties
7 ASSET MANAGEMENT
7.1 Responsibility for Assets
7.2 Information Classification
8 HUMAN RESOURCES SECURITY
8.1 Prior to Employment
8.2 During Employment
8.3 Termination or Change of Employment
9 PHYSICAL AND ENVIRONMENTAL SECURITY
9.1 Secured Areas
9.2 Equipment Security
10 COMMUNICATIONS AND OPERATIONS MANAGEMENT
10.1 Operational Procedures and Responsibilities
10.2 Third Party Service Delivery Management
10.3 System Planning and Acceptance
10.4 Protection against Malicious and Mobile Code
10.5 Back-up
10.6 Network Security Management
10.7 Media Handling
10.8 Exchange of Information
10.9 Electronic Commerce Services
10.10 Monitoring
11 ACCESS CONTROL
11.1 Access Control Policy
11.2 User Access Management
11.3 User responsibilities
11.4 Network Access Control
11.5 Operating System Access Control
11.6 Application and Information Access Control
11.7 Mobile computing and teleworking
12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE
12.1 Security requirements of information systems
12.2 Correct processing in applications
12.3 Cryptographic controls
12.4 Security of system files
12.5 Security in development and support processes
12.6 Technical vulnerability management
13 INFORMATION SECURITY INCIDENT MANAGEMENT
13.1 Reporting Information Security Events and Weaknesses
14 BUSINESS CONTINUITY MANAGEMENT
14.1 Information Security Aspects of Business Continuity Management
15 Compliance
15.1 Compliance with Legal Requirements
15.2 Compliance with Security Policies and Standards, and Technical Compliance
15.3 Information System Audit Considerations

6 ORGANIZING INFORMATION SECURITY
6.1 Internal Organization
The Government of Saskatchewan has established a framework to initiate and control the implementation of information
security within the organization.
The Government of Saskatchewan has approved the information security policies, assigned security roles and will
co-ordinate and review the implementation of security across the organization.
A source of specialist information and security advice has been established and made available within the organization.
Contacts with external security specialists and groups, including relevant authorities, have been developed to keep up with
industrial trends, monitor standards and assessment methods, and provide suitable liaison points when handling
information security incidents. A multi-disciplinary approach to information security has been encouraged.
Description Yes No

6.1.2.1 Is the solution being hosted at an approved information processing facility?

Details:

6.1.2.2 Have confidentiality clauses been included in vendor contracts?

Details:

6.2 External Parties
The security of the Government of Saskatchewan information and information processing facilities will not be reduced by
the introduction of external party products or services.
Any access to the Government of Saskatchewan information processing facilities and processing and communication of
information by external parties will be controlled.
Where there is a business need for working with external parties that may require access to the organization's
information and information processing facilities, or in obtaining or providing a product and service from or to an external
party, a risk assessment will be carried out to determine security implications and control requirements. Controls will be
agreed to and defined in a written agreement with the third party.
Description Yes No

6.2.1.1 Was a risk assessment carried out prior to providing contractor access to
government assets or data?

Details:

6.2.2.2 Does a written agreement exist to provide vendor or contractor access to
government assets or data?

Details:

7 ASSET MANAGEMENT
7.1 Responsibility for Assets
The Government of Saskatchewan ensures all assets are accounted for and have a nominated owner.
Owners are identified for all assets and the responsibility for the maintenance of appropriate controls is assigned. The
implementation of specific controls may be delegated by the owner as appropriate but the owner remains responsible for
the proper protection of the assets.
Description Yes No

7.1.1.1 Have the following been defined for the project:

• All information necessary to recover from a disaster
• The ownership of the asset (owner is responsible for asset classification and review)
• The classification of the information
• The business value of the asset (or group of related assets)
• For physical assets, which employee has signed out the asset for use (via an asset sign-out agreement) if leaving an approved government facility
Details:

7.2 Information Classification


Information is classified to indicate the need, priorities and expected degree of protection when handling the information.
Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or
special handling. An information classification scheme is used to define an appropriate set of protection levels and
communicate the need for special handling measures.
Description Yes No

7.2.1.1 Has the data within the solution been classified?

Details:

7.2.2.1 Do agreements with external parties or organizations that include information
sharing include clauses governing the classification of shared information and mapping
external classifications to Government of Saskatchewan classifications?

Details:

8 HUMAN RESOURCES SECURITY
8.1 Prior to Employment
To reduce the risk of theft, fraud, or misuse of facilities, ministries ensure that employees, contractors and third party
users understand their responsibilities and are suitable for the roles they are assigned. Security responsibilities are
identified in job descriptions and in the terms and conditions of employment prior to employment. All candidates for
employment, contractors, and third party users are adequately screened, especially for sensitive jobs. Employees,
contractors and third party users of information processing facilities sign an agreement on their security roles and
responsibilities.
(Explanation: The word "employment" covers all the following situations: employment of people (temporary and
otherwise), appointment of job roles, change of job roles, assignment of contracts, and the termination of any of these
arrangements).
Description Yes No

8.1.1.1 Have specific roles for security been defined for the project?

Details:

8.1.2.1 Have background checks been performed for all project staff with access to
government data or assets?

Details:

8.1.2.2 Have all relevant terms and conditions been included in employment contracts
for project staff?

Details:

8.2 During Employment


Each ministry's Security Officer ensures that employees, contractors and third party users are aware of information
security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security
policy in the course of their normal work, and to reduce the risk of human error.
Management responsibilities are defined to ensure that security is applied throughout an individual's employment within
the organization.
An adequate level of awareness, education, and training in security procedures and the correct use of information
processing facilities are provided to all employees, contractors and third party users to minimize possible security risks. A
formal disciplinary process for handling security breaches has been established.
Description Yes No

8.2.1.1 Have all project staff been provided with a copy of the security policies,
standards, and specifications?

Details:

8.2.2.1 Have all project staff been provided with relevant security training?

Details:

8.3 Termination or Change of Employment
Each ministry's Security Officer ensures that employees, contractors and third party users exit an organization or change
employment in an orderly manner. Responsibilities are in place to ensure that the exit of employees, contractors, or third
party users from the organization is managed, and that the return of all equipment and the removal of all access rights are
completed. Change of responsibilities and employments within an organization is managed as the termination of the
previous position or employment in line with Objective 8.3 Termination or Change of Employment, and any new position
or employment is managed as described in Objective 8.1 Prior to Employment.
Description Yes No

8.3.1.1 Have processes been implemented to properly remove project staff access to
data and assets?

Details:

9 PHYSICAL AND ENVIRONMENTAL SECURITY


9.1 Secured Areas
The Government of Saskatchewan has implemented security measures to prevent unauthorized access, damage, and
interference to premises and information. Additionally, critical or sensitive information processing facilities are housed in
secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They are
physically protected from unauthorized access, damage, and interference. The protection provided is commensurate with
the identified risks as determined by a formal security assessment.
Description Yes No

9.1.1.1 Have physical security measures been implemented to deter access to areas
containing sensitive information or physical assets?

Details:

9.2 Equipment Security


Equipment is protected from physical and environmental threats.
Protection of equipment, including equipment siting and disposal, (including that used off-site, and the removal of
property) is necessary to reduce the risk of unauthorized access to information and to protect against loss or damage.
Special controls are required to protect against physical threats, and to safeguard information processing facilities,
including the electrical supply and cabling infrastructure.
Description Yes No

9.2.1.1a Have mobile devices been physically secured?

Details:

9.2.1.1b Have project staff been provided with the Mobile Device Policy?

Details:

9.2.2.2 Is all cabling secured and not routed through publicly accessible areas?

Details:

9.2.2.4 Have project staff been provided with the Government of Saskatchewan
Disposal Guidelines?

Details:

10 COMMUNICATIONS AND OPERATIONS MANAGEMENT


10.1 Operational Procedures and Responsibilities
Responsibilities and appropriate operating procedures for the management and operation of all information processing
facilities are established.
Segregation of duties is implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.
Description Yes No

10.1.1.1 Has access to project operating procedures been restricted to only the
required project staff?

Details:

10.1.2.1 Does the project follow the approved change management process?

Details:

10.1.2.2 Does the project ensure the separation of duties?

Details:

10.1.2.3 Does the project ensure the separation of development, testing, and
production facilities and data?

Details:

10.2 Third Party Service Delivery Management
The Government of Saskatchewan checks the implementation of agreements, monitors compliance with the agreements
and manages changes to ensure that the services delivered meet all requirements agreed with the third party.
Description Yes No

10.2.1.1 Do third party service delivery agreements include:

• Security arrangements
• Service definitions
• Aspects of service management that relate to business continuity
• A transition plan to internal delivery (where appropriate)
Details:

10.2.2.1 Has an owner for third party service delivery management been defined?

Details:

10.3 System Planning and Acceptance


As availability is understood to be a cornerstone of Information Security (Confidentiality, Integrity, Availability), the
Government of Saskatchewan ensures advance planning and preparations are made to ensure the availability of
adequate capacity and resources to deliver the required system performance.
In addition, projections of future capacity requirements are made to reduce the risk of system overload.
The operational requirements of new systems are established, documented and tested prior to their acceptance and use.
Description Yes No

10.3.1.1 Has a plan been developed to monitor for utilization and make periodic
capacity requirement projections?

Details:

10.3.2.1 Has appropriate acceptance testing been carried out in accordance with the
criteria documented in the operating procedures?

Details:

10.4 Protection against Malicious and Mobile Code


The Government of Saskatchewan ensures users are aware of the dangers of malicious code.
The Government of Saskatchewan, where appropriate, has introduced controls to prevent, detect, and remove malicious
code and control mobile code.
Description Yes No

10.4.1.1 Has the project considered actions to protect against malicious code?

Details:

10.5 Back-up
The Government of Saskatchewan has procedures established for taking back-up copies of data and rehearsing their
timely restoration.
Description Yes No

10.5.1.1 Has a plan been developed to backup the solution that meets the
requirements of the business continuity plan?

Details:

10.6 Network Security Management


The Government of Saskatchewan ensures the protection of information in networks and the protection of the supporting
infrastructure.
To ensure the secure management of networks, which may span organizational boundaries, ITO provides careful
consideration to dataflow, legal implications, monitoring, and protection.
The Government of Saskatchewan provides additional controls required to protect sensitive information passing over
public networks.
Description Yes No

10.6.1.1a Has a project implemented logical network zones that organize nodes based
on function, data services offered, and ownership of information?

Details:

10.6.1.1b Is access restricted based upon defined rules that restrict connections to
only the ports and services required to perform the business function?

Details:

10.6.1.1c Are all devices connected to the ITO network authorized according to
defined procedures?

Details:

10.7 Media Handling


The Government of Saskatchewan prevents unauthorized disclosure, modification, removal or destruction of assets, and
interruption to business activities, caused by inappropriate media handling or failure.
Media is controlled and physically protected.
Appropriate operating procedures are established to protect documents, computer media (e.g. tapes, disks), input/output
data, and system documentation from unauthorized disclosure, modification, removal, and destruction.
Description Yes No

10.7.1.1a Does the project use any removable media such as backup tapes or USB
thumb drives?

Details:

10.7.1.1b If removable media is used, does it meet the following requirements:

• If no longer required, the contents of any re-usable media that are to be removed from the organization must be made unrecoverable
• Where necessary (as defined by the information classification of the data contained on the media) and practical, authorization must be required for media removed from the organization and a record of such removals must be kept in order to maintain an audit trail
• All media must be stored in a safe, secure environment, in accordance with manufacturers' specifications
• Information stored on media that needs to be available longer than the media lifetime (in accordance with the manufacturers' specifications) should also be stored elsewhere to avoid information loss due to media deterioration
• Removable media drives should only be enabled if there is a business reason for doing so
• Removable media drives should not be relied upon for primary storage; they should be used for backup or transport purposes only
• Sensitive or confidential documents are not to be stored on removable media unless encrypted.

Details:

10.7.2.1 Has media that is no longer required been disposed of in accordance with the
SPM Disposal Policy?

Details:

10.8 Exchange of Information
The Government of Saskatchewan maintains the security of information and software exchanged within an organization
and with any external entity. Exchanges of information and software between organizations are based on a formal
exchange policy, carried out in line with exchange agreements, and are compliant with any relevant legislation (see also
the Compliance chapter). The Government of Saskatchewan has established procedures and standards to protect
information and physical media containing information in transit.
Description Yes No

10.8.1.1 Have all electronic exchanges of information been implemented in
compliance with Government of Saskatchewan Information Exchange specifications
outlined below:

• Procedures to protect exchanged information from interception, copying, modification, misrouting, and destruction
• Use of cryptographic techniques, for example to protect the confidentiality, integrity and authenticity of information as per objective 12.3 of [ISO27002] Cryptographic controls
• Controls and restrictions associated with the forwarding of communications facilities (for example, automatic forwarding of electronic mail to external mail addresses)
Details:

10.8.2.2 Have procedures been implemented to ensure that physical media containing
sensitive information is protected against unauthorized access, misuse, or corruption
while in transit outside of ITO-secured physical boundaries that include:

• Encryption requirements for electronic data protection
• Authorized couriers or approved reliable transport methods
• Confirmation of identification for couriers
• Where necessary, hand-delivery of packages
• Sufficiently protective packaging to prevent physical damage
• Sufficiently protective packaging to detect tampering or, where necessary, physically prevent unauthorized disclosure (locked containers, etc)
• In exceptional cases, splitting the consignment into more than one delivery and dispatch by different means
Details:

10.8.2.3 Have procedures been implemented to ensure that information exchanged
with external parties via electronic messaging is appropriately protected and includes:

• Protecting messages from unauthorized access, modification, or denial of service
• Ensuring correct addressing and transport of the message
• Obtaining approval prior to using external public services such as instant messaging or file sharing
• Stronger levels of authentication controlling access from publicly accessible networks
Details:

10.9 Electronic Commerce Services


The ministry ensures the security of electronic commerce services, and their secure use.
The security implications associated with using electronic commerce services, including the on-line transactions, and the
requirements for controls, should be considered. The integrity and availability of information electronically published
through publicly available systems should also be considered.
Description Yes No

10.9.1.1 Has the project team considered the following security requirements for
electronic commerce and addressed some of these through the application of security
controls:

• The level of confidence in the identity of each party required
• Authorization processes for price setting and the issuing and signing of key trading documents
• Fully informing commerce partners of their authorizations and agreed terms of commerce in a documented agreement
• The level of protection required to maintain the confidentiality and integrity of any order transactions, payment information, delivery address details, confirmation of receipts, and any other sensitive data or information
• Degree of verification appropriate to check payment information
• Guard against fraud with the appropriate settlement form of payment
• Avoidance of loss or duplication of transaction information
• Fraudulent transaction liability
• Legal, regulatory, and insurance requirements
• Resilience to attack of the host(s)
• The security implications of any network interconnection
Details:

10.9.2.1 Has the project team ensured electronic commerce services include the
following technical security considerations for on-line transactions:

• Electronic signatures
• User credential verification
• Confidentiality
• Privacy
• Encryption
• Secured protocols
• Information storage medium
• Physical and logical security of stored transaction information
• When using a trusted authority, integrate and embed security throughout the entire process
• Adopt controls commensurate with the level of the risk
• Legal and regulatory compliance
Details:

10.9.2.2 Has a plan been developed to test the publicly accessible system for
weaknesses and failures prior to the information being made available?

Details:

10.10 Monitoring
The Government of Saskatchewan has implemented processes to detect unauthorized information processing activities.
Systems are monitored and information security events are recorded. Operator logs and fault logging are used to ensure
information system problems are identified. The Government of Saskatchewan complies with all relevant legal and policy
requirements applicable to its monitoring and logging activities. System monitoring is used to check the effectiveness of
controls adopted and to verify conformity to an access policy model.
Description Yes No

10.10.1.1a Has the project team ensured audit logs recording user activities,
exceptions, and information security events are produced for all supported information
systems?

Details:

10.10.1.1b Has a procedure been implemented to ensure audit logs are retained for a
period of time specified by the [SaskArch], and the audit logging process is reviewed
annually?

Details:

10.10.1.1c Do audit logs include, where relevant:

• User IDs
• Dates, times, and details of key events
• Terminal identity or location
• Records of successful and rejected system access attempts
• Records of successful and rejected data and other resource access attempts
• Changes to system configuration
• Use of elevated privileges
• Use of system utilities and applications
• Files accessed and the kind of access
• Network addresses and protocols
• Alarms raised by the access control system
• Activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems
Details:

10.10.1.1d Audit logs may contain confidential information that would be of value to
potential intruders. Have audit logs been inventoried and classified, and has a formal
approval process been developed before information in logs is made publicly
available? Have privacy measures been implemented to protect log file integrity and
confidentiality?

Details:

10.10.1.2 Have procedures for monitoring system use been developed and the
following criteria been evaluated:

• Authorized access, including details such as: user ID, date and time of key events, types of events, files accessed, programs or utilities used
• Privileged operations, such as:
  o Use of privileged accounts (for example: supervisor, root, administrator)
  o System start-up and shut-down
  o I/O device attachment and detachment
• Unauthorized access attempts, such as:
  o Failed or rejected user actions
  o Failed or rejected actions involving data and other resources
  o Access specification violations and notifications for network gateways and firewalls
  o Alerts from intrusion detection systems
• System alerts or failures, especially on the monitoring system itself, such as:
  o Console alerts or messages
  o System log exceptions
  o Network management system alarms
  o Alarms raised by the access control system
  o Changes to, or attempts to change, system security settings and controls
Details:

10.10.2.1 Have procedures been developed to ensure that logging facilities and log
information are protected against tampering and unauthorized access?

Details:

10.10.2.2 Does the project ensure system administrator and system operator activities
are logged congruent with the classification of the computing asset and data residing on
the computing asset and the log will at a minimum include:

• A timestamp showing when an event occurred
• Information about the event or error
• Which account and which administrator was involved
• Which applications were involved
• Details of what was accessed during a session
• Details of what was denied during a session
Details:

10.10.2.4 Has the project ensured, where enabled by the underlying technology, all
information processing systems within the same security domain are synchronized with
an agreed accurate time source?

Details:

11 ACCESS CONTROL
11.1 Access Control Policy
Ministries control access to information and business processes on the basis of business and security
requirements. The Government of Saskatchewan controls access to information processing facilities and equipment.
Access control rules take into account policies for information dissemination and authorization.
Description Yes No

11.1.1.1a Has the project team been provided with the GOS Access Control
specification?

Details:

11.1.1.1b Has the project been implemented in compliance with the GOS Access
Control Specification?

Details:

11.2 User Access Management


Ministries, in cooperation with the ITO, have processes to ensure authorized user access and prevent unauthorized access
to information systems. Ministries, in cooperation with the ITO, have formal procedures in place to control the allocation
of access rights to information systems and services. The procedures cover all stages in the life-cycle of user access, from
the initial registration of new users to the final de-registration of users who no longer require access to information
systems and services. Special attention is given, where appropriate, to the need to control the allocation of privileged
access rights, which allow users to override system controls.
Description Yes No

11.2.1.1 Has the project developed procedures for, or referenced existing procedures
for, the registration and de-registration of access privileges for all information systems
and services that include:

• Approval process
• Unique identity
• Minimal privileges necessary to meet business requirements are issued
• Authorization and level of access must be driven by a business purpose
• Users should receive a written statement describing their access privileges
• Registration and de-registration actions must be recorded
Details:

11.2.1.2 Has the project been implemented in compliance with the GOS Password
Specification?

Details:

11.2.2.1 Has a procedure been developed to periodically, and upon change in
employment status of a user, review the access rights?

Details:

11.3 User responsibilities


The Government of Saskatchewan has implemented procedures to prevent unauthorized user access, and compromise or
theft of information and information processing facilities. The co-operation of authorized users is essential for effective
security; as such, users are made aware of their responsibilities for maintaining effective access controls, particularly
regarding the use of passwords and the security of user equipment. A clear desk and clear screen policy has been
implemented to reduce the risk of unauthorized access or damage to papers, media, and information processing facilities.
Description Yes No

11.3.1.1a Does the project ensure that end-users are required to follow the password
specification by using technologies that enforce strong passwords?

Details:

11.3.1.1b Has the project provided the Service Desk with documented methods to
assist GOS staff with password problems in a secure fashion?

Details:

11.3.2.1 Has the project provided procedures and (where necessary) supporting
physical security equipment to ensure that mobile devices and equipment have
appropriate protection?

Details:

11.3.2.2 Have the project team and any third-party service providers been advised of
the active and approved document that defines a clear desk and clear screen
policy?

Details:

11.4 Network Access Control
The Government of Saskatchewan prevents unauthorized access to networked services. The Government of Saskatchewan
ensures access to networks and related network services do not compromise the security of the network by ensuring
appropriate interfaces are in place between the organization's network and networks operated by other organizations,
public networks, and that authentication mechanisms are applied for users and equipment with control of user access to
information services enforced.
Description Yes No

11.4.1.1 Does the project implement technological controls to ensure only authorized
services are provided with access to the network, following the principle of least
privilege, and that those services have been specifically authorized for use by the
privilege management section of [AccessPol] and/or the firewall change management
process?

Details:

11.4.2.1 Does the project ensure that authentication technology solutions are highly
secure to provide reliable confidence in authentication credentials which, at a
minimum, will:

Use multi-factor authentication methods for remote users
Utilize secure encryption methods for data passed in the authentication
process
Details:

11.4.2.4a Has the project identified, by risk assessment, networks required for
segregation and their associated information assets and services, especially wireless
networks?

Details:

11.4.2.4b Does the project ensure that network access controls between domains are
implemented, appropriate to the level of risk, value of the information assets, and
performance requirements within the domain?

Details:

11.5 Operating System Access Control
The Government of Saskatchewan prevents unauthorized access to operating systems. Security facilities are used to
restrict operating systems access to authorized users. The facilities are capable of the following:
Authenticating authorized users, in accordance with a defined access control policy;
Recording successful and failed system authentication attempts;
Recording the use of special system privileges;
Issuing alarms when system security policies are breached;
Providing appropriate means for authentication;
Where appropriate, restricting the connection time of users.
Description Yes No

11.5.2.2 Does the project use the provided password management system or
implement a password management system able to enforce specific password
standards? The password management system, at a minimum, enforces:

Unique IDs for users
The ability of users to choose their own password
The use of high-quality passwords (determined by length, complexity of
character set used, and resistance to dictionary attacks)
Periodic changing of passwords, including the prevention of password
re-use for a period of time
The storage and transmission of passwords in a protected form
(including display when typing) and separated from application system
data
Details:

11.5.2.4 Has the project, where made possible by the technology in use,
implemented the use of automatic log-out or screen locking for sessions that exceed a
reasonable period of inactivity? (Technologies that do not permit session time-outs
should be used only where no feasible alternative exists)

Details:

11.5.2.5a Has the project, where made possible by the technology in use, implemented
the use of connection time limitations (such as time-of-day and session duration) for
sensitive applications in high-risk locations?

Details:

11.5.2.5b Has the project formally considered re-authentication at timed intervals for
sensitive applications in high-risk locations?

Details:

11.6 Application and Information Access Control
The Government of Saskatchewan prevents unauthorized access to information held in application systems.
Security facilities are used to restrict access to authorized users. Application systems:
Control user access to information and application system functions.
Provide protection from unauthorized access by any utility, operating system software, and malicious
software that is capable of overriding or bypassing system or application controls;
Do not compromise other systems with which information resources are shared.
Description Yes No

11.6.1.1 Does the project ensure that methods to bypass access control restrictions
are removed or disabled from applications?

Details:

11.6.2.1 Has the project considered, on a per asset basis, physically or logically
isolating information processing assets that are identified as sensitive?

Details:

11.6.2.1 Has the project, for environments that must be shared, performed a risk
assessment and implemented appropriate controls to reduce risk to shared
environments?

Details:

11.7 Mobile computing and teleworking


The Government of Saskatchewan ensures information security when using mobile computing and teleworking facilities.
The protection required is commensurate with the risks these specific ways of working cause. When using mobile
computing the risks of working in an unprotected environment are considered and appropriate protection applied. In the
case of teleworking ITO applies protection to the teleworking site and ensures that suitable arrangements are in place for
this way of working.
Description Yes No

11.7.2.1 Has the project developed procedures, authorization processes, and
operational documents to support teleworking activities that at a minimum consider:

The use of non-ITO equipment such as home networking equipment or
computers, including support considerations and insurance
Any legislation or other regulations preventing ITO from performing
intrusive security assessments on non-ITO equipment
Software licensing
Business use requirements to determine teleworking access, and
revocation of teleworking access when no longer required
Details:

12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND
MAINTENANCE
12.1 Security requirements of information systems
The Government of Saskatchewan ensures that security is an integral part of information systems. Information systems
include operating systems, infrastructure, business applications, off-the-shelf products, services, and ITO developed
applications. The design and implementation of the information system supporting the business process can be crucial for
security. Security requirements are identified and agreed prior to the development and/or implementation of information
systems. All security requirements are identified at the requirements phase of a project and justified, agreed, and
documented as part of the overall business case for an information system.
Description Yes No

12.1.1.1a Has the project formally assessed the risk and considered additional controls
where security requirements cannot be satisfied?

Details:

12.1.1.1b Was a formal testing and acquisition process followed and security
requirements identified, prior to purchasing technology products, to include in the
contract with the supplier? (Security resources must be consulted throughout the
process of any acquisition which may affect the security posture of the organization)

Details:

12.2 Correct processing in applications


The Government of Saskatchewan prevents errors, loss, unauthorized modification or misuse of information in
applications. Appropriate controls are designed into applications, including ITO developed applications to ensure correct
processing. These controls include the validation of input data, internal processing, and output data.
The Government of Saskatchewan implements additional controls as required, based on security requirements and risk
assessments, for systems that process, or have an impact on, sensitive, valuable, or critical information.
Description Yes No

12.2.1.1a Has the project ensured data input validation has been applied to:

Business transactions
Standing data
Parameter tables
Details:

12.2.1.1b Has the project formally considered the following data input validation checks:

Out-of-range values
Invalid characters or data type in data fields
Missing or incomplete data
Exceeding upper and lower data volume limits
Unauthorized or inconsistent control data
Error messages are appropriate for the type of error encountered
Details:

12.2.2.1c Has the project, when developing, modifying, or acquiring applications,
assessed the business impact of corrupt data when incorporating internal processing
controls to minimize the loss of data integrity?

Details:

12.2.2.1d Has the project formally considered these specific areas to minimize
processing failures:

Use add, modify, and delete functions to change data
Procedures to ensure programs run at the correct time, prevent
programs running in the wrong order, and running after failure of prior
processing
Use of appropriate programs to recover from failures
Protection against buffer overrun/overflow attacks
Reconciliation of data file balances after transaction updates
Validation of system-generated input data
Integrity checks on uploaded/downloaded data and software
Totals of records and files
Logging processing activities
Details:

12.2.2.2 Has the project, when developing, modifying or acquiring applications,
conducted assessments of security risks to determine if protecting message integrity in
applications is required and whether cryptographic techniques (message
authentication) or other methods should be utilized? (Message authentication is
concerned with protecting the integrity of the message, validating the identity of the
originator, and non-repudiation)

Details:

12.2.2.3 Has the project, when developing or modifying applications, included the
following application data output validation:

Define the responsibilities of all personnel involved in the data output
process
Plausibility checks
Reconciliation control counts
Provide information to determine the accuracy, completeness,
precision, and classification of the information
Procedures for responding to output validation test failures or errors
Log data output validation activities
Details:

12.3 Cryptographic controls


The Government of Saskatchewan protects the confidentiality, authenticity, and integrity of sensitive information by
cryptographic means. A policy has been developed on the use of cryptographic controls. Cryptographic key management
has been formally considered to support the use of cryptographic techniques.
Description Yes No

12.3.2.1a Has the project utilized encryption and has the key management system
been based on an agreed set of standards, procedures, and secure methods for:

Generating keys for different cryptographic systems and different
applications
Generating and obtaining public key certificates
Obtaining, revoking, withdrawing, expiration, destroying, and archiving
keys
Rules for key changes and updates
Distribution, activation, storing (including physical protection of
equipment used to generate, store and archive keys)
Compromised key
Recovering lost or corrupted keys
Logging key management activities
Keys will have an activation and expiration date
Details:

12.3.2.1b Has the project used a certification authority to ensure the authenticity of
public keys that addresses liability, reliability of services, and response times in the
contract?

Details:

12.3.2.1c Has the project utilized one of the two approved types of cryptographic
techniques:

Secret key techniques
Public key techniques
Details:

12.4 Security of system files


The Government of Saskatchewan ensures the security of system files by controlling access to system files and program
source code. IT projects and support activities are conducted in a secure manner. Care is taken to avoid exposure of
sensitive data in test environments.
Description Yes No

12.4.1.1a Has the project followed these guidelines to control the installation of
software on operational systems:

Management will authorize a release manager to coordinate the install
and update of software, applications, and program libraries
Production systems will not contain development code or compilers
User acceptance testing will be extensively and successfully tested on a
separate system prior to production implementation
A rollback strategy will be in place and previous versions of application
software will be retained
Old versions of software will be archived including configuration details
and system documentation
Program library updates will be logged
Details:

12.4.1.1b Has the project ensured vendor software will be maintained at the
supported level, and vendor access will be authorized and monitored?

Details:

12.4.1.1c Has the project ensured security software patches have been applied as
recommended by the vendor?

Details:

12.4.1.1d Has the project ensured operating systems will only be upgraded when
there is a requirement to do so?

Details:

12.4.2.1 Has the project used production data for user acceptance testing, and were
the following requirements met:

The data is modified beyond recognition before use
The production access control procedures are applied in the user
acceptance testing environment
Authorization is required every time data is copied from production to a
user acceptance testing environment
When testing is complete, the data has been erased
Details:

12.5 Security in development and support processes


The Government of Saskatchewan maintains the security of application system software and information. Project and
support environments are strictly controlled. The Government of Saskatchewan managers, responsible for application
systems, are responsible for the security of the project or support environment. They must ensure that all proposed
system changes are reviewed to ensure that they do not compromise the security of either the system or the operating
environment. Ministry application owners will be notified of security issues.
Description Yes No

12.5.1.1a Has the project tested new software (including patches, service packs, and
other updates) in an environment that is segregated from the development and
production environments? (Automated updates will not be used on critical systems)

Details:

12.5.1.1b Has the project, when introducing new systems and major changes to
existing systems, ensured that it:

Follows a formal process of:
o Documentation
o Specification
o Testing
o Quality control
o Approval
o A formally managed implementation
Includes:
o A risk assessment
o An analysis of the impacts of changes
o Specifications of security controls
o Ensure that existing security and control procedures are not
compromised
o Obtaining a formal agreement and approval for any change

Details:

12.5.2.1a Has the project implemented a process for technical review of application
control and integrity procedures which will test the impact of operating system changes
on business critical applications that, at minimum, formally considers the following:

Notification of operating system changes
Business continuity plans must be updated to reflect related changes
Details:

12.5.2.1b Has the project ensured a specific group or individual has been given
responsibility for monitoring vulnerabilities and vendors' releases of patches and fixes?

Details:

12.5.2.3 Has the project formally considered the following when outsourcing software
development:

Licensing arrangements
Code ownership
Intellectual property rights
Audit and certification of the quality and accuracy of the development
Escrow arrangements
Quality and security contractual requirements
Testing for malicious code
Details:

12.6 Technical vulnerability management
The Government of Saskatchewan reduces risks resulting from exploitation of published technical vulnerabilities.
Technical vulnerability management has been implemented in an effective, systematic, and repeatable way with
measurements taken to confirm its effectiveness. These considerations include operating systems, and any other
applications in use.
Description Yes No

12.6.1.1 Has the project established and documented effective management
procedures for technical vulnerabilities using the following guidelines:

Define and establish the roles and responsibilities for:
o Vulnerability monitoring
o Vulnerability risk assessment
o Patching
o Asset tracking
o Coordination
Information resources that identify and maintain awareness about
relevant technical vulnerabilities
Define timelines for notification reactions
Identify associated risks and the actions to be taken for potential
technical vulnerabilities
If possible, follow change management or information security incident
response procedures
Assess risks associated with patch installation compared to risks
associated with the vulnerability
Formally consider these controls:
o Test, evaluate, then install patch
o Turn off services or capabilities
o Adapting or adding access controls
o Increase monitoring
o Raise awareness
Log all procedures undertaken
Regularly monitor and evaluate the technical vulnerability management
process
Address high risk systems first
Details:

13 INFORMATION SECURITY INCIDENT MANAGEMENT
13.1 Reporting Information Security Events and Weaknesses
The Government of Saskatchewan ensures information security events and weaknesses associated with information
security are communicated in a manner allowing timely corrective action to be taken. Formal event reporting and
escalation procedures are in place. All employees, contractors and third party users are made aware of the procedures for
reporting the different types of event and weakness that might have an impact on the security of organizational assets.
They are required to report any information security events and weaknesses as quickly as possible to the ITO Service Desk.
Description Yes No

13.1.1.1 Has the project communicated to employees, contractors and third party
users of information systems and services that they are required to report any
suspicious events to the service desk?

Details:

13.1.2.1 Has the project notified employees, contractors and third party users not to
attempt to validate suspected weaknesses without specific management approval?

Details:

14 BUSINESS CONTINUITY MANAGEMENT


14.1 Information Security Aspects of Business Continuity Management
Business continuity management includes controls to, in addition to the general risk assessment process, identify and
reduce risks in order to limit the consequences of damaging incidents, and ensure that information required for business
processes is readily available. The Government of Saskatchewan counteracts interruptions to business activities to protect
critical business processes from the effects of major failures of information systems or disasters and to ensure their timely
resumption. A business continuity management process is implemented to minimize the impact on the organization and
recover from the loss of information assets (which may be the result of, but not limited to, natural disasters, accidents,
equipment failures, and deliberate actions) to an acceptable level through a combination of preventive and recovery
controls. This process identifies the critical business processes and information security management requirements of
business continuity along with other continuity requirements relating to areas such as operations, staffing, materials,
transport and facilities. The consequences of disasters, security failures, loss of service, and service availability are subject
to a business impact analysis. Business continuity plans are developed and implemented to ensure timely resumption of
essential operations. Information security is an integral part of the overall business continuity process, and other
management processes within the organization.
Description Yes No

14.1.1.1 Has the project provided documentation to identify and provide for the
continued availability of:

Critical systems, applications, assets, employees, documents, and
project information
Other services and assets when warranted and identified by a threat
and risk analysis
Details:

14.1.1.2 Has the project provided documentation to support a testing plan for the
business continuity that:

Ensures that key personnel understand the documented recovery
procedures and have the document available to them
Educates all members of the recovery teams, and their backups, of their
roles in the event of a disaster
Provides verification of the recovery strategy
Performing annual testing and review
Identify any flaws or lack of documentation in all sections of the plan
Verify that critical business functions may be recovered while simulating
disaster scenarios
Update existing plans to encompass new requirements due to business,
systems, networks, legal or contractual requirement, or personnel
changes
Test all components of the plan, including hardware, software,
personnel, data, supplier facilities and services, communications,
procedures, forms, documentation, alternate site locations
Make modifications based on test results
If a backup hot site is adopted, a parallel test should be performed.
Otherwise a simulation test should be completed
Details:

15 COMPLIANCE
15.1 Compliance with Legal Requirements
The design, operation, use, and management of information systems are subject to statutory, regulatory, and contractual
security requirements. The Government of Saskatchewan has procedures in place to avoid breaches of any legal,
statutory, regulatory, or contractual obligations, and of any security requirements.
Advice on specific legal requirements is sought from the Ministry of Justice, or suitably qualified legal practitioners.
Legislative requirements vary from country to country and may vary for information created in one country that is
transmitted to or through another country (i.e. trans-border data flow).
Description Yes No

15.1.1.1 Has the project received approval from the ministry compliance owner
(tasked with defining, documenting, and keeping updated all relevant legal, regulatory,
and contractual requirements for each information system identified as critical) that the
project meets the following compliance criteria:

The organizational approach meets all requirements
The specific controls and individual responsibilities meet all
requirements
Details:

15.1.2.2 Has the project classified records and complied with the Records Act (2004)
which details the retention period?

Details:

15.1.2.3 Has the project communicated the data protection and privacy specification
to all personnel processing personal information?

Details:

15.1.2.4 Has the project ensured all users are made aware of the precise scope of their
permitted access and of the monitoring in place to detect unauthorized use through the
signing of written authorizations?

Details:

15.2 Compliance with Security Policies and Standards, and Technical Compliance
The Government of Saskatchewan ensures the compliance of systems with organizational security policies and standards
that are regularly reviewed.
Such reviews are performed against the appropriate security policies and the technical platforms and information systems
are audited for compliance with applicable security implementation standards and documented security controls.
Description Yes No

15.2.1.1 Has the project ensured all information processing facilities have been
assessed for compliance with appropriate security policies, standards, and any other
security requirements, and ITO Security Services has a record of the assessment?

Details:

15.2.2.1a Has the project ensured penetration tests or vulnerability assessments are
planned, documented, and repeatable, and caution is exercised (as such activities can
lead to a compromise of the security of the system)?

Details:

15.2.2.1b Has the project ensured information gathered from security testing is
analyzed and recommendations are made based on the results?

Details:

15.3 Information System Audit Considerations
The Government of Saskatchewan maximizes the effectiveness of and minimizes interference to/from the information
systems audit process. There are controls to safeguard operational systems and audit tools during information systems
audits.
Protection is provided to safeguard the integrity and prevent misuse of audit tools.
Description Yes No

15.2.2.1 Has the project addressed the risk of misuse by third party auditing, by
formally considering:

Identifying the risks
Restricting physical access
Immediately changing any passwords disclosed
Clearly stating scope, rules, and limitations of the agreement
Confidentiality/non-disclosure agreements
Details:
