Title Page
- Conducted on:
- Prepared by:
- Location:
End User Controls – Sample 5 – 10%
Ownership of Assets
- Are computers named correctly for assigned owners? – Sample 5 – 10%
- Are computers/servers correctly assigned ownership in ServiceNow? – Sample 5 – 10%
Access Control
- Is there any evidence of passwords written down?
- Do local PCs get the privacy pop-up after BitLocker? (Can ask the user – no need to reboot)
- Do end-user systems have Anti-Virus, Forcepoint, ForeScout & System Center installed?
- Is web filtering working? (Test websites)
- Are patches properly installed or failing? (Check Software Center)
Facility Level Controls
- Are there visitor safety tri-fold brochures at the front desk?
- Is there unused equipment on-site?
  - Where is it stored?
  - Is it secured?
  - Who has access?
- Are there any rogue wireless networks?
Physical & Environmental Security
Physical Security Perimeter
- Is the facility secured by an electronic badge/FOB system?
  - What system? (ADT or other)
  - Is it managed by TRC or a 3rd party?
  - Are all external doors covered by the system?
  - Is the server room covered by the system?
  - What 3rd parties have been assigned badge access to the facility?
  - Who manages the badges locally?
  - Are unused badges secured?
- Is the office monitored by video/camera?
  - Are all entrances/exits covered by the cameras?
- Are the primary doors secured 24/7?
  - If primary doors are unsecured during business hours, is there always a receptionist present?
- Are all non-primary doors secured during the day?
- Is there a visitor sign-in log at the front desk?
- Are office visitors issued visitor badges or tags upon sign-in?
  - Do they provide facility access?
Delivery and Loading Areas
- Is there a delivery/loading area in the facility?
  - Does it connect into TRC space?
  - Is access to TRC space from the loading dock secured when not in use?
  - Is the delivery/loading area proximate to the local server room, server or networking equipment?
Equipment Siting and Protection
- Is local unused IT equipment secured?
  - Who has access?
Supporting Utilities
- Does the facility have backup power (generator)?
  - Is the generator managed by TRC?
  - Who manages it?
  - Who is responsible for managing it?
  - What type of power does it use (Diesel, Propane, Natural Gas, Other)?
  - How often is it tested?
  - When was the last time it was tested?
- Is there a UPS for the server & networking equipment?
  - Are all the servers & networking equipment attached to the UPS?
  - Questions for IT Ops:
    - How often is the UPS tested?
    - When was the last test?
    - Is an automatic notification configured for battery replacement and for when the UPS?
    - What is the expected run time for the UPS?
    - When was the battery last replaced?
Unattended User Equipment
- Are there unattended systems in the office?
- Are any unlocked?
  - How many?
Clean Desk Policy
- Are there unclaimed documents on the printers/copiers?
- Are laptops left in the office overnight?
- Are there shred bins in the office?
  - Are they locked?
  - Can documents be manually removed from them?
Server Room Controls – Only necessary if there is a Server Room
- Is there a server room at this location?
Secure log-on procedure – Local Office
- Do the local servers have Anti-Virus, Endpoint Protection & firewalls?
Securing offices, rooms and facilities – Server Rooms
- Is the server room in TRC space or shared space in the facility?
- Is the server room secured 24/7?
- Is there an access list with building management stating who may request access?
- If there is camera/video surveillance in the office, is the server room door being monitored?
- If there is a badge/fob system in the office, is the server room door secured by it?
  - Which TRC employees have access?
  - Do any 3rd parties have access?
    - If yes, who?
- How is the server room door secured?
  - Is there a documented list of who has access?
  - Are keys stored appropriately?
  - Is there a lost/stolen key policy?
  - 1. Is there a documented list of who has access?
  - 2. Is there a documented list of employee codes?
    - a. If yes, who has access and how is it secured?
    - b. Have terminated employee codes been removed?
  - Other?
- Does the lock-set on the server room auto-unlock?
- Is there a server room sign-in sheet in the server room?
  - Is it by the server room door? (Take picture) (Video)
  - If yes, inside or outside?
  - When was the last documented time the server room was accessed?
- Is the appropriate signage on the server room door?
- Is the server/network equipment in a lockable rack/cabinet?
  - What type of lock – key, code, other?
  - Is the rack locked?
  - Who has access to keys?
  - Where are keys stored?
- Does the cleaning staff have access to the server room?
- Is there dedicated AC in the server room?
  - What are the hours of operation?
  - What is the temperature setting?
- Is there a spot cooler in the server room?
  - Does water need to be manually dumped?
  - What is the temperature setting?
  - What are the hours of operation?
- Is the server room cooled by regular building AC?
  - What is the temperature setting?
  - What are the hours of operation?
- Is the server room adequately ventilated?
- Is there a temperature monitor/sensor in the local UPSs? (Verify with IT Ops)
  - Where & how? (i.e., dedicated or part of another device)
- Does the server room have dedicated power circuits?
- Are all power cables/wires in the server room covered to prevent trip hazards?
- Is there a fully charged/certified Class C fire extinguisher in the server room?
  - When was it last inspected?
  - Is it expired?
- Are the server room and the area around the server free from clutter, boxes or paper?
- Are there old laptops (or other IT equipment) stored in the server room?
  - Are they just stored in the room or additionally secured?
- Is there non-IT equipment stored in the server room?
- Sweep the server room?
Protecting against external and environmental threats
- Is there an emergency power shutoff switch in the server room?
Equipment Maintenance
- Is all the server/enterprise network equipment under maintenance contract?
Cabling Security
- Are server rooms in the facility secured 24/7?
- Are telecom rooms in the facility secured 24/7?
Open Area Server Controls – Only necessary if there is a Server / Switch in an Open Area
- Is the server/switch in an open area?
- Is the server/network equipment in a locked cabinet?
  - What type of lock – key, code, other?
  - Is the rack locked?
  - Who has access?
  - Where are keys stored?
  - Is there an alerting mechanism when the cage is opened?
- If there is camera/video surveillance in the office, is the server/network equipment/cabinet being monitored?
- Does the facility AC operate 24/7?
  - What hours does the AC operate?
- Is there a spot cooler to supplement?
  - Does water need to be manually dumped?
  - What is the temperature setting?
- Is there a temperature monitor/sensor in the local UPS? (Verify with IT Ops)
- Does the server/network equipment have dedicated power circuits?
- Are 3rd party individuals requesting access to the equipment/rack escorted or monitored at all times?
- Are all power cables/wires covered/secured to prevent trip hazards?
- Are monitors/keyboards for connecting to servers secured when not in use (i.e., not connected)?
- Is all the server/enterprise network equipment under maintenance contract?
Other Server/Equipment Controls – Only necessary if stored outside of a Server Room and not in an open area
- Are servers/switches stored outside of a server room and not in an open area (i.e., running in a closet, office, etc.)?
- If there is camera/video surveillance in the office, is the server/network equipment being monitored?
- Does the facility AC operate 24/7?
  - What hours does the AC operate?
- Is there a spot cooler to supplement?
  - Does water need to be manually dumped?
  - What is the temperature setting?
- Is there a temperature monitor/sensor in the local UPS? (Verify with IT Ops)
- Does the server/network equipment have dedicated power circuits?
- Are 3rd party individuals requesting access to the equipment/rack escorted or monitored at all times?
- Are all power cables/wires covered/secured to prevent trip hazards?
- Are monitors/keyboards for connecting to servers secured when not in use (i.e., not connected)?
- Is all the server/enterprise network equipment under maintenance contract?