What IT security measures should the firm adopt? Prepare a security checklist, and be sure to consider all six security levels.

What will be an ideal response?

---

Answers will vary. Instructors can refer to the list of issues in Question 9. In addition, the following is a checklist that a company might use to assess security and prepare for future security threats and problems:

Physical Security
• Survey the security of the computer room at various times and days of the week, and attempt to enter the computer room security perimeter.
• Assure that each entrance is equipped with a suitable security device.
• Determine whether all access doors have internal hinges and electromagnetic locks equipped with a battery backup system.
• Test biometric security devices, if any.
• Test video cameras and motion sensors, if any.
• Check each server and desktop computer case to determine whether it has a locking device.
• Try to identify any server or computer case that would permit the installation of a keystroke logging device.
• Determine whether tamper-evident cases are, or could be, used.
• Find out whether monitor screensavers are being used on any server or workstation that is left unattended. See if BIOS-level passwords, boot-level passwords, or power-on passwords are in use.
• Examine notebook computers to assure that each has been marked or engraved with the company name and address, or a tamper-proof asset ID tag.
• Determine whether notebook computers have a Universal Security Slot (USS) that can be fastened to a cable lock or laptop alarm.

Network Security
• Obtain samples of network traffic to determine whether it is encrypted, with special attention to wireless networks, if any.
• If encryption is being used, determine whether it involves public key encryption (PKE).
• Determine whether private networks that involve a dedicated connection are, or could be, used.
• Determine whether virtual private networks are, or could be, used.
• Conduct a port scan to learn the existence of any service or application that monitors, or listens on a particular port.
• Assure that system firewalls are installed and operating properly, and that suitable traffic control protocols are in place.

Application Security
• List each server-based application, determine the functions and services that it provides, and disable all unnecessary applications and services.
• Review the configuration for each application to identify any potential security holes.
• Assure that each application has input validation features to reduce potential security problems. Learn how application patches and updates are handled and documented, and determine whether automatic update services, if any, pose security risks.

File Security
• Document all file permissions to assure that appropriate access is available to authorized users, and blocked to all others.
• Determine whether managing file security through user groups would reduce vulnerability and risk.

User Security
• Review the entire subject of identity management to determine whether controls and procedures are in place to identify legitimate users and system components.
• Analyze password protection policies and procedures to assure that passwords are case-sensitive, have a minimum length, and a limited duration.
• Determine whether the firm could employ new technology similar to the AOL Passcode feature to reduce the chances of unauthorized access to the system.
• Determine whether search engines or other applications are creating security risks by allowing subsequent users to retrieve previously entered data or passwords.
• Test the firm’s defenses to a social engineering attack by requesting access to data or password information.
• Survey and observe users to assure that they are complying with all applicable security policies and procedures.

Procedural Security
• Establish clear managerial policies and controls.
• Build a corporate culture that stresses security.
• Define how particular tasks are to be performed.
• Stress employee responsibility for security.
• Guard against dumpster diving.
• Use paper shredders and instruct employees as to when, why, and how they are used.
• Develop a system of classification levels and communicate it effectively.