Committee Reports::Special Report - Computer Security in Government Departments and Offices::30 November, 1990::Appendix

APPENDIX A

COMPUTER SYSTEM SECURITY QUESTIONNAIRE


PUBLIC ACCOUNTS COMMITTEE

Computer System Security Questionnaire

A computer system for the purposes of this questionnaire is taken to mean all hardware, software, applications (financial and other) and word processing.


Computer System Security is defined as being the protection of the confidentiality, integrity and availability of information provided through a computer system and of the computer system itself.


You are requested to complete the enclosed questionnaire which will provide the basis for the Public Accounts Committee’s examination of the adequacy of Computer System Security in Government Departments/Offices.


The Questionnaire is broken down into 3 sections:

1. Description of Organisation and Computer Facilities

2. Computer System Security Checklist

3. Risk Assessment and Incidence of Loss.


PRIVATE AND CONFIDENTIAL


Part 1 - Description of Organisation and Computer Facilities

Organisation


Title of Organisation _______________________________________________

Contact Name __________________________

Phone No ____________

Ext __________

Principal Location _______________________________________________

Number of Separate Locations ___________

Number of Computer Centres___________

Total Number of Staff (see note 1) ___________

Number of Computer Staff (see note 2) ___________

Departmental Expenditure/Revenue Estimate 1990 £ ____________

Computer Facilities

                                       Tick if      Quantity    No of Terminals    Make/Model
                                       applicable               Served
Standalone PC (incl wordprocessors)    [ ]          ________                       ________________________
LAN                                    [ ]          ________    ________           ________________________
Mini                                   [ ]          ________    ________           ________________________
Mainframe                              [ ]          ________    ________           ________________________
Telecommunications (see note 3)        [ ]                      ________           ________________________

Summary of Application Systems

Ref no         Name of System               No of online   Confidentiality of   How critical is the
(see note 1)                                users          Data (VH/H/M/L)      system? (H/M/L) (see note 2)
1              _________________________    __________     _______________      __________________
2              _________________________    __________     _______________      __________________
3              _________________________    __________     _______________      __________________
4              _________________________    __________     _______________      __________________
5              _________________________    __________     _______________      __________________
6              _________________________    __________     _______________      __________________
7              _________________________    __________     _______________      __________________
8              _________________________    __________     _______________      __________________
9              _________________________    __________     _______________      __________________
10             _________________________    __________     _______________      __________________
11             _________________________    __________     _______________      __________________
12             _________________________    __________     _______________      __________________
13             _________________________    __________     _______________      __________________
14             _________________________    __________     _______________      __________________
15             _________________________    __________     _______________      __________________

Key: VH (Very High), H (High), M (Medium), L (Low)

Part 2 - Computer System Security Checklist

NOTE:

(a) Organisations whose computer base consists solely of standalone PCs should respond only to questions 1.1 - 1.5.

(b) For other Organisations each question should be answered in respect of all computer configurations operated by Departments/Offices.

1. Microcomputers

1.1 Are there documented procedures and standards for the security of software held on microcomputers which cover:
                                                              YES    NO
    (Please tick appropriate box)
    development of software?                                  [ ]    [ ]
    testing of software?                                      [ ]    [ ]
    prohibition of unlicensed software?                       [ ]    [ ]
    protection against viruses?                               [ ]    [ ]

1.2 How often is software on microcomputers checked to identify unlicensed software and viruses?
    Quarterly [ ]    Annually [ ]    Never [ ]

1.3 Are there written procedures and standards for the security of data stored on microcomputers which cover:
                                                              YES    NO
    (Please tick appropriate box)
    backup of data?                                           [ ]    [ ]
    storage of diskettes?                                     [ ]    [ ]
    physical controls over access?                            [ ]    [ ]
    appropriate controls (e.g. passwords) to prevent
    unauthorised access?                                      [ ]    [ ]
    use of lock-up devices such as keyboard locks?            [ ]    [ ]
    encryption of sensitive data?                             [ ]    [ ]

1.4 Are the security procedures regularly reviewed for compliance?

1.5 Are effective input controls in place to ensure the integrity of data?
2. Organisational Controls

2.1 Does the organisation have a written computer security policy? If yes, please append copy.

2.2 Does your organisation have a designated individual responsible for monitoring security?

2.3 Has your organisation’s computer security ever been reviewed by a third party? (date / / )

2.4 Is your organisation’s computer security regularly evaluated by an internal group?

2.5 Is security included in staff courses?

2.6 Is the principle of separation of duties enforced at all stages of the data processing cycle?

2.7 Does each system have prescribed clerical control procedures to complement computer-based controls?

3. Physical Security

3.1 Is hardware and communications equipment at all sites protected against:
    Fire?
    Vandalism?
    Water?
    Temperature and humidity problems?

3.2 Is there an uninterruptible power supply installed?

3.3 Are all visitors to the computer area:
    Identified?
    Logged?
    Supervised?

3.4 Is there a secure storage area for sensitive and valuable documents (including stationery and negotiable instruments) and magnetic media?

3.5 Is there security for sensitive material in transit?

4. Logical Access Controls

4.1 Are all individuals required to enter a valid identifier and a unique, non-shared password before any access to the system(s) is permitted?

4.2 Have default passwords, demonstration passwords and passwords used by engineers been removed or disabled?

4.3 Are unauthorised access attempts automatically logged, reviewed and followed up?

4.4 Is there an access control software package in use? (provide details)
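Questions 4.2 and 4.3 ask whether unauthorised access attempts are logged and then actually reviewed and followed up. The following is an added illustration of what that automatic review can look like; it is not part of the questionnaire or of any Department's system. The log layout, the account and terminal names, the thresholds and the list of demonstration accounts are all constructed for the example.

```python
"""Automatic review of logged unauthorised access attempts (Part 2, 4.2 and 4.3).

Added example, not part of the questionnaire. The log layout, account and
terminal names, thresholds and the list of demonstration accounts are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication audit log: timestamp, result, user identifier, source.
SAMPLE_LOG = """\
1990-11-05T08:01:12 OK   jmurphy term07
1990-11-05T08:02:40 FAIL payroll dialup2
1990-11-05T08:02:55 FAIL payroll dialup2
1990-11-05T08:03:10 FAIL payroll dialup2
1990-11-05T08:03:25 FAIL payroll dialup2
1990-11-05T08:03:41 OK   payroll dialup2
1990-11-05T08:10:02 FAIL jmurphy term07
1990-11-05T08:10:30 OK   jmurphy term07
1990-11-05T09:15:00 FAIL demo    term12
1990-11-05T09:15:09 FAIL field   term12
1990-11-05T09:15:20 FAIL guest   term12
"""

# Demonstration/engineer accounts that question 4.2 expects to be disabled
# (constructed list; any attempt against them, failed or not, is reported).
DEFAULT_ACCOUNTS = {"demo", "field", "guest"}


def parse_log(text):
    """Turn the log text into (timestamp, result, user, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, result, user, source = line.split()
        events.append((datetime.fromisoformat(stamp), result, user, source))
    return events


def review(text, threshold=3, window=timedelta(minutes=5)):
    """Return (kind, subject, detail) findings that warrant follow-up.

    failure-burst:           `threshold` or more failures for one user from one
                             source within `window`
    success-after-burst:     a successful login following such a burst (the
                             case most likely to be a guessed password)
    default-account-attempt: any attempt against a demonstration account
    account-sweep:           `threshold` or more distinct users tried from one
                             source within `window` (account enumeration)
    """
    findings = []
    fails = defaultdict(list)       # (user, source) -> recent failure times
    bursts = set()                  # (user, source) keys already reported
    per_source = defaultdict(list)  # source -> (time, user) of recent failures
    swept = set()                   # sources already reported for a sweep
    for stamp, result, user, source in parse_log(text):
        key = (user, source)
        if user in DEFAULT_ACCOUNTS:
            findings.append(("default-account-attempt", user, source))
        if result == "FAIL":
            recent = [t for t in fails[key] if stamp - t <= window] + [stamp]
            fails[key] = recent
            if len(recent) >= threshold and key not in bursts:
                bursts.add(key)
                findings.append(("failure-burst", user,
                                 f"{len(recent)} failures from {source}"))
            per_source[source] = [(t, u) for t, u in per_source[source]
                                  if stamp - t <= window] + [(stamp, user)]
            tried = {u for _, u in per_source[source]}
            if len(tried) >= threshold and source not in swept:
                swept.add(source)
                findings.append(("account-sweep", source, ", ".join(sorted(tried))))
        else:
            if key in bursts:
                bursts.discard(key)
                findings.append(("success-after-burst", user, source))
            fails[key] = []
    return findings


if __name__ == "__main__":
    for kind, subject, detail in review(SAMPLE_LOG):
        print(f"{kind:24} {subject:10} {detail}")
```

The point of the "success-after-burst" finding is that a log which is merely kept, but never correlated, will show the payroll login at 08:03:41 as a normal successful access; only reading it against the four failures immediately before it makes it the item to follow up first.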

5. Operations Controls

5.1 Is a detailed job schedule produced containing authorised jobs for a specified period and are changes to this schedule authorised and controlled?

5.2 Is there a regular review of actual jobs run against the authorised schedule and does this include all ad hoc and emergency jobs?

5.3 Is there a formal incident/error reporting procedure including automatic follow-up?

5.4 Can operators access or alter production systems and data by permission or by use of utilities?

5.5 Is sensitive output identified and supervised?

5.6 Are there written operating instructions for all systems?

6. Backup and Recovery

6.1 Is all production software and data backed up?

6.2 Are copies of all production software and data held at a secure off-site location?

6.3 Are backup files reconciled (e.g. check totals) before they are transported off-site?

6.4 Are stored backups regularly tested to ensure that they would work in an emergency?

7. Contingency

7.1 Is there a documented contingency plan to cater for total or partial loss of your computer system? (append copy)

7.2 Was the contingency plan ever tested? (date last tested in full / / )

8. Telecommunications

8.1 Are all external users limited to particular systems?

8.2 Are all modems disconnected when not in use?

8.3 Are external users monitored to detect attempts at unauthorised logging in?

8.4 Is there a method of authorisation used to confirm that messages come from an authorised source?

8.5 Are there dial-up facilities including remote diagnostics?

8.6 Are there authorisation procedures and call back devices on dial-up ports?

8.7 Is sensitive data encrypted during transmission?
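Question 8.4 asks for a method of confirming that a message comes from an authorised source; question 8.7 asks separately about encryption, because the two are different controls. The following added example, which is not part of the questionnaire or of any Department's system, shows the origin check on its own: each message carries a keyed hash (HMAC-SHA256) over the sender identifier, a sequence number and the body, and the receiver verifies the tag under that sender's pre-shared key before accepting the message, rejecting altered, replayed and unknown-source messages. The wire layout, the station names and keys, and the sequence-number rule are assumptions made for the example; the message body itself is not hidden, so this satisfies 8.4 but not 8.7.

```python
"""Confirming that a message comes from an authorised source (Part 2, 8.4).

Added example, not part of the questionnaire. The wire layout
(sender|sequence|body|tag), the pre-shared keys and the sequence-number rule
are assumptions made for illustration; key distribution and rotation are not
shown. The body is authenticated, not encrypted.
"""
import hashlib
import hmac


def seal(key, sender, seq, body):
    """Sender side: one HMAC-SHA256 tag over sender id, sequence number and body."""
    header = f"{sender}|{seq}|".encode("ascii")
    tag = hmac.new(key, header + body, hashlib.sha256).hexdigest()
    return header + body + b"|" + tag.encode("ascii")


class Receiver:
    """Receiver side: accepts a message only if the tag verifies under the
    sender's key and the sequence number is higher than the last accepted one."""

    def __init__(self, keys):
        self.keys = keys        # sender id -> shared key (assumed pre-distributed)
        self.last_seq = {}      # sender id -> highest sequence number accepted

    def accept(self, wire):
        """Return (body, "ok") or (None, reason)."""
        try:
            sender_b, seq_b, rest = wire.split(b"|", 2)
            body, tag = rest.rsplit(b"|", 1)   # the body itself may contain "|"
            sender, seq = sender_b.decode("ascii"), int(seq_b)
        except ValueError:
            return None, "malformed"
        key = self.keys.get(sender)
        if key is None:
            return None, "unknown sender"
        expected = hmac.new(key, sender_b + b"|" + seq_b + b"|" + body,
                            hashlib.sha256).hexdigest().encode("ascii")
        # Constant-time comparison, so timing does not reveal how much of the tag matched.
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag"
        # The tag is checked before the sequence number, so an unauthenticated
        # message cannot advance the counter and block genuine traffic.
        if seq <= self.last_seq.get(sender, -1):
            return None, "replay"
        self.last_seq[sender] = seq
        return body, "ok"


def demo():
    """Walk through genuine, replayed, altered and unknown-source messages."""
    key = b"constructed-demo-key-not-for-real-use"
    rx = Receiver({"DUBLIN01": key})
    outcomes = []
    m1 = seal(key, "DUBLIN01", 1, b"PAY 0002 9900")
    outcomes.append(rx.accept(m1)[1])                      # genuine
    outcomes.append(rx.accept(m1)[1])                      # same message sent again
    # Alter the amount but keep the original tag (the tag is the last 64 hex characters).
    forged = m1[:-64].replace(b"9900", b"9990") + m1[-64:]
    outcomes.append(rx.accept(forged)[1])
    outcomes.append(rx.accept(seal(key, "DUBLIN01", 2, b"PAY 0003 4575"))[1])
    outcomes.append(rx.accept(seal(b"other-key", "CORK02", 1, b"PAY 0004 100"))[1])
    return outcomes


if __name__ == "__main__":
    for label, outcome in zip(["genuine", "replay", "altered", "next", "unknown"], demo()):
        print(f"{label:8} -> {outcome}")
```

The sequence number is what turns a bare authenticity check into protection against a captured genuine message being re-sent; without it the second copy of the payment instruction would verify just as well as the first.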

9. Software Integrity

9.1 Are formal written standards in place for the different stages of an application system development project?

9.2 Are all changes to production systems initiated by formal change requests authorised by users?

9.3 Are user areas required to acceptance test systems before implementation?

9.4 Are the procedures for promoting systems from test to live production such that only authorised changes may be made to live systems?

9.5 Is software sourced and/or modified by third parties subject to the same testing/acceptance procedures as that developed in-house?

10. Database Administration

10.1 Is there a formal database administrator’s role which is segregated from systems programming, day to day operations, application programming and maintenance and end user access?

10.2 Is the availability and use of powerful database utilities subject to formal controls and review?

10.3 Are transaction recovery logs maintained for control, audit and recovery using a separate physical device from that holding the database?

10.4 Is the integrity and consistency of the database regularly reviewed?

Part 3 - Risk Assessment and Incidence of Loss

1. Management Overview
                                                                                                   YES    NO
(Please tick appropriate box)
Have you identified the potential threats to your computer systems within the past year?          [ ]    [ ]
Have you documented the risks posed by these threats?                                             [ ]    [ ]
Have you undertaken a formal risk assessment project?                                             [ ]    [ ]
Do you believe that there may be a level of unauthorised access/fraud which is currently
going undetected?                                                                                 [ ]    [ ]
Do you believe that there is an error rate inherent in current systems which results in
incorrect processing or output?                                                                   [ ]    [ ]
2. Incidents

Classify below any incidents in the last two years which adversely affected the availability, integrity or confidentiality of the computer system (indicate the number of incidents in each box).

Loss/Cause                    Minor        Significant    Crippling
Natural Hazard                ________     ________       ________
System Failure                ________     ________       ________
Error                         ________     ________       ________
Fraud                         ________     ________       ________
Malicious Act                 ________     ________       ________
Loss of Confidential Data     ________     ________       ________
Industrial Action             ________     ________       ________

If you experienced any loss, how was it discovered? Was it by:
    Control Systems              [ ]
    Accident                     [ ]
    Internal Audit               [ ]
    Client/Supplier Complaint    [ ]
    C & A G                      [ ]
    Other                        [ ]

3. Risk Assessment

From the following list, what in your opinion are the five principal areas of risk to your organisation arising from the use of computer systems? Please rank these in order of priority 1 - 5 (1 = highest risk).

Program error giving inaccurate result                                                 ____________
Serious organisational disruption because of major computer fault                      ____________
Loss or destruction of important data - either accidentally or deliberately            ____________
Confidential information being leaked - either internally or externally                ____________
Fraud perpetrated by member of staff                                                   ____________
Telephone access by unauthorised 3rd party                                             ____________
Misuse of computer time by operators                                                   ____________
Destruction of computer equipment                                                      ____________
Operator mistake giving rise to payments of incorrect amounts or double payments       ____________
Incorrect input being accepted through insufficient checking                           ____________
External fraud                                                                         ____________

4. Security Related Spending

Approximately what proportion of your total Computer / IT budget is devoted to computer security?

                   %
Last Year          ____________
Current Year       ____________
Next Year          ____________

Notes to Part 1 (Organisation and Computer Facilities)

1 Please provide an appropriate organisation chart.

2 Please provide a detailed organisation chart of the Computer Department (including the number of staff in each section of the department).

3 Please provide a diagram of the computer networks in use, identifying communications links to other computers and terminals at remote locations. Indicate on the diagram whether communications links are provided by leased lines, packet switching network, or dial-up phones.

Notes to Summary of Application Systems

1 Attach additional information if appropriate (clearly indicate the ref no).

2 In terms of availability and reliability.