Network Security Assessment Checklist

This network assessment checklist is taken from Managing a Network Vulnerability Assessment  by Thomas R. Peltier, Justin Peltier and John A. Blackley.  What do you think? To much or?

1. Unique user ID and confidential password required    
2. Additional identification required for remote access
3. "Help" screen access available to logged-on users only
4. Last session date and time message back to user at sign-on time
5. Exception reports for disruptions in either input or output
6. Session numbers for users/processors that are not constantly logged in
7. Notification to users of possible duplicate messages
8. Threshold of errors and consequential retransmission on the network related to management via automatic alarms
9. Encryption requirements    
10. Encryption key management controls
11. Message Authentication Code requirements for nonencrypted sensitive data transmission
12. System authentication at session start-up (wiretap controls)
13. Confirmation of host log-off to prevent line grabbing
14. Downloading controls for connected intelligent workstations
15. User priority designation process
16. Transaction handling for classified communications
17. Trace and snapshot facilities requirements
18. Log requirements for sensitive messages
19. Alternate path requirements between nodes
20. Contingency plans for hardware as well as all usual system requirements
21. Storage of critical messages in redundant locations
22. Packet recovery requirements
23. Physical access for workstations when units are not in use
24. Control units, hubs, routers, cabinets secured
25. Environmental control critical requirements
26. Segregation for sections of the network that are deemed "untrustworthy"
27. Gateway identification for authorized nodes
28. Automatic disable of a user/account, line or port if evidence an attack is underway
29. Naming convention to distinguish test messages from production
30. User switching application controls
31. Time-out reauthorization requirements
32. Password changes (time/length/history) requirements
33. Encryption requirements for passwords, security parameters, encryption keys, tables, etc.
34. Shielding requirements for fiber-optic lines
35. Controls to prevent wiretapping
36. Reporting procedures for all interrupted telecommunication sessions
37. Identification requirements for station/ terminal access connection to network
38. Printer control requirements for classified information
39. Appropriate "welcome" connection screens
40. Dial-up access control procedures
41. Anti-daemon dialer controls
42. Standards for equipment, applications, protocols, operating environment
43. Help desk procedures and telephone numbers
44. Protocol converters and access method converters dynamic change control requirements
45. LAN administrator responsibilities
46. Control requirements to add nodes to the network
47. Telephone number change requirements
48. Automatic sign-on controls
49. Telephone trace requirements
50. FTP access controlled
51. Are patches tested and applied?
52. Software distribution current
53. Employee policy awareness
54. Emergency incident response plan/procedure
55. Internal applications control
56. Proper control of the development environment
57. Software licensing compliance review
58. Portable device (laptop/notebook/PDA) handling procedures
59. Storage and disposal of sensitive data/information
60. Default password controls and settings
61. Review of off-site storage for disaster recovery resources
62. Unnecessary services disabled
63. Client server data transfer analyzed and secured
64. Restrict telnet and r-commands (rlogin, rsh, etc.)
65. Configuration management procedures
66. Tracking port scans
67. Review monitoring responsibilities
68. Separation between test and production environment
69. Strong dial-in authentication
70. System administrator training
71. Voice system protection procedures
72. Tunneling for all remote access (inbound or outbound)
73. Encryption of laptops
74. Management awareness
75. Program and system change control procedures
76. Open "inbound" modem access for vendor support
77. Modem usage policy
78. Incident event coordination (procedures)
79. Intrusion detection system (IDS) implementation and monitoring
80. Monitoring Web site from attack (internal and external)
81. Domain Name Server monitoring
82. Hardware maintenance requirements
83. Hard drive repair, maintenance, and disposal procedures
84. BIOS (Basic Input/Output System) boot order
85. E-mail content policy and monitoring
86. E-mail forwarding policy (hopping)
87. Spamming controls and testing procedures
88. Employee termination and credential disablement
89. After-hours sign-in logs
90. Network sniffer policy, procedures, and monitoring
91. Validity of e-mail accounts
92. Background checks before hiring
93. Administrator accounts and password controls
94. Time synchronization procedures
95. Establishment of a Security Committee
96. Testing process for LAN applications
97. Business unit security person designated
98. Log and review of all Administrator changes
99. Review and resolution of past audit comments
100. Audit logs secured.