
Found 'em... last year's questionnaire with tests.
-------- Original Message --------
Control 1: Inventory of Authorized and Unauthorized Devices
Questions:
Do you have a current inventory of authorized and unauthorized devices on your network?
If yes, does the inventory include all IT resources on campus?
Do you have a control in place to detect new devices on the network?
If yes, what controls are in place?
If yes, what areas of your network have this control in place?
If yes, do the controls in place require that a device authenticate itself before being allowed access?
If no, how is device authentication handled or managed?
Tests:
Obtain a copy of all authorized device IPs on the network. Perform a network scan to verify against the same authorized devices and show/score discrepancies. Attach an unauthorized device to an important subnet and show verification that this device would be detected and tracked down. Randomly generate spoofed MAC addresses and/or IP addresses on the important subnet to try to bypass ARP-watching capabilities.
Designate a sample segment.
Obtain a logical inventory of the sample segment.
Physically audit a sample of the asset inventory.
Logically/network audit a sample of the asset inventory.
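The "scan versus inventory" step of the Control 1 test, worked as an added example (not part of the original questionnaire): the authorized device list and the nmap grepable (-oG) scan output below are constructed samples, and the scoring rule (fraction of live hosts the inventory accounts for) is an assumption, since the questionnaire leaves the scoring to the assessor.

```python
import ipaddress
import re
from typing import Dict, Set

# Constructed sample: the authorized device list the institution hands over (IP -> asset name).
AUTHORIZED = {
    "10.20.1.10": "core-switch-01",
    "10.20.1.20": "fileserver-02",
    "10.20.1.30": "printer-lib-3",
    "10.20.1.40": "workstation-a17",
}

# Constructed sample of nmap grepable output (nmap -sn -oG -) for the same subnet.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.20.1.10 ()\tStatus: Up
Host: 10.20.1.20 ()\tStatus: Up
Host: 10.20.1.30 ()\tStatus: Down
Host: 10.20.1.40 ()\tStatus: Up
Host: 10.20.1.77 ()\tStatus: Up
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+(\w+)")

def parse_live_hosts(grepable: str) -> Set[str]:
    """Return the set of addresses that the grepable scan output reports as Up."""
    live = set()
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(2) == "Up":
            live.add(str(ipaddress.ip_address(m.group(1))))  # validates/normalises the address
    return live

def score_inventory(authorized: Dict[str, str], live: Set[str]) -> Dict[str, object]:
    """Compare the inventory with what the scan saw and score the discrepancies.
    unauthorized: live on the wire but absent from the inventory (the finding this test is after)
    missing:      in the inventory but not answering (stale record, or host down during the scan)
    score:        fraction of live hosts the inventory accounts for (1.0 = no unknown devices)
    """
    known = set(authorized)
    accounted = len(live & known)
    return {
        "unauthorized": sorted(live - known),
        "missing": sorted(known - live),
        "score": round(accounted / len(live), 3) if live else 1.0,
    }
```

Hosts that were down during the scan land in "missing" rather than "unauthorized", so a low score points at unknown devices, not at stale inventory records.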
Control 2: Inventory of Authorized and Unauthorized Software
Questions:
Do you have a list of authorized software that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses?
Do you have a software inventory tool that monitors for unauthorized software installed on each machine?
Tests:
Place an unauthorized, benign program on a managed machine. Evaluate whether an alert is generated and acted upon.
Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Questions:
Does the institution use a secure base configuration for hardware and software in one or more of the following categories: institution-owned laptops, workstations, servers?
If yes, what resources or references do you use to establish the baseline security configurations? (e.g. websites, organizations, internal recommendations)
What are the top security mechanisms employed in these configurations for each device type? (e.g. anti-virus, host-based firewall, etc.)
Is the process of deploying secure configurations automatic and/or enforced centrally?
How often are the secure configurations updated?
Tests:
Provide a workstation with a standard security configuration for review. Provide a server with a standard security configuration for review. Examine the configurations for vulnerabilities and misconfigurations inconsistent with industry standards. Validate that all software is patched. Validate that the OS is securely configured. Validate a number of deployed sample machines for compliance with the standard configuration.
Control 4: Continuous Vulnerability Assessment and Remediation
Questions:
Do you have a vulnerability assessment scanning process?
If yes, what tools are used to perform this process?
If yes, what percentage of the institution-owned devices are scanned?
Do you have a policy in place to remediate the scan results?
If yes, how are remediation processes handled? (vulnerability based, network/device based, etc.)
If yes, are there time constraints associated with the severity of the need to remediate?
If yes, are the remediated devices documented and tracked?
If no, how are vulnerabilities managed/contained within the organization?
Tests:
Perform an external vulnerability scan on all of the campus's publicly routed networks. Perform an internal vulnerability scan of a sample of campus networks from an internal network. If a scanning network is in place, scans should be performed from this network. Otherwise, scan from a reasonable, readily accessible vantage point.
Control 5: Malware Defenses
Questions:
Do you have a malware management solution deployed? Is the solution mandatory for all machines? Is the solution centrally managed? Do you have a procedure for addressing a malware incident?
Test: Deploy a piece of test malware and follow the detection and response chain.
Control 6: Application Software Security
Scope: Web facing applications
Questions: Do you perform monthly/quarterly application vulnerability scans? Do you utilize Web Application Firewalls/Proxies?
Tests: Validate scan results using a similar scanning tool. Verify that a WAF is installed between applications and users.
Control 7: Wireless Device Control
Questions: Do you detect rogue access points? How?
Tests: Stand up an AP with an unrelated SSID and follow the detection chain. Stand up an AP with a related SSID and follow the detection chain.
Control 8: Data Recovery Capability
Questions:
Are backups of critical systems created on a regular basis? Do these backups include the operating systems, application software, and data components of these systems? What media is used? Does this media have appropriate physical protection and encryption?
Tests: Select a sample of critical systems identified by the institution as being backed up. Verify backups are taking place at a reasonable interval, are restorable, and protected appropriately.
Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
Questions:
Do you have a security training or awareness program?
If yes, is this program a mandatory requirement for all faculty, staff and students?
Do you perform any periodic exercises to sample the effectiveness of security awareness?
If yes, how are these exercises performed? (phishing, social engineering, etc.)
If yes, are the exercises and results tracked and documented for reference?
Test: Perform various social engineering exercises such as phishing, leaving out USB sticks with malicious files, etc.
Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Questions:
Do you centrally manage network infrastructure configurations?
If yes, do you monitor for authorized or unauthorized changes?
Do the device configurations follow a security best practices template?
Do you have IPv6 enabled on your networking infrastructure?
If yes, do the IPv6 controls follow the same controls as IPv4?
Test: Obtain network device config and audit for compliance with industry best practices. Demonstrate a network device change and audit the resulting documentation.
Control 11: Limitation and Control of Network Ports, Protocols, and Services
Questions:
Are host-based firewalls or an equivalent control in place for all critical servers and, where appropriate, critical end-user/workstation network segments?
Do the host-based firewalls log traffic? To a central log repository?
Do you have a system or process to check for unauthorized services opened on critical servers and workstations?
Test: Select a sample of critical servers and workstations and verify that a host-based firewall or equivalent is in place and configured appropriately to only allow access to authorized services. Compare vulnerability assessment scans against an authorized service list for critical servers and workstations.
Control 12: Controlled Use of Administrative Privileges
Questions:
A. Do you have automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers?
B. Do you have an enforceable password policy?
C. Before deploying any new devices to the network, do you change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value?
D. Do you configure all administrative-level accounts to require regular password changes? How often?
E. Do you ensure that all service accounts have long and difficult-to-guess passwords that are changed on a periodic basis, as is done for traditional user and administrator passwords, at a frequent interval?
F. Are passwords for all systems stored in a well-hashed or encrypted format, with weaker formats such as Windows LANMAN hashes eliminated from the environment?
G. Are the files containing these encrypted or hashed passwords, which systems require to authenticate users, readable only with superuser privileges?
H. Do you ensure that administrator accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet? Are web browsers and e-mail clients configured to never run as administrator?
I. Through policy and user awareness, do you require that administrators establish unique, different passwords for their administrator and non-administrative accounts?
J. Do you configure passwords so that they cannot be re-used within a certain timeframe, such as six months?
K. Do you audit the use of administrative privileges for anomalous behavior?
L. Do you use two-factor authentication for high-level administration activities, such as domain administration?
Test:
Create a temporary, disabled, limited-privilege test account on a sample of systems and then attempt to change the password on the account.
Add a temporary disabled test account to a superuser group (such as a domain administrator group) to verify the review, auditing and reporting on this account.
Run a script that determines which browser and e-mail client programs are running on a sample of systems, including clients and servers. Any browsers or mail client software running with Windows administrator or Linux/Unix UID 0 privileges must be identified.
If the institution claims that all stored passwords conform to the password policy, audit a statistically significant sample of password hashes.
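The "which browsers and mail clients run as UID 0" script from the Control 12 test, written here as an added example for the Linux/Unix half of the check (not part of the original questionnaire; the Windows administrator half would need a separate collector). The list of client process names is an assumption to be extended for the site's own software, and the process table below is a constructed sample.

```python
import os
from typing import Iterable, List, Tuple

# Command names treated as browsers or mail clients (assumption: extend for the site's own software).
# /proc/<pid>/comm truncates names to 15 characters, so match on the truncated form.
INTERACTIVE_CLIENTS = {"firefox", "chrome", "chromium", "thunderbird", "evolution", "mutt"}

Proc = Tuple[int, str, int]  # (pid, command name, real uid)

def privileged_clients(procs: Iterable[Proc]) -> List[Proc]:
    """Return the browser/mail client processes whose real UID is 0 (the Control 12 finding)."""
    return [p for p in procs if p[1] in INTERACTIVE_CLIENTS and p[2] == 0]

def read_proc_table() -> List[Proc]:
    """Collect (pid, comm, real uid) for every process visible under /proc (Linux only)."""
    table: List[Proc] = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/status") as f:
                uid_line = next(ln for ln in f if ln.startswith("Uid:"))
            real_uid = int(uid_line.split()[1])  # "Uid:" real effective saved filesystem
            table.append((int(pid), comm, real_uid))
        except (OSError, StopIteration):
            continue  # process exited mid-walk, or the /proc entry is not readable
    return table

# Constructed sample of a process table, as the audit script would see it on one host.
SAMPLE_PROCS: List[Proc] = [
    (1, "systemd", 0),
    (842, "sshd", 0),
    (1203, "firefox", 1000),
    (1310, "thunderbird", 0),
    (1399, "bash", 0),
]

if __name__ == "__main__":
    for pid, comm, uid in privileged_clients(read_proc_table()):
        print(f"FINDING: {comm} (pid {pid}) is running as UID {uid}")
```

Run it as root on each sampled host so every process's status file is readable; an empty result for a host is the compliant outcome.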
Control 13: Boundary Defense
Questions:
Do you maintain a firewall at your network border?
Is any additional network segmentation in place once past the network perimeter (i.e. how squishy are you on the inside?)
Have you implemented uRPF or other mechanisms at your network perimeter to prevent spoofing on ingress and egress network traffic?
Have you deployed an IDS/IDP at your border?
Do you collect network flows or logging of network traffic at your perimeter? How long do you retain logs?
Test:
Attempt to send internal-source-spoofed ICMP/UDP packets from an external network source to the strike package. Verify that the packets are blocked.
Attempt to send an internally spoofed ICMP/UDP packet from another segment of the internal network to the strike package. Verify whether the packet arrives.
Attempt to send a bogon-sourced packet from outside the institution's network border.
Generate traffic or an attack against a live host/service that should fire an alert or a block on a reasonably configured IDS/IDP system. Verify that traffic is blocked at the time of the attack, or provide ISO/network staff with a time stamp and attack source and ask them to provide a copy of any alerts generated by the IDS system.
Generate traffic that should be blocked by a network border firewall or an internal network segment boundary. Verify that these packets are being blocked, and that netflows and/or firewall logs are being generated.
Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
Questions: Are all critical hosts and infrastructure devices logging appropriately to a remote host?
Test: Verify a sample of the historical logs.
Control 15: Controlled Access Based on the Need to Know
Questions:
A. Do you have a policy on classifying data based on the impact of exposure of the data?
B. Do your file shares have defined controls (such as Windows share access control lists) that specify at least that only "authenticated users" can access the share?
C. Is your network segmented based on the trust levels of the information stored on the servers?
Test: Create two test accounts on each of the sample systems, both client and server systems.
- For each system evaluated, one account must have limited privileges, while the other must have the privileges necessary to create files on the system.
- Evaluate whether the non-privileged account is unable to access the files created by the other account on the system.
- Verify whether this generates any alerts.
Control 16: Account Monitoring and Control
Questions:
A. Do you review system accounts and disable any account that cannot be associated with a business process and owner?
B. Do you have an automated report that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire?
C. Do you have a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor?
D. Do you regularly monitor the use of accounts, automatically logging off users after a standard period of inactivity?
E. Do you monitor account usage to determine dormant accounts that have not been used for a given period?
F. When a dormant account is disabled, do files associated with that account get encrypted and moved to a secure file server for analysis by security or management personnel?
G. Are non-administrator accounts required to have a minimum length of 12 characters, contain letters, numbers, and special characters, be periodically changed, have a minimum age of one day, and not be allowed to use any of the previous 15 passwords as a new password?
H. After eight failed log-on attempts within a ___-minute period, do your accounts lock out for a period of time? How long?
I. Do you monitor attempts to access deactivated accounts?
Test: Verify that the list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire has successfully been produced on a daily basis for the previous 30 days, by reviewing archived alerts and reports to ensure that the lists were completed. In addition, a baseline of allowed accounts must be compared to the accounts that are active on all systems, and a report of all differences must be created from this comparison.
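The daily account report and the baseline comparison from the Control 16 test, worked for Linux /etc/shadow records as an added example (not part of the original questionnaire). The shadow lines, the "today" value and the baseline are constructed samples; the hash fields are placeholders, and the classification rules below (what counts as locked, disabled, never-expiring) are the assumptions stated in the comments.

```python
from typing import Dict, List, Set

# Constructed sample shadow records. Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (day counts are days since 1970-01-01; the hashes are placeholders, not real).
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER:19000:0:99999:7:::
alice:$6$PLACEHOLDER:19700:1:90:7:::
bob:!$6$PLACEHOLDER:19500:1:90:7:::
svc_backup:*:18000:0:99999:7:::
carol:$6$PLACEHOLDER:19750:1:90:7::19600:
dave:$6$PLACEHOLDER:19790:1:90:7:::
"""
TODAY = 19800                          # constructed "today" (days since epoch) so results are reproducible
BASELINE = {"root", "alice", "carol"}  # constructed list of accounts the institution says should exist

def shadow_report(shadow_text: str, today: int) -> Dict[str, List[str]]:
    """Classify every account into exactly one list, mirroring the daily report in question B."""
    report: Dict[str, List[str]] = {k: [] for k in
        ("locked", "disabled", "password_expired", "never_expires", "active_compliant")}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, pw, lastchg, _min, max_age, _warn, _inact, expire, _ = line.split(":")
        if pw.startswith("!"):                                   # passwd -l / usermod -L style lock
            report["locked"].append(name)
        elif pw == "*" or (expire and int(expire) <= today):     # no usable hash, or account expiry passed
            report["disabled"].append(name)
        elif not max_age or int(max_age) >= 99999:               # no maximum age: password never expires
            report["never_expires"].append(name)
        elif lastchg and today - int(lastchg) > int(max_age):    # past the maximum password age
            report["password_expired"].append(name)
        else:
            report["active_compliant"].append(name)
    return report

def compare_to_baseline(baseline: Set[str], report: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Diff the accounts that can still log in against the baseline of allowed accounts."""
    usable = (set(report["active_compliant"]) | set(report["password_expired"])
              | set(report["never_expires"]))
    return {"not_in_baseline": sorted(usable - baseline),
            "baseline_not_found": sorted(baseline - usable)}
```

Locked and disabled accounts are deliberately left out of the baseline diff, so "baseline_not_found" surfaces allowed accounts that have been disabled and "not_in_baseline" surfaces live accounts nobody approved.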
Control 17: Data Loss Prevention
Questions:
A. Do you deploy approved hard drive encryption software to mobile machines that hold sensitive data?
B. Do you analyze outbound traffic looking for anomalies?
C. Do you monitor perimeters for certain sensitive information (i.e., personally identifiable information) and keywords, for unauthorized attempts to exfiltrate data across network boundaries?
D. Do you conduct periodic scans of server machines using automated tools to determine whether sensitive data (i.e., personally identifiable, health, credit card, and classified information) is present on systems in clear text?
E. Do you use secure, authenticated, and encrypted mechanisms to move data between networks?
F. Is data stored on removable and easily transported storage media such as USB tokens (i.e., "thumb drives"), USB portable hard drives, and CDs/DVDs encrypted automatically without user intervention?
Test:
Attempt to transfer large data sets across network boundaries from an internal system.
Attempt to transfer test data sets of personally identifiable information (that trigger DLP systems but do not contain sensitive data) across network boundaries from an internal system (using multiple keywords specific to the business).
Attempt to maintain a persistent network connection for at least 10 hours across network boundaries between an internal and an external system, even though little data may be exchanged.
Attempt to maintain a network connection across network boundaries using an anomalous service port number between an internal and an external system.
Insert a USB token into an organization system and attempt to transfer example test data to the USB device.
Control 18: Incident Response Capability
Questions: Do you have an incident response plan? Has it been documented and tested?
Test: Examine incident response plan against incident standards. Examine documentation of a previous incident response.
Control 19: Secure Network Engineering
Questions: Do you have proper network maps? Is your network segmented based on use and sensitivity? Are your sensitive or regulated networks segmented from the general network? (PCI, HIPAA)
Test: Review the external vulnerability scan and review access to a sample of internal networks. Review network maps for proper segmentation.
Control 20: Penetration Tests and Red Team Exercises
Questions: Do you perform monthly/quarterly penetration tests on your systems?
Test: Examine previous pen-test results and compare against industry standards. Spot check pen-test results for accuracy.
participants (1)
-
Andrew Goble