This section assesses the security controls of applications and servers using two methods. The first method asks questions designed to determine whether low level, medium level, or high level controls are in place. It provides questions to determine what level of controls is being applied in the following areas:
Medium Level Application Controls
High Level Application Controls
Medium Level Server Controls
High Level Server Controls
The second method provides statements of what is required for both the application and the server to meet low, medium, or high level security controls.
Low Level Application Requirements
Medium Level Application Requirements
High Level Application Requirements
Medium Level Server Requirements
High Level Server Requirements
Application items that are issues regardless of the security control level
How is user authentication handled and is it secure?
How are users authenticated?
Will they use passwords, tokens, Active Directory?
What authentication protocols will be used?
Account management - Who will manage the user accounts, and will this add maintenance cost to the project?
Consider data location and network paths - Which ports need to be open, and between which network zones? Provide a data flow diagram including the following information:
The data flow.
Data flow triggers indicating when data is exchanged.
Restrictions on data flow such as from specific IP addresses.
Direction of data flow.
The type of data (for example, SQL traffic), together with the sensitivity of each field of data in the database.
Reasons for the data flow.
Where is the data stored?
Do users sign security or non-disclosure agreements?
Are users required to have a background check?