Control Assessment

This section assesses the controls of applications and servers. It does that using two methods. The first method asks questions designed to determine whether low level, medium level, or high level controls are in place. It provides questions to determine what level of controls are being applied in the following areas:

  • Medium Level Application Controls
  • High Level Application Controls
  • Medium Level Server Controls
  • High Level Server Controls

Requirements

The second method provides statements about what is required for both the application and the server to have low, medium, or high level security controls.

  • Low Level Application Requirements
  • Medium Level Application Requirements
  • High Level Application Requirements
  • Medium Level Server Requirements
  • High Level Server Requirements

Other concerns

Application Items that are issues reguardless of the security control

  1. How is user authentication handled and is it secure?
  2. How are users authenticated?
    1. Will they use passwords, tokens, Active Directory?
    2. What authentication protocols will be used?
  3. Account management - Who will manage any user accounts and will this add additional maintenance cost to the project?
  4. Consider Data location and network paths - What ports through between which network zones need to be open? Provide a data flow diagram including the following information:
    1. The data flow.
    2. Data flow triggers indicating when data is exchanged.
    3. Restrictions on data flow such as from specific IP addresses.
    4. Direction of data flow.
    5. The type of data such as SQL and information about sensitivity and each field of data in the database.
    6. Reasons for the data flow.
  5. Where is the data stored?
  6. Access controls
    1. Do users sign security or non-disclosure agreements?
    2. Are users required to have a background check?