Application Controls

Medium Level Application Controls

  1. Is any data cached on any servers or client computers that could compromise confidentiality? If yes, the application has low level security controls.
  2. Does an application security plan exist covering:
    1. Technical controls - Includes identification, authentication, access control, auditing, encryption, system protection, communications protection.
    2. Rules - Application rules of behavior.
    3. Personnel security - Separation of duties, least privilege, individual accountability.
    4. Training - Training for users, application administrators, and system administrators especially regarding security responsibilities.
    5. Contingency plan - For critical applications, how the application continues to function in the event of an automated failure.
    6. Information sharing - How the application shares information with other applications, what the risk is, and whether it should share information.
    7. Public access controls
    8. Testing after program changes
    If the answer to any of the above is no, the application has low level security controls.
  3. Does a documented method exist in the application security plan for verification of authorization and authenticity for application user accounts as the accounts are created? If no, the application has low level security controls.
  4. Does a documented method exist in the application security plan for verification of authorization and authenticity for application user accounts as the account passwords are reset? If no, the application has low level security controls.
  5. Are user passwords stored on the client computer in encrypted or hashed form at any time? If yes, the application has low level security controls.
  6. Are any passwords stored on the server in plaintext form? If yes, the application has low level security controls.
  7. Are user or administrative passwords stored on the server in plaintext form at any time? If yes, the application has low level security controls.
  8. Is the hash of user passwords transmitted without further encryption or additional hash modifications? If yes, the application has low level security controls.
  9. Can passwords be reset using a single private question set by the user? If yes, the application has low level security controls.
  10. Is sensitive data transmitted across the internet without encryption? If yes, the application has low level security controls.
  11. Is data access limited to people with an approved need? Who, including administrators, has access to the data? If no, the application has low level security controls.
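Items 6 to 8 above are phrased as what to avoid. The following Python is an added example, not part of the original checklist, showing server-side password handling that answers "no" to each of them, together with a small audit that flags stored records that would answer "yes". The record layout, the usernames and passwords in the sample store, and the choice of PBKDF2-HMAC-SHA256 with a 600,000 iteration work factor are assumptions made for illustration.

```python
"""Added example, not part of the original checklist: server-side password
handling that satisfies items 6 to 8, plus an audit that flags stored
records that would fail them. Store layout and sample data are constructed."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # work factor for PBKDF2-HMAC-SHA256; raise as hardware improves
SALT_BYTES = 16


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow, salted derivation so a leaked store cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Build the only thing the server keeps: per-user salt, iteration count and
    derived hash. The plaintext password is never written anywhere (items 6 and 7)."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": derive_key(password, salt)}


def verify_password(record: dict, password: str) -> bool:
    """The client sends the password itself over an encrypted channel (TLS, item 10);
    the server re-derives and compares in constant time. The stored hash never
    leaves the server and is never accepted as a login token: a static hash sent
    on the wire is a replayable password-equivalent, which is the failure item 8 describes."""
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def audit_store(store: dict) -> list:
    """Return one finding per record that would answer 'yes' to item 6 or 7,
    that hashes without a per-user salt (identical passwords collide), or that
    uses a work factor too low to slow offline guessing."""
    findings = []
    for user, rec in store.items():
        if "password" in rec:
            findings.append(f"{user}: plaintext password stored (fails items 6/7)")
        elif not rec.get("salt"):
            findings.append(f"{user}: unsalted hash (precomputed-table exposure)")
        elif rec.get("iterations", 0) < 100_000:
            findings.append(f"{user}: weak work factor {rec.get('iterations')}")
    return findings


# Constructed sample store: one compliant record and two legacy ones.
SAMPLE_STORE = {
    "alice": make_record("correct horse battery staple"),
    "legacy_bob": {"password": "hunter2"},                           # plaintext at rest
    "legacy_carol": {"salt": b"", "iterations": 1,
                     "hash": hashlib.sha256(b"hunter2").digest()},  # unsalted, fast hash
}

if __name__ == "__main__":
    print(verify_password(SAMPLE_STORE["alice"], "correct horse battery staple"))  # True
    print(verify_password(SAMPLE_STORE["alice"], "wrong"))                          # False
    for finding in audit_store(SAMPLE_STORE):
        print(finding)
```

Running the block verifies the compliant user and lists two findings, one for each legacy record. The audit checks are deliberately structural (is a plaintext field present, is there a salt, is the work factor reasonable) because those are the properties a reviewer can confirm from a credential store without knowing any password.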