System Information

  1. List Server names that are a part of this system
  2. List IP addresses of project servers. Include all servers the project will use, such as the database server, application server, web server, mail server, and possibly domain controllers or DNS servers.
  3. List the physical locations of all servers related to this project, such as where the development, QA, and production servers are located.
  4. Provide a project plan which should describe the system.
  5. Provide a network diagram if possible showing locations of all systems.
  6. What change and configuration management process is in place for the project including servers and applications?
  7. Is this a critical project, and is there a business continuity or disaster recovery plan which covers it?
  8. Who will maintain the system?
  9. Will any wireless connectivity be used with this system, and have proper precautions been taken based on the sensitivity of the data?

Server Information

  1. Provide a server description.
  2. List the IP address of the server.
  3. List the physical location of the server (all servers supporting the application).
  4. List the servers that this server communicates with and what ports are used. Provide a network diagram with server names, IP addresses, and protocols used to communicate.
  5. List the services this system requires from outside systems and the services it provides to outside systems, such as SQL database or file sharing. Also indicate what access is allowed to the server, such as internet access from any location or from specific IP addresses only, or internal access from specific subnets (as is used for file and print sharing). Where possible, limit access to this server to the other required servers only (network access control).
  6. List all applications operating on the server.
  7. List services operating on and provided by the system, such as web service, FTP, backup, anti-virus, file sharing, etc., including protocols and port numbers.
  8. List the network locations (zones) of all servers, such as zone1 or zone2, and provide a network diagram.
  9. List any servers that will have SSL certificates.
  10. List user accounts that will have access to the server for the purposes of administration or for file access. If a group has file access, list the group and its type.
  11. What are the peak load times on the server?
  12. What storage encryption or transmission encryption is used?
  13. What is the communication speed?
  14. What hardware is being used?
  15. What operating system is running on the server?
  16. How many administrators for the system exist and what are their roles?
  17. How are backups done, how often, and of what type (incremental, full)? What media are they stored on? Is backup media stored in an alternate location? How often is data restoration tested or planned to be tested? Describe the process and policies for backups of the systems involved in the project.
  18. What user groups or roles are provided? How are they controlled?
  19. How long are database transaction log files kept and where are they stored?
  20. Is there auditing of transaction logs, records, and reports on the system and servers? How often?
  21. Are all user IDs and passwords unique?
  22. Is sensitive data being sent over the internet? If so, is it encrypted with 128-bit or higher encryption? Is SSL being used?
  23. Does the business owner have a security incident process or does a process exist that informs the business owner when an incident which may affect them occurs?
  24. Is there a documented maintenance and patch management plan for the system?
  25. Does a business continuity/disaster recovery plan cover this system and applications on it?
  26. Is real-time, regularly updated virus protection operating on the server?