Information Technology Security (IT Sec) Checklist

PDF Version (203Kb) Help on Alternative Formats

PROTECTED A (when completed)

Company Name:

Government Department:

Organization Number – Site:

IT Review:

(see SRCL Part C.11.d)

Contract Number:

IT Link:

(see SRCL Part C.11.e)

Award Date (YYYY-MM-DD):

Expiry Date: (YYYY-MM-DD):

NOTE: The purpose of this checklist is to provide the Industrial Security Program (ISP) Information Technology Security (IT Sec) Inspector with initial information identifying the company's IT Sec posture in preparation for the on-site inspection in support of the processing, producing and storing of sensitive information for this government contract at the above identified site. This IT Sec Checklist is not to be used by the government department as the Technical Document as required in Security Requirement Check List (SRCL) at Part C.11.d or as the Connectivity Criteria document at Part C.11.e.

Annex A – List of References

Annex B – List of References available only upon request

Annex C – List of Abbreviations and Definitions

INFORMATION SYSTEM (IS) (Check all applicable)

Is the Information System (IS) utilized for this contract currently in place, configured, operational and ready for the IT Sec Inspection?

Yes No

NOTE:

This checklist pertains ONLY to the

Information Technology (IT) in support of this contract.

CORPORATE NETWORK:

Corporate Network (MAN/WAN)
Local Area Network (LAN)
Virtual Local Area Network (VLAN)
Wireless Local Area Network (WLAN)

STAND-ALONE:
(See Annex B)

Closed Local Area Network
Stand-alone Workstation
Stand-alone Laptop

TEMPEST EQUIPMENT:

Closed Local Area Network

Yes No

Stand-alone Workstation

Yes No

Stand-alone Laptop

Yes No

What is the sensitivity of the government information that is being processed and produced in support of this contract: (Indicate the levels if more than one level)

What is the sensitivity of the government information that is being electronically safeguarded in support of this contract: (Indicate the levels if more than one level)

Briefly describe the IS used for the processing, producing and storing of the sensitive information in support of this contract:

THREAT RISK ASSESSMENT (TRA)

Has your company completed and documented a Threat/Risk Assessment (TRA) for the processing of the Protected/Classified information?

Yes No

Date (YYYY-MM-DD):

Please provide details

Remarks:

Has the IS in support of this contract been Certified and Accredited (C&A)?

Yes No

Date (YYYY-MM-DD):

Please provide details

Remarks:

For Classified information processing only: Has emission security been addressed within the TRA?

Yes No N/A

Please provide details

Remarks:

SYSTEM LOCATION – Identify all sites where Protected and/or Classified information is processed, produced, stored and/or backed up for all aspects of this specific contract or any related subcontracts.

Will the Protected/Classified information be electronically sent from the supplier's IT system at this site to an alternate site, a non-government location and/or to a third party supplier?

Yes No

Remarks:

If yes, please provide details

(Attach separate list as required)

Name and address:

Remarks:

Name and address:

Remarks:

If there is connectivity to another site and/or location, was there a subcontract initiated for this purpose?

Yes No

Remarks:

If yes, please provide details

Contract number:

N/A

Remarks:

SRCL 11.d

Yes No N/A

Remarks:

SRCL 11.e

Yes No N/A

Remarks:

Additional Comments:

COMMUNICATION – Identify all mechanisms used to exchange Protected/Classified information for this specific contract.

At this site, does the IS connect to any other information systems? (e.g. Corporate, Government, Home, Internet, etc.)

Yes No

Please provide details

Remarks:

Does your company utilize an "IT Link" as a mean of communication?

Yes No

(If yes, please check all applicable)

FTP

Yes No

VPN

Yes No

HTTPS

Yes No

SSL

Yes No

Other (Specify):

VPN (please provide details):

HTTPS (please provide details):

Remarks:
Contract: SRCL
Part C.11.e

Can the IS be accessed remotely?

Yes No

Remarks:

Do you utilize two factor authentications?

Yes No

If yes, please provide details

Remarks:

Does your company utilize wireless technology?

Yes No

Network (Specify):

Yes No

Hand-held Devices (Specify):

Yes No

Remarks:

How are the contract deliverables provided to government?

Remarks:

Does you company utilize "Courier" services as a mean of communication?

Yes No

(If yes, please provide name and address of courier)

Remarks:
ISM 506.1.d

Provide a Network Topology Diagram demonstrating where the Protected and/or Classified information in support of this contract is processed, produced, stored and/or backed up.

Attached: Yes No

Remarks:

Provide a Data Flow Diagram demonstrating where the Protected and/or Classified information in support of this contract is processed, produced, stored and/or backed up from the entry point in the company until deliverables are given to government.

Attached: Yes No

Remarks:

10.

Does your company utilize a facsimile (FAX) in support of this contract?

Yes No

Remarks:

Additional Comments:

IT MEDIA – Identify all types of IT media used in support of this contract

CD/DVD:

Yes No

Remarks:

Mobile USB Storage Device:

Yes No

If yes, please provide details

Remarks:

USB External Hard Drive:

Yes No

If yes, please provide details

Remarks:

Removable Hard Drive:

Yes No

If yes, please provide details

Remarks:

Audio/Video Media:

Yes No

If yes, please provide details

Remarks:

Backup Media:

Yes No

If yes, please provide details

Remarks:

Other (Specify):

Please provide details

Remarks:

MEDIA HANDLING in support of this contract

Is the IT Equipment (Servers, Workstations and/or Laptops) used in support of this contract marked to the highest sensitivity level?

Yes No

Remarks:

Is the IT Media used in support of this contract marked to the highest sensitivity level?

Yes No

Remarks:

If you use IT media as a backup method, do the backups have the level of sensitivity, the contract number and the government department marked on them?

Yes No

Remarks:

Is the location of all media used in support of this contract known by the Company Security Officer (CSO) and/or Alternate CSO (ACSO) at all times?

Yes No

Remarks:

Is all IT media used in support of this contract kept separate from all other corporate IT media?

Yes No

Please provide details

Remarks:

How is the location of all media known by the CSOand/or ACSO at all times?

Yes No

Please provide details

Remarks:

Is all IT media used in support of this contract kept separate from other contracts' IT media.

Yes No

Please provide details

Remarks:

When transporting Protected/Classified information on IT media to an outside location, is it encrypted?

Yes No

Please provide details

Remarks:

When transporting Protected/Classified information on IT media to an outside location, is it transported in accordance with the Industrial Security Manual (ISM) Chapter 5?

Yes No

Please provide details

Remarks:

Additional Comments:

PHYSICAL SECURITY in support of this contract

Provide a floor plan identifying where the processing, producing, and the storing of the Protected/Classified information in support of this contract.

Attached: Yes No

Remarks:

Will any additional physical location(s) at this site that was not identified during the physical inspection for the company’s Document Safeguarding Capability (DSC) be used for IT processing, producing and/or storing of Protected/Classified information in support of this contract?

Yes No

If yes, please provide details

Remarks:

Are all IT media stored in the ISP approved security container?

Yes No

If no, please provide details

Remarks:

Do you have an Access Control List (ACL) within your Security and your High-Security Zones when processing Classified information?

N/A Yes No

Remarks:

Does your company maintain a Visitor Log?

Yes No

Remarks:

Does your company issue Visitors Passes?

Yes No

Remarks:

Are visitors escorted in the locations while the processing, producing, and storing of the Protected/Classified information is being performed?

Yes No

Remarks:

Additional Comments:

PERSONNEL SECURITY in support of this contract

Corporate Company Security Officer (CCSO)

N/A

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Remarks:

Company Security Officer (CSO)

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Remarks:

Alternate Company Security Officer (ACSO)

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Alternate Company Security Officer (ACSO)

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Alternate Company Security Officer (ACSO)

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Remarks:

Personnel directly involved with the electronic processing, producing and storing of the Protected/Classified information in support of this contract. (Attach separate list as required)

Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Does your company utilize Call Center personnel in support of this contract?

Yes No

Remarks:

Are all personnel with access to the IS cleared to the security level of the information processed within this contract?

Yes No

Remarks:

Do all personnel with access to the IS have a need-to-know for the information processed?

Yes No

Remarks:

Is there a documented Security Awareness program for all personnel involved with this contract?

Yes No

Please provide details

Remarks:

Are all personnel aware of the handling of information as defined in the ISM?

Yes No

Remarks:

Additional Comments:

IT PERSONNEL SECURITY in support of this contract

IT Personnel directly involved with the Administration and Support of the IT equipment/software. (Attach separate list as required)

IT Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

IT Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

IT Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

IT Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

IT Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

IT Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

IT Personnel

Security Clearance Level

Expiry Date (YYYY-MM-DD) :

Remarks:

Does your company utilize Help Desk personnel in support of this contract?

Yes No

Remarks:

Are all IT personnel, with access to the IS, cleared to the security level of the information processed within this contract?

Yes No

Remarks:

Because of their elevated access privileges, have all IT personnel received a security awareness briefing on the handling of information as defined in the ISM?

Yes No

Remarks:

Have all IT personnel received, as part of their security awareness briefing, specific instructions on the handling of the hardware in support of the Protected/Classified information?

Yes No

Remarks:

Have all IT personnel received specific instructions on the updating of the software in support of the Protected/ Classified information as part of their security awareness briefing.

Yes No

Remarks:

Does your company utilize a third party company and/or single technician to perform IT support tasks on the above identified IS?

Yes No

If yes, please provide details

Name of company/individual(s):

Registered in the ISP:

Yes No

Remains under escort while performing IT support tasks on the above identified IS?

Yes No

Remarks:

Additional Comments:

LIST OF IT EQUIPMENT – List all the IT equipment used in support of this contract and for the complete duration of this contract.

Description: (Check all applicable)

Desktop(s):

Network Stand-alone

Quantity

Make

Model

Remarks:

Laptop(s):

Network Stand-alone

Quantity

Make

Model

Remarks:

Application Server(s)

Quantity

Make

Model

Remarks:

SAN Server(s)

Quantity

Make

Model

Remarks:

Files and Print Server(s)

Quantity

Make

Model

Remarks:

Email Servers(s)

Quantity

Make

Model

Remarks:

Multi-function Printers
(Printer/Copier/Scanner/Fax)

with internal hard-disk without internal hard-disk

Quantity

Make

Model

Remarks:

Printer(s)

with internal hard-disk without internal hard-disk

Quantity

Make

Model

Remarks:

Printer(s)

with wireless capability without wireless capability

Quantity

Make

Model

Remarks:

Scanner(s)

with internal hard-disk without internal hard-disk

Quantity

Make

Model

Remarks:

Fax(s)

with internal hard-disk without internal hard-disk

Quantity

Make

Model

Remarks:

Photocopier(s)

with internal hard-disk without internal hard-disk

Quantity

Make

Model

Remarks:

Tape Backup Appliance(s)

Quantity

Make

Model

Remarks:

Router(s)/Switch(es)

Quantity

Make

Model

Remarks:

Router

with wireless capability without wireless capability

Quantity

Make

Model

Remarks:

Firewall Appliance

Quantity

Make

Model

Remarks:

Wireless Transceiver(s)

Quantity

Make

Model

Remarks:

Cable Modem to connect with the ISP

Quantity

Make

Model

Remarks:

VoIP – Management phone system

Quantity

Make

Model

Remarks:

Other (Specify):

Quantity

Make

Model

Remarks:

Additional Comments:

INFORMATION TECHNOLOGY SECURITY in support of this contract

Is there an IT Security Policy in place?

Yes No

Last Updated (YYYY-MM-DD):

Remarks:

Do you utilize a Firewall solution?

Yes No

Remarks:

Hardware Software

Remarks:

Please provide details – name and version

Remarks:

Is the Firewall configuration documented?

Yes No

Last Updated (YYYY-MM-DD):

Remarks:

Who is responsible for the configuration of the Firewall?

Remarks:

Are the Firewall Security Logs maintained and reviewed periodically?

Yes No

Remarks:

What is the Operating Systems (OS) and Service Pack (SP) on the IS?

Servers:

Workstations:

Laptops:

Remarks:

How are the OS Updates and Security Patches applied?

Servers:

Manually
Central Server
Auto-update

Other (Specify):

Workstations:

Manually
Central Server
Auto-update

Other (Specify):

Laptops:

Manually
Central Server
Auto-update

Other (Specify):

Remarks:

Are administrative accounts used solely for the administration of the IS?

Servers:

Yes No

Workstations:

Yes No

Laptops:

Yes No

Remarks:

Do you use Active Directory to create User Accounts?

Servers:

Yes No

Workstations:

Yes No

Laptops:

Yes No

Remarks:

10.

Are unique username accounts and unique passwords required to access the IS?

Servers:

Yes No

Workstations:

Yes No

Laptops:

Yes No

Remarks:

11.

Provide details on password policies. (e.g. length, difficulty, life, lock-out policy, etc.)

Servers:

Workstations:

Laptops:

Remarks:

12.

Are users forced to change the temporary password at first login?

Servers:

Yes No

Workstations:

Yes No

Laptops:

Yes No

Remarks:

13.

Does the IS permit users the capability to save passwords at login?

Servers:

Yes No

Workstations:

Yes No

Laptops:

Yes No

Remarks:

14.

Are IS Security Logs maintained and reviewed periodically? (e.g. event viewer)

Servers:

Yes No

Workstations:

Yes No

Laptops:

Yes No

Remarks:

15.

Is antivirus software used?

Servers:

Yes No

Workstations:

Yes No

Laptops:

Yes No

Remarks:

16.

Provide antivirus product details.

Servers:

Product Name:

Version:

Last Updated Date (YYYY-MM-DD):

Workstations:

Product Name:

Version:

Last Updated Date (YYYY-MM-DD):

Laptops:

Product Name:

Version:

Last Updated Date (YYYY-MM-DD):

Remarks:

17.

What is the frequency of the virus protection software updates?

Daily Weekly Monthly
Other (Specify):

Remarks:

18.

How are the antivirus updates applied?

Servers:

Manually
Central Server
Auto-update

Other (Specify):

Workstations:

Manually
Central Server
Auto-update

Other (Specify):

Laptops:

Manually
Central Server
Auto-update

Other (Specify):

Remarks:

19.

Is there any Protected/Classified information saved locally on the IS?

Servers:

Yes No

Workstations:

Yes No

Laptops:

Yes No

Elsewhere:

Yes No

If yes, specify:

Remarks:

20.

Is the Protected/Classified information for this contract segregated from corporate information?

Servers:

Yes No

Workstations:

Yes No

Laptops:

Yes No

Remarks:

21.

How is the Protected/Classified information for this contract segregated from corporate information?

Remarks:

22.

Do you have any other current Government contracts at this site with an IT component requirement?

Yes No

Remarks:

23.

How is the information segregated from other contracts information?

Remarks:

24.

Do you have encryption capability?

Servers:

Yes No

Workstations:

Yes No

Laptops:

Yes No

Remarks:

25.

Who provides the encryption product?

Government Corporate

Remarks:

26.

If encryption is utilized, how is it utilized?

Remarks:

27.

Provide encryption product name and version.

Servers:

Name:

Version:

Assurance Level:

AES:

Workstation:

Name:

Version:

Assurance Level:

AES:

Laptops:

Name:

Version:

Assurance Level:

AES:

Remarks:

Additional Comments:

SECURITY VIOLATIONS, BREACHES AND COMPROMISES

Do you have a process to report security breaches or incidents?

Yes No

If yes, please provide details

Remarks:
ISM 512

Do you apply sanctions to IT Sec incidents when in the opinion of Senior Management there has been misconduct or negligence?

Yes No

If yes, please provide details

Remarks:

Additional Comments:

RECOVERY in support of this contract

Do you backup the information for the Protected/Classified information in support of this contract?

Yes No

Remarks:

Do you have a documented backup procedure plan for the Protected/Classified information in support of this contract?

Yes No

Remarks:

Provide a brief description of the backup process.

Remarks:

What is the frequency of the backups? (Check all applicable)

Daily

Incremental Full

Remarks:

Weekly

Incremental Full

Remarks:

Monthly

Incremental Full

Remarks:

Other:

Remarks:

Do you backup the information for the Protected/Classified information in support of this contract?

Yes No

Remarks:

If yes, please provide location and address

Remarks:

Do you have a Documented Disaster Recovery Plan in place?

Yes No

Remarks:

If yes, when was it last tested?

Remarks:

Additional Comments:

DESTRUCTION/DISPOSAL – CSEC – ITSG-06 Refers.

Upon completion of contract, do you retain any electronic information?

Yes No

Remarks:

If yes, explain how

If yes, provide retention period

Upon completion of contract, are all IT equipment and media sanitized?

Yes No

Remarks:

Provide "sanitization" method to ensure that all Protected/Classified information is completely removed from the IS.

Remarks:

Provide "sanitization" product name and version. (e.g. triple-overwrite software)

Name:

Version:

Remarks:

What happens to unserviceable data storage devices (IT Media) if there is an equipment malfunction and they must be replaced before the end of the contract?

Remarks:

What happens to all data storage devices (IT Media, including internal hard drives) at the end of the contract?

Remarks:

Do you maintain a record of destruction/disposal?

Yes No

If yes, explain

Remarks:

Additional Comments:

This completed check list is NOT to be sent by return email unless it has been encrypted. Please contact the IT Sec Inspector for instructions and to confirm transmittal method.

Annex A – List of References

REFERENCES

Long Title and Internet Link

TBS – PGS

Policy on Government Security (Formerly GSP)
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578&section=text

TBS – MITS

Operational Security Standard: Management of Information Technology Security
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12328&section=text

TBS – OSSPS

Operational Security Standard on Physical Security
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12329

TBS – SCMS

Security and Contracting Management Standard
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12332

PWGSC/ISP – ISM

Industrial Security Manual
http://ssi-iss.tpsgc-pwgsc.gc.ca/msi-ism/msi-ism-eng.html

CSEC – Industry Program

Advice and Guidance on Commercial Products
http://www.cse-cst.gc.ca/its-sti/services/index-eng.html

CSEC – CITP

Canadian Industrial TEMPEST Program
http://www.cse-cst.gc.ca/its-sti/services/industry-prog-industrie/citp-ptic-eng.html

CSEC – CSG

COTS Security Guidance
http://www.cse-cst.gc.ca/its-sti/services/csg-cspc/index-eng.html

CSEC – ITSA

Information Technology Security Advisory
http://www.cse-cst.gc.ca/its-sti/publications/itsa-asti/index-eng.html

CSEC – ITSB

Information Technology Security Bulletin
http://www.cse-cst.gc.ca/its-sti/publications/itsb-bsti/index-eng.html

CSEC – ITSD

Information Technology Security Directive
http://www.cse-cst.gc.ca/its-sti/publications/itsd-dsti/index-eng.html

CSEC – ITSG

Information Technology Security Guidance
http://www.cse-cst.gc.ca/its-sti/publications/itsg-csti/index-eng.html

CSEC – ITSPSR

IT Security Product System Report
http://www.cse-cst.gc.ca/its-sti/publications/itspsr-rpssti/index-eng.html

CSEC – HTRA

Harmonized TRA Methodology
http://www.cse-cst.gc.ca/its-sti/publications/tra-emr/index-eng.html

CSEC – CCCS

Canadian Common Criteria Scheme
http://www.cse-cst.gc.ca/its-sti/services/cc/index-eng.html

Common Criteria

Common Criteria
http://www.commoncriteriaportal.org/index.html
Certified Products
http://www.commoncriteriaportal.org/products.html

Annex B – List of References available ONLY upon request to your IT Sec Inspector in support of classified contracts.

REFERENCES

Location

CSEC – ITSG-11

Information Technology Security Guidance 11 – COMSEC Installation Planning – TEMPEST Guidance and Criteria

CSEC – ITSG-12

Information Technology Security Guidance 12 – Government of Canada Facility Evaluation Procedures

Annex C – List of Abbreviations and Definitions

ABBREVIATIONS

Long Titles and/or Definitions

ACL

Access Control List

ACSO

Alternate Company Security Officer

AES

Advanced Encryption Standard

C&A

Certification and Accreditation (See below)

CCSO

Corporate Company Security Officer

COTS

Commercial, off-the-shelf

CSEC

Communication Security Establishment Canada

CSO

Company Security Officer

DSC

Document Safeguarding Capability

FTP

File Transfer Protocol

HTTPS

Hypertext Transfer Protocol Secure

Information System

ISM

Industrial Security Manual

ISP

Industrial Security Program

Information Technology

IT Sec

Information Technology Security

LAN

Local Area Network

MAN

Metropolitan Area Network

Operating Systems

SAN

Storage Area Network

Service Pack

SRCL

Security Requirement Check List

SSL

Secure Sockets Layer

TEMPEST

Transient Electro Magnetic Pulse Emanation Surveillance Technology

TRA

Thread Risk Assessment

USB

Universal Serial Bus

VLAN

Virtual Local Area Network

VoIP

Voice over Internet Protocol

VPN

Virtual Private Network

WAN

Wide Area Network

WLAN

Wireless Local Area Network

DEFINITIONS

Certification and Accreditation (C&A)

C&A is the process of comprehensively evaluating technical and non-technical features of an information system [in its environment] so that it can be determined whether or not the system is ready to operate at an acceptable level of [residual] risk based on the implementation of an approved set of technical, managerial, and procedural safeguards.

Stand-alone device

Refers to any computer device that includes the following, but is not limited to: workstation, laptop, tablet PC or any other device that does not connect to any network; either through a wired, wireless or remote access connection.