Information Technology Security (IT Sec) Checklist

PDF Version (203Kb) Help on Alternative Formats

PROTECTED A (when completed)

Company Name:

Government Department:

Organization Number – Site:

IT Review:

(see SRCL Part C.11.d)

Contract Number:

IT Link:

(see SRCL Part C.11.e)

Award Date (YYYY-MM-DD):

Expiry Date: (YYYY-MM-DD):

NOTE: The purpose of this checklist is to provide the Industrial Security Program (ISP) Information Technology Security (IT Sec) Inspector with initial information identifying the company's IT Sec posture in preparation for the on-site inspection in support of the processing, producing and storing of sensitive information for this government contract at the above identified site. This IT Sec Checklist is not to be used by the government department as the Technical Document as required in Security Requirement Check List (SRCL) at Part C.11.d or as the Connectivity Criteria document at Part C.11.e.

Annex A – List of References

Annex B – List of References available only upon request

Annex C – List of Abbreviations and Definitions

INFORMATION SYSTEM (IS) (Check all applicable)

Is the Information System (IS) utilized for this contract currently in place, configured, operational and ready for the IT Sec Inspection?

Yes No

NOTE:

This checklist pertains ONLY to the

Information Technology (IT) in support of this contract.

CORPORATE NETWORK:

CORPORATE NETWORK:

Corporate Network (MAN/WAN)
Local Area Network (LAN)
Virtual Local Area Network (VLAN)
Wireless Local Area Network (WLAN)

STAND-ALONE:

STAND-ALONE:
(See Annex B)

Closed Local Area Network
Stand-alone Workstation
Stand-alone Laptop

TEMPEST EQUIPMENT:

Closed Local Area Network

Yes No

Stand-alone Workstation

Yes No

Stand-alone Laptop

Yes No

What is the sensitivity of the government information that is being processed and produced in support of this contract: (Indicate the levels if more than one level)

What is the sensitivity of the government information that is being electronically safeguarded in support of this contract: (Indicate the levels if more than one level)

Briefly describe the IS used for the processing, producing and storing of the sensitive information in support of this contract:

THREAT RISK ASSESSMENT (TRA)

1. Has your company completed and documented a Threat/Risk Assessment (TRA) for the processing of the Protected/Classified information?

Yes No

1.Date (YYYY-MM-DD):

1.(Please provide details)

1.Remarks:

2. Has the IS in support of this contract been Certified and Accredited (C&A)?

Yes No

2.Date (YYYY-MM-DD):

2.(Please provide details)

2.Remarks:

3. For Classified information processing only: Has emission security been addressed within the TRA?

Yes No N/A

3.(Please provide details)

3.Remarks:

SYSTEM LOCATION – Identify all sites where Protected and/or Classified information is processed, produced, stored and/or backed up for all aspects of this specific contract or any related subcontracts.

1. Will the Protected/Classified information be electronically sent from the supplier's IT system at this site to an alternate site, a non-government location and/or to a third party supplier?

Yes No

Remarks:

(If yes, please provide details)

(Attach separate list as required)

SYSTEM LOCATION 1.Name and address:

SYSTEM LOCATION 1.Remarks:

SYSTEM LOCATION 2.Name and address:

SYSTEM LOCATION 2.Remarks:

2. If there is connectivity to another site and/or location, was there a subcontract initiated for this purpose?

Yes No

2. If there is connectivity to another site and/or location, was there a subcontract initiated for this purpose?.Remarks:

(If yes, please provide details)

Contract number:

N/A

2. If there is connectivity to another site and/or location, was there a subcontract initiated for this purpose?Remarks:

SRCL 11.d

SRCL 11.d

Yes No N/A

SRCL 11.d Remarks:

SRCL 11.e

SRCL 11.e

Yes No N/A

SRCL 11.e Remarks:

SYSTEM LOCATION Additional Comments:

COMMUNICATION – Identify all mechanisms used to exchange Protected/Classified information for this specific contract.

1. At this site, does the IS connect to any other information systems? (e.g. Corporate, Government, Home, Internet, etc.)

Yes No

COMMUNICATION 1.(Please provide details)

COMMUNICATION 1.Remarks:

2. Does your company utilize an "IT Link" as a mean of communication?

Yes No

(If yes, please check all applicable)

FTP

Yes No

VPN

Yes No

HTTPS

Yes No

SSL

Yes No

Other (Specify):

VPN (please provide details):

HTTPS (please provide details):

Remarks:
Contract: SRCL
Part C.11.e

3. Can the IS be accessed remotely?

Yes No

3. Remarks:

4. Do you utilize two factor authentications?

Yes No

COMMUNICATION 4.(If yes, please provide details)

COMMUNICATION 4.Remarks:

5. Does your company utilize wireless technology?

Yes No

Network

Network (Specify):

Yes No

Hand-held Devices

Hand-held Devices (Specify):

Yes No

Remarks:
CSEC: ITSPSR-21A

6. How are the contract deliverables provided to government?

COMMUNICATION 6. Remarks:

7. Does you company utilize "Courier" services as a mean of communication?

Yes No

(If yes, please provide name and address of courier)

Remarks:
ISM 506.1.d

8. Provide a Network Topology Diagram demonstrating where the Protected and/or Classified information in support of this contract is processed, produced, stored and/or backed up.

Attached:

Yes No

COMMUNICATION 8. Remarks:

9. Provide a Data Flow Diagram demonstrating where the Protected and/or Classified information in support of this contract is processed, produced, stored and/or backed up from the entry point in the company until deliverables are given to government.

COMMUNICATION 9.Attached:

Attached:

Yes No

COMMUNICATION 9. Remarks:

10. Does your company utilize a facsimile (FAX) in support of this contract?

Yes No

COMMUNICATION 10. Remarks:

Additional Comments:
COMMUNICATIONAdditional Comments:

IT MEDIA – Identify all types of IT media used in support of this contract

1. CD/DVD

1. CD/DVD:

Yes No

IT MEDIA 1. Remarks:

2. Mobile USB Storage Device:

Yes No

IT MEDIA 2. (If yes, please provide details)

IT MEDIA 2. Remarks:

3. USB External Hard Drive:

Yes No

IT MEDIA 3. (If yes, please provide details)

IT MEDIA 3. Remarks:

4. Removable Hard Drive:

Yes No

IT MEDIA 4. (If yes, please provide details)

IT MEDIA 4. Remarks:

5. Audio/Video Media:

Yes No

IT MEDIA 5. (If yes, please provide details)

IT MEDIA 5. Remarks:

6. Backup Media:

Yes No

IT MEDIA 6. (If yes, please provide details)

IT MEDIA 6. Remarks:

7. Other (Specify):

IT MEDIA 7. (Please provide details)

IT MEDIA 7. Remarks:

MEDIA HANDLING in support of this contract

1. Is the IT Equipment (Servers, Workstations and/or Laptops) used in support of this contract marked to the highest sensitivity level?

Yes No

MEDIA HANDLING 1. Remarks:

2. Is the IT Media used in support of this contract marked to the highest sensitivity level?

Yes No

MEDIA HANDLING 2. Remarks:

3. If you use IT media as a backup method, do the backups have the level of sensitivity, the contract number and the government department marked on them?

Yes No

MEDIA HANDLING 3. Remarks:

4. Is the location of all media used in support of this contract known by the Company Security Officer (CSO) and/or Alternate CSO (ACSO) at all times?

Yes No

MEDIA HANDLING 4. Remarks:

5. Is all IT media used in support of this contract kept separate from all other corporate IT media?

Yes No

MEDIA HANDLING 5. (Please provide details)

MEDIA HANDLING 5. Remarks:

6. How is the location of all media known by the CSO and/or ACSO at all times?

Yes No

MEDIA HANDLING 6. (Please provide details)

MEDIA HANDLING 6. Remarks:

7. Is all IT media used in support of this contract kept separate from other contracts' IT media.

Yes No

MEDIA HANDLING 7. (Please provide details)

MEDIA HANDLING 7. Remarks:

8. When transporting Protected/Classified information on IT media to an outside location, is it encrypted?

Yes No

MEDIA HANDLING 8. (Please provide details)

MEDIA HANDLING 8. Remarks:

9. When transporting Protected/Classified information on IT media to an outside location, is it transported in accordance with the Industrial Security Manual (ISM) Chapter 5?

Yes No

MEDIA HANDLING 10. (Please provide details)

MEDIA HANDLING 10. Remarks:

Additional Comments:
Additional Comments:

PHYSICAL SECURITY in support of this contract

1. Provide a floor plan identifying where the processing, producing, and the storing of the Protected/Classified information in support of this contract.

Attached: Yes No

PHYSICAL SECURITY 1. Remarks:

2. Will any additional physical location(s) at this site that was not identified during the physical inspection for the company’s Document Safeguarding Capability (DSC) be used for IT processing, producing and/or storing of Protected/Classified information in support of this contract?

Yes No

PHYSICAL SECURITY 2. (If yes, please provide details)

PHYSICAL SECURITY 2. Remarks:

3. Are all IT media stored in the ISP approved security container?

Yes No

PHYSICAL SECURITY 3. If no, please provide details

PHYSICAL SECURITY 3. Remarks:

4. Do you have an Access Control List (ACL) within your Security and your High-Security Zones when processing Classified information?

N/A Yes No

PHYSICAL SECURITY 4. Remarks:

5. Does your company maintain a Visitor Log?

Yes No

PHYSICAL SECURITY 5. Remarks:

6. Does your company issue Visitors Passes?

Yes No

PHYSICAL SECURITY 6. Remarks:

7. Are visitors escorted in the locations while the processing, producing, and storing of the Protected/Classified information is being performed?

Yes No

PHYSICAL SECURITY 7 Remarks:

Additional Comments:
PHYSICAL SECURITY 7 Additional Comments:

PERSONNEL SECURITY in support of this contract

Corporate Company Security Officer (CCSO)

N/A

Security Clearance Level

Expiry Date (YYYY-MM-DD):

Corporate Company Security Officer (CCSO) Remarks:

Company Security Officer (CSO)

Company Security Officer (CSO) Security Clearance Level

Company Security Officer (CSO) Expiry Date (YYYY-MM-DD):

Corporate Company Security Officer Remarks:

1. Alternate Company Security Officer (ACSO)

1. Security Clearance Level

1. Expiry Date (YYYY-MM-DD):

2. Alternate Company Security Officer (ACSO)

2. Security Clearance Level

2. Expiry Date (YYYY-MM-DD):

3. Alternate Company Security Officer (ACSO)

3. Security Clearance Level

3. Expiry Date (YYYY-MM-DD):

4. Remarks:

Personnel directly involved with the electronic processing, producing and storing of the Protected/Classified information in support of this contract. (Attach separate list as required)

1.a. Personnel

1.b. Security Clearance Level

1.b. Expiry Date (YYYY-MM-DD):

2.a. Personnel

2.b. Security Clearance Level

2.c. Expiry Date (YYYY-MM-DD):

3.a. Personnel

3.b. Security Clearance Level

3.c. Expiry Date (YYYY-MM-DD):

4.a. Personnel

4.b. Security Clearance Level

4.c. Expiry Date (YYYY-MM-DD):

Personnel Remarks:

1. Does your company utilize Call Center personnel in support of this contract?

Yes No

1. Does your company utilize Call Center personnel in support of this contract? Remarks:

2. Are all personnel with access to the IS cleared to the security level of the information processed within this contract?

Yes No

2. Are all personnel with access to the IS cleared to the security level of the information processed within this contract? Remarks:

3. Do all personnel with access to the IS have a need-to-know for the information processed?

Yes No

3. Do all personnel with access to the IS have a need-to-know for the information processed? Remarks:

4. Is there a documented Security Awareness program for all personnel involved with this contract?

Yes No

4. Is there a documented Security Awareness program for all personnel involved with this contract? (Please provide details)

4. Is there a documented Security Awareness program for all personnel involved with this contract? Remarks:

5. Are all personnel aware of the handling of information as defined in the ISM?

Yes No

5. Are all personnel aware of the handling of information as defined in the ISM? Remarks:

Additional Comments:
PERSONNEL SECURITY (CSO) Additional Comments:

IT PERSONNEL SECURITY in support of this contract

IT Personnel directly involved with the Administration and Support of the IT equipment/software. (Attach separate list as required)

i. IT Personnel

i. Security Clearance Level

i. Expiry Date (YYYY-MM-DD):

ii. IT Personnel

ii. Security Clearance Level

ii. Expiry Date (YYYY-MM-DD):

iii. IT Personnel

iii. Security Clearance Level

iii. Expiry Date (YYYY-MM-DD):

iv. IT Personnel

iv. Security Clearance Level

iv. Expiry Date (YYYY-MM-DD):

v. IT Personnel

v. Security Clearance Level

v. Expiry Date (YYYY-MM-DD):

vi. IT Personnel

vi. Security Clearance Level

vi. Expiry Date (YYYY-MM-DD):

vii. IT Personnel

vii. Security Clearance Level

vii. Expiry Date (YYYY-MM-DD):

IT PERSONNEL Remarks:

1. Does your company utilize Help Desk personnel in support of this contract?

Yes No

1. Does your company utilize Help Desk personnel in support of this contract? Remarks:

2. Are all IT personnel, with access to the IS, cleared to the security level of the information processed within this contract?

Yes No

2. Are all IT personnel, with access to the IS, cleared to the security level of the information processed within this contract? Remarks:

3. Because of their elevated access privileges, have all IT personnel received a security awareness briefing on the handling of information as defined in the ISM?

Yes No

3. Because of their elevated access privileges, have all IT personnel received a security awareness briefing on the handling of information as defined in the ISM? Remarks:

4. Have all IT personnel received, as part of their security awareness briefing, specific instructions on the handling of the hardware in support of the Protected/Classified information?

Yes No

4. Have all IT personnel received, as part of their security awareness briefing, specific instructions on the handling of the hardware in support of the Protected/Classified information? Remarks:

5. Have all IT personnel received specific instructions on the updating of the software in support of the Protected/ Classified information as part of their security awareness briefing.

Yes No

5. Have all IT personnel received specific instructions on the updating of the software in support of the Protected/ Classified information as part of their security awareness briefing. Remarks:

6. Does your company utilize a third party company and/or single technician to perform IT support tasks on the above identified IS?

Yes No

6. Does your company utilize a third party company and/or single technician to perform IT support tasks on the above identified IS? (If yes, please provide details)

6. Does your company utilize a third party company and/or single technician to perform IT support tasks on the above identified IS? Name of company/individual(s):

Registered in the ISP:

Yes No

Remains under escort while performing IT support tasks on the above identified IS?

Yes No

6. Does your company utilize a third party company and/or single technician to perform IT support tasks on the above identified IS? Remarks:

Additional Comments:
IT PERSONNEL SECURITY in support of this contract Additional Comments:

LIST OF IT EQUIPMENT – List all the IT equipment used in support of this contract and for the complete duration of this contract.

Description: (Check all applicable)

Desktop(s):

Desktop(s):

Network Stand-alone

Desktop(s) Quantity

Desktop(s) Make

Desktop(s) Model

Desktop(s) Remarks:

Laptop(s):

Laptop(s):

Network Stand-alone

Laptop(s) Quantity

Laptop(s) Make

Laptop(s) Model

Laptop(s) Remarks:

Application Server(s)

Yes

Application Server(s) Quantity

Application Server(s) Make

Application Server(s) Model

Application Server(s) Remarks:

SAN Server(s)

Yes

SAN Server(s) Quantity

SAN Server(s) Make

SAN Server(s) Model

SAN Server(s) Remarks:

Files and Print Server(s)

Yes

Files and Print Server(s) Quantity

Files and Print Server(s) Make

Files and Print Server(s) Model

Files and Print Server(s) Remarks:

Email Servers(s)

Yes

Email Servers(s) Quantity

Email Servers(s) Make

Email Servers(s) Model

Email Servers(s) Remarks:

Multi-function Printers

Multi-function Printers
(Printer/Copier/Scanner/Fax)

with internal hard-disk without internal hard-disk

Multi-function Printers Quantity

Multi-function Printers Make

Multi-function Printers Model

Multi-function Printers Remarks:

Printer(s)

with internal hard-disk without internal hard-disk

Quantity

Make

Model

Printer(s) Remarks:

Printer(s) with/without wireless

Printer(s)

with wireless capability without wireless capability

Printer(s) Quantity

Printer(s) Make

Printer(s) Model

Printer(s) with/without wireless Remarks:

Scanner(s)

with internal hard-disk without internal hard-disk

Scanner(s) Quantity

Scanner(s) Make

Scanner(s) Model

Scanner(s) Remarks:

Fax(es)

with internal hard-disk without internal hard-disk

Fax(es) Quantity

Fax(es) Make

Fax(es) Model

Fax(es) Remarks:

Photocopier(s)

with internal hard-disk without internal hard-disk

Photocopier(s)Quantity

Photocopier(s)Make

Photocopier(s)Model

Photocopier(s)Remarks:

Tape Backup Appliance(s)

Yes

Tape Backup Appliance(s) Quantity

Tape Backup Appliance(s) Make

Tape Backup Appliance(s) Model

Tape Backup Appliance(s) Remarks:

Router(s)/Switch(es)

Yes

Router(s)/Switch(es) Quantity

Router(s)/Switch(es) Make

Router(s)/Switch(es) Model

Router(s)/Switch(es) Remarks:

Router

with wireless capability without wireless capability

Router Quantity

Router Make

Router Model

Router Remarks:

Firewall Appliance

Yes

Firewall Appliance Quantity

Firewall Appliance Make

Firewall Appliance Model

Firewall Appliance Remarks:

Wireless Transceiver(s)

Yes

Wireless Transceiver(s) Quantity

Wireless Transceiver(s) Make

Wireless Transceiver(s) Model

Wireless Transceiver(s) Remarks:

Cable Modem to connect with the ISP

Yes

Cable Modem to connect with the ISP Quantity

Cable Modem to connect with the ISP Make

Cable Modem to connect with the ISP Model

Cable Modem to connect with the ISP Remarks:

VoIP – Management phone system

Yes

VoIP – Management phone system Quantity

VoIP – Management phone system Make

VoIP – Management phone system Model

VoIP – Management phone system Remarks:

VoIP – Management phone system Other (Specify):

Other Quantity

Other Make

Other Model

Other Remarks:

Additional Comments:
LIST OF IT EQUIPMENT Additional Comments:

INFORMATION TECHNOLOGY SECURITY in support of this contract

1. Is there an IT Security Policy in place?

Yes No

Last Updated (YYYY-MM-DD):

1. Is there an IT Security Policy in place? Remarks:

2. Do you utilize a Firewall solution?

Yes No

2. Do you utilize a Firewall solution? Remarks:

>Type

Hardware Software

Hardware/Software Remarks:

Hardware/Software (Please provide details – name and version)

INFORMATION TECHNOLOGY SECURITY Hardware/Software Remarks:

3. Is the Firewall configuration documented?

Yes No

3. Is the Firewall configuration documented? Last Updated (YYYY-MM-DD):

3. Is the Firewall configuration documented? Remarks:

4. Who is responsible for the configuration of the Firewall?

4. Who is responsible for the configuration of the Firewall? Remarks:

5. Are the Firewall Security Logs maintained and reviewed periodically?

Are the Firewall Security Logs maintained and reviewed periodically? Yes Are the Firewall Security Logs maintained and reviewed periodically? No

5. Are the Firewall Security Logs maintained and reviewed periodically? Remarks:

6. What is the Operating Systems (OS) and Service Pack (SP) on the IS?

Servers:

Servers: OS

Servers: SP

Workstations:

Workstations: OS

Workstations: SP

Laptops:

Laptops: OS

Laptops: SP

Laptops: Remarks:

7. How are the OS Updates and Security Patches applied?

7. How are the OS Updates and Security Patches applied? Servers:

Servers:

Manually
Central Server
Auto-update

Servers: Other (Specify):

7. How are the OS Updates and Security Patches applied? Workstations:

Workstations:

Manually
Central Server
Auto-update

Workstations: Other (Specify):

7. How are the OS Updates and Security Patches applied? Laptops:

Laptops:

Manually
Central Server
Auto-update

Laptops: Other (Specify):

7. How are the OS Updates and Security Patches applied? Laptops: Remarks:

8. Are administrative accounts used solely for the administration of the IS?

8. Are administrative accounts used solely for the administration of the IS? Servers:

Servers:

Yes No

8. Are administrative accounts used solely for the administration of the IS? Workstations:

Workstations:

Yes No

8. Are administrative accounts used solely for the administration of the IS? Laptops:

Laptops:

Yes No

8. Are administrative accounts used solely for the administration of the IS? Laptops:Remarks:

9. Do you use Active Directory to create User Accounts?

9. Do you use Active Directory to create User Accounts? Servers:

Servers:

Yes No

9. Do you use Active Directory to create User Accounts? Workstations:

Workstations:

Yes No

9. Do you use Active Directory to create User Accounts? Laptops:

Laptops:

Yes No

9. Do you use Active Directory to create User Accounts? Remarks:

10. Are unique username accounts and unique passwords required to access the IS?

10. Are unique username accounts and unique passwords required to access the IS? Servers:

Servers:

Yes No

10. Are unique username accounts and unique passwords required to access the IS? Workstations:

Workstations:

Yes No

10. Are unique username accounts and unique passwords required to access the IS? Laptops:

Laptops:

Yes No

10. Are unique username accounts and unique passwords required to access the IS? Remarks:

11. Provide details on password policies. (e.g. length, difficulty, life, lock-out policy, etc.)

Provide details on password policies. Servers:

Provide details on password policies. Workstations:

Provide details on password policies. Laptops:

Provide details on password policies. Remarks:

12. Are users forced to change the temporary password at first login?

12. Are users forced to change the temporary password at first login? Servers:

Servers:

Yes No

12. Are users forced to change the temporary password at first login? Workstations:

Workstations:

Yes No

12. Are users forced to change the temporary password at first login? Laptops:

Laptops:

Yes No

12. Are users forced to change the temporary password at first login? Remarks:

13. Does the IS permit users the capability to save passwords at login?

13. Does the IS permit users the capability to save passwords at login? Servers:

Servers:

Yes No

13. Does the IS permit users the capability to save passwords at login? Workstations:

Workstations:

Yes No

13. Does the IS permit users the capability to save passwords at login? Laptops:

Laptops:

Yes No

13. Does the IS permit users the capability to save passwords at login? Remarks:

14. Are IS Security Logs maintained and reviewed periodically? (e.g. event viewer)

14. Are IS Security Logs maintained and reviewed periodically? Servers:

Servers:

Yes No

14. Are IS Security Logs maintained and reviewed periodically? Workstations:

Workstations:

Yes No

14. Are IS Security Logs maintained and reviewed periodically? Laptops:

Laptops:

Yes No

14. Are IS Security Logs maintained and reviewed periodically? Remarks:

15. Is antivirus software used?

Servers:

Yes No

15. Is antivirus software used? Workstations:

Workstations:

Yes No

15. Is antivirus software used? Laptops:

Laptops:

Yes No

15. Is antivirus software used? Remarks:

16. Provide antivirus product details.

Servers:

Servers: Product Name:

Servers: Version:

Servers: Last Updated Date (YYYY-MM-DD):

Workstations:

Workstations: Product Name:

Workstations: Version:

Workstations: Last Updated Date (YYYY-MM-DD):

Laptops:

Laptops: Product Name:

Laptops: Version:

Laptops: Last Updated Date (YYYY-MM-DD):

16. Provide antivirus product details. Laptops: Remarks:

17. What is the frequency of the virus protection software updates?

Daily Weekly Monthly
17. What is the frequency of the virus protection software updates? Other (Specify):

17. What is the frequency of the virus protection software updates? Remarks:

18. How are the antivirus updates applied?

18. How are the antivirus updates applied? Servers:

Servers:

Manually
Central Server
Auto-update

18. How are the antivirus updates applied? Servers: Other (Specify):

18. How are the antivirus updates applied? Workstations:

Workstations:

Manually
Central Server
Auto-update

18. How are the antivirus updates applied? Workstations: Servers: Other (Specify):

18. How are the antivirus updates applied? Laptops:

Laptops:

Manually
Central Server
Auto-update

18. How are the antivirus updates applied? Laptops: Other (Specify):

18. How are the antivirus updates applied? Remarks:

19. Is there any Protected/Classified information saved locally on the IS?

19. Is there any Protected/Classified information saved locally on the IS? Servers:

Servers:

Yes No

19. Is there any Protected/Classified information saved locally on the IS? Workstations:

Workstations:

Yes No

19. Is there any Protected/Classified information saved locally on the IS? Laptops:

Laptops:

Yes No

19. Is there any Protected/Classified information saved locally on the IS? Elsewhere:

Elsewhere:

Yes No

Elsewhere: (If yes, specify):

19. Is there any Protected/Classified information saved locally on the IS? Remarks:

20. Is the Protected/Classified information for this contract segregated from corporate information?

20. Is the Protected/Classified information for this contract segregated from corporate information? Servers:

Servers:

Yes No

20. Is the Protected/Classified information for this contract segregated from corporate information? Workstations:

Workstations:

Yes No

20. Is the Protected/Classified information for this contract segregated from corporate information? Laptops:

Laptops:

Yes No

20. Is the Protected/Classified information for this contract segregated from corporate information? Remarks:

21. How is the Protected/Classified information for this contract segregated from corporate information?

21. How is the Protected/Classified information for this contract segregated from corporate information? Remarks:

22. Do you have any other current Government contracts at this site with an IT component requirement?

Yes No

22. Do you have any other current Government contracts at this site with an IT component requirement? Remarks:

23. How is the information segregated from other contracts information?

23. How is the information segregated from other contracts information? Remarks:

24. Do you have encryption capability?

24. Do you have encryption capability? Servers:

Servers:

Yes No

24. Do you have encryption capability? Workstations:

Workstations:

Yes No

24. Do you have encryption capability? Laptops:

Laptops:

Yes No

24. Do you have encryption capability? Remarks:

25. Who provides the encryption product?

Government Corporate

25. Who provides the encryption product? Remarks:

26. If encryption is utilized, how is it utilized?

26. If encryption is utilized, how is it utilized? Remarks:

27. Provide encryption product name and version.

Servers:

27. Provide encryption product name and version. Servers: Name:

27. Provide encryption product name and version. Servers: Version:

27. Provide encryption product name and version. Servers: Assurance Level:

27. Provide encryption product name and version. Servers: AES:

Workstation:

27. Provide encryption product name and version. Workstation: Name:

27. Provide encryption product name and version. Workstation: Version:

27. Provide encryption product name and version. Workstation: Assurance Level:

27. Provide encryption product name and version. Workstation: AES:

Laptops:

27. Provide encryption product name and version. Laptops: Name:

27. Provide encryption product name and version. Laptops: Version:

27. Provide encryption product name and version. Laptops: Assurance Level:

27. Provide encryption product name and version. Laptops: AES:

27. Provide encryption product name and version. Laptops: Remarks:

Additional Comments:
27. Provide encryption product name and version. Laptops: Additional Comments:

SECURITY VIOLATIONS, BREACHES AND COMPROMISES

1. Do you have a process to report security breaches or incidents?

Yes No

1. Do you have a process to report security breaches or incidents? (If yes, please provide details)

Remarks:
ISM 512

2. Do you apply sanctions to IT Sec incidents when in the opinion of Senior Management there has been misconduct or negligence?

Yes No

2. Do you apply sanctions to IT Sec incidents when in the opinion of Senior Management there has been misconduct or negligence? (If yes, please provide details )

2. Do you apply sanctions to IT Sec incidents when in the opinion of Senior Management there has been misconduct or negligence? Remarks:

Additional Comments:
2. Do you apply sanctions to IT Sec incidents when in the opinion of Senior Management there has been misconduct or negligence? Additional Comments:

RECOVERY in support of this contract

1. Do you backup the information for the Protected/Classified information in support of this contract?

Yes No

1. Do you backup the information for the Protected/Classified information in support of this contract? Remarks:

2. Do you have a documented backup procedure plan for the Protected/Classified information in support of this contract?

Yes No

2. Do you have a documented backup procedure plan for the Protected/Classified information in support of this contract? Remarks:

3. Provide a brief description of the backup process.

3. Provide a brief description of the backup process. Remarks:

4. What is the frequency of the backups? (Check all applicable)

4. What is the frequency of the backups? Daily

Daily

Incremental Full

4. What is the frequency of the backups? Daily Remarks:

4. What is the frequency of the backups? Weekly

Weekly

Incremental Full

4. What is the frequency of the backups? Weekly Remarks:

4. What is the frequency of the backups? Monthly

Monthly

Incremental Full

4. What is the frequency of the backups? Monthly Remarks:

4. What is the frequency of the backups? Other:

4. What is the frequency of the backups? Other: Remarks:

5. Are backups stored off-site?

Yes No

RECOVERY 5. Are backups stored off-site? Remarks:

5. Are backups stored off-site? (If yes, please provide location and address)

5. Are backups stored off-site? Remarks:

6. Do you have a Documented Disaster Recovery Plan in place?

Yes No

RECOVERY 6. Do you have a Documented Disaster Recovery Plan in place? Remarks:

6. Do you have a Documented Disaster Recovery Plan in place? (If yes, when was it last tested?)

6. Do you have a Documented Disaster Recovery Plan in place? Remarks:

Additional Comments:
RECOVERY Additional Comments:

DESTRUCTION/DISPOSAL – CSEC – ITSG-06 Refers.

1. Upon completion of contract, do you retain any electronic information?

Yes No

1. Upon completion of contract, do you retain any electronic information? Remarks:

1. Upon completion of contract, do you retain any electronic information? (If yes, explain how)

1. Upon completion of contract, do you retain any electronic information? (If yes, provide retention period)

2. Upon completion of contract, are all IT equipment and media sanitized?

Yes No

2. Upon completion of contract, are all IT equipment and media sanitized? Remarks:

3. Provide "sanitization" method to ensure that all Protected/Classified information is completely removed from the IS.

3. Provide "sanitization" method to ensure that all Protected/Classified information is completely removed from the IS. Remarks:

4. Provide "sanitization" product name and version. (e.g. triple-overwrite software)

4. Provide "sanitization" product name and version. (e.g. triple-overwrite software) Name:

4. Provide "sanitization" product name and version. (e.g. triple-overwrite software) Version:

4. Provide "sanitization" product name and version. (e.g. triple-overwrite software) Remarks:

5.What happens to unserviceable data storage devices (IT Media) if there is an equipment malfunction and they must be replaced before the end of the contract?

5.What happens to unserviceable data storage devices (IT Media) if there is an equipment malfunction and they must be replaced before the end of the contract? Remarks:

6. What happens to all data storage devices (IT Media, including internal hard drives) at the end of the contract?

6. What happens to all data storage devices (IT Media, including internal hard drives) at the end of the contract? Remarks:

7. Do you maintain a record of destruction/disposal?

Yes No

7. Do you maintain a record of destruction/disposal? (If yes, explain)

7. Do you maintain a record of destruction/disposal? Remarks:

Additional Comments:
7. Do you maintain a record of destruction/disposal? Additional Comments:

This completed check list is NOT to be sent by return email unless it has been encrypted. Please contact the IT Sec Inspector for instructions and to confirm transmittal method.

Annex A – List of References

REFERENCES

Long Title and Internet Link

TBS – PGS

Policy on Government Security (Formerly GSP)
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578&section=text

TBS – MITS

Operational Security Standard: Management of Information Technology Security
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12328&section=text

TBS – OSSPS

Operational Security Standard on Physical Security
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12329

TBS – SCMS

Security and Contracting Management Standard
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12332

PWGSC/ISP – ISM

Industrial Security Manual
http://ssi-iss.tpsgc-pwgsc.gc.ca/msi-ism/msi-ism-eng.html

CSEC – Industry Program

Advice and Guidance on Commercial Products
http://www.cse-cst.gc.ca/its-sti/services/index-eng.html

CSEC – CITP

Canadian Industrial TEMPEST Program
http://www.cse-cst.gc.ca/its-sti/services/industry-prog-industrie/citp-ptic-eng.html

CSEC – CSG

COTS Security Guidance
http://www.cse-cst.gc.ca/its-sti/services/csg-cspc/index-eng.html

CSEC – ITSA

Information Technology Security Advisory
http://www.cse-cst.gc.ca/its-sti/publications/itsa-asti/index-eng.html

CSEC – ITSB

Information Technology Security Bulletin
http://www.cse-cst.gc.ca/its-sti/publications/itsb-bsti/index-eng.html

CSEC – ITSD

Information Technology Security Directive
http://www.cse-cst.gc.ca/its-sti/publications/itsd-dsti/index-eng.html

CSEC – ITSG

Information Technology Security Guidance
http://www.cse-cst.gc.ca/its-sti/publications/itsg-csti/index-eng.html

CSEC – ITSPSR

IT Security Product System Report
http://www.cse-cst.gc.ca/its-sti/publications/itspsr-rpssti/index-eng.html

CSEC – HTRA

Harmonized TRA Methodology
http://www.cse-cst.gc.ca/its-sti/publications/tra-emr/index-eng.html

CSEC – CCCS

Canadian Common Criteria Scheme
http://www.cse-cst.gc.ca/its-sti/services/cc/index-eng.html

Common Criteria

Common Criteria
http://www.commoncriteriaportal.org/index.html
Certified Products
http://www.commoncriteriaportal.org/products.html

Annex B – List of References available ONLY upon request to your IT Sec Inspector in support of classified contracts.

REFERENCES

Location

CSEC – ITSG-11

Information Technology Security Guidance 11 – COMSEC Installation Planning – TEMPEST Guidance and Criteria

CSEC – ITSG-12

Information Technology Security Guidance 12 – Government of Canada Facility Evaluation Procedures

Annex C – List of Abbreviations and Definitions

ABBREVIATIONS

Long Titles and/or Definitions

ACL

Access Control List

ACSO

Alternate Company Security Officer

AES

Advanced Encryption Standard

C&A

Certification and Accreditation (See below)

CCSO

Corporate Company Security Officer

COTS

Commercial, off-the-shelf

CSEC

Communication Security Establishment Canada

CSO

Company Security Officer

DSC

Document Safeguarding Capability

FTP

File Transfer Protocol

HTTPS

Hypertext Transfer Protocol Secure

Information System

ISM

Industrial Security Manual

ISP

Industrial Security Program

Information Technology

IT Sec

Information Technology Security

LAN

Local Area Network

MAN

Metropolitan Area Network

Operating Systems

SAN

Storage Area Network

Service Pack

SRCL

Security Requirement Check List

SSL

Secure Sockets Layer

TEMPEST

Transient Electro Magnetic Pulse Emanation Surveillance Technology

TRA

Threat Risk Assessment

USB

Universal Serial Bus

VLAN

Virtual Local Area Network

VoIP

Voice over Internet Protocol

VPN

Virtual Private Network

WAN

Wide Area Network

WLAN

Wireless Local Area Network

DEFINITIONS

Certification and Accreditation (C&A)

C&A is the process of comprehensively evaluating technical and non-technical features of an information system [in its environment] so that it can be determined whether or not the system is ready to operate at an acceptable level of [residual] risk based on the implementation of an approved set of technical, managerial, and procedural safeguards.

Stand-alone device

Refers to any computer device that includes the following, but is not limited to: workstation, laptop, tablet PC or any other device that does not connect to any network; either through a wired, wireless or remote access connection.