Security Checklist
Summary Checklist for Common Issues

Checklist
This checklist summarizes common issues that financial institutions can address to target areas of probable risk.
It is meant as a summary of common issues rather than a complete security guide.
Limit Threats Against External Gateways
- Disable Unneeded Modems
- Filter Outbound Traffic
- Validate Firewall Rules
Don't Invite the Enemy In
- Use Anti Virus On All Computers
- Use Patch Management Process (either automated software or manual/consistent process)
- Implement Web Content Filtering
- Limit User Rights
  - Don't allow normal users to run as Administrator
  - Limit users' installation rights/capabilities
Control Remote Access
- Ensure that VPN Uses Complex Passwords / Consider Multi-Factor Authentication
- Log all Remote Access
- Address Remote Access in Security Policy (i.e. home/hotel users)
- Terminate VPN Connections in DMZ
Utilize DMZ
- Host Email/Web Server in DMZ
- Filter Traffic from DMZ to LAN
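The gateway items above (filter outbound traffic, validate firewall rules) and the DMZ items (filter traffic from the DMZ to the LAN) are easy to state and easy to let drift. The following script is an added example, not part of the original checklist: it audits a constructed, vendor-neutral rule list (each rule is a dict with action, src, dst, proto, dport; the zone names "internet", "dmz" and "lan" and the rule format are assumptions for illustration) and flags the conditions a reviewer would look for: inbound rules that bypass the DMZ, DMZ-to-LAN rules open on any port, unrestricted LAN egress, duplicate rules, and a ruleset that does not end in an explicit deny.

```python
"""Audit a simplified zone-based firewall ruleset against the checklist items:
filter outbound traffic, validate firewall rules, filter DMZ-to-LAN traffic.

Rule format (constructed for this example, not any vendor's syntax):
    {"id": int, "action": "allow"|"deny", "src": zone, "dst": zone,
     "proto": "tcp"|"udp"|"any", "dport": port-string|"any"}
Zones "internet", "dmz", "lan" and "any" are assumed names.
"""

ANY = "any"

# Constructed sample ruleset for illustration only; the comments mark the
# defects the audit is expected to catch.
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "internet", "dst": "dmz", "proto": "tcp", "dport": "443"},
    {"id": 2, "action": "allow", "src": "internet", "dst": "dmz", "proto": "tcp", "dport": "25"},
    {"id": 3, "action": "allow", "src": "dmz", "dst": "lan", "proto": ANY, "dport": ANY},        # DMZ -> LAN wide open
    {"id": 4, "action": "allow", "src": "lan", "dst": "internet", "proto": ANY, "dport": ANY},   # no egress filtering
    {"id": 5, "action": "allow", "src": "internet", "dst": "lan", "proto": "tcp", "dport": "3389"},  # bypasses the DMZ
    {"id": 6, "action": "allow", "src": "internet", "dst": "dmz", "proto": "tcp", "dport": "443"},   # duplicate of rule 1
    # no trailing "deny any any"
]

# A ruleset that satisfies every check, used to show the audit returns nothing.
CLEAN_RULES = [
    {"id": 1, "action": "allow", "src": "internet", "dst": "dmz", "proto": "tcp", "dport": "443"},
    {"id": 2, "action": "allow", "src": "dmz", "dst": "lan", "proto": "tcp", "dport": "1433"},
    {"id": 3, "action": "allow", "src": "lan", "dst": "internet", "proto": "tcp", "dport": "443"},
    {"id": 4, "action": "deny", "src": ANY, "dst": ANY, "proto": ANY, "dport": ANY},
]


def audit_rules(rules):
    """Return a list of (rule_id, message) findings; rule_id is None for
    ruleset-wide findings. An empty list means no issue was detected."""
    findings = []
    seen = set()
    for r in rules:
        key = (r["action"], r["src"], r["dst"], r["proto"], r["dport"])
        if key in seen:
            findings.append((r["id"], "duplicate of an earlier rule; remove or consolidate"))
        seen.add(key)
        if r["action"] != "allow":
            continue
        if r["src"] == "internet" and r["dst"] == "lan":
            findings.append((r["id"], "inbound from internet directly to LAN; terminate in the DMZ instead"))
        if r["src"] == "dmz" and r["dst"] == "lan" and (r["proto"] == ANY or r["dport"] == ANY):
            findings.append((r["id"], "DMZ to LAN allowed on any port; restrict to the specific services needed"))
        if r["src"] == "lan" and r["dst"] == "internet" and r["dport"] == ANY:
            findings.append((r["id"], "unrestricted outbound from LAN; filter egress to required ports or a proxy"))
    last = rules[-1] if rules else None
    if last is None or not (last["action"] == "deny" and last["src"] == ANY and last["dst"] == ANY):
        findings.append((None, "ruleset does not end with an explicit deny any/any"))
    return findings


if __name__ == "__main__":
    for rule_id, msg in audit_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: {msg}")
```

Run it against an export of the real ruleset translated into this shape; a clean run is the evidence to attach to the periodic firewall review, and any finding is an item for the peer-review process below.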
Don't Let Confidential Information Go Out the Front Door
- Educate Users on Confidential Information and Email
- Laptops:
  - Encrypt Hard Drives
  - Don't Cache VPN Authentication Credentials
  - Limit Storage of Confidential Data as Practical
  - Periodically Review Laptops to Verify Configuration
- Encrypt Backups Stored Offsite
- Implement Plan for Hardware Disposal
  - Computer Hard Drives
  - Tapes, CD-ROMs, etc.
Implement Employee Peer Review Process
- Firewall changes
- Server deployment, patching
- Verify Vendors are Providing Services According to Contract
  - Outsourced servers: Verify hardening/patching/critical updates
    - Many are insecure
  - Document shredding companies: Ensure proper document handling
  - Outsourced IT vendors
Limit Trust Relationships With Partners
- Terminate Partner Link into Separate DMZ
Business Continuity Consideration
- Test the Business Continuity Plan
- Make Sure Dates are Current and there are no Tags
- Address Critical Infrastructure, for example:
  - Fedline & Core Banking Application
  - Telephone Systems, Communications Links
  - File Server Data
  - Loan Documents / Information
  - Critical Hardware and Software (replacement file server, etc.)
  - Physical Operations Location
