Educause Security Discussion
mailing list archives
Re: checklists/auditing within the IT department
From: Kathy Bergsma <kbergsma () UFL EDU>
Date: Fri, 12 Dec 2008 08:59:42 -0500
The Educause Risk Management Framework was recently overhauled. A list of
potential questions is included.
Brad Judy wrote:
When I was working on a questionnaire for IT risk assessment, I created
one based largely on NIST 800 series docs (800-26 and 800-53). I
recommend looking at the NIST 800 series special publications -
It looks like they pulled the self assessment questionnaire document I
referenced from their website, which is unfortunate because I found it
to be a good starting point (I have a copy if you'd like one). I liked
the approach of asking not only if something was being done, but also if
it was documented and if someone was verifying that it was being done.
These aspects are often weaknesses, particularly in an IT shop that is
stretched thin on human resources. In the end, we changed a lot of the
questions and cut down the length quite a bit, so the end product is a
Naturally, there's CERT OCTAVE stuff too, but it's a LOT to sift through
if you're just looking for a simple questionnaire.
U Virginia has a good website on their IT risk management process that
includes their questionnaires:
I'll keep Rodney happy and plug the Educause Security Risk Assessment
and Analysis section too :-)
----- Original Message -----
From: "Youngquist, Jason R." <jryoungquist () CCIS EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Wednesday, December 10, 2008 3:41 PM
Subject: [SECURITY] checklists/auditing within the IT department
I'm looking for any recommendations on books or documents for
auditing/best practices within one's IT department.
Our department is broken up into 5 sections:
Data Services - support the student information system - by programming
and system support
Web Services - program web applications & work on databases
Network Services - physical security, networking gear (routers,
firewalls, switches, etc.) servers (Windows, Linux, and a number of
different applications), and VOIP services
End User Support - purchase, deploy, and fix desktop computer-related
Helpdesk/Computer Lab - provide support to customers and student
I'm looking for a number of questions/checklists/best practices to ask
individuals in each section of the department. The goal is to come up
with a list of questions/checklists so each week I'll talk to an
individual from each section of the department and ask them a few
questions (from a long list of questions from their particular area) in
order to make sure things are working properly, security is being followed,
and determine if there are any issues that need to be addressed.
Here are some example questions:
Generator XYZ - does a self-check happen? If so, when? Has the
self-check been successful?
Servers - Which servers are being backed up? Are there new servers
which haven't been added to the tape backup schedule yet?
Servers - When was the last time a file restore was done? Was it
Inventory - When was the last time a computer inventory was done? Where
is it located?
VOIP - What steps are being taken to reduce/eliminate toll fraud,
eavesdropping, caller-id spoofing, denial of service, etc.?
Web - Is there an inventory of web applications? If so, where is it
Web - Is there a document of coding best practices? If so, where is it
I've been doing some googling and brainstorming, but appreciate any
Information Technology Security Engineer
1001 Rogers Street, Columbia, MO 65216
jryoungquist () ccis edu
UF Information Security Manager