San Diego State University - Leadership Starts Here

Information Technology Security Office (ITSO)


Self Assessment

Desktop/Laptop/Mobile Device Security
Associated checklist documents
1 The Information Classification Standard has been implemented. DT1
2 Written process and a 10% sampling of systems verifying that: DT2
* Patch management clients are configured and functioning properly.
* Anti-virus/spyware clients are configured and functioning properly.
3 Written process for daily review of infections detected within the last 24-hour workday. DT3
4 Documented standard builds are used to install desktop software. DT4
5 Written process for authorizing and distributing software. DT5
6 Written process for configuring laptops with full disk encryption. DT6
7 Written process for encrypting protected information. DT7
Server Security
Associated checklist documents
1 Servers utilize RAID, redundant power supplies, and UPS. SS1
2 Written process for each server anti-virus update and review. SS2
3 Written process for each server anti-spyware update and review. SS3
4 Written process for each server logging and review. SS4
5 Written process for each server build, including vulnerability reviews. SS5
Configuration Management
Associated checklist documents
1 Written process to identify/manage controlled documentation. CM1
2 Written process to identify/manage controlled systems. CM2
Account Management
Associated checklist documents
1 Written process to create, reassign, disable or delete accounts, especially DBA/root/administrator accounts. AM1
2 Written process ensuring workstations lock after 15 minutes of inactivity or when unattended. AM2
3 Written process for password expiration every 90 days or each semester. AM3
4 Written process for configuring account password strength, resets, initial account passwords, and reuse, and emphasizing that passwords are not to be shared. AM4
5 Documented process for IT Management review of accounts every quarter or semester. AM5
Information Security
Associated checklist documents
1 Written process for desktop, laptop, server, and network device security patch management and reporting. IS1
2 Written process for storing, distributing, and encrypting protected information (verify not emailed, stored on mobile devices, or physically unattended). IS2
3 Written process for daily backups executed and verified with a scheduled restoration. IS3
4 Part of backup process includes a schedule to rotate and replace backup media. IS4
5 Written process to erase and properly document surplus equipment. IS5
6 Written process for records retention (http://www.calstate.edu/recordsretention). IS6
7 Written process for securing, logging, and tracking controlled media. IS7
8 Written process for tracking, storage, and authorizing protected information, including search for SSN data. IS8
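The IS8 item above calls for a search for SSN data in stored files. As an added example, not part of the SDSU checklist or its referenced documents, the Python script below scans text for nine-digit numbers shaped like SSNs and filters them with the SSA's public allocation rules (area numbers 000, 666 and 900-999, group 00 and serial 0000 are never issued). SSNs carry no checksum, so every hit is still only a candidate that a person must confirm against the system's records. The roster it scans is a constructed sample, and the file-reading helper and the high/low confidence labelling are this example's own conventions, not anything the checklist specifies.

```python
"""Scan text for candidate U.S. Social Security numbers.

Added example for the IS8 checklist item; not SDSU's own tooling.
Structural rules: area 000, 666 and 900-999, group 00 and serial 0000
are never issued by the SSA. No checksum exists, so a plausible hit is
still only a candidate.
"""
import re
import sys
from pathlib import Path
from typing import List, NamedTuple

# Either a formatted 3-2-4 number or a bare run of nine digits, not glued
# to other digits or dashes (so a 3-3-4 phone number or a longer numeric
# ID does not yield a partial match).
SSN_RE = re.compile(r"(?<![\d-])(\d{3}-\d{2}-\d{4}|\d{9})(?![\d-])")


class Finding(NamedTuple):
    line: int        # 1-based line number within the scanned text
    masked: str      # only the last four digits are kept in the report
    formatted: bool  # True for 123-45-6789, False for a bare 9-digit run


def is_plausible_ssn(digits: str) -> bool:
    """Reject nine-digit strings the SSA has never issued."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits: a report holding full SSNs would
    itself become a new copy of protected information."""
    return "***-**-" + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SSN_RE.finditer(line):
            token = match.group(0)
            digits = token.replace("-", "")
            if is_plausible_ssn(digits):
                findings.append(Finding(lineno, mask(digits), "-" in token))
    return findings


def scan_file(path: Path) -> List[Finding]:
    # errors="ignore" keeps the scan moving over binary or oddly encoded files
    return scan_text(path.read_text(encoding="utf-8", errors="ignore"))


# Constructed sample input; none of these are real SSNs.
SAMPLE = """\
Student roster export (constructed sample, no real data)
Jane Doe, 123-45-6789, jdoe@example.edu
Bad record 000-12-3456 should be rejected (area 000)
Bad record 666-12-3456 should be rejected (area 666)
Bad record 987-65-4321 should be rejected (area 900-999)
Group 00: 123-00-6789 rejected; serial 0000: 123-45-0000 rejected
Order id 234567890 is nine bare digits: a low-confidence hit
Phone 619-594-5200 has a 3-3-4 shape and is not matched
Card 4111 1111 1111 1111 is not matched either
"""


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        results = [(p, scan_file(Path(p))) for p in argv[1:]]
    else:
        results = [("<sample>", scan_text(SAMPLE))]
    for name, findings in results:
        for f in findings:
            confidence = "high" if f.formatted else "low"
            print(f"{name}:{f.line}: {f.masked} ({confidence} confidence)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to scan the embedded sample, or pass file paths to scan exported spreadsheets, logs or mailbox dumps. Formatted 3-2-4 hits are reported as high confidence; bare nine-digit runs are reported as low confidence because order numbers and account IDs share that shape, and both kinds need a human to confirm whether the file is an authorized location for protected data.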
Application Security
Associated checklist documents
1 Written process for application design, requirements, and implementation authorization. AS1
2 Written process for testing web applications for vulnerabilities. AS2
3 Written process for reviewing code. AS3
Network Security
Associated checklist documents
1 Written request to place systems holding protected Level 1 information behind a firewall. NS1
2 Verification that all systems used for campus business are connected to the wired network. NS2
3 Systems connected via the wired network have wireless networking disabled. NS3
Physical and Environmental Security
Associated checklist documents
1 Verification that server room doors are self-closing, locked, and fail-safe. PS1
2 Verification that server room access is restricted. PS2

Self Assessment Form (also available in Excel)

