In-Depth
Back to Basics Quiz
Are you the master of your Windows domain?
You may be a genius with AD, a master crafter of applications and a conqueror of collaboration. In all the excitement, though, you may be forgetting something. With so many products, technologies and outright threats to wrestle with, it can be easy even for seasoned IT pros to forget the fundamentals.

So put down the plan for that big Web 2.0 project for a minute, and take a moment to make sure you've covered all your IT bases with this quick quiz.
Backup and Recovery
Do you perform regular data backups?
- Yes [5 points]
- No [0 points]
Does your backup strategy involve off-site tape rotation for disaster recovery purposes?
- Yes [5 points]
- No [0 points]
If Yes, is the off-site location far enough away that it won't be hit by a region-wide disaster?
- Yes [5 points]
- No [0 points]
Do you incorporate special, additionally scheduled backups for archival purposes?
- Yes [5 points]
- No [0 points]
Do you perform periodic restores to verify backup data? If so, how often?
- Never [0 points]
- Monthly [5 points]
- Quarterly [4 points]
- Bi-annually [3 points]
- Annually [1 point]
Do you have an information lifecycle management (ILM) strategy that includes off-site backup for disaster recovery?
- Yes [5 points]
- No [0 points]
Does your backup strategy extend to remote offices?
- Yes [5 points]
- No [0 points]
Password Policy
Do you require complex passwords with a mix of numbers and symbols?
- Yes [5 points]
- No [0 points]
If not, do you require passphrases of greater than 15 characters that include spaces?
- Yes [5 points]
- No [0 points]
Do you specify a minimum number of characters for passwords? If so, how many?
- No minimum [0 points]
- 4-6 [2 points]
- 7-13 [3 points]
- 14 or more [5 points]
Do you require end users to change their passwords?
- Never [0 points]
- Every month [5 points]
- Every two months [4 points]
- Once a year [2 points]
If so, does this password change policy also apply to Unix users?
- Yes [5 points]
- No [0 points]
Have you presented user training on information security, social engineering, and the importance of strong passwords and protection of data?
- Yes [5 points]
- No [0 points]
Have you hired a professional security company to perform a security assessment involving penetration testing?
- Yes [5 points]
- No [0 points]
If Yes, have you incorporated the suggestions of that testing into your operations?
- Yes [5 points]
- No [0 points]
Do you incorporate policies that enforce screen saver locks when users walk away from their machines?
- Yes [5 points]
- No [0 points]
Malware Management
What rights level do most of your end users operate at?
- Administrator [0 points]
- Power User [3 points]
- Limited Rights [5 points]
Have you implemented a plan to adopt least-privileged user rights?
- Yes [5 points]
- No [0 points]
Have you deployed anti-virus software across the enterprise? What platforms have you deployed to?
- Not deployed [0 points]
- Clients only [2 points]
- Clients and servers [3 points]
- Clients, servers, and gateways [5 points]
How often are virus signatures updated?
- Hourly [5 points]
- Daily [4 points]
- 2-3 times per week [3 points]
- Weekly [2 points]
- Monthly [1 point]
- Not updated regularly [0 points]
Have you deployed anti-spyware software?
- Yes [5 points]
- No [0 points]
Do you have a proven ability to remove spyware if machines are infected?
- Yes [5 points]
- No [0 points]
Do anti-virus and anti-spyware protection extend to company laptops not regularly attached to the network?
- Yes [5 points]
- No [0 points]
Do you employ a spam filter?
- Yes [5 points]
- No [0 points]
Have you secured both your externally facing and internal SMTP servers against unauthenticated relay?
- Yes [5 points]
- No [0 points]
Are users trained in how to minimize spam (for example, by not replying to it)?
- Yes [5 points]
- No [0 points]
Is your company in compliance with the CAN-SPAM Act?
- Yes [5 points]
- No [0 points]
License Management
Are you comfortable that you are in compliance with software licensing?
- Yes [5 points]
- No [0 points]
Have you deployed an asset management system that automatically inventories machines for licensed software?
- Yes [5 points]
- No [0 points]
Do you have proof of ownership of all your software licenses?
- Yes [5 points]
- No [0 points]
Vendor Management
Do you have rules for buying from a startup?
- Yes [5 points]
- No [0 points]
Do you look at the finances of smaller vendors you buy from?
- Yes [5 points]
- No [0 points]
Do you require source code in escrow from financially less secure vendors?
- Yes [5 points]
- No [0 points]
Do you make sure that mission-critical tools are only bought from financially secure vendors?
- Yes [5 points]
- No [0 points]
Does your IT team have a plan either to support a product itself if the vendor goes under or to switch to another tool?
- Yes [5 points]
- No [0 points]
Online Application Management
Do you prohibit or manage public network IM traffic and clients on your network?
- Yes [5 points]
- No [0 points]
Do you monitor and/or filter IM traffic?
- Yes [5 points]
- No [0 points]
Do you have a way of controlling what IM clients are installed on local machines?
- Yes [5 points]
- No [0 points]
Do you prohibit or manage remote access applications like VNC or GoToMyPC on your network?
- Yes [5 points]
- No [0 points]
Do you prohibit or manage peer-to-peer on your network?
- Yes [5 points]
- No [0 points]
Do you have a standard for peer-to-peer?
- Yes [5 points]
- No [0 points]
Do you have a way of controlling what is installed?
- Yes [5 points]
- No [0 points]
Active Directory
Does your backup solution include backups of your Active Directory database?
- Yes [5 points]
- No [0 points]
Do you have a plan in place for an AD restore in case of a lost object, domain controller, domain or forest?
- Yes [5 points]
- No [0 points]
Have you appropriately locked down Domain Administrator rights to as few people as possible?
- Yes [5 points]
- No [0 points]
Do you have a policy to ensure your Schema Admins and Enterprise Admins groups remain empty of users until they require access for a particular purpose (least-privilege policy)?
- Yes [5 points]
- No [0 points]
Management and Monitoring
Do you incorporate automated systems management in your network (like Altiris or SMS) that includes an inventory function?
- Yes [5 points]
- No [0 points]
Do you have a monitoring solution in your network that incorporates pager or phone notification when systems go down or hard drives die?
- Yes [5 points]
- No [0 points]
Is your monitoring system tuned to eliminate or reduce false positives and false negatives?
- Yes [5 points]
- No [0 points]
Do you have a policy in place so that system administrators know what to do when they receive a page?
- Yes [5 points]
- No [0 points]
Do you have an out-of-band notification system for your employees to notify them of issues when the e-mail system is down?
- Yes [5 points]
- No [0 points]
General Security
When was the last time you performed a risk/security assessment?
- Less than one year ago [5 points]
- One to two years ago [3 points]
- Two to four years ago [2 points]
- More than four years ago [1 point]
- Never [0 points]
Do you have a security policy? Is it documented and are end users aware of points relevant to them such as acceptable use?
- Yes [5 points]
- No [0 points]
Do you have a patch management policy?
- Yes [5 points]
- No [0 points]
Does your patch management policy include provisions for laptops not necessarily attached to your network or users' home machines attached to work via VPN?
- Yes [5 points]
- No [0 points]
Are your wireless networks protected with strong encryption?
- Yes [5 points]
- No [0 points]
- Do not use wireless networks [5 points]
Do you get Microsoft Security Bulletins as soon as they appear?
- Yes [5 points]
- No [0 points]
Does your patch management policy include service level agreements including metrics for time-to-patch and compliance percentage?
- Yes [5 points]
- No [0 points]
Do you have a short-cut path for highly critical patches in your process?
- Yes [5 points]
- No [0 points]
Do you have IDS/IPS to augment your firewalls?
- Yes [5 points]
- No [0 points]
Do you have an action plan in place to handle extended emergencies?
- Yes [5 points]
- No [0 points]
How Good Are You?
Add up your score and see where you fall:
- 305 to 241 points: Domain Controller. You've mastered your domain and you're ready to take on new challenges. Do you have your eye on the CIO's office?
- 240 to 181 points: Human Firewall. Your network is in good hands. Security is solid and operations are efficient, but there's always room for some fine-tuning.
- 180 to 121 points: Tech Plugger. You've made a fair showing, but your techniques and tactics need improvement.
- 120 to 61 points: Security Slacker. You had better pick it up or you're going to get picked off. Your network is low-hanging fruit for hackers.
- 60 to 0 points: IT Idiot. You need to find another line of work -- please.