ISO 17799

HIPAA Password Security Policy Templates

Download free HIPAA, PCI DSS and ISO 27001 password security policy templates. These templates cover basic security policy requirements such as:
- To keep passwords confidential, which includes in no circumstances giving them to a third party, whatever the ostensible reason.

- To avoid keeping any paper or electronic record of passwords (unless this can be securely stored – which means encryption and strong, two-factor access control protection).

Program Change Program Development Audit Program

1. Systems Maintenance
Objective: Determine that all maintenance activity is performed and documented according to installation standards and procedures by reviewing documentation related to systems maintenance.

Audit steps
a. Determine whether standards have been established for the documentation of systems maintenance
b. Evaluate existing standards to determine whether they are comprehensive enough and cover issues such as compliance with International Standards Organization (ISO) 17799
c. Review a sample of existing documentation to determine whether it complies with installation standards
d. Ascertain whether systems maintenance documentation is maintained in a secure environment and protected against tampering

IT Security Masterplan Checklist

To build a good IT Security Masterplan that is easy to get accepted, we should cover every IT area. Here is a simple checklist for building a sound IT Security Masterplan:

IT Policies

• Education and awareness programs.
• Badge wearing.
• Clean desk policy.
• Visitor and contractor controls.
• Employee involvement and responsibilities.
• When and how to have armed off-duty police officers onsite.

IT Investigations

• Use of hidden cameras along with determining who should be involved in the decision to use them.
• Use of a polygraph for interrogations.
• Whether or not to prosecute employees or others when a crime has been committed (even a minor crime).

Technology

• What technologies might be utilized in the future and when, where, and why

Information Request Checklist for IT Security Master Plan


General background information on the company
An organizational chart for the management of the facility
A copy of the post orders
A copy of the site security manual
Blueprints of the facilities to be reviewed
Copies of any security-related procedures or practices, including information protection
Copies of incident reports for the past two years
Copies of any incident summary or analysis data
Copies of any crime statistic data on hand
A copy of the contract guard contract, if applicable
A copy of any other security-related contracts, such as confidential destruction

Source: Timothy D Giles, IT Security Master Plan

ISO 27001 Network Device Audit Checklists

ISO 27001 is an Information System Security Management Standard (ISMS) that can guide you when auditing network devices such as routers, firewalls or switches. This checklist focuses on the following areas:

Audit Coverage
Policy and Procedures
Services: Password Encryption, Authentication Settings
Security: Filtering, Route Protocols, Configuration Maintenance
Operation: Redundancy, Log Monitoring and Incident Handling

Any suggestions or tips for this checklist template? Feel free to ask and leave comments.
