Security-At-a-Glance (SAG) Checklist

1.  The consequences of the most severe security breach imaginable, in terms of damage to the corporation or restoration costs, would be LESS than $5M. (5 points)

2.  The application's end of life (EOL) is scheduled to occur within the next 6 months. (5 points)

3.  There are FEWER than 10 users of this application system. (4 points)

4.  The percentage of application system users who are employees is greater than 90%. (3 points)

5.  More than 10% of the application system users have been explicitly told about the sensitivity of the information or the risk presented to the corporation in the event of a security breach. (4 points)

6.  Security training courses that are unique to this application system are available and mandatory for all system users and support personnel. (3 points)

7.  The application system administrators are trained to recognize "social engineering" attacks, and they have effective policies and procedures to defend against such attacks. (3 points)

8.  A current application system security policy exists and has been distributed to system users and support personnel. (3 points)

9.  A plan for detecting attacks on or misuse of the application system has been developed, staff have been assigned to test it, and a team meets periodically to discuss and update it. (2 points)

10.  Procedures, roles, and responsibilities for disaster recovery have been defined; training exists; and testing of recovery plans has occurred. (4 points)

11.  Appropriate configuration management processes are in place to protect the application system source code during development and through life-cycle updates. (4 points)

12.  This application system requires a password for users to gain access. (0 points)

13.  All userid logins are unique (i.e., no group logins exist). (4 points)

14.  This application system uses role-based access control. (4 points)

15.  This application system uses other techniques in addition to Unix system password/Application logon for authentication/authorization. (3 points)

16.  With this application system, passwords are never transmitted across the network (WAN) in clear text. (4 points)

17.  Encryption is used to protect data when it is transferred between servers and clients. (3 points)

18.  Database audits on application system data are performed periodically and frequently. (1 point)

19.  System configuration audits are performed periodically and frequently. (3 points)

20.  Account authorization and privilege assignments are checked at least once a month to ensure that they remain consistent with end-user status. (2 points)
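Items 13, 14 and 20 describe a control (unique logins, role-based privileges, and a monthly check that authorizations still match end-user status) without saying how the check is carried out. The script below is an added example of such a review, not code from the SAG checklist or its authors. It reconciles an application's account list against an HR roster and reports three kinds of findings: accounts whose owner is no longer active, privileges that exceed what the owner's current job role permits, and shared or group logins that cannot be traced to one person. The roster, account list, role policy and field names are all constructed for the example.

```python
"""Added example: a monthly account-authorization review of the kind SAG items
13, 14 and 20 call for. All data and field names here are constructed for the
example and are assumptions, not anything specified by the checklist."""
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Account:
    userid: str
    owner: Optional[str]          # HR employee id; None for shared/group logins
    privileges: FrozenSet[str]    # privileges currently granted in the application


@dataclass(frozen=True)
class Person:
    employee_id: str
    status: str                   # "active" or "terminated" (assumed HR values)
    job_role: str                 # job role used to look up entitled privileges
    is_employee: bool             # False for contractors and other third parties


# Role-based policy (item 14): the privileges each job role is entitled to.
# Anything granted beyond this set is an excess privilege to be removed.
ROLE_POLICY = {
    "clerk":   frozenset({"read"}),
    "analyst": frozenset({"read", "export"}),
    "admin":   frozenset({"read", "export", "admin"}),
}

Finding = Tuple[str, str, str]   # (userid, finding kind, detail)


def review_accounts(accounts: List[Account], people: List[Person]) -> List[Finding]:
    """Compare each application account with the HR roster and role policy."""
    roster = {p.employee_id: p for p in people}
    findings: List[Finding] = []
    for acct in accounts:
        # Item 13: every login must map to exactly one accountable person.
        if acct.owner is None:
            findings.append((acct.userid, "shared-login", "no single owner recorded"))
            continue
        person = roster.get(acct.owner)
        # Item 20: owner unknown to HR, or no longer active -> account is stale.
        if person is None or person.status != "active":
            findings.append((acct.userid, "stale", f"owner {acct.owner} is not an active user"))
            continue
        # Item 14/20: privileges must still be consistent with the owner's current role.
        allowed = ROLE_POLICY.get(person.job_role, frozenset())
        excess = acct.privileges - allowed
        if excess:
            findings.append((acct.userid, "excess-privilege",
                             f"{sorted(excess)} beyond role '{person.job_role}'"))
    return findings


# Constructed sample data: a small HR roster and the application's account list.
PEOPLE = [
    Person("E100", "active", "clerk", True),
    Person("E101", "terminated", "analyst", True),    # left the company last month
    Person("C200", "active", "analyst", False),       # contractor
]

ACCOUNTS = [
    Account("bwong", "E100", frozenset({"read"})),                      # consistent
    Account("jdoe", "E101", frozenset({"read", "export"})),             # owner terminated
    Account("asmith", "C200", frozenset({"read", "export", "admin"})),  # admin beyond role
    Account("ops-shared", None, frozenset({"read"})),                   # group login
    Account("ghost", "E999", frozenset({"read"})),                      # owner unknown to HR
]


if __name__ == "__main__":
    for userid, kind, detail in review_accounts(ACCOUNTS, PEOPLE):
        print(f"{userid:12} {kind:17} {detail}")
```

Run on the constructed data, the review flags jdoe and ghost as stale, asmith for an admin privilege its analyst role does not allow, and ops-shared as a group login, while bwong passes. In practice the account list comes from the application's own user store and the roster from HR, and each finding should end in either a documented approval or a revocation before the next monthly review.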


Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.
webmaster@securecoding.org