
IRS Office of Safeguards SCSEM

document.xls Page 1 of 55

Internal Revenue Service, Office of Safeguards

▪ SCSEM Subject: DB2 for IBM z/OS Mainframes ▪ SCSEM Version: 2.1 ▪ SCSEM Release Date: September 30, 2017

NOTICE: The IRS strongly recommends agencies test all Safeguard Computer Security Evaluation Matrix (SCSEM) settings in a development or test environment prior to deployment in production. In some cases a security setting may impact a system’s functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data files on the system and if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.

General Testing Information
Agency Name:
Agency Code:
Test Location:
Test Date:
Closing Date:
Shared Agencies:
Name of Tester:
Device Name:
z/OS and DB2 Version:
Network Location:
Device Function:

Agency Representatives and Contact Information

Name:
Org:
Title:
Phone:
E-mail:

Name:
Org:
Title:
Phone:
E-mail:

This SCSEM was designed to comply with Section 508 of the Rehabilitation Act.
Please submit SCSEM feedback and suggestions to [email protected]
Obtain SCSEM updates online at http://www.irs.gov/uac/Safeguards-Program


Instructions

Introduction and Purpose:
This SCSEM is used by the IRS Office of Safeguards to evaluate compliance with IRS Publication 1075 for agencies that have implemented a DB2 database on an IBM z/OS mainframe to receive, store, process or transmit Federal Tax Information (FTI).

Agencies should use this SCSEM to prepare for an upcoming Safeguard review, but it is also an effective tool for agencies to use as part of internal periodic security assessments or internal inspections to ensure continued compliance in the years when a Safeguard review is not scheduled. The agency can also use the SCSEM to identify the types of policies to have in place to ensure continued compliance with IRS Publication 1075.

This SCSEM was created for the IRS Office of Safeguards based on the following resources.
▪ IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (October 2014)
▪ NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations
▪ IRS IRM 10.8.4, IT Security, RDBMS Security Configurations (August 2010)
▪ DISA Generic Database Security Checklist, Version 8, Release 1.6
▪ DISA Microsoft SQL Server 2005 Database Security Checklist, Version 8, Release 1.7

Test Cases Legend:
▪ Test ID: Pre-populated number to uniquely identify SCSEM test cases. The ID format includes the platform, platform version and a unique number (01-XX) and can therefore be easily identified after the test has been executed.
▪ NIST ID: Mapping of test case requirements to one or more NIST SP 800-53 control identifiers for reporting purposes.
▪ NIST Control Name: Full name which describes the NIST ID.
▪ Test Method: The test case is executed by Interview, Examine or Test methods in accordance with the test methodology specified in NIST SP 800-53A. In test plans where SCAP testing is available, Automated and Manual indicators are added to the Test Method to indicate whether the test can be accomplished through the SCAP tool.
▪ Test Objective: Description of specifically what the test is designed to accomplish. The objective should be a summary of the test case and expected results.
▪ Policy Location: Applicable to Microsoft Windows and Internet Explorer, this field identifies the location of the configuration setting in the Group or Local Policy Editor.
▪ Test Procedures: A detailed description of the step-by-step instructions to be followed by the tester. The test procedures should be executed using the applicable NIST 800-53A test method (Interview, Examine, Test).
▪ Expected Results: Provides a description of the acceptable conditions allowed as a result of the test procedure execution.
▪ Actual Results: The tester shall provide appropriate detail describing the outcome of the test. The tester is responsible for identifying interviewees and evidence to validate the results in this field or the separate Notes/Evidence field.
▪ Status: The tester indicates the status for the test results (Pass, Fail, Info, N/A). "Pass" indicates that the expected results were met. "Fail" indicates the expected results were not met. "Info" is temporary and indicates that the test execution is not completed and additional information is required to determine a Pass/Fail status. "N/A" indicates that the test subject is not capable of implementing the expected results and doing so does not impact security. The tester must determine the appropriateness of the "N/A" status.
▪ Notes/Evidence: As determined appropriate to the tester or as required by the test method, procedures or expected results, the tester may need to provide additional information pertaining to the test execution (Interviewee, Documentation, etc.)


Testing Results

INSTRUCTIONS: Sections below are automatically calculated.

The 'Info' status is provided for use by the tester during test execution to indicate more information is needed to complete the test. It is not an acceptable final test status; all test cases should be Pass, Fail or N/A at the conclusion of testing.

Final Test Results (this table calculates all tests in the Test Cases tab)

All SCSEM Test Results
  Passed:                            0
  Failed:                            0
  Additional Information Requested:  0
  N/A:                               0
  Blank:                             40
  Total Number of Tests Performed:   0

Overall SCSEM Statistics
  All SCSEM Tests Complete:  0%
  Weighted Pass Rate:        0

Weighted Score
Risk Rating   Test Cases   Pass   Fail   N/A   Weight
8             0            0      0      0     1500
7             0            0      0      0     750
6             1            0      0      0     100
5             22           0      0      0     50
4             7            0      0      0     10
3             0            0      0      0     5
2             1            0      0      0     2
1             0            0      0      0     1


Test Cases

Test ID: DB2-01
NIST ID: SA-22
NIST Control Name: Unsupported System Components
Test Method: Interview, Examine
Test Objective: Verify that the DB2 Database is under vendor support.
The DBA shall ensure that the versions of DB2 operating in the IRS environment are supported versions. Versions that are not supported shall be upgraded to a supported version.
The SecSpec shall ensure that unsupported DBMS software is removed or upgraded prior to a vendor dropping support.
The SecSpec shall ensure that the site has a formal migration plan for removing or upgrading DBMS systems prior to the date the vendor drops security patch support.
IBM has dropped base support for v8.x of DB2 (April 30, 2009).
Up to date product lifecycle information can be found here: http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21168270
Test Procedures:
1. Speak with the DBA to determine if the database version is a supported release. Refer to the vendor's support website to verify that support for it has not expired.
2. If support has expired, speak with the DBA to determine if base or extended support is available for the copy of DB2 that you are reviewing.
Expected Results:
1. Support for the installed version has not expired or the system is currently under extended support.

Test ID: DB2-02
NIST ID: AC-4
NIST Control Name: Information Flow Enforcement
Test Method: Interview, Test
Test Objective: Assess the file-level labeling of the DB2 database files containing FTI.
Test Procedures:
1. Identify which DB2 database files on the system contain FTI.
2. Determine if the naming convention of the files identifies them as containing FTI.
Expected Results:
1. All DB2 database files containing FTI are named to clearly identify them as containing FTI.

Test ID: DB2-03
NIST ID: AC-4
NIST Control Name: Information Flow Enforcement
Test Method: Interview, Test
Test Objective: Determine if FTI which is commingled with non-FTI within the DB2 databases / data tables is clearly identified / labeled.
Test Procedures:
For all DB2 databases which contain FTI:
1. Determine if FTI data is commingled with non-FTI data, and at what level, i.e., database, table, element. If FTI data is not commingled with non-FTI data, this test is Not Applicable.
2. If FTI data is commingled, determine if FTI within the data tables is clearly identified / labeled.
Expected Results:
1. If FTI data is not commingled with non-FTI data, this test is Not Applicable.
2. If FTI data is commingled with non-FTI data, FTI data within the data tables is labeled at the level that separates it from non-FTI data, i.e., database, table, element.

Test ID: DB2-04
NIST ID: AC-4
NIST Control Name: Information Flow Enforcement
Test Method: Interview, Test
Test Objective: Determine if auditing is activated within the DB2 database, and is enabled / configured for all data tables containing FTI.
Test Procedures:
For all DB2 databases which contain FTI:
1. Determine if DB2 auditing is activated within the database, and is enabled / configured for all data tables containing FTI.
Expected Results:
1. Auditing is activated within the DB2 database, and is enabled / configured for all data tables containing FTI. Auditing must be enabled to the extent necessary to capture access, modification, deletion and movement of FTI by each unique user.


Test ID: DB2-05
NIST ID: SI-2
NIST Control Name: Flaw Remediation
Test Method: Examine, Test
Test Objective: Verify that the latest FixPak has been installed for the installed version.
The DBA shall ensure that the latest FixPak has been installed for the installed version.
Test Procedures:
- Enter the following DB2 system command:
  db2level
- The above command's output will include an "Informational tokens" section. Determine the DB2 version and the FixPak version from this output.
1. Verify that the DB2 version begins with 9. An example DB2 version is v9.1.
2. Verify that the FixPak version matches the latest FixPak version provided by IBM. The latest FixPak version can be found here: http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21256235
Expected Results:
1. The DB2 version begins with 9. An example DB2 version is v9.1.
2. The FixPak version matches the latest FixPak version provided by IBM.

Test ID: DB2-06
NIST ID: AC-2
NIST Control Name: Account Management
Test Method: Interview
Test Objective: Verify the agency has implemented an account management process for the Database.
Test Procedures:
1. Interview the DBA (Database Administrator) to verify account management processes exist and are implemented for user and system account creation, termination, and expiration.
Expected Results:
1. An account management process exists and has been implemented for approving account access to the database under the agency defined authentication method.

Test ID: DB2-07
NIST ID: AU-6
NIST Control Name: Audit Review, Analysis, and Reporting
Test Method: Interview
Test Objective: Verify that audit trails are periodically reviewed by security personnel.
Exceptions and violations are properly analyzed and appropriate actions are taken.
Test Procedures:
1. Interview the DB Administrator and ask for the system documentation that states how often audit logs are reviewed. Also, determine when the audit logs were last reviewed.
2. Examine reports that demonstrate monitoring of security violations, such as unauthorized user access.
Expected Results:
1. The DB Administrator can provide system documentation identifying how often the auditing logs are reviewed.
2. The auditing logs have been reviewed by security personnel within the time period identified in the system documentation.

Test ID: DB2-08
NIST ID: AC-12
NIST Control Name: Session Termination
Test Method: Interview
Test Objective: Verify the DB requires an automatic timeout and termination for login sessions.
Test Procedures:
1. Examine system configurations and verify administrators are logged out and the session is terminated after no more than 30 minutes of inactivity.
Expected Results:
1. User sessions are terminated after no more than 30 minutes of inactivity.

Test ID: DB2-09
NIST ID: AC-5
NIST Control Name: Separation of Duties
Test Method: Interview
Test Objective: Verify that the DB system enforces a separation of duties for sensitive administrator roles.
There is an effective segregation of duties between the administration functions and the auditing functions of the DB system.
Test Procedures:
1. Interview the DB Administrator to identify the following:
• Personnel that review and clear audit logs
• Personnel that perform non-audit administration such as create, modify, and delete access control rules; DB user access management.
Expected Results:
1. Personnel who review and clear audit logs are separate from personnel that perform non-audit administration.

Test ID: DB2-10
NIST ID: AU-9
NIST Control Name: Protection of Audit Information
Test Method: Interview, Examine
Test Objective: Audit trails cannot be read or modified by non-administrator users.
Test Procedures:
- Interview the DB administrator to determine the DB2 audit log location.
- Examine the permission rules for the log files.
Expected Results:
1. Log files have appropriate permissions assigned and permissions are not excessive.

Test ID: DB2-11
NIST ID: AU-8
NIST Control Name: Time Stamps
Test Method: Interview, Examine
Test Objective: The DB provides time stamps for use in audit record generation.
Test Procedures:
1. Interview the DB administrator to demonstrate the application provides the time and date of the last change in data content. This may be demonstrated in application logs, DB2 audit logs, or database tables and logs.
Expected Results:
1. The audit logs contain the time and date of auditable events using the internal system clock.


Test ID: DB2-12
NIST ID: CM-7
NIST Control Name: Least Functionality
Test Method: Interview, Examine
Test Objective: Unneeded functionality is disabled.
Test Procedures:
1. Interview the DB Administrator to determine what functionality is installed and enabled by default for the application.
2. Examine the configuration of the server the DB runs on. Determine what software is installed on the servers. Determine which services are needed for the DB by examining the system documentation and interviewing the Application Administrator.
Expected Results:
1. The DB does not install with functionality which is unnecessary and enabled by default. Any functions installed by default that are not required by the application are disabled.
2. Services or software which are not needed are not present or are disabled on the server.

Test ID: DB2-13
NIST ID: AU-11
NIST Control Name: Audit Record Retention
Test Method: Interview
Test Objective: Verify that audit data is archived and maintained.
IRS practice is to retain archived audit logs/trails for seven years.
Test Procedures:
1. Interview the DBA to determine if audit data is captured, backed up, and maintained for seven years in accordance with IRS Publication 1075 guidelines.
Expected Results:
1. Audit data is captured, backed up, and maintained. IRS practice has been to retain archived audit data for seven years in accordance with IRS Publication 1075 guidelines.

Test ID: DB2-14
NIST ID: AU-6
NIST Control Name: Audit Review, Analysis, and Reporting
Test Method: Interview
Test Objective: Verify that the database audit data is reviewed at a minimum weekly.
The database audit data shall be reviewed at a minimum weekly. This review process shall check for any intrusive activity and any anomalous activity.
Test Procedures:
1. Interview the DBA. Ask if the audit trail is reviewed at a minimum weekly for anomalies to standard operations or unauthorized access attempts.
Expected Results:
1. The audit trail is reviewed at a minimum weekly for anomalies to standard operations or unauthorized access attempts.

Test ID: DB2-15
NIST ID: AC-5
NIST Control Name: Separation of Duties
Test Method: Examine, Test
Test Objective: Verify that DAS access is available only to the DBA. Verify that only authorized DBAs are assigned the DAS administrative privilege.
The SecSpec shall ensure that DAS access is available only to the DBA.
The SecSpec shall ensure that only authorized DBAs are assigned the DAS administrative privilege.
Test Procedures:
Repeat the following steps for each DB2 instance.
- Enter the following command from the DB2 Command Line Processor to determine the value assigned to DASADM_GROUP:
  get admin cfg
- Enter the following command from the DB2 Command Line Processor to determine the value assigned to SYSADM_GROUP:
  get dbm cfg
- Check memberships for each group specified in the two steps above from the host operating system.
1. Verify that only DBA accounts are members of the DB2 Database Admin and DB2 SysAdmin groups.
Expected Results:
1. Only DBA accounts are members of these groups.

Test ID: DB2-16
NIST ID: AC-3
NIST Control Name: Access Enforcement
Test Method: Examine, Test
Test Objective: Verify that access to Data Link file directories is restricted to SAs, DBAs, the DB2 installation account, and the DB2 service/daemon accounts.
The SA/DBA shall ensure that access to Data Link file directories is restricted to SAs, DBAs, the DB2 installation account, and the DB2 service/daemon accounts.
Test Procedures:
Repeat the following steps for each DB2 instance.
- Enter the following command from the DB2 Command Line Processor:
  get dbm cfg
- View the returned value for the DATALINKS parameter. If the DATALINKS value is NO, then proceed to the next instance. Otherwise, continue with the following steps.
- Enter the following DB2 system commands:
  dlfm list registered databases
  dlfm list registered directories for all users on db <database_name> inst <instance_name> node <node_name>
- For all of the directories listed, view the host system file permissions.
1. Verify that permissions are granted only to SAs, DBAs, the DB2 installation account, the Data Links Administrator account, and the DB2 and Data Links Manager service/daemon accounts.
Expected Results:
1. Permissions are granted only to SAs, DBAs, the DB2 installation account, the Data Links Administrator account, and the DB2 and Data Links Manager service/daemon accounts.


Test ID: DB2-17
NIST ID: AC-6
NIST Control Name: Least Privilege
Test Method: Examine, Test
Test Objective: Verify that only authorized DBAs are assigned the SYSADM, SYSCTRL, and SYSMAINT authorities.
The SecSpec shall ensure that only authorized DBAs are assigned the SYSADM, SYSCTRL, and SYSMAINT authorities.
Test Procedures:
Repeat the following steps for each DB2 instance.
- Enter the following command from the DB2 Command Line Processor to determine the values assigned to SYSADM_GROUP, SYSCTRL_GROUP, and SYSMAINT_GROUP:
  get dbm cfg
1. If any value is blank, then this check fails.
- Check memberships for each group specified above from the host operating system.
2. Verify that only authorized DBA accounts are members of these groups.
Expected Results:
1. If any value is blank, then this check fails.
2. Only authorized DBA accounts are members of these groups.

Test ID: DB2-18
NIST ID: AC-2
NIST Control Name: Account Management
Test Method: Examine, Test
Test Objective: Verify that a custom account is created to support the DB2 installation.
The DBA/SA shall ensure that a custom account is created to support the DB2 installation.
Test Procedures:
- Determine the location of the DB2 installation directory (DB2PATH).
- From the system prompt, navigate to the DB2 installation directory specified above.
- Determine the DB2 installation account (the owner of the DB2 files and directories).
1. Verify that the DB2 installation account is a custom account created specifically to support the DB2 installation.
Make a note of the name of the DB2 installation account. This account name is used in future checks.
Expected Results:
1. The DB2 installation account is a custom account created specifically to support the DB2 installation.

Test ID: DB2-19
NIST ID: AC-6
NIST Control Name: Least Privilege
Test Method: Examine, Test
Test Objective: Verify that the DB2 software installation account is assigned the least privileges required to support operation of DB2 database and functions.
The DBA/SA shall ensure that the DB2 software installation account is assigned the least privileges required to support operation of DB2 database and functions.
Test Procedures:
This check requires information found in a previous check. It requires the name of the DB2 installation account.
1. Verify that the DB2 installation account has been removed from "Z-PARMS" (the DB2 startup parameters), so that the account no longer has DB2 sysadmin privileges.
Expected Results:
1. The DB2 installation account has been removed from "Z-PARMS" (the DB2 startup parameters), so that the account no longer has DB2 sysadmin privileges.

Test ID: DB2-20
NIST ID: AC-2
NIST Control Name: Account Management
Test Method: Examine, Test
Test Objective: Verify that access to the DB2 installation account is restricted to SecSpec-approved users.
The SecSpec shall ensure that access to the DB2 installation account is restricted to SecSpec-approved users.
Test Procedures:
This check requires information found in a previous check. It requires the name of the DB2 installation account.
1. Verify with the DBA that access to the DB2 installation account is restricted to SecSpec-approved users.
Expected Results:
1. Access to the DB2 installation account is restricted to approved users.

Test ID: DB2-21
NIST ID: IA-4
NIST Control Name: Identifier Management
Test Method: Examine, Test
Test Objective: Verify that a custom account is created to support the DB2 services/daemons and that this account is assigned the least privileges required to support operation of the DB2 instance.
The DBA/SA shall ensure that a custom account is created to support the DB2 services/daemons and that this account is assigned the least privileges required to support operation of the DB2 instance.
Test Procedures:
- Determine the DB2 service account.
1. Verify that the DB2 service account is a custom account used specifically to support the service/daemon.
Expected Results:
1. The DB2 service account is a custom account used specifically to support the service/daemon.
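DB2-15 and DB2-17 above share one mechanic: read the *_GROUP parameters out of `get dbm cfg` and `get admin cfg`, then compare the members of each host group against the approved DBA list, failing outright when a parameter is blank. The following Python is an added example, not part of the SCSEM, that scripts those two steps. SAMPLE_CFG, SAMPLE_GETENT and APPROVED_DBAS are constructed stand-ins for what a tester would capture on the host (the configuration text imitates the CLP's display format, the group lines imitate `getent group`); a blank SYSMAINT_GROUP is included so the DB2-17 blank-value rule is exercised. Note that these CLP commands and getent belong to DB2 for Linux, UNIX and Windows; on a z/OS system the installation SYSADM and SYSOPR IDs are DSNZPARM values (the "Z-PARMS" DB2-19 refers to) and group membership comes from RACF, so the parsing side changes while the comparison logic stays the same.

```python
"""Script the group-membership half of DB2-15 / DB2-17.

Added example, not part of the SCSEM. SAMPLE_CFG and SAMPLE_GETENT are
constructed to look like `db2 get dbm cfg` / `db2 get admin cfg` and
`getent group` output; APPROVED_DBAS is the tester's list of authorised DBA
accounts. None of it comes from a real system.
"""
import re

# Parameters the SCSEM names. A blank (or missing) value fails DB2-17 outright.
ADMIN_GROUP_PARAMS = ("SYSADM_GROUP", "SYSCTRL_GROUP", "SYSMAINT_GROUP", "DASADM_GROUP")

# Constructed: three lines in `get dbm cfg` format plus one from `get admin cfg`.
# SYSMAINT_GROUP is left blank on purpose to exercise the failure path.
SAMPLE_CFG = """\
 SYSADM group name                        (SYSADM_GROUP) = DB2IADM1
 SYSCTRL group name                      (SYSCTRL_GROUP) = DB2CTRL
 SYSMAINT group name                    (SYSMAINT_GROUP) =
 DAS administration authority group name  (DASADM_GROUP) = DASADM1
"""

# Constructed: `getent group` style lines for the groups named above.
SAMPLE_GETENT = """\
db2iadm1:x:1001:db2inst1,dba_alice
db2ctrl:x:1002:dba_alice,appuser_bob
dasadm1:x:1003:dasusr1
"""

APPROVED_DBAS = {"db2inst1", "dba_alice", "dasusr1"}  # constructed

_CFG_LINE = re.compile(r"\((?P<param>[A-Z_]+)\)\s*=\s*(?P<value>\S*)\s*$")


def parse_cfg_groups(cfg_text):
    """Return {PARAM: value} for the admin-group parameters; '' when blank."""
    found = {}
    for line in cfg_text.splitlines():
        m = _CFG_LINE.search(line)
        if m and m.group("param") in ADMIN_GROUP_PARAMS:
            found[m.group("param")] = m.group("value")
    return found


def parse_getent(getent_text):
    """Return {groupname: set(members)} from getent-group style lines."""
    groups = {}
    for line in getent_text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name.lower()] = {m for m in members.split(",") if m}
    return groups


def check_admin_groups(cfg_groups, os_groups, approved_dbas):
    """Apply the DB2-15 / DB2-17 expected results; an empty list means Pass.

    Group names are compared case-insensitively: DB2 reports them upper-cased,
    the host group database is normally lower-case.
    """
    findings = []
    for param in ADMIN_GROUP_PARAMS:
        group = cfg_groups.get(param, "")
        if not group:
            findings.append(f"{param} is blank: check fails")
            continue
        members = os_groups.get(group.lower())
        if members is None:
            findings.append(f"{param}={group}: group not found on host")
            continue
        for user in sorted(members - set(approved_dbas)):
            findings.append(f"{param}={group}: non-DBA member {user}")
    return findings


if __name__ == "__main__":
    cfg = parse_cfg_groups(SAMPLE_CFG)
    for finding in check_admin_groups(cfg, parse_getent(SAMPLE_GETENT), APPROVED_DBAS):
        print("FAIL:", finding)
```

On a live instance the two sample strings are replaced with the captured output of `db2 get dbm cfg`, `db2 get admin cfg` and `getent group`; every finding printed corresponds to a Fail on DB2-15 or DB2-17, and the unapproved group member is named so it can be recorded in Actual Results.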


Test ID: DB2-22
NIST ID: AC-6
NIST Control Name: Least Privilege
Test Method: Examine, Test
Test Objective: Verify that only authorized DBAs and application owner accounts are assigned the DBADM authority.
The SecSpec shall ensure that only authorized DBAs and application owner accounts are assigned the DBADM authority.
Test Procedures:
Repeat the following steps for each DB2 database in each instance.
- Enter the following command from the DB2 Command Line Processor:
  select grantee, granteetype from syscat.dbauth where dbadmauth='Y'
- For each record where granteetype = "U":
1. Verify that the grantee for that record is an authorized DBA or application owner account.
- For each record where granteetype = "G":
2. Verify that each user in the group specified in grantee is an authorized DBA or application owner account.
Expected Results:
1. The grantee for that record is an authorized DBA or application owner account.
2. Each user in the group specified in grantee is an authorized DBA or application owner account.

Test ID: DB2-23
NIST ID: AC-6
NIST Control Name: Least Privilege
Test Method: Examine, Test
Test Objective: Verify that DB2 connect privileges are not assigned to groups unless justified and documented with the SecSpec.
The DBA shall ensure that DB2 connect privileges are not assigned to groups unless justified and documented with the SecSpec.
Test Procedures:
Repeat the following steps for each DB2 database in each instance.
- Enter the following command from the DB2 Command Line Processor:
  select grantee from syscat.dbauth where granteetype='G' and connectauth='Y'
- For each record returned:
1. Verify that the value for grantee is not a group unless justified and documented with the SecSpec.
2. Verify that the value for grantee is not PUBLIC.
Expected Results:
1. The value for grantee is not a group unless justified and documented with the SecSpec.
2. The value for grantee is not PUBLIC.

Test ID: DB2-24
NIST ID: AC-6
NIST Control Name: Least Privilege
Test Method: Examine, Test
Test Objective: Verify that application users are not assigned any database privileges except for the CONNECT database privilege. Verify that database privileges with the exception of the CONNECT privilege are restricted to application owner accounts and DBA accounts on a production database. Verify that database privileges with the exception of the CONNECT privilege are restricted to application owner accounts, application developer accounts, and DBA accounts on a development database.
The DBA shall ensure that application users are not assigned any database privileges except for the CONNECT database privilege.
The DBA shall ensure that database privileges with the exception of the CONNECT privilege are restricted to application owner accounts and DBA accounts on a production database.
The DBA shall ensure that database privileges with the exception of the CONNECT privilege are restricted to application owner accounts, application developer accounts, and DBA accounts on a development database.
Test Procedures:
Repeat the following steps for each DB2 database in each instance.
- Interview the DBA to determine if the database is used for production or development.
- Enter the following command from the DB2 Command Line Processor:
  select grantee from syscat.dbauth where CREATETABAUTH='Y' or BINDADDAUTH='Y' or NOFENCEAUTH='Y' or IMPLSCHEMAAUTH='Y' or EXTERNALROUTINEAUTH='Y' or QUIESCECONNECTAUTH='Y' or LOADAUTH='Y'
- For each record returned:
1. Verify that the value for grantee is not an application user account.
2. If this is a production database, then verify for each record returned that the value for grantee is either a DBA account or an application owner account.
or
2. If this is a development database, then verify for each record returned that the value for grantee is either a DBA account, an application owner account, or a developer account.
Expected Results:
1. The value for grantee is not an application user account.
2. If this is a production database, for each record returned the value for grantee is either a DBA account or an application owner account.
or
2. If this is a development database, for each record returned the value for grantee is either a DBA account, an application owner account, or a developer account.


Test ID: DB2-25
NIST ID: SC-14
NIST Control Name: Public Access Protections
Test Method: Examine, Test
Test Objective: Verify that PUBLIC is not granted the CONNECT, CREATETAB, BINDADD, or IMPLICIT_SCHEMA database privilege.
The DBA shall ensure that PUBLIC is not granted the CONNECT, CREATETAB, BINDADD, or IMPLICIT_SCHEMA database privilege.
Test Procedures:
Repeat the following steps for each DB2 database in each instance.
- Enter the following command from the DB2 Command Line Processor:
  select grantee from syscat.dbauth where CREATETABAUTH='Y' or BINDADDAUTH='Y' or IMPLSCHEMAAUTH='Y' or CONNECTAUTH='Y'
1. For each record returned, verify that the value for grantee is not PUBLIC.
Expected Results:
1. The value for grantee is not PUBLIC.

Test ID: DB2-26
NIST ID: SC-14
NIST Control Name: Public Access Protections
Test Method: Examine, Test
Test Objective: Verify that privileges that alter data structures are restricted to DBAs and application object owners. Verify that PUBLIC is not granted CREATEIN object privileges within any database. Verify that the USE privilege to tablespaces is not granted to PUBLIC.
Privileges that create, modify, or delete database objects constitute a change to the database design and can affect operation of the database. To protect the integrity of the database, privileges that alter data structures shall be restricted to DBAs and application object owners.
The DBA shall ensure that PUBLIC is not granted CREATEIN object privileges within any database.
The USE privilege to tablespaces is granted automatically to PUBLIC upon tablespace creation. This privilege shall be revoked from PUBLIC in order to prevent usage of tablespace resources by unauthorized users.
Test Procedures:
Repeat the following steps for each DB2 database in each instance.
- Enter the following commands from the DB2 Command Line Processor:
  select grantee from syscat.tabauth where alterauth='Y' or refauth='Y' or indexauth='Y' or controlauth='Y'
  select grantee from syscat.schemaauth where alterinauth='Y' or createinauth='Y' or dropinauth='Y'
  (Note if PUBLIC is assigned CREATEINAUTH)
  select grantee from syscat.passthruauth
  select grantee from syscat.sequenceauth where alterauth='Y' or usageauth='Y'
  select grantee from syscat.tbspaceauth where useauth='Y'
  (Note if PUBLIC is assigned USEAUTH)
  select grantee from syscat.indexauth where controlauth='Y'
  select grantee from syscat.packageauth where controlauth='Y' or bindauth='Y'
1. Verify that each grantee returned is either a DBA or an application owner account.
2. Verify that PUBLIC is not a grantee holding USE tablespace authority or the CREATEIN schema authority.
Expected Results:
1. Each grantee returned is either a DBA or an application owner account.
2. PUBLIC is not a grantee holding USE tablespace authority or the CREATEIN schema authority.


Test ID NIST ID NIST Control Name Test Method Test Objective Test Procedures Expected Results Actual Results Status

DB2-27 AC-5 Separation of Duties

DB2-28 AC-22 1. No records are returned.

Examine / Test

Verify that privilege assignment is restricted to DBAs and application object owners.

When privileges are assigned with the CONTROL object privilege, several individual object privileges are granted with the WITH GRANT OPTION. The WITH GRANT OPTION allows the grantee to assign the granted privilege to other database users. Privilege assignment shall be restricted to DBAs and application object owners. The CONTROL object privilege shall not be granted to application user database accounts. Object privileges shall not be granted to application users with the WITH GRANT OPTION.

Repeat the following steps for each DB2 database in each instance.

- Enter the following commands from the DB2 Command Line Processor:

select grantee from syscat.tabauth where alterauth='G' or deleteauth='G' or refauth='G' or indexauth='G' or insertauth='G' or updateauth='G'
select grantee from syscat.schemaauth where alterinauth='G' or createinauth='G' or dropinauth='G'
select grantee from syscat.routineauth where executeauth='G'
select grantee from syscat.sequenceauth where alterauth='G' or usageauth='G'
select grantee from syscat.tbspaceauth where useauth='G'
select grantee from syscat.indexauth where controlauth='Y'
select grantee from syscat.packageauth where executeauth='G' or bindauth='G'

1. Verify that each grantee returned is either a DBA or an application owner account.

1. Each grantee returned is either a DBA or an application owner account.

Publicly Accessible Content

Examine / Test

Verify that access to the system catalog tables and views described in the Description field have been revoked from PUBLIC.

By default, PUBLIC is granted select privileges to 238 system catalog tables and views during a typical installation. These privileges should be reviewed to determine what is required by supported applications. Required permissions should be removed from PUBLIC and assigned to the appropriate application user role. At a minimum, access to the following system catalog tables and views shall be revoked from PUBLIC:
• SYSCAT.DBAUTH
• SYSCAT.TABAUTH
• SYSCAT.PACKAGEAUTH
• SYSCAT.INDEXAUTH
• SYSCAT.COLAUTH
• SYSCAT.PASSTHRUAUTH
• SYSCAT.SCHEMAAUTH

Repeat the following steps for each DB2 database in each instance.

- Enter the following command from the DB2 Command Line Processor:

select grantee from syscat.tabauth where grantee='PUBLIC' and selectauth='Y' and tabname in ('DBAUTH', 'TABAUTH', 'PACKAGEAUTH', 'INDEXAUTH', 'COLAUTH', 'PASSTHRUAUTH', 'SCHEMAAUTH')

1. Verify that no records are returned.
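An added example, not part of the SCSEM: one statement that consolidates the PUBLIC USE/CREATEIN check, DB2-27 and DB2-28 above so that a database can be reviewed in a single pass from the DB2 Command Line Processor. It assumes the same DB2 LUW SYSCAT views the checklist queries use, and narrows the DB2-28 branch to the SYSCAT schema.

```sql
-- Added example (not part of the SCSEM). Every row returned is either a
-- failure (a privilege held by PUBLIC) or an item to confirm with the DBA
-- (grantee must be a DBA or application object owner).
-- Flag columns in the SYSCAT.*AUTH views hold N (not held), Y (held) or
-- G (held WITH GRANT OPTION), which is why "<> 'N'" and "= 'G'" are used.
WITH findings (check_id, object_type, object_name, grantee, granteetype, detail) AS (
  -- Structure-altering privileges (USE/CREATEIN check): held at all (Y or G)
  SELECT 'STRUCTURE', 'TABLE', TABSCHEMA || '.' || TABNAME, GRANTEE, GRANTEETYPE,
         'ALTER=' || ALTERAUTH || ' REF=' || REFAUTH || ' INDEX=' || INDEXAUTH
         || ' CONTROL=' || CONTROLAUTH
    FROM SYSCAT.TABAUTH
   WHERE ALTERAUTH <> 'N' OR REFAUTH <> 'N' OR INDEXAUTH <> 'N' OR CONTROLAUTH <> 'N'
  UNION ALL
  SELECT 'STRUCTURE', 'SCHEMA', SCHEMANAME, GRANTEE, GRANTEETYPE,
         'ALTERIN=' || ALTERINAUTH || ' CREATEIN=' || CREATEINAUTH || ' DROPIN=' || DROPINAUTH
    FROM SYSCAT.SCHEMAAUTH
   WHERE ALTERINAUTH <> 'N' OR CREATEINAUTH <> 'N' OR DROPINAUTH <> 'N'
  UNION ALL
  SELECT 'STRUCTURE', 'TABLESPACE', TBSPACE, GRANTEE, GRANTEETYPE, 'USE=' || USEAUTH
    FROM SYSCAT.TBSPACEAUTH
   WHERE USEAUTH <> 'N'
  UNION ALL
  SELECT 'STRUCTURE', 'SEQUENCE', SEQSCHEMA || '.' || SEQNAME, GRANTEE, GRANTEETYPE,
         'ALTER=' || ALTERAUTH || ' USAGE=' || USAGEAUTH
    FROM SYSCAT.SEQUENCEAUTH
   WHERE ALTERAUTH <> 'N' OR USAGEAUTH <> 'N'
  UNION ALL
  SELECT 'STRUCTURE', 'INDEX', INDSCHEMA || '.' || INDNAME, GRANTEE, GRANTEETYPE,
         'CONTROL=' || CONTROLAUTH
    FROM SYSCAT.INDEXAUTH
   WHERE CONTROLAUTH <> 'N'
  UNION ALL
  SELECT 'STRUCTURE', 'PACKAGE', PKGSCHEMA || '.' || PKGNAME, GRANTEE, GRANTEETYPE,
         'CONTROL=' || CONTROLAUTH || ' BIND=' || BINDAUTH
    FROM SYSCAT.PACKAGEAUTH
   WHERE CONTROLAUTH <> 'N' OR BINDAUTH <> 'N'
  UNION ALL
  SELECT 'STRUCTURE', 'PASSTHRU', SERVERNAME, GRANTEE, GRANTEETYPE, 'PASSTHRU'
    FROM SYSCAT.PASSTHRUAUTH
  UNION ALL
  -- DB2-27: any object privilege held WITH GRANT OPTION (value G)
  SELECT 'DB2-27', 'TABLE', TABSCHEMA || '.' || TABNAME, GRANTEE, GRANTEETYPE, 'WITH GRANT OPTION'
    FROM SYSCAT.TABAUTH
   WHERE 'G' IN (ALTERAUTH, DELETEAUTH, INDEXAUTH, INSERTAUTH, REFAUTH, SELECTAUTH, UPDATEAUTH)
  UNION ALL
  SELECT 'DB2-27', 'SCHEMA', SCHEMANAME, GRANTEE, GRANTEETYPE, 'WITH GRANT OPTION'
    FROM SYSCAT.SCHEMAAUTH
   WHERE 'G' IN (ALTERINAUTH, CREATEINAUTH, DROPINAUTH)
  UNION ALL
  SELECT 'DB2-27', 'ROUTINE', r.SCHEMA || '.' || r.SPECIFICNAME, r.GRANTEE, r.GRANTEETYPE,
         'WITH GRANT OPTION'
    FROM SYSCAT.ROUTINEAUTH r
   WHERE r.EXECUTEAUTH = 'G'
  UNION ALL
  SELECT 'DB2-27', 'SEQUENCE', SEQSCHEMA || '.' || SEQNAME, GRANTEE, GRANTEETYPE, 'WITH GRANT OPTION'
    FROM SYSCAT.SEQUENCEAUTH
   WHERE 'G' IN (ALTERAUTH, USAGEAUTH)
  UNION ALL
  SELECT 'DB2-27', 'TABLESPACE', TBSPACE, GRANTEE, GRANTEETYPE, 'WITH GRANT OPTION'
    FROM SYSCAT.TBSPACEAUTH
   WHERE USEAUTH = 'G'
  UNION ALL
  SELECT 'DB2-27', 'PACKAGE', PKGSCHEMA || '.' || PKGNAME, GRANTEE, GRANTEETYPE, 'WITH GRANT OPTION'
    FROM SYSCAT.PACKAGEAUTH
   WHERE 'G' IN (BINDAUTH, EXECUTEAUTH)
  UNION ALL
  -- DB2-28: SELECT on the seven authorization catalog views still held by PUBLIC
  SELECT 'DB2-28', 'CATALOG VIEW', TABSCHEMA || '.' || TABNAME, GRANTEE, GRANTEETYPE,
         'SELECT=' || SELECTAUTH
    FROM SYSCAT.TABAUTH
   WHERE GRANTEE = 'PUBLIC' AND SELECTAUTH <> 'N' AND TABSCHEMA = 'SYSCAT'
     AND TABNAME IN ('DBAUTH', 'TABAUTH', 'PACKAGEAUTH', 'INDEXAUTH', 'COLAUTH',
                     'PASSTHRUAUTH', 'SCHEMAAUTH')
)
SELECT check_id, object_type, object_name, grantee, granteetype, detail,
       CASE WHEN grantee = 'PUBLIC' THEN 'FAIL: granted to PUBLIC'
            ELSE 'REVIEW: confirm grantee is a DBA or application object owner'
       END AS status
  FROM findings
 ORDER BY check_id, object_type, object_name, grantee;
```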


DB2-29 AC-3 Access Enforcement

DB2-30 AU-2 Auditable Events

DB2-31 AU-12 Audit Generation

Examine / Test

Verify that the custom application object owner account is used only for update and maintenance of the application objects.

The DBA shall ensure that the custom application object owner account is used only for update and maintenance of the application objects.

Repeat the following steps for each DB2 database in each instance.

- Enter the following commands from the DB2 Command Line Processor:

select distinct definer from syscat.indexes where definer <> 'SYSIBM'
select distinct definer from syscat.packages where definer <> 'SYSIBM'
select distinct definer from syscat.routines where definer <> 'SYSIBM'
select distinct definer from syscat.schemata where definer <> 'SYSIBM'
select distinct definer from syscat.tables where definer <> 'SYSIBM'
select distinct definer from syscat.triggers where definer <> 'SYSIBM'
select distinct definer from syscat.views where definer <> 'SYSIBM'

1. For all definers listed, verify with the DBA that these are authorized application object owners or DBAs.

1. For all definers listed, these are authorized application object owners or DBAs.

Examine / Test

Verify that audit options have been configured as described in the Description field.

The DBA shall configure audit options as follows or more inclusive:
• Audit – required success and failure – audits audit configuration changes
• Checking – not required – audits authorization checking of attempts to access, create, alter, drop DB2 objects
• Objmaint – required success and failure – audits create, alter, or drop of objects
• Secmaint – required success and failure – audits privilege assignments and database configuration modifications
• Sysadm – required success and failure – audits SYSADM privileged activities
• Validate – required – audits authentication events

Repeat the following steps for each DB2 instance.

- Enter the following DB2 system command:

db2audit describe

1. Verify that all of the following are returned with a value of true:
Log audit events
Log object maintenance events
Log security maintenance events
Log system administrator events
Log validate events

2. Verify with the DBA that both success and failure of each of the above events is logged.

Expected Results:

1. All of the following are returned with a value of true:
Log audit events
Log object maintenance events
Log security maintenance events
Log system administrator events
Log validate events

2. Both success and failure of each of the above events is logged.

Examine / Test

Verify that DB2 auditing is enabled at database server startup.

The DBA/SA shall ensure that DB2 auditing is enabled at database server startup.

Repeat the following steps for each DB2 instance.

- Enter the following DB2 system command:

db2audit describe

1. Verify that the value "Audit active" returns true.

2. Verify with the DBA that a process exists that enables auditing at server startup.

Expected Results:

1. The value "Audit active" returns true.

2. A process exists that enables auditing at server startup.


DB2-32 AU-9

DB2-33 SC-2 Application Partitioning

DB2-34 AC-3 Access Enforcement

DB2-35 AC-3 Access Enforcement

DB2-36 AC-6 Least Privilege

Protection of Audit Information

Examine / Test

Verify that access to the db2audit.log and db2audit.cfg files is restricted to the authorized users.

The DBA/SA shall ensure that access to the db2audit.log and db2audit.cfg files is restricted to the authorized users.

Repeat the following steps for each DB2 instance.

- Identify the DB2 audit file. Verify that the file access rules are properly locked down to prevent access to the DB2 audit file by the general user community.

1. The DB2 audit file is not accessible by the general user community.

Examine / Test

Verify that file and directory ownership is limited to the DB2 instance owner, DB2 fenced user, and DAS account as appropriate.

The DBA/SA shall set DB2 file and directory ownership to the DB2 instance owner, DB2 fenced user, and DAS account as appropriate.

Determine the location of the DB2 installation directory.

1. Verify that all files and directories are owned by the DB2 instance owner, DB2 fenced user, or DAS account.

1. All files and directories are owned by the DB2 instance owner, DB2 fenced user, or DAS account.

Examine / Test

Verify that world privileges have been revoked from DB2 files and directories.

The DBA/SA shall revoke all world privileges from DB2 files and directories.

Determine the location of the DB2 installation (distribution) files.

1. Verify that none of the installation files are accessible by the general user community.

1. None of the installation files are accessible by the general user community.

Examine / Test

Verify that a single OS account is used to authenticate to databases to support replication activities.

The DBA shall ensure that a single OS account is used to authenticate to databases to support replication activities.

Repeat the following steps for each DB2 database in each instance.

- Enter the following command from the DB2 Command Line Processor:

select count(*) from syscat.tables where datacapture='Y'

- If no records are returned from the query, then proceed to the next database. If records are returned, then proceed.

- Interview the DBA. Ask which user accounts are used for replication and if there is more than one account used for replication.

1. Verify that only one account is used to perform replication.

1. Only one account is used to perform replication.

Examine / Test

Verify that the minimum DB2 privileges are assigned to the replication account on the database server to support the replication activities on that database.

The DBA shall ensure that the minimum DB2 privileges are assigned to the replication account on the database server to support the replication activities on that database.

- If no accounts were found in DB2-37, then this check is N/A.

1. Verify that the identified accounts do not require elevated OS privileges, and that none of the accounts perform administrative functions.

1. None of the identified accounts require elevated OS privileges, and none of the accounts perform administrative functions.


DB2-37 AC-5 Separation of Duties

DB2-38 SC-2 Application Partitioning

DB2-39 AC-3 Access Enforcement

DB2-40 AC-2 Account Management

Examine / Test

Verify that DASADM and SYSADM authorities are not granted to replication OS accounts.

The DBA shall ensure that DASADM and SYSADM authorities are not granted to replication OS accounts.

Repeat the following steps for each DB2 instance.

- Enter the following command from the DB2 Command Line Processor to determine the value assigned to DASADM_GROUP:

get admin cfg

- Enter the following command from the DB2 Command Line Processor to determine the values assigned to SYSADM_GROUP, SYSCTRL_GROUP, and SYSMAINT_GROUP:

get dbm cfg

- Check memberships for each group specified in the above steps from the host operating system.

1. Verify that replication accounts are not members of these groups.

1. Replication accounts are not members of these groups.

Examine / Test

Verify that the data files exist on a separate volume from the executable and parameter files.

The DBA shall have the data files on a separate volume from the executable and parameter files.

Repeat the following steps for each DB2 database in each instance.

- Confer with the DBA to determine the locations of the DB2 execution libraries and the database files. Verify that they are located on separate disk packs, not collocated on the same disk pack.

1. The DB2 execution libraries and the database files are located on separate disk packs.

Examine / Test

Verify that access to a shared database N-Tier connection account is restricted by network configuration and authentication method to the connecting application server.

The DBA shall ensure that access to a shared database N-Tier connection account is restricted by network configuration and authentication method to the connecting application server.

Repeat the following steps for each DB2 database in each instance.

- Enter the following command from the DB2 Command Line Processor:

select distinct grantee from syscat.dbauth where connectauth = 'Y'

1. For each grantee, determine with the DBA if the grantee is used by more than one user or if the grantee is used to access the database by an application hosted on a middle-tier server. If the grantee meets this criteria, then verify that the account is restricted by network configuration and authentication method to the connecting application server.

1. Access to shared accounts and/or application accounts is restricted by network configuration and authentication method to the connecting application server.

Examine / Test

Verify that inactive database accounts are disabled/removed.

The DBA shall monitor database account expiration and inactivity and remove expired and inactive accounts in accordance with IRS requirements, which require disabling of accounts after 120 days of inactivity.

Repeat the following steps for each DB2 database in each instance.

- Enter the following command from the DB2 Command Line Processor:

select distinct grantee from syscat.dbauth where connectauth = 'Y'

1. Review the list of users with the DBA and verify that they are active, authorized accounts.

1. All users are active, authorized accounts.


Notes/Evidence

4/11/14: Updated.
Note: Document here the file names of the databases (or other direct access files) which contain FTI.

4/11/14: Updated.
Note: Document how FTI labeling is done at the table/row/element level.
Note: FTI labeling requirements are:
a. FTI needs to be tagged at the application, database, data profile, data table, data column and row, or even data element level.
b. If an agency has a database that is composed entirely of FTI, labeling at the database level would be sufficient.
c. If an agency has FTI commingled with other information in a database, FTI has to be labeled at the level that separates it from non-FTI data (i.e. data table, data element).

4/11/14: Updated.
Note: Document how table / element level auditing is done, what audit elements are collected, and where and how the audit data are stored.


Notes/Evidence

There is no visible status to the user until they take action, at which time the application will indicate to the user that their session has timed out and that they must log in again to gain access to the application.


Change Log

Version  Date        Description of Changes                                                   Author
1.0      4/11/2014   First Release (Note: Still contains "Not Applicable to MF" findings)     Booz Allen Hamilton
1.1      6/25/2014                                                                            Booz Allen Hamilton
1.2      3/31/2015                                                                            Booz Allen Hamilton
2.0      3/25/2016                                                                            Booz Allen Hamilton
2.1      12/31/2016  Session terminations set to 30 minutes, Issue code changes               Booz Allen Hamilton
2.1      1/31/2017   Deleted lagging spaces from HAC40 and HSA14 in IC Table                  Booz Allen Hamilton
2.1      9/30/2017   Updated issue code table                                                 Booz Allen Hamilton

Descriptions of changes for versions 1.1 through 2.0 (listed separately in the source):
Updated Dashboard
Updated Controls DB2-01, DB2-05, DB2-15, DB2-16, DB2-38, DB2-38
Added baseline Criticality Score and Issue Codes, weighted test cases based on criticality, and updated Results Tab
Removed duplicative test cases, added test cases per latest Publication 1075, re-assigned issue codes and revised weighted risk formulas

Issue Code

HAC1 HAC2 HAC3 HAC4 HAC5 HAC6 HAC7 HAC8 HAC9 HAC10 HAC100 HAC11 HAC12 HAC13 HAC14 HAC15 HAC16 HAC17 HAC18 HAC19 HAC20 HAC21 HAC22 HAC23 HAC24 HAC25 HAC26 HAC27 HAC28 HAC29 HAC30 HAC31 HAC32 HAC33 HAC34 HAC35 HAC36 HAC37 HAC38 HAC39 HAC40 HAC41 HAC42 HAC43 HAC44 HAC45
HAC46 HAC47 HAC48 HAC49 HAC50 HAC51 HAC52 HAC53 HAC54 HAC55 HAC56 HAC57 HAC58 HAC59 HAC60 HAC61 HAC62
HAT1 HAT100 HAT2 HAT3 HAT4
HIA1 HIA2 HIA3 HIA4 HIA5
HAU1 HAU2 HAU3 HAU4 HAU5 HAU6 HAU7 HAU8 HAU9 HAU10 HAU100 HAU11 HAU12 HAU13 HAU14 HAU15 HAU16 HAU17 HAU18 HAU19 HAU20 HAU21 HAU22 HAU23 HAU24 HAU25 HAU26 HAU27
HCA1 HCA100 HCA2 HCA3 HCA4 HCA5 HCA6 HCA7 HCA8 HCA9 HCA10 HCA11 HCA12 HCA13 HCA14 HCA15
HCM1 HCM2 HCM3 HCM4 HCM5 HCM6 HCM7 HCM8 HCM9 HCM10 HCM11 HCM12 HCM13 HCM14 HCM15 HCM16 HCM17 HCM18 HCM19 HCM20 HCM21 HCM22 HCM23 HCM24 HCM25 HCM26 HCM27 HCM28 HCM29 HCM30 HCM31 HCM32 HCM33 HCM34 HCM35 HCM36 HCM37 HCM38 HCM39 HCM40 HCM41 HCM42 HCM43 HCM44 HCM45 HCM46 HCM47 HCM48 HCM100
HCP1 HCP100 HCP2 HCP3 HCP4 HCP5 HCP6 HCP7 HCP8 HCP9 HCP10
HIR1 HIR100 HIR2 HIR3 HIR4 HIR5
HMA1 HMA100 HMA2 HMA3 HMA4 HMA5
HMT1 HMT2 HMT3 HMT4 HMT5 HMT6 HMT7 HMT8 HMT9 HMT10 HMT100 HMT11 HMT12 HMT13 HMT14 HMT15 HMT16 HMT17 HMT18
HPW1 HPW2 HPW3 HPW4 HPW5 HPW6 HPW7 HPW8 HPW9 HPW10 HPW100 HPW11 HPW12 HPW13 HPW14 HPW15 HPW16 HPW17 HPW18 HPW19 HPW20 HPW21 HPW22 HPW23
HRA1 HRA100 HRA2 HRA3 HRA4 HRA5 HRA6 HRA7 HRA8 HRA9
HRM1 HRM100 HRM2 HRM3 HRM4 HRM5 HRM6 HRM7 HRM8 HRM9 HRM10 HRM11 HRM12 HRM13 HRM14 HRM15 HRM16 HRM17 HRM18 HRM19
HSA1 HSA100 HSA2 HSA3 HSA4 HSA5 HSA6 HSA7 HSA8 HSA9 HSA10 HSA11 HSA12 HSA13 HSA14 HSA15 HSA16 HSA17 HSA18
HSC1 HSC2 HSC3 HSC4 HSC5 HSC6 HSC7 HSC8 HSC9 HSC10 HSC100 HSC11 HSC12 HSC13 HSC14 HSC15 HSC16 HSC17 HSC18 HSC19 HSC20 HSC21 HSC22 HSC23 HSC24 HSC25 HSC26 HSC27 HSC28 HSC29 HSC30 HSC31 HSC32 HSC33 HSC34 HSC35 HSC36 HSC37
HSI1 HSI2 HSI3 HSI4 HSI5 HSI6 HSI7 HSI8 HSI9 HSI10 HSI100 HSI11 HSI12 HSI13 HSI14 HSI16 HSI17 HSI18 HSI19 HSI20 HSI21 HSI22 HSI23 HSI24 HSI25 HSI26 HSI27 HSI28 HSI29 HSI30 HSI31 HSI32 HSI33 HSI34
HTW1 HTW100 HTW2 HTW3 HTW4 HTW5 HTW6
HMP1 HPE1 HPM1
HTC1 HTC10 HTC100 HTC11 HTC12 HTC13 HTC14 HTC15 HTC16 HTC17 HTC18 HTC19 HTC2 HTC20 HTC21 HTC22 HTC23 HTC24 HTC25 HTC26 HTC27 HTC28 HTC29 HTC3 HTC30 HTC31 HTC32 HTC33 HTC34 HTC35 HTC36 HTC37 HTC38 HTC39 HTC4 HTC40 HTC41 HTC42 HTC43 HTC44 HTC45 HTC46 HTC47 HTC48 HTC49 HTC5 HTC50 HTC51 HTC52 HTC53 HTC54 HTC55 HTC56 HTC57 HTC58 HTC59 HTC6 HTC7 HTC8 HTC9

DescriptionContractors with unauthorized access to FTIUser sessions do not lock after the Publication 1075 required timeframeAgency processes FTI at a contractor-run consolidated data centerFTI is not labeled and is commingled with non-FTIFTI is commingled with non-FTI data in the data warehouseCannot determine who has access to FTIAccount management procedures are not in placeAccounts are not reviewed periodically for proper privilegesAccounts have not been created using user rolesAccounts do not expire after the correct period of inactivityOtherUser access was not established with concept of least privilegeSeparation of duties is not in placeOperating system configuration files have incorrect permissionsWarning banner is insufficientUser accounts not locked out after 3 unsuccessful login attemptsNetwork device allows telnet connectionsAccount lockouts do not require administrator actionNetwork device has modems installedOut of Band Management is not utilized in all instancesAgency duplicates usernamesAgency shares administrative account inappropriatelyAdministrators do not use su or sudo command to access root privilegesUnauthorized disclosure to other agenciesUser roles do not exist within the data warehouse environmentAgency employees with inappropriate access to FTIInappropriate access to FTI from mobile devicesDefault accounts have not been disabled or renamedDatabase trace files are not properly protectedAccess to system functionality without identification and authenticationRACF access controls not properly implementedThe database public users has improper access to data and/or resourcesMainframe access control function does not control access to FTI dataFTI is accessible to third partiesImproper access to DBMS by non-DBAsInappropriate public access to FTIAgency allows FTI access from unsecured wireless networkAccount management procedures are not implementedWarning banner does not existAccess to wireless network exceeds acceptable rangeThe system does not 
effectively utilize whitelists or ACLsAccounts are not removed or suspended when no longer necessarySystem configuration files are not stored securelyManagement sessions are not properly restricted by ACLSystem does not have a manual log off featureSplit tunneling is enabled

Access to mainframe product libraries is not adequately controlledFiles containing authentication information are not adequately protected Usernames are not archived and may be re-issued to different usersUse of emergency userIDs is not properly controlledPrint spoolers do not adequately restrict jobs Unauthorized access to FTI Wireless usage policies are not sufficientMobile device policies are not sufficientFTI is not properly labeled in the cloud environmentFTI is not properly isolated in the cloud environmentMobile device does not wipe after the required threshold of passcode failuresMobile devices policies governing access to FTI are not sufficientAccess control parameter thresholds are reset The guest account has improper access to data and/or resourcesAgency does not centrally manage access to third party environments User rights and permissions are not adequately configuredHost-based firewall is not configured according to industry standard best practiceAgency does not train employees with FTI accessOtherAgency does not train contractors with FTI accessAgency does not maintain training recordsAgency does not provide security-specific trainingAdequate device identification and authentication is not employedStandardized naming convention is not enforcedAuthentication server is not used for end user authenticationAuthentication server is not used for device administrationSystem does not properly control authentication processNo auditing is being performed at the agencyNo auditing is being performed on the systemAudit logs are not being reviewedSystem does not audit failed attempts to gain accessAuditing is not performed on all data tables containing FTISystem does not audit changes to access control settingsAudit records are not retained per Pub 1075Logs are not maintained on a centralized log serverNo log reduction system existsAudit logs are not properly protectedOtherNTP is not properly implementedAudit records are not time stampedAudit records are not 
archived during VM rollbackRemote access is not loggedVerbose logging is not being performed on perimeter devicesA centralized automated audit log analysis solution is not implementedAudit logs do not capture sufficient auditable eventsAudit logs are reviewed, but not per Pub 1075 requirementsAudit log anomalies or findings are not reported and tracked

Audit log data not sent from a consistently identified sourceSystem does not audit all attempts to gain access Content of audit records is not sufficientAudit storage capacity threshold has not been definedAdministrators are not notified when audit storage threshold is reachedAudit processing failures are not properly reported and responded to

Audit trail does not include access to FTI in pre-productionSystems are not formally certified by management to process FTIOtherUndocumented system interconnections existAgency does not conduct routine assessments of security controlsNo third party verification of security assessmentsPOA&Ms are not used to track and mitigate potential weaknessesThe agency's SSR does not address the current FTI environmentSSR is not current with Pub 1075 reporting requirementsRules of behavior does not existRules of behavior is not sufficientAssessment results are not shared with designated agency officialsInterconnection Security Agreements are not sufficientPOA&Ms are not reviewed in accordance with Pub 1075System authorizations are not updated in accordance with Pub 1075 A continuous monitoring program has not been establishedThe continuous monitoring program is not sufficient Information system baseline is insufficientFTI is not properly labeled on-screenOperating system does not have vendor support

Web portal with FTI does not have three-tier architecture

Configuration management procedures do not existThe ability to make changes is not properly limitedSystems are not deployed using the concept of least privilegeSystem has unneeded functionality installedSNMP is not implemented correctlyOffline system configurations are not kept up-to-dateSystem component inventories do not existSystem component inventories are outdatedHardware asset inventory is not sufficientSoftware asset inventory is not sufficientHardware asset inventory does not existSoftware asset inventory does not existFirewall rules are not reviewed or removed when no longer necessary Application interfaces are not separated from management functionality

System/service provider is not held accountable to protect and share audit records with the agency

Routine operational changes are not reviewed for security impacts before being implemented

Agency does not control routine operational changes to systems via an approval process

Permitted services have not been documented and approvedApplication code is not adequately separated from data setsSystem is not monitored for changes from baselineAgency network diagram is not completeZoning has not been configured appropriatelyStatic IP addresses are not used when neededInformation system baseline does not exist Boundary devices are not scanned for open ports and services

System reset function leaves device in unsecure state Default SSID has not been changedThe device is inappropriately used to serve multiple functions

Significant changes are not reviewed for security impacts before being implemented

Agency does not control significant changes to systems via an approval processServices are not configured to use the default/standard portsThe required benchmark has not been applied Configuration settings and benchmarks have not been defined Agency does not adequately govern or control software usageRACF security settings are not properly configured ACF security settings are not properly configuredTop Secret security settings are not properly configuredUNISYS security settings are not properly configuredIBMi security settings are not properly configuredAgency does not properly test changes prior to implementationSystem configuration provides additional attack surfaceAgency does not centrally manage mobile device configurationSystem error messages display system configuration informationLow-risk operating system settings are not configured securelyOtherNo contingency plan exists for FTI dataOtherContingency plans are not tested annuallyContingency plan does not exist for consolidated data centerFTI is not encrypted in transit to the DR siteBackup data is not adequately protectedContingency plan is not updated annuallyContingency plan is not sufficientContingency training is not conductedContingency training is not sufficient Backup data is located on production systemsIncident response program does not existOtherIncident response plan is not sufficientAgency does not perform incident response exercises in accordance with Pub 1075

Application architecture does not properly separate user interface from data repository

Incident response plan does not existExternal maintenance providers not escorted in the data centerOtherMaintenance not restricted to local accessMaintenance tools are not approved / controlledMaintenance records are not sufficientNonlocal maintenance is not implemented securelyRisk Assessment controls are not implemented properlyPlanning controls are not implemented properlyProgram management controls are not implemented properlySystem acquisition controls are not implemented properlySA&A controls are not implemented properlyContingency planning controls are not implemented properlyConfiguration management controls are not implemented properlyMaintenance controls are not implemented properlySystem and information integrity controls are not implemented properlyIncident response controls are not implemented properlyOtherAwareness and training controls are not implemented properlyIdentification and authentication controls are not implemented properlyAccess controls are not implemented properlyAudit and accountability are not implemented properlySystem and communications protection controls are not implemented properlyDocumentation does not existDocumentation is sufficient but outdatedDocumentation exists but is not sufficientNo password is required to access an FTI systemPassword does not expire timelyMinimum password length is too shortMinimum password age does not existPasswords are generated and distributed automaticallyPassword history is insufficientPassword change notification is not sufficientPasswords are displayed on screen when enteredPassword management processes are not documentedPasswords are allowed to be storedOtherPassword transmission does not use strong cryptographyPasswords do not meet complexity requirementsEnabled secret passwords are not implemented correctlyAuthenticator feedback is labeled inappropriatelyPasswords are shared inappropriatelySwipe-based passwords are allowed on mobile devicesDefault passwords have not been changedNo password is 
required to remotely access an FTI system

Agency does not provide support resource for assistance in handling and reporting security incidents

More than one Publication 1075 password requirement is not metUser is not required to change password upon first usePasswords are allowed to be stored unencrypted in config filesAdministrators cannot override minimum password age for users, when requiredPasswords cannot be changed by usersRisk assessments are not performedOtherVulnerability assessments are not performedVulnerability assessments do not generate corrective action plans

Vulnerabilities are not remediated in a timely mannerScope of vulnerability scanning is not sufficientRisk assessments are performed but not in accordance with Pub 1075 parametersPenetration test results are not included in agency POA&MsApplication source code is not assessed for static vulnerabilitiesMulti-Factor authentication is not requiredOtherMulti-Factor authentication is not required to access FTI via personal devicesFTI access from personal devicesFTI access from offshoreUser sessions do not terminate after the Publication 1075 period of inactivityThe mainframe is directly routable to the internet via Port 23The agency does not adequately control remote access to its systemsDirect root access is enabled on the systemVPN technology does not perform host checkingClient side cache cleaning utility has not been implementedSite to site connection does not terminate outside the firewallAn FTI system is directly routable to the internet via unencrypted protocolsThe agency does not blacklist known malicious IPs The agency does not update blacklists of known malicious IPsMulti-factor authentication is not enforced for local device management VPN access points have not been limitedSSH is not implemented correctly for device managementRemote access policies are not sufficientAgency cannot remotely wipe lost mobile deviceLive FTI data is used in test environments without approvalOtherUsage restrictions to open source software are not in placeNo agreement exists with 3rd party provider to host FTISoftware installation rights are not limited to the technical staffConfiguration changes are not controlled during all phases of the SDLCSecurity test and evaluations are not performed during system developmentThe external facing system is no longer supported by the vendor

Vulnerability assessments are not performed as frequently as required per Publication 1075

The internally hosted operating system's major release is no longer supported by the vendor

The internally hosted software's major release is no longer supported by the vendor

The internally hosted software's minor release is no longer supported by the vendor

Internal networking devices are no longer supported by the vendorIT security is not part of capital planning and the investment control processFTI systems are not included in a SDLC FTI contracts do not contain all security requirementsDocumentation is not properly protectedSecurity is not a consideration in system design or upgradeCloud vendor is not FedRAMP certifiedFTI is not encrypted in transitFTI is emailed outside of the agencyFTI is emailed incorrectly inside the agencyVOIP system not implemented correctlyNo DMZ exists for the networkNot all connections to FTI systems are monitoredNAT is not implemented for internal IP addressesNetwork architecture is flatDatabase listener is not properly configuredFTI is not properly deleted / destroyedOtherNo backup plan exists to remove failed data loads in the data warehouseOriginal FTI extracts are not protected after ETL processFTI is transmitted incorrectly using an MFDVM to VM communication exists using VMCIEncryption capabilities do not meet FIPS 140-2 requirementsSystem does not meet common criteria requirementsDenial of Service protection settings are not configuredSystem communication authenticity is not guaranteedNetwork perimeter devices do not properly restrict trafficPublically available systems contain FTINumber of logon sessions are not managed appropriatelyVPN termination point is not sufficientSite survey has not been performedDigital Signatures or PKI certificates are expired or revokedNetwork sessions do not timeout per Publication 1075 requirementsEmail policy is not sufficientTraffic inspection is not sufficientThe network is not properly segmentedCryptographic key pairs are not properly managed VLAN configurations do not utilize networking best practicesCollaborative computing devices are not deployed securelyPKI certificates are not issued from an approved authorityDatawarehouse has insecure connections

The internally hosted operating system's minor release is no longer supported by the vendor

The production and development environments are not properly separated
Procedures stored in the database are not encrypted
System is configured to accept unwanted network connections
Network connection to third party system is not properly configured
System configured to load or run removable media automatically
System patch level is insufficient
System is not monitored for threats
No intrusion detection system exists
OS files are not hashed to detect inappropriate changes
Intrusion detection system not implemented correctly
FTI can move via covert channels (e.g., VM isolation tools)
All VM moves are being tracked in the virtual environment
Network device configuration files are not kept offline
Hash sums of ISO images are not maintained in the virtual environment
Other
Antivirus is not configured to automatically scan removable media
No antivirus is configured on the system
Antivirus does not exist on an internet-facing endpoint
The system's automatic update feature is not configured appropriately
Agency network not properly protected from spam email
Antivirus is not configured appropriately
VM rollbacks are conducted while connected to the network
Data inputs are not being validated
Agency does not receive security alerts, advisories, or directives
FTI is inappropriately moved and shared with non-FTI virtual machines
Data remanence is not properly handled
Agency has not defined an authorized list of software
Agency does not monitor for unauthorized software on the network
Agency does not monitor for unauthorized hosts on the network
No host intrusion detection/prevention system exists
Critical security patches have not been applied
Security alerts are not disseminated to agency personnel
Data inputs are from external sources
System output is not secured in accordance with Publication 1075

Agency does not properly retire or remove unneeded source code from production

Virtual Switch (Vswitch) security parameters are set incorrectly
Memory protection mechanisms are not sufficient
A file integrity checking mechanism does not exist
Tumbleweed client is not configured properly
Other
Tumbleweed certificate is assigned to the wrong person
No written procedures for using Tumbleweed
FTI is left on the device running the Tumbleweed application
Axway does not run on a dedicated platform
The data transfer agreement is not in place
Media sanitization is not sufficient

Printer does not lock and prevent access to the hard drive
A senior information officer does not exist
The Windows 2000 server is unsupported
The ASA firewall is not configured securely
Other
The RACF Mainframe is not configured securely
The ACF2 Mainframe is not configured securely
The Top Secret Mainframe is not configured securely
The Unisys Mainframe is not configured securely
The i5OS Mainframe is not configured securely
The VPN concentrator is not configured securely
The Citrix Access Gateway is not configured securely
The Windows XP Workstation is not configured securely
The Windows 7 Workstation is not configured securely
The Windows 2003 Server is not configured securely
The Windows 8 Workstation is not configured securely
Network protection capabilities are not configured securely
The MFD is not configured securely
The GenTax application is not configured securely
The data warehouse is not configured securely
The RSI data warehouse is not configured securely
The Teradata data warehouse is not configured securely
The DB2 database is not configured securely
The Oracle 9g database is not configured securely
The Oracle 10g database is not configured securely
The Windows 2008 Server is not configured securely
The Oracle 11g database is not configured securely
The SQL Server 2000 installation is unsupported
The SQL Server 2005 installation is not configured securely
The SQL Server 2008 installation is not configured securely
The SQL Server 2012 installation is not configured securely
The VMWare Hypervisor is not configured securely
The Tumbleweed client is not configured securely
The internet browser is not configured securely
The storage area network device is not configured securely
The voice-over IP network is not configured securely
The Windows 2012 Server is not configured securely
The wireless network is not configured securely
The custom web application is not configured securely
The IVR system is not configured securely
The web server is not configured securely
The cloud computing environment is not configured securely
The Apple iOS device is not configured securely
The Google Android device is not configured securely
The Blackberry OS device is not configured securely
The Microsoft Windows RT device is not configured securely
The mobile device is not configured securely

The Solaris server is not configured securely
Agency has not notified IRS of this technology
Technology is not properly sanitized after use
The AIX server is not configured securely
The custom application is not configured securely
The SuSE Linux server is not configured securely
The Adabas database is not configured securely
The Windows 10 operating system is not configured securely
The Oracle 12c database is not configured securely
The Red Hat Enterprise Linux 6 operating system is not configured securely
The Red Hat Enterprise Linux 7 operating system is not configured securely
The Red Hat Linux server is not configured securely
The CentOS server is not configured securely
The Cisco networking device is not configured securely
The Cisco PIX firewall is not configured securely

Weight 12-1-16 v3


Recommended