This document collects items to think about, questions to ask, tools, and references for conducting a Security Threat and Risk Assessment (STRA) of a system in a BCGov DevOps environment. It draws on several information security frameworks, focuses on the system and the practices of the team supporting it, and leaves enterprise policy questions aside.
- Scope and timeline of the assessment
- Criticality of the system
Is there an inventory of:
- hosts, platform, and/or system stack?
- critical software components and versions?
- Is there a process to keep the inventory up to date?
Is there a Data Flow Diagram or other document describing:
- all entities, (servers, services, APIs, end-users and admin)?
- all communications between entities (protocols, ports, direction)?
- Is the design kept up to date?
- Do firewall rules support the system design?
- Are all exposures necessary (i.e. no unused services listening, nothing reachable that the design does not require)?
- Does a port scan (e.g. nmap) confirm the above, from outside the firewall as well as inside it?
- Is the TLS configuration sufficient (e.g. grade A at https://www.ssllabs.com/ssltest/)?
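One way to turn the "does the port scan confirm the design" question into a repeatable check is to diff the scanner's output against the exposures the Data Flow Diagram says are allowed. The script below is an added example, not part of the original checklist; the allowed-exposure list and the nmap XML are constructed for illustration, and the host addresses and ports are assumptions. In practice you would feed it the output of `nmap -sS -p- -oX scan.xml <targets>` run from the network position each entity actually connects from.

```python
"""Compare an nmap scan against the exposures the design (DFD) allows.

Added example, not part of the original checklist. DESIGN_EXPOSURES and
NMAP_XML are constructed; replace them with the real DFD inventory and the
output of: nmap -sS -p- -oX scan.xml <targets>
"""
import xml.etree.ElementTree as ET

# Constructed: what the DFD says each host should expose, as (host, proto, port).
DESIGN_EXPOSURES = {
    ("10.0.0.10", "tcp", 443),   # web tier: HTTPS only
    ("10.0.0.20", "tcp", 5432),  # data tier: PostgreSQL, reachable from the app subnet
}

# Constructed nmap -oX output for the two hosts above (no leading whitespace:
# expat requires the XML declaration at the very start of the document).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="5432"><state state="closed"/><service name="postgresql"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return the set of (host, proto, port) that nmap reports as open.

    Only 'open' counts as an exposure; 'filtered' and 'closed' ports are not
    reachable from the scanning position and are ignored.
    """
    exposed = set()
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                exposed.add((addr.get("addr"), port.get("protocol"), int(port.get("portid"))))
    return exposed


def compare_to_design(scanned, design):
    """Split the result into exposures the design does not justify and
    expected services that were not reachable (possible firewall or service fault)."""
    unexpected = sorted(scanned - design)
    missing = sorted(design - scanned)
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = compare_to_design(parse_nmap_xml(NMAP_XML), DESIGN_EXPOSURES)
    for host, proto, port in unexpected:
        print(f"UNEXPECTED  {host} {proto}/{port}: not in the DFD; close it or update the design")
    for host, proto, port in missing:
        print(f"UNREACHABLE {host} {proto}/{port}: expected by the DFD; check firewall rules and the service")
```

Both lists are findings: an unexpected open port is an exposure the design never justified, and an expected port that is closed from the position the scan ran from means either the firewall rules or the running services do not match the diagram. Run the scan from every vantage point in the DFD (internet, admin network, app subnet), since "open" is relative to where you stand.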
- Is there idir/BCeID integration or an exemption otherwise?
- Are _A accounts used for server admin?
- Have any default user accounts been removed?
- Is the process for granting/revoking access documented?
- Is access control centralized (e.g. Active Directory)?
- Is the purpose/location of system accounts documented?
- Do system accounts run with the least privilege they need?
- Are system passwords/keys well protected?
- Are there vulnerability notifications for all critical software components?
Is there testing for each build:
- static code analysis (e.g. SonarQube)?
- dynamic app testing (e.g. ZAP)?
- user testing (e.g. fuzzing, invalid inputs)?
- APIs protected/not leaking data?
- Are critical security patches prioritized?
- Are changes scheduled?
- Are changes tested?
Are changes/outages communicated:
- from service providers (e.g. Hosting)?
- to stakeholders?
Do logs record an appropriate level of detail for each of the following categories of events:
- Web Access?
- Admin access?
- Are logs stored external to the system?
- Are logs protected from tampering/deletion?
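Storing logs off the system answers "are they external"; "protected from tampering" also needs a way to prove that what was shipped is what is now on the collector. The block below is an added example, not part of the original checklist: a keyed hash chain in which each record's tag covers the previous record's tag plus its own text, so editing, deleting or reordering any record invalidates every tag after it. The key and log lines are constructed; the design assumption, stated in the code, is that the key is held only by the central log collector, not by the system under assessment, so an attacker with root on that system cannot recompute a consistent chain.

```python
"""Tamper-evident log chain using HMAC-SHA256.

Added example, not part of the original checklist. The key and log lines are
constructed. Assumption: the key is held only by the central log collector;
the system producing the logs ships plain lines and never sees it.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # tag "before" the first record

# Constructed collector-side key; in practice load it from the collector's secret store.
COLLECTOR_KEY = b"constructed-collector-key-not-for-production"

# Constructed admin-access log lines as shipped from the system.
SAMPLE_LINES = [
    "2024-03-10T14:00:01Z sshd: Accepted publickey for deploy from 10.0.5.3",
    "2024-03-10T14:02:17Z sudo: deploy : COMMAND=/usr/bin/systemctl restart app",
    "2024-03-10T14:03:40Z sudo: deploy : COMMAND=/bin/rm -rf /var/log/app",
    "2024-03-10T14:05:02Z sshd: Disconnected from user deploy 10.0.5.3",
]


def chain_logs(lines, key):
    """Return [(line, tag_hex)] with tag_i = HMAC(key, tag_{i-1} || line_i)."""
    prev = GENESIS
    records = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev = tag
    return records


def verify_chain(records, key, expected_last_tag=None):
    """Return the index of the first bad record, or -1 if the chain is intact.

    Editing, deleting or reordering record i breaks the tag of record i (or of
    the record now sitting at position i).  Truncating the tail is the one
    change a chain alone cannot show, so the collector also compares the last
    tag against the one it recorded (expected_last_tag); a mismatch is reported
    at index len(records).
    """
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(records):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    if expected_last_tag is not None and not hmac.compare_digest(prev.hex(), expected_last_tag):
        return len(records)
    return -1


if __name__ == "__main__":
    records = chain_logs(SAMPLE_LINES, COLLECTOR_KEY)
    print("intact:", verify_chain(records, COLLECTOR_KEY))
    # An attacker who cleans up after themselves removes the rm -rf line.
    scrubbed = records[:2] + records[3:]
    print("after deleting record 2, first bad index:", verify_chain(scrubbed, COLLECTOR_KEY))
```

The chain makes silent edits detectable, not impossible; what stops them is that the tags are computed and stored on the collector, which the assessed system can only append to. Pair it with write-once storage or retention locks on the collector side, and with alerting when a verify run fails.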
Are there alerts to notify system admins/owners of:
- system outages?
- performance degradation?
- unauthorized access attempts/misuse (e.g. brute force)?
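An alert for brute force needs a concrete rule rather than a question, so here is one written out. This is an added example, not part of the original checklist: it reads Apache/nginx "combined" format access log lines, keeps a sliding window of failed logins per source address, raises an alert when the count crosses a threshold, and raises a second, higher-severity alert if the same address then logs in successfully inside the window. The log lines are constructed; the login path, status codes and thresholds are assumptions to tune for the application.

```python
"""Brute-force and success-after-brute-force detection over web access logs.

Added example, not part of the original checklist. SAMPLE_LOG is constructed;
login_path, the status codes treated as failure/success, and the thresholds
are assumptions to adjust for the real application.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx 'combined' format; we only need ip, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed: 203.0.113.7 fails five times in five seconds then succeeds;
# 198.51.100.4 is a real user who mistyped once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:00:01 -0800] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:14:00:02 -0800] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:14:00:03 -0800] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:00:03 -0800] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:14:00:04 -0800] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:14:00:05 -0800] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:14:00:06 -0800] "POST /login HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:14:00:09 -0800] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_brute_force(lines, login_path="/login", threshold=5, window_s=60,
                       failure_codes=(401, 403), success_codes=(200, 302)):
    """Return a list of (ip, kind, timestamp) alerts.

    kind is 'brute_force' the first time an ip accumulates `threshold` failed
    logins within `window_s` seconds, and 'success_after_brute_force' when that
    ip then logs in successfully within `window_s` of the first alert.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    flagged = {}                   # ip -> time the brute_force alert fired
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != login_path:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()  # slide the window
        if ev["status"] in failure_codes:
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append((ip, "brute_force", ts))
        elif ev["status"] in success_codes:
            if ip in flagged and (ts - flagged[ip]).total_seconds() <= window_s:
                alerts.append((ip, "success_after_brute_force", ts))
    return alerts


if __name__ == "__main__":
    for ip, kind, ts in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:28} {ip}")
```

Per-IP counting is the simplest rule and is what most WAF and SIEM brute-force signatures do; it misses password spraying (many addresses, one attempt each against many accounts), which needs the same window keyed by target username or by distinct-usernames-per-source instead. Whichever key you use, the "success after failures" alert is the one that should page someone, because it indicates the attempt may have worked.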
- Are there backups for critical data?
- Are there periodic/recent restore tests?
- Is data at-rest protected (e.g. encrypted disks)?
Business Continuity:
- Are Recovery Time Objectives defined (e.g. maximum downtime)?
- Is there a communication plan for unexpected outages?
- Is there a contact list for key staff and alternates?
- Are operating manuals/docs sufficient for others to understand?
- Have recovery plans been tested?