A security testing checklist is a fact-gathering tool used to confirm that a new web application behaves as expected from a security standpoint. Each check point is answered Yes or No; every No is either a gap to close before release or a risk that someone has to accept explicitly.
Check Points related to Data Security

| Sr. | Check Point | Yes/No |
|---|---|---|
| 1. | Are data inputs adequately validated and filtered? | |
| 2. | Are data access privileges identified? (e.g., read, write, update and query) | |
| 3. | Are data access privileges enforced? | |
| 4. | Have data backup and restore processes been defined? | |
| 5. | Have data backup and restore processes been tested? | |
| 6. | Have file permissions been established? | |
| 7. | Have file permissions been tested? | |
| 8. | Have sensitive and critical data been allocated to secure locations? | |
| 9. | Have data archival and retrieval procedures been defined? | |
| 10. | Have data archival and retrieval procedures been tested? | |
Check Points related to Data Encryption

| Sr. | Check Point | Yes/No |
|---|---|---|
| 1. | Are encryption systems / levels defined? | |
| 2. | Is there a standard of what is to be encrypted? | |
| 3. | Are customers' clients compatible with the required encryption levels and protocols? | |
| 4. | Are transactions protected in transit with appropriate encryption, e.g. Transport Layer Security (TLS; its predecessor SSL is deprecated) or a Virtual Private Network (VPN)? | |
| 5. | Have the encryption processes and standards been documented? | |
Check Points related to Disaster Recovery

| Sr. | Check Point | Yes/No |
|---|---|---|
| 1. | Have service levels been defined? (e.g., how long should recovery take?) | |
| 2. | Are fail-over solutions needed? | |
| 3. | Is there a way to reroute to another server in the event of a site crash? | |
| 4. | Are executables, data, and content backed up on a defined interval appropriate for the level of risk? | |
| 5. | Are disaster recovery processes and procedures defined in writing? If so, are they current? | |
| 6. | Have recovery procedures been tested? | |
| 7. | Are site assets adequately insured? | |
| 8. | Is a third-party "hot site" available for emergency recovery? | |
| 9. | Has a Business Contingency Plan been developed to maintain the business while the site is being restored? | |
| 10. | Have all levels in the organization gone through the needed training and drills? | |
| 11. | Do support notification procedures exist, and are they followed? | |
| 12. | Do support notification procedures support a 24/7 operation? | |
| 13. | Have criteria been defined to evaluate recovery completion / correctness? | |