Difference between revisions of "Visa E-commerce Security Checklist Questionaire"
From Hostek.com Wiki
(Created page with "==Visa E-commerce Security Checklist Questionaire== ===Physical Security=== Q: Where is the server physically located? A: St. Louis, MO, USA (in most cases) Q: Who has ac...") |
(No difference)
|
Revision as of 15:47, 5 April 2014
Contents
Visa E-commerce Security Checklist Questionaire
Physical Security
Q: Where is the server physically located? A: St. Louis, MO, USA (in most cases)
Q: Who has access? A: Authorized personnel only.
Q: Who authorizes access? A: Data Center
Q: What is the access control mechanism? A: Multi-step: Security cards, manual ID inspection, manual access entry.
Q: Are there motion detectors, cameras, etc...? A: Several 24x7 recorded cameras/video throughout.
Q: Where are the backups stored? A: Generally offsite in Dallas, TX, USA
Network Security
Q: Are the appropriate contacts defined in DNS? A: Yes
Q: On what VLAN is the host? Where does this VLAN exist? A: Virtual VLAN via vmWare
Q: Is there a network firewall in place? A: Yes
Q: Is there a host-based firewall in place? A: Yes
Q: What are the firewall rules for remote administrative access? A: Internal only
Q: What kind of logging is in place? A: Standard logging (generic question)
Q: Are the logs periodically reviewed and acted on? A: Yes
Q: What services are available to the Internet? A: Only needed services to allow the site to function. All others blocked.
Q: What network access controls are in place for the database server? A: Internal access only for admin access, requiring strong username/password authentication.
System Security
Q: What OS is running on the system? A: Depends. If you have cPanel, it's Linux. If you have MochaPanel/WCP, it's Windows.
Q: What is the OS version? Is it nearing end of life? A: Depends on the plan chosen.
Q: Is the OS patched? What is the process for applying security patches? A: Yes. The servers are routinely patched as releases are made.
Q: What is the server used for, other than this application? A: Our shared web servers are only used as web servers.
Q: What software is installed? A: Depends on the OS type.
Q: What services are running? A: Only those services needed by a web server.
Q: Is the clock synchronized via NTP? A: Yes
Q: What are the login accounts on the system? A: N/A
Q: What authentication methods does the system support? A: Depends on the OS.
Q: Does the system authenticate against a domain/realm/external database? A: No
Q: How does one get root/Administrator privilege? A: You don't on a shared server.
Q: Are strong passwords used? Is usage enforced? A: Yes
Q: Are there shared accounts? A: Users are not shared. The web server is a shared server.
Q: What is the state of the file system security? (world writable files, suid root) A: Files have restricted access to the account owner.
Q: How are backups done? A: Nightly.
Q: What kind of logging is in place? A: Standard logging.
Q: Are the logs periodically reviewed and acted on? A: Yes
Database Security
Q: Where does the database server run? A: On a separate database server.
Q: With what privileges on the system does the database server run? A: Depends on the type of database server. The user account privileges are restricted to that specific database.
Q: What access controls are in place for the application's data? A: (Customer needs to answer)
Q: What database privileges does the application have? A: (Customer needs to answer)
Q: What information is stored in the database? A: (Customer needs to answer)
Q: What database users/roles are defined, and what privileges do they have? A: (Customer needs to answer)
Q: What is the data retention policy? A: Backups are retained up to 14 days on shared database servers.
Q: How is the database backed-up? A: Nightly
Q: What kind of logging is in place? A: Standard logging
Q: Are the logs periodically reviewed and acted on? A: Yes
Web Server Security
Q: Does the server force SSL/TLS to the application? A: (Customer needs to answer)
Q: Is the SSL/TLS keypair adequately secured? A: Yes
Q: Are weak ciphers disabled? A: Yes
Q: Is SSLv2 disabled? A: Yes
Q: Are unnessesary modules/plugins disabled? A: Yes
Application Security
Customer needs to answer those questions as they are application specific.