
From Hostek.com Wiki

Revision as of 15:47, 5 April 2014

Visa E-commerce Security Checklist Questionnaire

Physical Security

Q: Where is the server physically located?
A: St. Louis, MO, USA (in most cases)
Q: Who has access?
A: Authorized personnel only.
Q: Who authorizes access?
A: Data Center
Q: What is the access control mechanism?
A: Multi-step: Security cards, manual ID inspection, manual access entry.
Q: Are there motion detectors, cameras, etc...?
A: Several 24x7 recorded cameras/video throughout.
Q: Where are the backups stored?
A: Generally offsite in Dallas, TX, USA

Network Security

Q: Are the appropriate contacts defined in DNS?
A: Yes
Q: On what VLAN is the host? Where does this VLAN exist?
A: Virtual VLAN via VMware
Q: Is there a network firewall in place?
A: Yes
Q: Is there a host-based firewall in place?
A: Yes
Q: What are the firewall rules for remote administrative access?
A: Internal only
Q: What kind of logging is in place?
A: Standard logging (generic question)
Q: Are the logs periodically reviewed and acted on?
A: Yes
Q: What services are available to the Internet?
A: Only the services needed for the site to function; all others are blocked.
Q: What network access controls are in place for the database server?
A: Internal access only for admin access, requiring strong username/password authentication.

System Security

Q: What OS is running on the system?
A: It depends on the plan: cPanel plans run Linux; MochaPanel/WCP plans run Windows.
Q: What is the OS version? Is it nearing end of life?
A: Depends on the plan chosen.
Q: Is the OS patched? What is the process for applying security patches?
A: Yes. The servers are routinely patched as releases are made.
Q: What is the server used for, other than this application?
A: Our shared web servers are only used as web servers.
Q: What software is installed?
A: Depends on the OS type.
Q: What services are running?
A: Only those services needed by a web server.
Q: Is the clock synchronized via NTP?
A: Yes
Q: What are the login accounts on the system?
A: N/A
Q: What authentication methods does the system support?
A: Depends on the OS.
Q: Does the system authenticate against a domain/realm/external database?
A: No
Q: How does one get root/Administrator privilege?
A: You don't on a shared server.
Q: Are strong passwords used? Is usage enforced?
A: Yes
Q: Are there shared accounts?
A: Users are not shared.  The web server is a shared server.
Q: What is the state of the file system security? (world writable files, suid root)
A: Files have restricted access to the account owner.
Q: How are backups done?
A: Nightly.
Q: What kind of logging is in place?
A: Standard logging.
Q: Are the logs periodically reviewed and acted on?
A: Yes

Database Security

Q: Where does the database server run?
A: On a separate database server.
Q: With what privileges on the system does the database server run?
A: Depends on the type of database server.  The user account privileges are restricted to that specific database.
Q: What access controls are in place for the application's data?
A: (Customer needs to answer)
Q: What database privileges does the application have?
A: (Customer needs to answer)
Q: What information is stored in the database?
A: (Customer needs to answer)
Q: What database users/roles are defined, and what privileges do they have?
A: (Customer needs to answer)
Q: What is the data retention policy?
A: Backups are retained up to 14 days on shared database servers.
Q: How is the database backed up?
A: Nightly
Q: What kind of logging is in place?
A: Standard logging
Q: Are the logs periodically reviewed and acted on?
A: Yes
Web Server Security

Q: Does the server force SSL/TLS to the application?
A: (Customer needs to answer)
Q: Is the SSL/TLS keypair adequately secured?
A: Yes
Q: Are weak ciphers disabled?
A: Yes
Q: Is SSLv2 disabled?
A: Yes
Q: Are unnecessary modules/plugins disabled?
A: Yes
Application Security

The customer needs to answer these questions, as they are application-specific.