RE: Security Checklist

["Dave Kleiman" <dave () davekleiman com>]

First, is your company bound by any regulatory compliance (SoX, HIPAA, or maybe PCI)?

A bunch have already suggested excellent checklists, since you mentioned Windows systems you might want to include the 
MS Common Criteria Guidelines, there are a bunch of checklists here: 
http://technet.microsoft.com/en-us/library/cc723510.aspx

Then there are tools like S-Lok, that automate all those checklists and even provide a safety system in case someone 
alters something that is listed on the checklist, it changes it back and creates a log entry. 
http://www.s-doc.com/products/slok.asp


Respectfully,

Dave Kleiman - http://www.DigitalForensicExpert.com
http://www.ComputerForensicExaminer.com - http://DigitalForensicAnalyst.com

4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801 

Digital Computer Forensics + Data Recovery + Electronic Discovery


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Venkatesh Selvaraju
Sent: Tuesday, May 05, 2009 13:23
To: info () jamesattard com
Cc: security-basics () securityfocus com
Subject: Re: Security Checklist

CIS benchmarks are the industry wide acceptable standards for IT
security controls and they have got it all from operating systems to
routers to web servers:
http://www.cisecurity.com/benchmarks.html

HTH

On Mon, May 4, 2009 at 10:31 PM, James Attard <james.attard () gmail com> wrote:
> Dear list,
>
> I need some help to build up a security checklist for my company
> running mainly windows operating systems, apache webservers, and
> checkpoint firewall. What I have in mind is that everyday I dedicate
> not more than 1 hour and I look at this checklist and see whether the
> health status from a security point of view of the whole IT
> infrastructure is OK. What should I be looking at? What logs do I need
> to generate if they don't exist, and what information patterns should
> I look at in the Apache logs/Windows logviewers? Do I need some
> software to help me aggregate and process all this information?
>
> Regards,
> J
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
> Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
> Penetration Tester exams, taught by an expert with years of real pen testing experience.
>
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. 
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------