// Copyright 2016 Google Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

{
  "questionnaire": [
    {
      "type": "block",
      "text": "Physical & Data Center Security Questionnaire",
      "items": [
        {
          "type": "block",
          "id": "block_office_security",
          "text": "Security at the Office",
          "items": [
            {
              "type": "info",
              "text": "<b>Why this section matters:</b> Data centers are often fairly easy to protect because not very many people need physical access to them. Offices, on the other hand, are much harder to secure because a lot of people need frequent access. In addition to being directly connected to data centers on a network level, offices host the physical machines that are used to access data. Unless the office is sufficiently protected, attackers might use physical access to (for example) set up back doors on machines or steal local data, including credentials that can then be used to access information in data centers."
            },
            {
              "type": "info",
              "text": "<b>Note:</b> If you have multiple offices with network-level access to systems or data containing confidential information, answer the following questions for the office with the fewest physical controls (the weakest link)."
            },
            {
              "type": "radiogroup",
              "id": "office_facilities_excl",
              "text": "Are all facilities used exclusively by your company, or are some shared?",
              "defaultChoice": false,
              "choices": [
                {"office_facilities_excl_yes": "Yes, we are the only tenant of the facilities."},
                {"office_facilities_excl_no": "No, some or all of the facilities are shared with other companies."},
                {"office_facilities_home": "We don't have offices; everyone works from home."}
              ]
            },
            {
              "type": "box",
              "id": "office_home_device_mgmt",
              "cond": "office_facilities_home",
              "text": "How do you manage your employees' devices, considering everyone works from home? Are they centrally managed?"
            },
            {
              "type": "box",
              "id": "office_facilities_separation",
              "cond": "office_facilities_excl_no",
              "text": "How is your physical area separated from other areas of the office facility? Explain how you control access to your area (e.g., door with swipe card and a receptionist)."
            },
            {
              "type": "radiogroup",
              "id": "office_ra",
              "cond": "!office_facilities_home",
              "text": "Does your company review the physical and environmental risks that your office facilities are exposed to, and do you have procedures in place to evaluate and, if necessary, address them?",
              "defaultChoice": false,
              "choices": [
                {"office_ra_yes": "Yes, we do risk assessments to proactively identify risks related to physical and environmental security."},
                {"office_ra_no": "No, we don't review physical and environmental risks."}
              ]
            },
            {
              "type": "tip",
              "id": "warn_no_office_ra",
              "cond": "office_ra_no",
              "text": "To ensure that your current security controls are adequate, it's important to assess the physical and environmental risks that your office facilities are exposed to.",
              "warn": "yes",
              "name": "No risk assessments of physical security at office",
              "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
              "severity": "high"
            },
            {
              "type": "checkgroup",
              "cond": "office_facilities_excl_no",
              "text": "Select the security controls that are in place at <i>all</i> of your offices:",
              "defaultChoice": false,
              "choices": [
                {"office_controls_receptionist": "Staffed reception desk"},
                {"office_controls_guards_shared": "Guards (shared by entire building)"},
                {"office_controls_guards_exclusive": "Guards (hired by and for your company specifically)"},
                {"office_controls_motion_detectors": "Motion detectors"},
                {"office_controls_alarms": "Alarms"},
                {"office_controls_cctv": "CCTV"},
                {"office_controls_swipe_cards": "Electronic access control (e.g., swipe cards)"},
                {"office_controls_perimeter_security": "Perimeter security"}
              ]
            },
            {
              "type": "tip",
              "id": "warn_office_controls_swipe_cards",
              "cond": "office_facilities_excl_no && !office_controls_swipe_cards",
              "text": "Electronic access control is strongly recommended for office facilities that deal with confidential or sensitive data or have network-level access to it. Standard (non-electronic) keys are very difficult to control (short of changing the entire lock), and access is generally not logged in an auditable way.",
              "warn": "yes",
              "name": "No electronic access controls at the office",
              "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
              "severity": "high"
            },
            {
              "type": "radiogroup",
              "id": "office_policy",
              "cond": "!office_facilities_home",
              "text": "Do you have a written policy that lists the physical security requirements for office facilities?",
              "defaultChoice": false,
              "choices": [
                {"office_policy_yes": "Yes"},
                {"office_policy_no": "No"}
              ]
            },
            {
              "type": "tip",
              "id": "warn_office_policy",
              "cond": "office_policy_no",
              "text": "Having a written physical security policy helps ensure that all offices establish the same standards for protecting against unauthorized physical access. Because overall security is determined by the weakest link in the chain, a single noncompliant office may introduce risk to your company's (and customers') confidential and sensitive information.",
              "warn": "yes",
              "name": "No written policy for physical security at office",
              "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
              "severity": "medium"
            },
            {
              "type": "block",
              "id": "block_access_control",
              "cond": "office_controls_swipe_cards",
              "text": "Access Control",
              "items": [
                {
                  "type": "radiogroup",
                  "id": "office_access",
                  "text": "Do you have an auditable process in place for granting and revoking physical access to office facilities?",
                  "defaultChoice": false,
                  "choices": [
                    {"office_access_yes": "Yes"},
                    {"office_access_no": "No"}
                  ]
                },
                {
                  "type": "tip",
                  "id": "warn_office_access",
                  "cond": "office_access_no",
                  "text": "Physical access to office facilities should be restricted, because a breach can affect the confidentiality, integrity, and availability of information. It's important to have an auditable process for granting and revoking physical access, and for reviewing physical entry logs.",
                  "warn": "yes",
                  "name": "No auditable procedures for physical security at office",
                  "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
                  "severity": "high"
                },
                {
                  "type": "radiogroup",
                  "id": "office_acclogs",
                  "cond": "!office_facilities_home",
                  "text": "Are physical entry logs kept for at least six months?",
                  "defaultChoice": false,
                  "choices": [
                    {"office_acclogs_yes": "Yes"},
                    {"office_acclogs_no": "No"}
                  ]
                },
                {
                  "type": "tip",
                  "id": "warn_office_acclogs",
                  "cond": "office_acclogs_no",
                  "text": "Unfortunately, security incidents (whether physical or logical) are not always immediately detected. It's important to retain physical access log files, typically for six months, in case they're needed for investigation.",
                  "warn": "yes",
                  "name": "No office access log retention",
                  "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
                  "severity": "medium"
                },
                {
                  "type": "block",
                  "id": "block_entry_log_review",
                  "cond": "!office_facilities_home",
                  "text": "Entry Log Review",
                  "items": [
                    {
                      "type": "radiogroup",
                      "text": "How often do you review physical entry logs?",
                      "defaultChoice": false,
                      "choices": [
                        {"office_acclogs_review_never": "Never"},
                        {"office_acclogs_review_quarterly": "Every couple of months"},
                        {"office_acclogs_review_monthly": "Once per month"},
                        {"office_acclogs_review_often": "More often"}
                      ]
                    },
                    {
                      "type": "tip",
                      "id": "warn_office_acclogs_review_never",
                      "cond": "office_acclogs_review_never",
                      "text": "In data theft incidents, it is not always immediately obvious that data has been copied (after all, nothing is missing per se). To address this, physical access logs should be regularly reviewed so that irregularities can be quickly identified and investigated.",
                      "warn": "yes",
                      "name": "No office access log reviews",
                      "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
                      "severity": "medium"
                    }
                  ]
                }
              ]
            },
            {
              "type": "radiogroup",
              "id": "office_network_room",
              "cond": "!office_facilities_home",
              "text": "Offices need a lot of networking equipment. If an attacker manages to gain access to such equipment, they could, for example, do a man-in-the-middle attack for all office traffic. It's important to protect access to network equipment like floor distributor switches, office routers, wireless APs, etc.",
              "defaultChoice": false,
              "choices": [
                {"office_network_room_yes": "All of these are well protected and locked away. Only a few IT employees have physical access to networking equipment."},
                {"office_network_room_no": "We don't protect access to office networking equipment."}
              ]
            },
            {
              "type": "tip",
              "id": "warn_office_network_room",
              "cond": "office_network_room_no",
              "text": "Lack of protection for office network equipment can provide an attacker with a conveniently central place from which to attempt to breach your network. If someone manages to gain unauthorized physical access to office routers/distribution switches, they might be able to get around security controls (such as ARP-spoofing protections or 802.1x). It's best to lock away office networking equipment, to prevent unauthorized tampering.",
              "warn": "yes",
              "name": "No protection of office network equipment",
              "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
              "severity": "medium"
            },
            {
              "type": "box",
              "id": "office_other",
              "text": "Is there anything else you want us to know about the physical security at your office?"
            }
          ]
        },
        {
          "type": "block",
          "text": "Data Center Security",
          "items": [
            {
              "type": "info",
              "text": "<b>Why this section matters:</b> Most of a company's data should be stored and processed in a data center. The physical and environmental protections built into data centers are intended to provide a safe haven for data. This section asks questions about these security controls, to ensure they can provide adequate protection for confidential data."
            },
            {
              "type": "line",
              "id": "dc_howmany",
              "text": "How many data centers will (potentially) be used to store confidential data?"
            },
            {
              "type": "line",
              "id": "dc_countries",
              "text": "List all countries where data centers are located:"
            },
            {
              "type": "checkgroup",
              "id": "dc_outsourced",
              "text": "Do you use Google Cloud, Amazon Web Services, or a similar outsourced, virtual-machine-based data center?",
              "defaultChoice": false,
              "choices": [
                {"dc_outsourced_yes": "Yes."},
                {"dc_outsourced_no": "No, we maintain our own data centers."}
              ]
            },
            {
              "type": "line",
              "id": "dc_provider",
              "cond": "dc_outsourced_yes",
              "text": "Who is your data center provider?"
            },
            {
              "type": "block",
              "cond": "dc_outsourced_no",
              "text": "Running Own Data Centers",
              "items": [
                {
                  "id": "dc_facilities_excl",
                  "text": "Are all facilities used exclusively by your company, or are some shared?",
                  "type": "radiogroup",
                  "defaultChoice": false,
                  "choices": [
                    {"dc_facilities_excl_yes": "Yes, we are the only user of all data centers that potentially store confidential data."},
                    {"dc_facilities_excl_no": "No, some or all of the facilities are shared with other companies."}
                  ]
                },
                {
                  "type": "box",
                  "id": "dc_facilities_equipment_separated",
                  "cond": "dc_facilities_excl_no",
                  "text": "How is your equipment separated from other users of the facility?"
                },
                {
                  "type": "line",
                  "id": "dc_certifications",
                  "text": "Are the data centers categorized in tiers or certified in some way (e.g., TIA-942, ISO 27001, SSAE-16, etc.)? If yes, list the tiers/certifications:"
                },
                {
                  "id": "dc_policy",
                  "text": "Do you have a written policy that lists the physical security requirements for data centers?",
                  "type": "radiogroup",
                  "defaultChoice": false,
                  "choices": [
                    {"dc_policy_yes": "Yes"},
                    {"dc_policy_no": "No"}
                  ]
                },
                {
                  "type": "tip",
                  "id": "warn_dc_policy",
                  "cond": "dc_policy_no",
                  "text": "When strong physical security controls are in place, certain requirements that are usually recommended (e.g., encryption of data at rest) may be relaxed. These exceptions are acceptable only if specific security controls are implemented in all data centers that may store confidential information. A written policy describing these requirements should be enforced to ensure that a baseline for physical security is uniformly implemented across all data centers.",
                  "warn": "yes",
                  "name": "No written physical security policy",
                  "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
                  "severity": "medium"
                },
                {
                  "type": "checkgroup",
                  "text": "Select the security controls that are in place at <i>all</i> of your data centers:",
                  "defaultChoice": false,
                  "choices": [
                    {"dc_controls_guards": "Guards"},
                    {"dc_controls_mantrap": "Mantrap"},
                    {"dc_controls_motiondetectors": "Motion detectors"},
                    {"dc_controls_alarms": "Alarms"},
                    {"dc_controls_cctv": "CCTV"},
                    {"dc_controls_electronic_access_control": "Electronic access control (e.g., swipe cards)"},
                    {"dc_controls_perimetersec": "Perimeter security"}
                  ]
                },
                {
                  "type": "checkgroup",
                  "defaultChoice": false,
                  "choices": [
                    {"dc_controls_ups": "UPS batteries"},
                    {"dc_controls_generator": "Backup generators"},
                    {"dc_controls_water_detection": "Water detection system"},
                    {"dc_controls_fire_detection": "Fire detection system"},
                    {"dc_controls_fire_suppression_gas": "Gas-based fire suppression system"},
                    {"dc_controls_fire_suppression_water": "Water-based fire suppression system"}
                  ]
                },
                {
                  "type": "tip",
                  "id": "warn_no_dc_controls_electronic_access_control",
                  "cond": "!dc_controls_electronic_access_control",
                  "text": "Electronic access control is strongly recommended for data centers that handle or store confidential or sensitive data. Standard (non-electronic) keys are very difficult to control (short of changing the entire lock), and access is generally not logged in an auditable way.",
                  "warn": "yes",
                  "name": "No electronic access control",
                  "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
                  "severity": "high"
                },
                {
                  "id": "dc_testing",
                  "text": "Are all of the controls you selected above tested at least annually?",
                  "type": "radiogroup",
                  "defaultChoice": false,
                  "choices": [
                    {"dc_testing_yes": "Yes"},
                    {"dc_testing_no": "No"}
                  ]
                },
                {
                  "type": "tip",
                  "id": "warn_no_dc_testing",
                  "cond": "dc_testing_no",
                  "text": "Make sure to put procedures in place to regularly verify that security controls are working as intended.",
                  "warn": "yes",
                  "name": "Security controls in data centers not tested",
                  "why": "List the controls that are not regularly tested, and explain whether you have compensating controls in place:",
                  "severity": "high"
                },
                {
                  "id": "dc_monitoring",
                  "text": "Do all data centers have monitoring and alerting in place for power supply, HVAC, and temperature?",
                  "type": "radiogroup",
                  "defaultChoice": false,
                  "choices": [
                    {"dc_monitoring_yes": "Yes"},
                    {"dc_monitoring_no": "No"}
                  ]
                },
                {
                  "type": "tip",
                  "id": "warn_no_dc_monitoring",
                  "cond": "dc_monitoring_no",
                  "text": "HVAC and temperature inside data centers should be monitored, and appropriate personnel should be informed when they are outside normal ranges.",
                  "warn": "yes",
                  "name": "Data center security controls not monitored",
                  "why": "If you have compensating controls in place, such as automatic failover to another data center, please explain below:",
                  "severity": "high"
                },
                {
                  "type": "block",
                  "id": "block_dc_access_control",
                  "cond": "dc_controls_electronic_access_control",
                  "text": "Access Control",
                  "items": [
                    {
                      "id": "dc_access",
                      "text": "Do you have an auditable process in place for granting and revoking physical access to data centers?",
                      "type": "radiogroup",
                      "defaultChoice": false,
                      "choices": [
                        {"dc_access_yes": "Yes"},
                        {"dc_access_no": "No"}
                      ]
                    },
                    {
                      "type": "tip",
                      "id": "warn_dc_access",
                      "cond": "dc_access_no",
                      "text": "Physical access to data center facilities should generally be highly restricted, because a breach can affect confidentiality, integrity, and availability of information. It's important to have an auditable process for granting and revoking physical access, and for reviewing physical entry logs. Otherwise it won't be possible to determine at any given time who actually has access to the data center and the data stored within it.",
                      "warn": "yes",
                      "name": "No auditable procedures for data center access",
                      "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
                      "severity": "high"
                    },
                    {
                      "id": "dc_acclogs",
                      "text": "Are physical entry logs kept for at least six months?",
                      "type": "radiogroup",
                      "defaultChoice": false,
                      "choices": [
                        {"dc_acclogs_yes": "Yes"},
                        {"dc_acclogs_no": "No"}
                      ]
                    },
                    {
                      "type": "tip",
                      "id": "warn_dc_acclogs",
                      "cond": "dc_acclogs_no",
                      "text": "Unfortunately, security incidents (whether physical or logical) are not always immediately detected. It's important to retain physical access log files, typically for six months, in case they're needed for investigation.",
                      "warn": "yes",
                      "name": "No data center access log retention",
                      "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
                      "severity": "medium"
                    },
                    {
                      "type": "block",
                      "id": "block_entry_logs",
                      "text": "Entry Logs Review",
                      "items": [
                        {
                          "type": "radiogroup",
                          "defaultChoice": false,
                          "choices": [
                            {"dc_acclogs_review_never": "Never"},
                            {"dc_acclogs_review_quarterly": "Every couple of months"},
                            {"dc_acclogs_review_monthly": "Once per month"},
                            {"dc_acclogs_review_often": "More often"}
                          ],
                          "text": "How often do you review physical entry logs?"
                        },
                        {
                          "type": "tip",
                          "id": "warn_dc_acclogs_review_never",
                          "cond": "dc_acclogs_review_never",
                          "text": "In data theft incidents, it is not always immediately obvious that data has been copied (after all, nothing is missing per se). To address this, physical access logs should be regularly reviewed so that irregularities can be quickly identified and investigated.",
                          "warn": "yes",
                          "name": "No data center access log reviews",
                          "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
                          "severity": "medium"
                        }
                      ]
                    }
                  ]
                },
                {
                  "id": "dc_outage",
                  "text": "Even the most advanced and protected data centers have occasional outages. Depending on the availability requirements of your project, it might be necessary to quickly switch to another data center so that operations can be resumed without excessive downtime.",
                  "type": "radiogroup",
                  "defaultChoice": false,
                  "choices": [
                    {"dc_outage_yes": "We are able to quickly route traffic to another data center (within one hour)."},
                    {"dc_outage_no": "We would need more than one hour to resume our service in case of a data center outage."}
                  ]
                },
                {
                  "type": "tip",
                  "id": "warn_dc_outage",
                  "cond": "dc_outage_no",
                  "text": "If availability is a strong concern for your project, you should make sure you're able to quickly switch to a different data center that is not geographically close to the one that's experiencing the outage.",
                  "warn": "yes",
                  "name": "No data center outage procedures",
                  "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
                  "severity": "medium"
                },
                {
                  "id": "dc_ra",
                  "text": "Does your company review the physical and environmental risks that your data centers are exposed to, and do you have procedures in place to evaluate and, if necessary, address them?",
                  "type": "radiogroup",
                  "defaultChoice": false,
                  "choices": [
                    {"dc_ra_yes": "Yes, we do risk assessments or &mdash; if hosted with a colocation provider &mdash; review our provider's security practices."},
                    {"dc_ra_no": "No, we don't."}
                  ]
                },
                {
                  "type": "tip",
                  "id": "warn_no_dc_ra",
                  "cond": "dc_ra_no",
                  "text": "To ensure that current security controls are adequate, it's important to assess the physical and environmental risks that your data center (or data center provider) is exposed to.",
                  "warn": "yes",
                  "name": "Environmental risks in data center not monitored",
                  "why": "If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:",
                  "severity": "high"
                }
              ]
            },
            {
              "type": "box",
              "id": "dc_other",
              "text": "Is there anything else you want us to know about the security of your data centers?"
            }
          ]
        },
        {
          "type": "block",
          "id": "block_feedback",
          "text": "Feedback",
          "items": [
            {
              "type": "box",
              "id": "feedback",
              "text": "<b>Good news!</b> You have made it to the end of this questionnaire. If you can spare another minute, please let us know how we can improve it. Any feedback is highly appreciated."
            }
          ]
        }
      ]
    }
  ]
}