Skip Trinity Banner Navigation

Skip to main content »

Trinity College Dublin

Skip Main Navigation
IT Security
Secondary Navigation

Security Questionnaire for new Systems

All individuals developing/purchasing software for use in College should consider whether the software meets the best practice standards as outlined by College policy.

The questionnaire below should be filled out when planning, designing or purchasing a new system to assess the suitability of the proposed system.

General information

Systems Name:

 

System Function:

 

System Architecture:

 

Type of data to be stored/processed:

 

Department for use:

 

 Questionnaire 

1

Describe the method of authentication to be used in the system.

 

2

What security controls are in place to ensure that the authentication mechanism cannot be circumvented?

 

3

Will all users have a unique identifier in the system?

 

4

Will identifiers be assigned to groups/functions?

 

5

Will authentication credentials be passed in an encrypted or clear text format?

 

6

Is authentication mandatory to obtain access to the system?

 

7

Are session timeouts enforced, if so after what period of inactivity?

 

8

If passwords are used are complex passwords enforced by the system?

 

9

Describe password setting controls in the system.

 

10

Describe the user account security controls in place.

 

11

Is there a configurable account lockout policy that can be enforced by the system?

 

12

Are all Failed and successful authentications/Logins logged for audit purposes?

 

13

Does the system allow accounts to be created with configurable expiration dates?

 

14

Are management reports on all user accounts their status and access levels available from the system?

 

15

Describe how access rights are granted to accounts in the system.

 

16

Is access granted on a role-based system of least privilege access?

 

17

Is documentation of security controls in place in the system provided with the system?

 

18

Describe how data is stored in the system and what security controls are in place?

 

19

Is encryption used to encrypt sensitive data in storage e.g. in a database?

 

20

Is encryption used to protect sensitive data in transit? E.g. between the end user and the application, between the application and database?

 

21

What database hardening measures will be implemented in the system?

 

22

What security controls will be applied to the server which hosts the system?

 

23

If the system is web based:

Is SSL implemented to ensure data is protected in transit?

 

24

If the system is web based:

Are web session timeouts enforced?

 

25

If the system is web based:

Are Formal logouts enforced?

 

26

Describe the secure coding techniques in use in the system.

 

27

What controls are in place to validate input?

 

28

What controls are in place to avoid buffer over flows?

 

29

What security checks have been carried out on the code either manually or using automated tools?

 

30

What plans are in place to provide an integrated backup and recovery plan for the system - application, database, and server?

 

31

Describe how user actions in the system are logged.

 

32

Can all actions be traced back to a unique identifier for each user?

 

33

Does the system allow for passwords to be changed after first use?

 

34

If passwords are used - Does the system allow the user to change their own password?

 

35

Has all applicable legislation been considered so as to ensure that the system meets all legal criteria?

Click here for further details.

 

36

Does the system have mechanisms to automatically purge or archive information after a period of time?

 

 

Contact: ITSecurity@tcd.ie | Sitemap | Last Updated: June 23, 2005