Architecture Review Checklist - Security

1. Security Awareness: Have you ensured that the corporate security policies and guidelines to which you are designing are the latest versions?  Have you read them?  Are you aware of all relevant Computing Security Compliance and Risk Acceptance processes? (Interviewer should list all relevant policies and guidelines.)

2. Identification / Authentication: Diagram the process flow of how a user is identified to the application and how the application authenticates that the user is who they claim to be.  Provide supporting documentation to the diagram explaining the flow from the user interface to the application/database server(s) and back to the user.  Are you compliant to corporate policies on Accounts, Passwords, etc?

3a. Authorization:  Provide a process flow from beginning to end showing how a user requests access to the application, indicating the associated security controls and separation of duties.  This should include how the request is approved by the appropriate data owner, how the user is placed into the appropriate access level classification profile, how the user id, password, and access is created and provided to the user. Also include how the user is informed of their responsibilities associated with using the application, given a copy of the access agreement, how to change password, who to call for help, etc.

3b. Access controls:  Document how the user ids, passwords, and access profiles are added, changed, removed, and documented.  The documentation should include who is responsible for these processes.
4. Sensitive Information Protection: Provide documentation that identifies sensitive data requiring additional protection.  Identify the data owners responsible for this data and the process to be used to protect storage, transmission, printing, and distribution of this data.  Include how the password file/field is protected.  How will users be prevented from viewing someone else's sensitive information?  Are there agreements with outside parties (partners, suppliers, contractors, etc.) concerning the safeguarding of information?  If so, what are the obligations?

5. Audit Trails and Audit Logs:  Identify and document group accounts required by the users or application support, include operating system group accounts.  Identify and document individual accounts and/or roles that have super user type privileges, what these privileges are, who has access to these accounts, how access to these accounts are controlled, tracked, logged and how password change and distribution are handled, include operating system accounts.  Also identify audit logs, who can read the audit logs, who can modify the audit logs, who can delete the audit logs, and how the audit logs are protected and stored.  Is the user id obscured in the audit trails?

6. External Access Considerations:  Will the application be used internally only?  If not, are you compliant with corporate external access requirements?

Copyright The Open Group, 2001