The SSIF Risk Assessment Toolkit

The following tootkit is intended to introduce the novice to the concepts and practices associated with SAN Security Best Practices, while simultaneously enabling you to evaluate your own SAN security effectiveness.

Requires a JavaScript enabled browser.

---

Please test this beta toolkit and provide feedback by filling out our Feedback Survey.

 

1. Do you use transport encryption (SSL, IPSec, FCSP, etc.)? Yes   No   I Don't Know 2. Do you use perimeter security methods, such as routers, firewalls, and intrusion detection? Yes   No   I Don't Know 3. Are your management passwords still the default passwords? Yes   No   I Don't Know 4. Is your data center physically secure? Yes   No   I Don't Know 5. Do you use strong cryptographic techniques for management access to storage? Yes   No   I Don't Know 6. Do you periodically check tapes for alteration? Yes   No   I Don't Know 7. Do you use cryptographic methods for port authentication in Fibre Channel (Initiator and Target in IP networks)? Yes   No   I Don't Know 8. Do you have a written plan for storage security? Yes   No   I Don't Know 9. How often do you review log activity for security attacks? Real-Time, Automatic Frequent Manual Review No Schedule Unknown 10. How do you use storage activity logs to analyze attacks? None / Unknown / Don't Check for Attacks Manual Checking Automated or Tool-Based Checking 11. Are security measures formally rechecked after a storage reconfiguration? Yes   No   I Don't Know 12. Do you allow LUNs to be accessed only by the minimum number of servers required? Yes   No   I Don't Know 13. Have you identified information classes (e.g. public, sensitive, private, confidential) for your data? Yes   No   I Don't Know 14. Does your storage infrastructure encrypt data? Yes   No   I Don't Know 15. What kind of firewall protects your storage network (including management consoles, switches, servers, etc.) from attack by IP? Firewall Authenticated Sub-Net VPN None / Unknown 16. Do you regularly check for storage security policy compliance of your storage environment (e.g. set procedure, automated tools)? Yes   No   I Don't Know 17. Do you have a good, real time centralized monitoring in place for security related events such as violations, warning etc.? Yes   No   I Don't Know 18. Are your audit logs protected from tampering or deletion? Yes   No   I Don't Know 19. Do you ensure your server OS is continually updated for the latest security patches? Yes   No   I Don't Know 20. Do you implement secure (complete) erasure of data? (NOTE: typical file deletion commands do not completely erase data) Yes   No   I Don't Know

---

Click the Calculate Results button to receive your score.

Confidentiality:     For an explanation of the Confidentiality Rating, click the following links:      Low   Medium    High Integrity:     For an explanation of the Integrity Rating, click the following links:      Low   Medium    High Availability:     For an explanation of the Availability Rating, click the following links:      Low   Medium    High

Please provide feedback on this Toolkit by filling out our Feedback Survey.

• End Users
• Hot Topics
• Storage Security Standards