Server Administration Self Assessment Scorecard (SASAS)
This scorecard will guide you through a brief review of your server
administration practices, and may help you to identify ways to
improve your server's security and availability.
Note: Completion of this self-assessment is not a replacement for a
professional detailed risk analysis and operational review.
Section I. Server Hardware
____ QI-1. Server hardware:
(5 pts) My server uses hardware that's described by the vendor as
"server-class."
(0 pts) My server uses hardware that's described by the vendor as
"desktop-class."
____ QI-2. Server age:
(5 pts) My server is new (one year old or less).
(3 pts) My server is aging (more than one year old but less than three
years old).
(0 pts) My server is old (three or more years old).
____ QI-3. Server capacity:
(5 pts) My server normally runs at less than 50% of capacity.
(3 pts) My server normally runs at less than 75% of capacity.
(0 pts) My server normally runs at 75% or more of its capacity.
____ QI-4. Server redundancy:
(5 pts) We have a fully redundant/load balanced server configuration.
(4 pts) We have a "hot spare" server that we can use if our primary
server fails.
(3 pts) Our server has some redundancy features, such as dual power
supplies or mirrored disks.
(0 pts) Our server is non-redundant/unprotected.
____ QI-5. Server maintenance:
(5 pts) We have a vendor hardware and software maintenance contract.
(4 pts) We have extensive spare parts and are prepared to do server
self maintenance as may be needed.
(0 pts) We handle server maintenance on an informal/ad-hoc basis.
____ QI-6. Server access control:
(5 pts) Our server is in a secure data center.
(4 pts) Our server is in a physically secure area other than a data
center.
(0 pts) Our server is in a generally accessible or otherwise insecure
area.
____ QI-7. Server power:
(5 pts) Our server has dual power supplies, and each of those power supplies
is fed via diverse power sources. An uninterruptible power supply ("UPS")
protects each of those power sources. Loss of one or the other power source
will not result in the remaining circuit becoming overloaded.
(3 pts) Our server is behind an uninterruptible power supply ("UPS").
(1 pt) Our server is protected by a surge suppressor.
(0 pts) Our server uses normal wall power without any special protection.
____ QI-8. Server air conditioning:
(5 pts) Our server is in an area that has dedicated (24x7) air conditioning
and that air conditioning keeps our server sufficiently cool.
(3 pts) Our server is in an area that has normal building air conditioning.
That air conditioning usually keeps our server cool, but that building air
conditioning is subject to interruption on weekends or outside of normal
business hours (but that doesn't appear to cause a problem).
(1 pt) Our server is in an area that is not air conditioned, but overheating
does not appear to be an issue.
(0 pts) Our server is in an area that is not air conditioned, and sometimes
it may get too hot.
_____ QI-9. Fire detection and suppression:
(5 pts) Our server is protected with either an inert gas ("Halon(tm)")
fire suppression system or a dry-pipe preaction fire suppression system.
(3 pts) Our server is protected by a normal water-based fire suppression
system.
(1 pt) Our server is protected by a normal fire detector.
(0 pts) Our server doesn't have a fire detection/suppression system.
Section II. Operating System
____ QII-1. Operating system version:
(5 pts) Our server is running the current (vendor-recommended) version of
its operating system.
(3 pts) Our server is running an older (but still supported) version of
its operating system.
(0 pts) Our server is running a no-longer-supported version of its operating
system.
____ QII-2. Operating system patch status:
(5 pts) We've applied all vendor-recommended critical patches to our server.
(2 pts) We've applied some critical patches, but have not applied other
critical patches (for whatever reason).
(0 pts) We've not patched our operating system with vendor recommended critical
patches.
____ QII-3. Automatic patch application:
(5 pts) Our server has been set to automatically apply critical new patches.
(3 pts) We are automatically notified of new patches, which we then
manually review and apply as appropriate.
(0 pts) We apply patches on an ad hoc/informal basis.
____ QII-4. Unneeded network services:
(5 pts) All unneeded network-based services have been disabled on our server.
(0 pts) Our server offers the full set of default network services.
____ QII-5. File sharing:
(5 pts) File sharing has been disabled.
(3 pts) File sharing is enabled, but has been carefully limited.
(0 pts) File sharing is enabled.
____ QII-6. Firewalls:
(5 pts) A host-based software firewall has been installed on our server,
and is configured to deny all traffic except that which has been explicitly
permitted.
(3 pts) A host-based software firewall has been installed on our server,
but is configured to permit all traffic except that which has been explicitly
forbidden.
(0 pts) Our server does not use a host-based software firewall.
____ QII-7. Checksumming of critical system files:
(5 pts) A checksumming program (to detect unauthorized changes
to critical files) is being run on our server.
(0 pts) No such checksumming program is being run on our server.
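A minimal version of the "checksumming program" QII-7 asks about, added here as example code (it is not part of the scorecard and not a specific vendor tool): it records a SHA-256 baseline of every regular file under a directory and later reports files that were modified, added or removed. The script name `fim.py` and the `/etc` and `baseline.json` paths in the usage comment are assumptions.

```python
"""File-integrity baseline and verify tool (added example, not from the
scorecard). Records sha256, size and mode for each regular file under a
root directory, then reports any drift on a later run."""
import hashlib
import json
from pathlib import Path

CHUNK = 65536  # read files in 64 KiB blocks so large binaries fit in memory


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, hashed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and record digest, size and permission bits of every
    regular file. Keys are paths relative to `root`; symlinks are skipped
    so a link pointing elsewhere cannot masquerade as a tracked file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        baseline[str(p.relative_to(root))] = {
            "sha256": sha256_of(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline as sorted JSON (keep this copy off the host or
    read-only; a baseline the attacker can rewrite proves nothing)."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against `baseline` and return
    {"modified": [...], "added": [...], "removed": [...]}."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, meta in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel] != meta:  # digest, size or mode differs
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    return report


def is_clean(report: dict) -> bool:
    """True when no file was modified, added or removed."""
    return not any(report.values())


if __name__ == "__main__":
    import sys
    # Assumed invocation (paths are placeholders):
    #   python fim.py baseline /etc baseline.json
    #   python fim.py verify   /etc baseline.json
    cmd, root, store = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if cmd == "baseline":
        save_baseline(build_baseline(root), store)
    elif cmd == "verify":
        rep = verify(root, load_baseline(store))
        for kind, files in rep.items():
            for name in files:
                print(f"{kind.upper():9s} {name}")
        sys.exit(0 if is_clean(rep) else 1)
```

Run the `baseline` command once from a known-good state, store the JSON somewhere the server cannot overwrite, and schedule `verify` to run and alert on a non-zero exit; the mode check catches a file that kept its contents but picked up a setuid bit.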
____ QII-8. Antivirus/Antispyware:
(5 pts) Our server doesn't run Windows, or if we do run Windows,
we have current antivirus/antispyware software installed.
(0 pts) Our server runs Windows, but we do not run antivirus/antispyware
software on it, or that software does not have up to date definitions.
____ QII-9. MS Baseline Security Analyzer v2:
(5 pts) Our server doesn't run Windows, or if we do run Windows, when we
run Microsoft Baseline Security Analyzer v2, no issues are flagged.
(0 pts) We run Windows and Microsoft Baseline Security Analyzer v2 flags
one or more security issues.
Section III. Accounts/Passwords
____ QIII-1. Account Creation and Deletion:
(5 pts) Only authorized users have an account on our server; no-longer-needed
accounts get removed.
(0 pts) Account creation and deletion is handled on an ad-hoc basis, accounts
are shared, or we may potentially have unauthorized users or no-longer-needed
accounts on our server.
____ QIII-2. Passwords:
(5 pts) Accounts use a hardware token, biometric access method, or other
two factor authentication technology.
(3 pts) Accounts have a strong and periodically changed password.
(1 pt) Accounts have passwords, but those passwords are of unknown
strength (or passwords may not be required to be periodically changed).
(0 pts) Accounts do not require passwords, or weak passwords are known to
be in use (username=password, or all account passwords are set to the same
initial value with no change required, for example).
____ QIII-3. Password encryption:
(5 pts) Passwords transmitted over the network are encrypted with ssh, ssl, or
similar strong encryption.
(0 pts) Passwords are transmitted in plain text (e.g., telnet is used instead
of ssh, ftp is used instead of scp or sftp, or passwords are transmitted via
unencrypted web pages).
____ QIII-4. Acceptable use policy:
(5 pts) All users have been informed of applicable acceptable use policies and
have affirmatively indicated that they've been informed of those policies
and consent to them (for example by signing a copy of that AUP).
(3 pts) All users are informed of applicable acceptable use policies by email
or by posting of the acceptable use policies on the unit's web site, but
affirmative consent is not required as a condition of access.
(0 pts) There is no acceptable use policy, users are not informed of it, or
the AUP is not enforced.
Section IV. Application Software
____ QIV-1. Software licensing:
(5 pts) All applications are properly licensed, current, and vendor supported,
or open source.
(1 pt) Some applications are dated, or are no longer vendor supported
nor open source.
(0 pts) One or more applications may be improperly licensed (please note that
it is University policy that all University units will respect copyrights and
properly license all software used).
____ QIV-2. Locally developed applications:
(5 pts) Locally developed applications aren't in use.
(4 pts) Locally developed applications are in use, but have been written in a
common, easily maintained programming language.
(2 pts) Locally developed applications are in use and are written in an
uncommon programming language, however we have multiple local programmers
who are fluent in that language.
(1 pt) Locally developed applications are in use and are written in an
uncommon programming language supported by only a single local programmer.
(0 pts) We have one or more locally developed applications written in an
uncommon language that none of our current staff know or use.
____ QIV-3. Change control:
(5 pts) Application modifications are made via a formal change control process,
and are documented, tested, reviewed and approved before deployment on
production systems occurs.
(3 pts) Application modifications are made via an informal change process,
or documentation, testing, review and approval is handled on an ad hoc basis.
(0 pts) Application modifications are made to live production systems on
an "as needed" basis without formal change control.
Section IV. Network
____ QIV-1. IP address:
(5 pts) Our server has a static IP address, and contact information for that
IP address is up-to-date.
(2 pts) Our server has a static IP address, but the contact information for
that IP address may be out of date.
(0 pts) Our server is using a dynamic IP address.
____ QIV-2. Hardware firewall:
(5 pts) Our server is sheltered from general Internet access attempts by a
hardware firewall which has been configured to deny all traffic except that
which is specifically allowed.
(3 pts) Our server is sheltered from general Internet access attempts by a
hardware firewall which has been configured to permit all traffic except that
which is specifically forbidden.
(0 pts) Our server is not behind a hardware firewall.
____ QIV-3. Network capacity:
(5 pts) We formally track the network traffic volume associated with our
server (e.g., via MRTG, RRDtool, Cricket or similar products), and have
sufficient network capacity.
(3 pts) We have seen no indication that our server is running into network
traffic capacity issues.
(0 pts) We know or believe that we may have insufficient network capacity or
network performance problems.
Section V. Staffing
____ QV-1. System administration:
(5 pts) Our server is supported by a team of system administrators.
(3 pts) We have at least one backup system administrator to provide
support when our primary system administrator is unavailable.
(1 pt) We have only a single system administrator.
(0 pts) No one is formally responsible for our server.
____ QV-2. Coverage:
(5 pts) Our server is well supported 24x7.
(3 pts) Our server is supported less than 24x7, but that coverage is
sufficient because of user expectations, or because our server is not
mission critical, or there are other mitigating or extenuating factors.
(1 pt) Our server is only supported during normal business hours; there
is concern that this is not sufficient given expectations for our server.
(0 pts) Our server does not have formal coverage/staffing, or what
coverage/staffing we do have is known to be insufficient/causing problems.
Section VI. Operational Practice
____ QVI-1. Server documentation:
(5 pts) Our server's configuration and routine operation is fully documented.
(2 pts) Our server's configuration and routine operation is partially
documented, or that document may be potentially out of date.
(0 pts) Our server's configuration and routine operation is not documented
or that documentation is known to be inaccurate or incorrect.
____ QVI-2. Server monitoring:
(5 pts) The server is monitored, and an administrator is paged or otherwise
automatically notified if the server hangs or crashes.
(1 pt) The system administrator receives and responds to user-generated
complaints regarding system availability.
(0 pts) The system isn't monitored; complaints relating to system
availability may be handled on a best efforts basis (or not at all).
____ QVI-3. Maintenance windows:
(5 pts) There's a routinely scheduled maintenance window for our server.
(2 pts) We can usually arrange a maintenance window on an ad-hoc basis
when one is needed.
(0 pts) For whatever reason, it is difficult or impossible to find time
to schedule routine maintenance.
____ QVI-4. User communication:
(5 pts) We have a mailing list or other ready "push" communication channel
which we can use to communicate with users about our server.
(3 pts) We have a web page or other "pull" communication channel that
interested users can visit for information about our server.
(0 pts) We lack an easy way to communicate with users of our server.
____ QVI-5. Data on the server:
(5 pts) Data on our server has been reviewed for sensitivity, and is
appropriately controlled.
(1 pt) We've taken some steps to address issues related to sensitive
data on our server, but work remains to be done.
(0 pts) Data on our server has not been reviewed for sensitivity, or
sensitive data may not be appropriately controlled.
____ QVI-6. Backups:
(5 pts) The contents of our server are routinely backed up, and backups
are stored at a secure off site location.
(3 pts) The contents of our server are routinely backed up, however we do
not store copies of those backups off site.
(1 pt) We occasionally take backups of our server.
(0 pts) Our server is not backed up.
____ QVI-7. Disaster recovery:
(5 pts) We have a disaster recovery plan that covers our server, we've
tested that plan, and we've verified that it will prevent material
long term disruption to normal business operations.
(3 pts) We have a partial disaster mitigation plan that covers our server,
but it is untested or it is likely that if we need to use it, disruptions
to normal business operations will occur for a material period of time.
(0 pts) We do not have a disaster recovery or disaster mitigation plan
covering our server.
Total score (sum all items): ______ out of 185 possible total points.
Interpreting your score:
165-185 points: Superior
145-164 points: Good
125-144 points: Weak
124 points or below: Poor
v0.2 March 28th, 2006