Sample Audit Checklist for CJIS Security Policy Area 7
# QUESTION YES NO N/A STANDARD COMMENT
5.7 Configuration Management
1. Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades, and modifications. CSP 5.5, Access Control, describes agency [1] requirements for control of privileges and restrictions.

Based on inquiry and record examination, does the Tribe or TGRA configure the application, service, or information system to provide only essential capabilities and specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services?
YES ____  NO ____  N/A ____  Standard: CSP 5.7.1.1
2. Based on inquiry and record examination, does the Tribe or TGRA ensure that a complete topological drawing depicting the interconnectivity of the agency network, to criminal justice information, systems and services is maintained in a current status? [2]

Based on inquiry and record examination, does the Tribe or TGRA network topological drawing include:

   1. All communications paths, circuits, and other components used for the interconnection, beginning with the agency-owned system(s) and traversing through all interconnected systems to the agency end-point?
      YES ____  NO ____  N/A ____  Standard: CSP 5.7.1.2(1)
   2. The logical location of all components (e.g., firewalls, routers, switches, hubs, servers, encryption devices, and computer workstations)? (Individual workstations (clients) do not have to be shown; the number of clients is sufficient).
      YES ____  NO ____  N/A ____  Standard: CSP 5.7.1.2(2)
   3. “For Official Use Only” (FOUO) markings?
      YES ____  NO ____  N/A ____  Standard: CSP 5.7.1.2(3)
   4. The agency name and date (day, month, and year) the drawing was created or updated?
      YES ____  NO ____  N/A ____  Standard: CSP 5.7.1.2(4)

[1] Throughout this document, the term “agency” refers to tribal agencies.
[2] See CSP Appendix C for sample network diagrams.
3. The system configuration documentation often contains sensitive details (e.g. descriptions of applications, processes, procedures, data structures, authorization processes, data flow, etc.).

Based on inquiry and record examination, does the Tribe or TGRA protect the system documentation from unauthorized access consistent with the provisions described in CSP 5.5 Access Control?
YES ____  NO ____  N/A ____  Standard: CSP 5.7.2