Sample Audit Checklist for CJIS Security Policy Area 7
# QUESTION YES NO N/A STANDARD COMMENT
5.7 Configuration Management
1. Planned or unplanned changes to the hardware,
software, and/or firmware components of the
information system can have significant effects
on the overall security of the system. The goal is
to allow only qualified and authorized
individuals access to information system
components for purposes of initiating changes,
including upgrades, and modifications.
CSP 5.5, Access Control, describes agency[1]
requirements for control of privileges and
restrictions.
Based on inquiry and record examination, does
the Tribe or TGRA configure the application,
service, or information system to provide only
essential capabilities and specifically prohibit
and/or restrict the use of specified functions,
ports, protocols, and/or services?
YES ____  NO ____  N/A ____  STANDARD: CSP 5.7.1.1
2. Based on inquiry and record examination, does
the Tribe or TGRA ensure that a complete
topological drawing depicting the
interconnectivity of the agency network, to
criminal justice information, systems and
services is maintained in a current status?[2]
Based on inquiry and record examination, does
the Tribe or TGRA network topological drawing
include:
   1. All communications paths, circuits, and other
      components used for the interconnection,
      beginning with the agency-owned system(s)
      and traversing through all interconnected
      systems to the agency end-point?
      YES ____  NO ____  N/A ____  STANDARD: CSP 5.7.1.2(1)
   2. The logical location of all components (e.g.,
      firewalls, routers, switches, hubs, servers,
      encryption devices, and computer
      workstations)? (Individual workstations
      (clients) do not have to be shown; the
      number of clients is sufficient).
      YES ____  NO ____  N/A ____  STANDARD: CSP 5.7.1.2(2)
[1] Throughout this document, the term “agency” refers to tribal agencies.
[2] See CSP Appendix C for sample network diagrams.