
Web Server Security Implementation Requirements and Audit Checklist
Published by Varinder Kumar

The sheet has eight columns: S. No, Action, Description, ISO 27001 control no. or policy reference, Responsible (by designation/name), UAT completion date, Completion and implementation date, and Review date (frequency as per organization). Only the first three carry content in the source; the remaining five are blank and are to be filled in by the organization.

| S. No | Action | Description |
|---|---|---|
| A | Plan the configuration and deployment of the Web server | |
| 1 | Identify functions of the Web server | List of functions performed by the Web server |
| 2 | Identify information categories that will be stored, processed and transmitted through the Web server | Information classification as per ISO 27001 policy or organizational procedure |
| 3 | Identify security requirements of the information | Security requirements can be: firewall policy and restrictions, admin rights, backup plan, BCP, etc. |
| 4 | Identify how information is published to the Web server | CMS or FTP, etc. Access approvals for users, restrictions on file types, etc. Access reviews and revocations |
| 5 | Identify a dedicated host to run the Web server | Host: preventive maintenance, physical security, environmental security |
| 6 | Identify users and categories of users of the Web server and determine privileges for each category of user | Privileged users: access approvals, access monitoring, log reviews, revocation of access rights |
| 7 | Identify user authentication methods for the Web server | For example login/password; whitelisted IPs only, VPN, or hardware keys/mobile OTP, etc. |
| B | Choose an appropriate operating system for the Web server | |
| 1 | Minimal exposure to vulnerabilities | Check nvd.nist.gov and https://cve.mitre.org for vulnerabilities on the host system |
| 2 | Ability to restrict administrative or root-level activities to authorized users only | Privileged user management, log review, log storage retention period, log copying to another server with read-only access to ensure log integrity, incident management, backup in case of an integrity issue caused by intrusion |
| 3 | Ability to deny access to information on the server other than that intended to be available | Access restrictions: can be based on login/password, IP restriction, etc. |
| 4 | Ability to disable unnecessary network services that may be built into the operating system or server software | Hardening procedure |
| 5 | Ability to control access to various forms of executable programs, such as Common Gateway Interface (CGI) scripts and server plug-ins in the case of Web servers | Hardening procedure, privileged users, principle of least privilege |
| 6 | Availability of experienced staff to install, configure, secure, and maintain the operating system | Security roles, access authorizations, configuration management, backup policy, restoration testing, BCP test, emergency plan and availability of employees in case of hacking/server failure |
| C | Patch and upgrade the operating system | |
| 1 | Identify and install all necessary patches and upgrades to applications and services included with the operating system | Hardening procedure, patch management policy, software and hardware obsolescence management plan |
| D | Remove or disable unnecessary services and applications | |
| 1 | Disable or remove unnecessary services and applications | Hardening procedure |
| E | Configure operating system user authentication | |
| 1 | Remove or disable unneeded default accounts and groups | Hardening procedure, user creation procedure, access authorization |
| 2 | Disable non-interactive accounts | Hardening procedure, Group Policy for non-interactive user accounts, log monitoring |
| 3 | Password policy, user access / privileged access management | Password complexity, password age, account lockout, admin and privileged user rights, admin and operator logs, user creation procedure, hardening procedure |
| 4 | Install and configure other security mechanisms to strengthen authentication | CAPTCHA, IP blocking, mobile OTP, network authentication, etc. |
| F | Test the security of the Web server OS/platform | |
| 1 | Vulnerability assessment (penetration testing if required) | Vulnerability testing procedure, vulnerability testing frequency, pen test if required, BCP testing, DB syncing, offsite backup requirements, DR requirements |
| 2 | Patch plan | Patch management procedure, scheduled downtime, rollback planning, phase-wise implementation if HA is enabled |
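As an added example (not part of Varinder Kumar's checklist), two POSIX shell helpers that audit a Linux host against items E2 and E3 above: E2 is read as "service accounts must not keep an interactive login shell", and E3 checks password-ageing settings in login.defs. File contents are passed as text so the constructed samples run anywhere; the policy thresholds (PASS_MAX_DAYS at most 90, PASS_MIN_LEN at least 12) and the sample account data are assumptions, not values from the checklist.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Helpers for checklist
# items E2 (non-interactive accounts) and E3 (password policy). Each takes
# file contents as its argument so it runs against the constructed samples
# below or against "$(cat /etc/passwd)" and "$(cat /etc/login.defs)".

# E2: service accounts (UID below 1000, root excluded) that still carry an
# interactive login shell. Any shell not ending in nologin/false is reported.
interactive_service_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }'
}

# E3: password-ageing and length settings from login.defs compared against
# an assumed policy of PASS_MAX_DAYS <= 90 and PASS_MIN_LEN >= 12.
# Prints one "SETTING:value" line per finding; "unset" means not configured.
password_policy_findings() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == "PASS_MAX_DAYS" { max = $2 + 0; seen_max = 1 }
        $1 == "PASS_MIN_LEN"  { len = $2 + 0; seen_len = 1 }
        END {
            v = seen_max ? max : "unset"
            if (!seen_max || max > 90) print "PASS_MAX_DAYS:" v
            v = seen_len ? len : "unset"
            if (!seen_len || len < 12) print "PASS_MIN_LEN:" v
        }'
}

# Constructed sample /etc/passwd: backup and ftp are service accounts with
# login shells and should be flagged; daemon and www-data are correctly locked.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
ftp:x:110:65534::/srv/ftp:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed sample /etc/login.defs: no password expiry in practice and
# no minimum length configured, so both findings should appear.
SAMPLE_LOGIN_DEFS='# constructed sample
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7'

echo "E2 - service accounts with an interactive shell:"
interactive_service_accounts "$SAMPLE_PASSWD"
echo "E3 - password policy findings:"
password_policy_findings "$SAMPLE_LOGIN_DEFS"
```

On a real host, replace the two sample variables with the file contents; findings are printed one per line so they can be attached to the Description column as audit evidence.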
Link to me: http://in.linkedin.com/in/varinderk
Download the xls from www.securityground.com
