C-TPAT Audit
C-TPAT stands for Customs-Trade Partnership Against Terrorism: a set of security practices that help mitigate the risk of loss, theft and contraband smuggling that could introduce acts of terrorism into the global supply chain. Please be prepared to respond to each question during the audit. Only the C-TPAT audit checklist and the IT security guideline are described here; more about C-TPAT audit security is covered elsewhere.
C-TPAT Audit Guidelines for IT:
- A logon password must be set up for every employee to control access to the network and to sensitive information systems.
- Conduct periodic, regular internal audits of the IT systems.
- Employees are required to change passwords on a scheduled basis.
- A system must be in place to identify abuse of IT, including improper access for tampering with or altering business data.
- All system violators are subject to appropriate disciplinary action for abuse.
- All violations must be handled according to the C-TPAT audit guideline, reported to management and recorded. All records should be kept for at least 10 months.
- All illegal actions must be reported to management and to the police of the country.
- User IDs, e-mail IDs and internet access must be cancelled when any worker, staff member or manager resigns, drops out or is terminated.
- Computer password change record. Passwords should be changed within every 90 days.
- Individual user-wise password record. Passwords should be assigned individually.
- CD backup register (CD backup record).
- CD sending record file.
- Internal IT security audit report.
- IT training record register.
- Weekly invalid password check record.
- Unauthorized file access check record.
- CCTV camera and PC maintenance/repair record.
- Monthly IT development meeting records.
- Visitor in/out register for the IT room.
- Disciplinary action record against IT abuse.
- List of PC users.
- List of authorized PC users.
C-TPAT Audit Checklist – More about Passwords
- The password definition parameters ensure that the minimum password length is specified according to the company's IT security policy (at least 6 characters, a combination of uppercase or lowercase letters and numbers).
- The maximum validity period of a password does not exceed the number of days permitted in the company's IT security policy (maximum 30-day cycle).
- The parameter controlling the maximum number of invalid logon attempts is set properly in the system according to the IT security policy (at least 3 consecutive times).
- Password history maintenance is enabled in the system so that the same password can be used again only after at least 4 changes.
- Password entries must be masked.
- The allowable terminal inactivity time for users should be set in accordance with the company's policy.
- An operating time schedule for the users is to be defined where necessary.
- Sensitive passwords have to be preserved in a sealed envelope with movement records, for use in case of emergency.
- An audit trail should be available to review user profiles for maintenance purposes.
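The following is an added example, not part of the original checklist, showing how an auditor could check a system's effective account-policy settings against the password parameters listed above (6-character minimum with letters and numbers, 30-day maximum age, lockout after 3 invalid attempts, history of 4, masked entry, plus the 5-minute idle lock from the desktop policy later on this page). The parameter names in `SAMPLE_PARAMS` are this example's own assumptions, not the fields of any particular product.

```python
import re

# Thresholds taken from the "More about Passwords" checklist above; the value
# for idle screen lock (5 minutes) comes from the desktop/laptop policy section.
POLICY = {"min_length": 6, "max_age_days": 30, "lockout_threshold": 3,
          "history_size": 4, "idle_timeout_minutes": 5}

def check_password_complexity(password):
    """Minimum length plus a mix of letters and numbers, as the checklist requires."""
    return (len(password) >= POLICY["min_length"]
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)

def audit_password_parameters(params):
    """Compare the effective account-policy settings with POLICY; return findings.

    `params` is a hypothetical dict copied from the system's account-policy
    settings (key names are this example's own, not any product's)."""
    findings = []
    if params.get("min_length", 0) < POLICY["min_length"]:
        findings.append("minimum password length below %d" % POLICY["min_length"])
    if not params.get("complexity_enabled", False):
        findings.append("letters-and-numbers complexity not enforced")
    age = params.get("max_age_days", 0)  # 0 usually means 'never expires'
    if age <= 0 or age > POLICY["max_age_days"]:
        findings.append("maximum password age not within %d days" % POLICY["max_age_days"])
    lockout = params.get("lockout_threshold", 0)  # 0 means no lockout at all
    if lockout <= 0 or lockout > POLICY["lockout_threshold"]:
        findings.append("no lockout after %d invalid attempts" % POLICY["lockout_threshold"])
    if params.get("history_size", 0) < POLICY["history_size"]:
        findings.append("password history shorter than %d" % POLICY["history_size"])
    if not params.get("password_masked", False):
        findings.append("password entry not masked")
    idle = params.get("idle_timeout_minutes", 0)
    if idle <= 0 or idle > POLICY["idle_timeout_minutes"]:
        findings.append("idle screen lock not within %d minutes" % POLICY["idle_timeout_minutes"])
    return findings

# Constructed sample: passwords expire every 90 days and lockout is disabled.
SAMPLE_PARAMS = {"min_length": 8, "complexity_enabled": True, "max_age_days": 90,
                 "lockout_threshold": 0, "history_size": 4, "password_masked": True,
                 "idle_timeout_minutes": 5}

if __name__ == "__main__":
    for finding in audit_password_parameters(SAMPLE_PARAMS):
        print("FINDING:", finding)
```

Note that the IT guideline section above allows a 90-day change cycle while this checklist says 30 days; the example enforces the stricter 30-day value, so adjust `POLICY` to whichever figure the company's written policy actually states.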
Information Security Standard
The objective of this part is to specify the information security policies and standards to be adopted by all departments of PROJECT STITCH that use information technology for service delivery and data processing. It covers the basic and general information security controls applicable to all functional groups of a business, to ensure that information assets are protected against risk.
Access Control for Information Systems
User ID Maintenance
- Each user must have a unique user ID and a valid password.
- The user ID will be locked after 3 unsuccessful log-in attempts.
- There must be a control to ensure that the user ID and password are not the same.
- The User ID Maintenance Form with access privileges is duly approved by the appropriate authority.
- Access privileges are changed or locked within 24 hours when a user's status changes or the user leaves the office.
- A valid and permitted user ID and password are mandatory to access any system in the company.
- A detailed profile should be kept for every corresponding user ID.
- Every logon attempt should be kept in the history for future reference.
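The logon history kept under the previous point is what the "weekly invalid password check" in the IT guideline reviews. As an added example (not part of the original standard), the script below reads a constructed, hypothetical logon-history format, counts invalid logons per user for the review week, and flags every user who reached the 3-consecutive-failure lockout threshold so the auditor can confirm the account really was locked. The line format and the sample records are assumptions for illustration only.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3  # policy above: lock the user ID after 3 unsuccessful attempts
# Constructed logon-history line format (hypothetical; real systems differ).
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(\S+) result=(SUCCESS|FAIL)$")

def parse_logon_line(line):
    """Return {'time', 'user', 'ok'} for a logon record, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "user": m.group(2), "ok": m.group(3) == "SUCCESS"}

def weekly_invalid_password_report(lines, week_end):
    """Summarise invalid logons in the 7 days ending at week_end as
    {user: {'failures', 'max_consecutive', 'lockout_expected'}}; lockout_expected
    means the policy lockout should have fired and the auditor must confirm it did."""
    week_start = week_end - timedelta(days=7)
    report, streak = {}, defaultdict(int)  # streak: current run of failures per user
    for line in lines:
        rec = parse_logon_line(line)
        if rec is None or not (week_start <= rec["time"] <= week_end):
            continue  # skip non-logon lines and records outside the review week
        user = rec["user"]
        if rec["ok"]:
            streak[user] = 0  # a successful logon ends the failure run
            continue
        entry = report.setdefault(user, {"failures": 0, "max_consecutive": 0,
                                         "lockout_expected": False})
        entry["failures"] += 1
        streak[user] += 1
        entry["max_consecutive"] = max(entry["max_consecutive"], streak[user])
        if streak[user] >= LOCKOUT_THRESHOLD:
            entry["lockout_expected"] = True
    return report
# Constructed sample history (not real data); 'dave' falls outside the review week.
SAMPLE_LOG = """\
2024-03-04 08:55:10 user=alice result=SUCCESS
2024-03-04 09:12:01 user=bob result=FAIL
2024-03-04 09:12:30 user=bob result=FAIL
2024-03-04 09:13:05 user=bob result=FAIL
2024-03-04 09:13:40 user=bob result=FAIL
2024-03-05 10:02:00 user=carol result=FAIL
2024-03-05 10:02:20 user=carol result=SUCCESS
2024-02-20 07:00:00 user=dave result=FAIL
this line is not a logon record""".splitlines()

def sample_report():  # the weekly check over SAMPLE_LOG, week ending 8 March 2024
    return weekly_invalid_password_report(SAMPLE_LOG, datetime(2024, 3, 8, 23, 59, 59))
```

In the sample, `bob` fails four times in a row, so the report marks him `lockout_expected`; if the system did not actually lock that ID after the third attempt, that is an audit finding against the lockout parameter.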
Access Controls for Outside Service Providers
There are rules for access by outside service providers. Very few outsiders, and only the listed service providers, may have that permission. Authorized persons should review the access records periodically to ensure that only authorized service provider personnel have access to the appropriate data. The review periods should be as below:
- Monthly review,
- Half-yearly review,
- Yearly review,
- At the end of a contract or before renewal of any contract with the service provider.
Review should be done by:
- The IT Administrator and authorized IT personnel
- The corresponding department head and users.
- The network design and its security are implemented under a documented plan.
- Physical security of the network equipment should be ensured: specifically, access should be restricted and controlled, and the equipment should be housed in a secure environment.
- Sensitive information should be kept in a restricted area of the networking environment.
- Unauthorized access and electronic tampering are to be strictly controlled.
- Security of the network should be under dual administrative control.
- Firewalls are in place on the network for any external connectivity.
- Redundant communication links are used for the WAN.
The LAN of PROJECT STITCH is behind a well-reputed and trusted LAN firewall, Check Point. It is a licensed firewall whose policy and threat updates are received automatically from the vendor, which helps keep the network pilfer-proof at all times.
- Security Check:
  - The system firewall should be kept up to date regularly.
  - An authorized person should check the rules of the LAN firewall regularly and periodically to reduce risk.
  - Rules should be well documented, and each and every change in the rules should be recorded in the log book immediately.
  - Only the authorized network administrator or an expert of the organisation may perform the check.
  - No outsider or supplier is allowed.
- Review Period:
  - Monthly review
  - Half-yearly review
  - Yearly review
  - As the need arises or in response to any threats.
Other Firewall Policy:
All servers, workstations, laptops or notebooks, etc. use an original operating system, and all of them are protected with the latest system firewall policy provided by the operating system supplier.
- Security Policy:
  - The organisation should use original operating systems and software.
  - All system firewalls that come with the operating system should be enabled.
  - All operating systems should be kept up to date so that the system firewall policy can work properly.
  - Except for the network administrator, no system user should be able
C-TPAT Security Questionnaire: Access Controls
- Does the garment factory have procedures in place to limit access to keys, key cards and computer systems to only those persons who have a job-related need for such access? Are terminated employees immediately denied access to keys, computer systems, etc.?
- Are information systems password protected, and are relevant employees provided with individually assigned IT system accounts?
- Are passwords subject to regular forced changes, as part of the C-TPAT security questionnaire?
- Is there an established procedure to conduct periodic unannounced information access control security checks, to ensure that all information access control security procedures are being performed properly?
- Are closed-circuit television (CCTV) cameras used to monitor activity inside and outside the factory?
- List of CCTV cameras by location.
Physical Security Policy for Desktop and Laptop or Notebook Computers
- Desktop and laptop or notebook computers should be connected to a UPS to protect against data loss and hardware damage.
- When leaving a desktop, laptop or notebook computer unattended, system users shall apply the "Lock Workstation" feature (Ctrl+Alt+Delete, Enter) where systems allow.
- A password-protected screen saver should be used to protect desktop, laptop or notebook computers from unauthorized system access.
- The automatic screen saver should be activated after a period of inactivity. This period should not be more than five (5) minutes.
- Laptop or notebook computers that store confidential or sensitive information must have encryption technology. Desktop and laptop or notebook computers and monitors shall be turned off at the end of each workday.
- Laptop or notebook computers actively connected to the network or information systems must not be left unattended.
- Laptop or notebook computers, computer media and any other forms of removable storage (e.g. diskettes, CD-ROMs, zip disks, PDAs, flash drives) shall be stored in a secured location or locked cabinet when not in use.
- Other information storage media containing confidential data, such as paper, files, tapes, etc., shall be stored in a secured location or locked cabinet when not in use.
- Individual system users shall not install or download software applications and/or executable files to any desktop, laptop or notebook computer without prior authorization.
- Desktop and laptop or notebook computer system users shall not write, compile, copy, knowingly propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of any computer system (e.g. virus, worm, Trojan, etc.).
- Any virus should be reported immediately.
- Viruses shall not be deleted without expert assistance.
- System user identification (name) and authentication (password) shall be required to access all desktop and laptop or notebook computers whenever they are turned on or restarted.
- Standard virus detection software must be installed on all desktop and laptop or notebook computers, mobile and remote devices, and shall be configured to check files when read and to routinely scan the system for viruses.
- Desktop and laptop or notebook computers shall be configured to log all significant computer security-relevant events (e.g., password guessing, unauthorized system access attempts, or modifications to applications or system software).
- During holidays, computers should be removed from floors and kept away from windows.
Physical Security Policy for Other Systems and Devices
- Fax machines,
- Video conferencing,
- CC cameras,
- Controlling and monitoring devices,
- Time attendance and door access systems, etc.
The security measures to be followed for these systems and devices are as below:
- All devices should be locked and secured by password, PIN number or some kind of physical attachment.
- Devices that are connected through the LAN should be access-restricted through DNS access control rules or other means.
- Devices that use the WAN should be behind the LAN firewall. For these kinds of devices there should be special rules in the LAN firewall that are carefully set and suitably monitored from time to time.
- The output of these devices should go only to authenticated employees of the organisation.
- There should be periodic monitoring and documentation of whether the outputs of these devices are reaching the right hands or not.
C-TPAT Audit Checklist:
- Do the users change their passwords regularly?
- Do the users attempt illegal access to the computer system?
- Do all UPS units provide power backup well?
- Do the necessary applications run well on all computers?
- Do the users keep data backups on the server?
- Can the users access or share unauthorized data on the server?
- Can the users frequently access or share authorized data of other users on the server?
- Are the computers locked automatically after 5 minutes when idle?
- Is the email ID deleted when a user resigns from the factory?
- Is the computer user ID deleted from the server when a user resigns from the company?
- Is any monitor damaged?
- Is the computer power system sparking?
- Is the user's computer wired with a standard structured network system?
- Is the user's computer connected to the central network?
- Is the user's computer integrated with the domain network?
- Is the user browsing the internet improperly?
- Can the users print their documents efficiently?
- Is anybody attempting illegal logins?
- Is the computer locked if a user makes more than 3 invalid login attempts?
- Is the client/server password policy complex?
- Are the users trained in IT security?
- Is the CCTV working well?
- Is the PABX working well?
- Is the network server controlled by the IT officer?
- Is the antivirus updated every week on all user computers?
- Is the mail server controlled by the IT manager?
- Does anybody get an internet/email connection without permission?
- Do the email users change their email passwords?
- Are the users connected to the network with different passwords?
- Can anybody change the server administrative password without the IT officer/IT manager?
- Are all computers in the factory controlled by the IT officer?
- Are all security policies applied to all users?
- All users should follow the above C-TPAT audit checklist.
Engr. Kh. Mashiur Rahman, Garments Auto Machine Technologist, Web: www.autogarment.com, Email: email@example.com, Cell: +88 017 92 52 53 54