The purpose of this checklist is to guide agencies and the Statewide Office of Information Security in validating security requirements for systems, applications, system software, and other technologies before they are deployed into a production environment. It is designed to ensure compliance with the specifications, regulations, standards and objectives identified during each phase of the System Development Life Cycle (SDLC). Reference the 205 – Certification and Accreditation Policy.
Check Boxes for those that are Completed
DOTGOV name space
Create the dotgov name space (include other domain spaces, .com, etc.) within the State’s environment.
In order for a DOTGOV domain to be acquired by a state-level authority, the Chief Information Officer must approve the domain via a signed authorization letter. Creative Services keeps a copy of all authorization letters.
OIT does not pay for any client domains. All domains are registered by the client at their respective registrar; nj.gov and state.nj.us are registered through OIT.
Physical SAR
Vulnerability Assessment
Requests to OIT for a vulnerability assessment of applications, hosts, devices or networks should be submitted to oit.riskassessments@oit.nj.gov no later than 4:00 pm on Thursdays and at least 20 business days before production. Security scanning will be conducted in the week following the request. The risk assessment and remediation are not part of the scanning process and must be factored into the project timeline.
1) OS and Software scans.
Scan Date
Requestor Name
2) Application security scans.
Scan Date
Requestor Name
3) Penetration testing.
Scan Date
Requestor Name
Vulnerabilities Detected.
Vulnerabilities Results Reviewed.
Vulnerabilities Report Distributed.
Risk Assessment
OIT-0137 (11/02/2016)
Information Security’s Certification and Accreditation Checklist Version 4