ISO 27001/17799 questionnaire (columns: ISO 27001/17799 reference | Question number | Question)

I. Security Policy
For policies that have been provided, are they supported and enforced by your department's leadership?
4.1 Are you familiar with the University's Risk Acceptance Process?
ISO references: 3 Security Policy; 3.1; 6.2.1 Information security education and training
11/22/2014
ISO references: 4.3 Outsourcing; 4.3.1 Security requirements in outsourcing contracts; 4.2, 4.3, 6.1, 6.3, 8.1, 8.7, 10.5; 4.2.2 Security requirements in third party contracts; 5.2 Information Classification; 3 Security Policy; 7.2.5 Security of equipment off-premises; 8.7.2 Security of media in transit; 9.8.1 Mobile computing; 7 Relationship Process; 7.3 Supplier Management; 7.3.2 Contract Management
15.1 Have you worked with members of the IT department to map out systems movement (such as mobile devices) into and out of the organization?
ISO references: 11.26 Archiving; 11.27 Protection of Sensitive Messages; 8.7.4 Security of electronic mail
Do you archive email and if so, where do you store the archive?
ISO references: 10 Release Process; 10.1.2 Release Policy c) authority of release into acceptance test and production environments, g) verification and acceptance of release; 9.2 Change Management
XII. Compliance
Is there a current process for defining and ongoing review of policy exceptions?
Are background and reference checks performed and verified during the recruiting and hiring processes?
Are security skill requirements reviewed and mapped to current security staff capabilities and evaluated against organizational security requirements?
Are security skills redundant within staff members so that no critical security functions are dependent on a single employee?
Are there specific criteria that a business partner or vendor must meet for security requirements?
Has an asset inventory system been implemented that includes asset criticality and/or classification ratings?
Have information flows and system moves into and out of systems and facilities been identified? Is there a policy that defines this flow of data, systems, and information?
Is there a policy that defines acceptable flow of data, systems, and information between third parties?
Are there defined procedures for granting access levels to staff and third parties based on their job requirement to access the information?
Have employees been identified that add/remove user accounts, and is account creation/removal logged so that information can be audited or reviewed?
Are physical security controls implemented for key IT systems such as the data center, and has a third party assessed those controls for their level of effectiveness?
Has a policy been defined and implemented that outlines security for mobile devices such as laptops and PDAs, and mobile storage such as flash drives?
Have you worked with departments in the organization to assess risks to critical data or systems and the resulting impact to the business should those risks be realized?
Have high-risk areas identified through risk assessment activities been prioritized, and has a plan to remediate these risks been developed?
Does automation of business processes through IT systems cause additional risk to the security of information, and have you worked to identify automated processes that might contain those risks?
Have integrity controls been implemented in systems that process transactions to verify accuracy, validity, and non-repudiation?
Is regular security assessment and testing performed that includes things such as penetration testing, vulnerability scanning, policy and configuration review?
If you answered yes to question 17, do you prioritize patches and perform testing to determine suitability to be implemented on production systems?
Do all systems in your department have current anti-virus software installed and are definition files updated on a regular basis (preferably every day)?
If you answered yes to question 32, are definition files updated on a regular basis (preferably every day)?
Is security an integrated component of the evaluation and selection of Information Technology solutions?
Is there a log or document that outlines all changes including who reviewed the changes, testing performed, back-out plans, acceptance/denial, and who performed the changes?
If you answered yes to question 26, have provisions been made to ensure critical information is available for mission-critical business processes in the event of a security incident?
Does your department have the ability to identify and resolve such incidents in a timeframe consistent with business operational requirements?
Are these plans tested on a recurring basis and updated as required depending on the outcome of tests?
Has the IT staff collaborated with key business users to make sure that business-critical information is backed up and available offsite? If so, have restore operations been tested successfully?
Have you deployed processes and/or automated alerts so that policy violations and intrusive behavior can be identified? This includes things such as account lockout alerts, intrusion detection systems, virus alerting, intellectual property violations, etc.
Answer sheet (columns: Answer, Yes/No/Somewhat/Not Applicable | Describe Existing Key Security Controls Supporting This Question)
I. Security Policy
XII. Compliance
0 - Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
1 - Initial / Ad-Hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 - Repeatable: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 - Defined Process: Procedures have been standardized and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 - Managed: It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 - Optimized: Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
3 SECURITY POLICY
3.1 INFORMATION SECURITY POLICY
3.1.1 Information security policy document
3.1.2 Review and evaluation
4 ORGANIZATIONAL SECURITY
4.1 INFORMATION SECURITY INFRASTRUCTURE
4.1.1 Management information security forum
4.1.2 Information security co-ordination
4.1.3 Allocation of information security responsibilities
4.1.4 Authorization process for information processing facilities
4.1.5 Specialist information security advice
4.1.6 Co-operation between organizations
4.1.7 Independent review of information security
4.2 SECURITY OF THIRD PARTY ACCESS
4.2.1 Identification of risks from third party access
4.2.2 Security requirements in third party contracts
4.3 OUTSOURCING
4.3.1 Security requirements in outsourcing contracts
5 ASSET CLASSIFICATION AND CONTROL
5.1 ACCOUNTABILITY FOR ASSETS
5.1.1 Inventory of assets
5.2 INFORMATION CLASSIFICATION
5.2.1 Classification guidelines
5.2.2 Information labelling and handling
6 PERSONNEL SECURITY
6.1 SECURITY IN JOB DEFINITION AND RESOURCING
6.1.1 Including security in job responsibilities
6.1.2 Personnel screening and policy
6.1.3 Confidentiality agreements
6.1.4 Terms and conditions of employment
6.2 USER TRAINING
6.2.1 Information security education and training
6.3 RESPONDING TO SECURITY INCIDENTS AND MALFUNCTIONS
6.3.1 Reporting security incidents
6.3.2 Reporting security weaknesses
6.3.3 Reporting software malfunctions
6.3.4 Learning from incidents
6.3.5 Disciplinary process
7 PHYSICAL AND ENVIRONMENTAL SECURITY
7.1 SECURE AREAS
7.1.1 Physical security perimeter
7.1.2 Physical entry controls
7.1.3 Securing offices, rooms and facilities
7.1.4 Working in secure areas
7.1.5 Isolated delivery and loading areas
7.2 EQUIPMENT SECURITY
7.2.1 Equipment siting and protection
7.2.2 Power supplies
7.2.3 Cabling security
7.2.4 Equipment maintenance
7.2.5 Security of equipment off-premises
7.2.6 Secure disposal or re-use of equipment