
Annex 2

Preliminary IS Security Analysis

Tick one box per question:                                                  yes  partly  no

1. Does the management of the organisation know the IS Security Rules?   [ ]  [ ]  [ ]

2. Does IS security constitute an integrated part of the security policy of the organisation?   [ ]  [ ]  [ ]

3. Are the security measures regarding data confidentiality, integrity and availability formulated in writing and implemented? (rules, directives)   [ ]  [ ]  [ ]

4. Was the IS security state of the organisation tested last year? (audit, risk identification, IS security analysis)   [ ]  [ ]  [ ]

5. Are the employees obliged to comply with the rules and directives on IS?   [ ]  [ ]  [ ]

6. Are the employees (including those newly recruited) trained regularly in IS security measures, and do they follow them? (data security, passwords used, etc.)   [ ]  [ ]  [ ]

7. Is there written documentation in place for each application governing which access rights employees hold within their respective functions?   [ ]  [ ]  [ ]

8. Is it ensured that all input, manipulation or access authorisations and tools are withdrawn from employees leaving the organisation?   [ ]  [ ]  [ ]

9. Is the password standard laid down in writing, and has it been discussed with employees?   [ ]  [ ]  [ ]

10. Are the IS users familiar with proper password handling?   [ ]  [ ]  [ ]

11. Does the manual or automated system ensure that all employees have to change their passwords regularly?   [ ]  [ ]  [ ]

12. Is there current documentation of the input or access authorisations granted?   [ ]  [ ]  [ ]

13. Are stored passwords protected against unauthorised access?   [ ]  [ ]  [ ]

14. Has it been ensured that a password is required to enter any of the systems and/or important applications? (registration/login)   [ ]  [ ]  [ ]

15. Does every user have their own password?   [ ]  [ ]  [ ]

16. Is access blocked after a wrong password has been entered three times?   [ ]  [ ]  [ ]

17. Are all unauthorised login attempts and attempts to exceed granted authorisations recorded and reviewed? (this should be regulated by an internal directive)   [ ]  [ ]  [ ]

18. Have fire protection measures been considered in the planning and implementation of the internal network? (separated cabling, fire alarms)   [ ]  [ ]  [ ]

19. Have fire extinguishers been installed, labelled properly, kept easily accessible and maintained? (fire-protecting ceilings, fire extinguishers)   [ ]  [ ]  [ ]

20. Is the server room properly protected against fire?   [ ]  [ ]  [ ]

21. Have organisational measures been adopted for the server room in case of a fire?   [ ]  [ ]  [ ]

22. Has an uninterruptible power supply been installed for the central IS components?   [ ]  [ ]  [ ]

23. Is there a written and enforced ban on using hardware or communication tools not supplied by the organisation? (e.g. modems, laptops, etc.)   [ ]  [ ]  [ ]

24. Is there a written and enforced ban on using software not supplied by the organisation? (private software programmes)   [ ]  [ ]  [ ]

25. When procuring new hardware or software, is its compatibility with the systems already in use tested?   [ ]  [ ]  [ ]

26. Have agreements been made with suppliers regarding important system components? (spare parts, maintenance, elimination of breakdowns or damage)   [ ]  [ ]  [ ]

27. Is there a data back-up concept in place? (method, frequency, timing, procedure, accountability)   [ ]  [ ]  [ ]

28. Are the employees obliged to protect data?   [ ]  [ ]  [ ]

29. Are the data and the software used backed up regularly?   [ ]  [ ]  [ ]

30. Is relevant documentation in place for data back-up? (data protection plan)   [ ]  [ ]  [ ]

31. Has it been tested whether data can be reconstructed from the existing back-up copies?   [ ]  [ ]  [ ]

32. Are the back-up media stored in an adequate place outside the server room?   [ ]  [ ]  [ ]

33. Is the data safe protected against fire and theft?   [ ]  [ ]  [ ]

34. Have a virus-protection concept and a strategy for combating viruses been set?   [ ]  [ ]  [ ]

35. Do the servers run an up-to-date anti-virus programme?   [ ]  [ ]  [ ]

36. Do all types of computers (PCs, Macs, laptops) run an up-to-date anti-virus programme?   [ ]  [ ]  [ ]

37. Are the anti-virus programmes updated regularly (including protection against macro viruses)?   [ ]  [ ]  [ ]

38. Have safety rules been set for using the Internet at work?   [ ]  [ ]  [ ]

39. Is Internet access secured by an anti-virus programme or a firewall?   [ ]  [ ]  [ ]

40. Has an emergency procedure been drafted for the event of an IT breakdown? (alarm plan, emergency measures and relevant information requirements, together with the persons accountable)   [ ]  [ ]  [ ]

41. Is there a recovery / renewal / reconstruction plan in place? (positioning and installation of hardware, software installation, data preparation)   [ ]  [ ]  [ ]

42. Are the procedure and measures to follow in the event of a computer virus attack formulated in writing?   [ ]  [ ]  [ ]

43. Has an adequate insurance policy for the IT system been contracted? (fire, natural disaster, theft, data carriers, operational breakdowns)   [ ]  [ ]  [ ]

This procedure is not exhaustive enough to replace a comprehensive IS Security Analysis, yet it may be used as initial information to become familiar with an auditee and to estimate whether or not a comprehensive IS Security Analysis is needed.
