Section / Sub section
(first number: this checklist's own numbering; second number: the corresponding clause of BS 7799-1 / ISO/IEC 17799:2000)

1 Security policy
  1.1 / 3.1 Information security policy
    1.1.1 / 3.1.1 Information security policy document
    1.1.2 / 3.1.2 Review and evaluation

2 Organisational security
  2.1 / 4.1 Information security infrastructure
    2.1.1 / 4.1.1 Management information security forum
    2.1.2 / 4.1.2 Information security coordination
    2.1.3 / 4.1.3 Allocation of information security responsibilities
    2.1.4 / 4.1.4 Authorisation process for information processing facilities
    2.1.5 / 4.1.5 Specialist information security advice
    2.1.6 / 4.1.6 Co-operation between organisations
    2.1.7 / 4.1.7 Independent review of information security
  2.2 / 4.2 Security of third party access
    2.2.1 / 4.2.1 Identification of risks from third party access
    2.2.2 / 4.2.2 Security requirements in third party contracts
  2.3 / 4.3 Outsourcing
    2.3.1 / 4.3.1 Security requirements in outsourcing contracts

3 Asset classification and control
  3.1 / 5.1 Accountability for assets
    3.1.1 / 5.1.1 Inventory of assets
  3.2 / 5.2 Information classification
    3.2.1 / 5.2.1 Classification guidelines
    3.2.2 / 5.2.2 Information labelling and handling

4 Personnel security
  4.1 / 6.1 Security in job definition and resourcing
    4.1.1 / 6.1.1 Including security in job responsibilities
    4.1.2 / 6.1.2 Personnel screening and policy
    4.1.3 / 6.1.3 Confidentiality agreements
    4.1.4 / 6.1.4 Terms and conditions of employment
  4.2 / 6.2 User training
    4.2.1 / 6.2.1 Information security education and training
  4.3 / 6.3 Responding to security incidents and malfunctions
    4.3.1 / 6.3.1 Reporting security incidents
    4.3.2 / 6.3.2 Reporting security weaknesses
    4.3.3 / 6.3.3 Reporting software malfunctions
    4.3.4 / 6.3.4 Learning from incidents
    4.3.5 / 6.3.5 Disciplinary process

5 Physical and environmental security
  5.1 / 7.1 Secure areas
    5.1.1 / 7.1.1 Physical security perimeter
    5.1.2 / 7.1.2 Physical entry controls
    5.1.3 / 7.1.3 Securing offices, rooms and facilities
    5.1.4 / 7.1.4 Working in secure areas
    5.1.5 / 7.1.5 Isolated delivery and loading areas
  5.2 / 7.2 Equipment security
    5.2.1 / 7.2.1 Equipment siting and protection
    5.2.2 / 7.2.2 Power supplies
    5.2.3 / 7.2.3 Cabling security
    5.2.4 / 7.2.4 Equipment maintenance
    5.2.5 / 7.2.5 Security of equipment off-premises
    5.2.6 / 7.2.6 Secure disposal or re-use of equipment
  5.3 / 7.3 General controls
    5.3.1 / 7.3.1 Clear desk and clear screen policy
    5.3.2 / 7.3.2 Removal of property

6 Communications and operations management
  6.1 / 8.1 Operational procedures and responsibilities
    6.1.1 / 8.1.1 Documented operating procedures
    6.1.2 / 8.1.2 Operational change control
    6.1.3 / 8.1.3 Incident management procedures
    6.1.4 / 8.1.4 Segregation of duties
    6.1.5 / 8.1.5 Separation of development and operational facilities
    6.1.6 / 8.1.6 External facilities management
  6.2 / 8.2 System planning and acceptance
    6.2.1 / 8.2.1 Capacity planning
    6.2.2 / 8.2.2 System acceptance
  6.3 / 8.3 Protection against malicious software
    6.3.1 / 8.3.1 Controls against malicious software
  6.4 / 8.4 Housekeeping
    6.4.1 / 8.4.1 Information back-up
    6.4.2 / 8.4.2 Operator logs
    6.4.3 / 8.4.3 Fault logging
  6.5 / 8.5 Network management
    6.5.1 / 8.5.1 Network controls
  6.6 / 8.6 Media handling and security
    6.6.1 / 8.6.1 Management of removable computer media
    6.6.2 / 8.6.2 Disposal of media
    6.6.3 / 8.6.3 Information handling procedures
    6.6.4 / 8.6.4 Security of system documentation
  6.7 / 8.7 Exchange of information and software
    6.7.1 / 8.7.1 Information and software exchange agreements
    6.7.2 / 8.7.2 Security of media in transit
    6.7.3 / 8.7.3 Electronic commerce security
    6.7.4 / 8.7.4 Security of electronic mail
    6.7.5 / 8.7.5 Security of electronic office systems
    6.7.6 / 8.7.6 Publicly available systems
    6.7.7 / 8.7.7 Other forms of information exchange

7 Access control
  7.1 / 9.1 Business requirements for access control
    7.1.1 / 9.1.1 Access control policy
  7.2 / 9.2 User access management
    7.2.1 / 9.2.1 User registration
    7.2.2 / 9.2.2 Privilege management
    7.2.3 / 9.2.3 User password management
    7.2.4 / 9.2.4 Review of user access rights
  7.3 / 9.3 User responsibilities
    7.3.1 / 9.3.1 Password use
    7.3.2 / 9.3.2 Unattended user equipment
  7.4 / 9.4 Network access control
    7.4.1 / 9.4.1 Policy on use of network services
    7.4.2 / 9.4.2 Enforced path
    7.4.3 / 9.4.3 User authentication for external connections
    7.4.4 / 9.4.4 Node authentication
    7.4.5 / 9.4.5 Remote diagnostic port protection
    7.4.6 / 9.4.6 Segregation in networks
    7.4.7 / 9.4.7 Network connection control
    7.4.8 / 9.4.8 Network routing control
    7.4.9 / 9.4.9 Security of network services
  7.5 / 9.5 Operating system access control
    7.5.1 / 9.5.1 Automatic terminal identification
    7.5.2 / 9.5.2 Terminal log-on procedures
    7.5.3 / 9.5.3 User identification and authentication
    7.5.4 / 9.5.4 Password management system
    7.5.5 / 9.5.5 Use of system utilities
    7.5.6 / 9.5.6 Duress alarm to safeguard users
    7.5.7 / 9.5.7 Terminal time-out
    7.5.8 / 9.5.8 Limitation of connection time
  7.6 / 9.6 Application access control
    7.6.1 / 9.6.1 Information access restriction
    7.6.2 / 9.6.2 Sensitive system isolation
  7.7 / 9.7 Monitoring system access and use
    7.7.1 / 9.7.1 Event logging
    7.7.2 / 9.7.2 Monitoring system use
    7.7.3 / 9.7.3 Clock synchronisation
  7.8 / 9.8 Mobile computing and teleworking
    7.8.1 / 9.8.1 Mobile computing
    7.8.2 / 9.8.2 Teleworking

8 System development and maintenance
  8.1 / 10.1 Security requirements of systems
    8.1.1 / 10.1.1 Security requirements analysis and specification
  8.2 / 10.2 Security in application systems
    8.2.1 / 10.2.1 Input data validation
    8.2.2 / 10.2.2 Control of internal processing
    8.2.3 / 10.2.3 Message authentication
    8.2.4 / 10.2.4 Output data validation
  8.3 / 10.3 Cryptographic controls
    8.3.1 / 10.3.1 Policy on the use of cryptographic controls
    8.3.2 / 10.3.2 Encryption
    8.3.3 / 10.3.3 Digital signatures
    8.3.4 / 10.3.4 Non-repudiation services
    8.3.5 / 10.3.5 Key management
  8.4 / 10.4 Security of system files
    8.4.1 / 10.4.1 Control of operational software
    8.4.2 / 10.4.2 Protection of system test data
    8.4.3 / 10.4.3 Access control to program source library
  8.5 / 10.5 Security in development and support processes
    8.5.1 / 10.5.1 Change control procedures
    8.5.2 / 10.5.2 Technical review of operating system changes
    8.5.3 / 10.5.3 Restrictions on changes to software packages
    8.5.4 / 10.5.4 Covert channels and Trojan code
    8.5.5 / 10.5.5 Outsourced software development

9 Business continuity management
  9.1 / 11.1 Aspects of business continuity management
    9.1.1 / 11.1.1 Business continuity management process
    9.1.2 / 11.1.2 Business continuity and impact analysis
    9.1.3 / 11.1.3 Writing and implementing continuity plans
    9.1.4 / 11.1.4 Business continuity planning framework
    9.1.5 / 11.1.5 Testing, maintaining and re-assessing business continuity plans

10 Compliance
  10.1 / 12.1 Compliance with legal requirements
    10.1.1 / 12.1.1 Identification of applicable legislation
    10.1.2 / 12.1.2 Intellectual property rights (IPR)
    10.1.3 / 12.1.3 Safeguarding of organisational records
    10.1.4 / 12.1.4 Data protection and privacy of personal information
    10.1.5 / 12.1.5 Prevention of misuse of information processing facilities
    10.1.6 / 12.1.6 Regulation of cryptographic controls
    10.1.7 / 12.1.7 Collection of evidence
  10.2 / 12.2 Reviews of security policy and technical compliance
    10.2.1 / 12.2.1 Compliance with security policy
    10.2.2 / 12.2.2 Technical compliance checking
  10.3 / 12.3 System audit considerations
    10.3.1 / 12.3.1 System audit controls
    10.3.2 / 12.3.2 Protection of system audit tools

Audit Question

3.1.1 Information security policy document
- Whether there exists an information security policy, which is approved by the management, published and communicated as appropriate to all employees.
- Whether it states the management commitment and sets out the organisational approach to managing information security.

3.1.2 Review and evaluation
- Whether the security policy has an owner, who is responsible for its maintenance and review according to a defined review process.
- Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, for example: significant security incidents, new vulnerabilities or changes to the organisational or technical infrastructure.

4.1.1 Management information security forum
- Whether there is a management forum to ensure there is clear direction and visible management support for security initiatives within the organisation.

4.1.2 Information security coordination
- Whether there is a cross-functional forum of management representatives from relevant parts of the organisation to coordinate the implementation of information security controls.

4.1.3 Allocation of information security responsibilities
- Whether responsibilities for the protection of individual assets and for carrying out specific security processes are clearly defined.

4.1.4 Authorisation process for information processing facilities
- Whether there is a management authorisation process in place for any new information processing facility. This should include all new facilities such as hardware and software.

4.1.5 Specialist information security advice
- Whether specialist information security advice is obtained where appropriate. A specific individual may be identified to co-ordinate in-house knowledge and experience, to ensure consistency and to provide help in security decision making.

4.1.6 Co-operation between organisations
- Whether appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators are maintained, to ensure that appropriate action can be taken quickly and advice obtained in the event of a security incident.

4.1.7 Independent review of information security
- Whether the implementation of the security policy is reviewed independently on a regular basis. This is to provide assurance that organisational practices reflect the policy, and that it is feasible and effective.

4.2.1 Identification of risks from third party access
- Whether risks from third party access are identified and appropriate security controls implemented.
- Whether the types of access are identified and classified, and the reasons for access justified.
- Whether security risks from third party contractors working on site are identified and appropriate controls implemented.

4.2.2 Security requirements in third party contracts
- Whether there is a formal contract containing, or referring to, all the security requirements needed to ensure compliance with the organisation's security policies and standards.

4.3.1 Security requirements in outsourcing contracts
- Whether security requirements are addressed in the contract with the third party, when the organisation has outsourced the management and control of all or some of its information systems, networks and/or desktop environments.
- The contract should address how the legal requirements are to be met, how the security of the organisation's assets is maintained and tested, the right of audit, physical security issues, and how the availability of the services is to be maintained in the event of disaster.

5.1.1 Inventory of assets
- Whether an inventory or register is maintained of the important assets associated with each information system.
- Whether each asset identified has an owner, a security classification defined and agreed, and its location identified.

5.2.1 Classification guidelines
- Whether there is an information classification scheme or guideline in place, which will assist in determining how the information is to be handled and protected.

5.2.2 Information labelling and handling
- Whether an appropriate set of procedures is defined for information labelling and handling, in accordance with the classification scheme adopted by the organisation.

6.1.1 Including security in job responsibilities
- Whether security roles and responsibilities, as laid down in the organisation's information security policy, are documented where appropriate. This should include general responsibilities for implementing or maintaining the security policy, as well as specific responsibilities for the protection of particular assets or for the execution of particular security processes or activities.

6.1.2 Personnel screening and policy
- Whether verification checks on permanent staff were carried out at the time of job application. This should include character references, confirmation of claimed academic and professional qualifications, and independent identity checks.

6.1.3 Confidentiality agreements
- Whether employees are asked to sign a confidentiality or non-disclosure agreement as a part of their initial terms and conditions of employment.
- Whether this agreement covers the security of the information processing facility and of the organisation's assets.

6.1.4 Terms and conditions of employment
- Whether the terms and conditions of employment cover the employee's responsibility for information security. Where appropriate, these responsibilities might continue for a defined period after the end of the employment.

6.2.1 Information security education and training
- Whether all employees of the organisation and third party users (where relevant) receive appropriate information security training and regular updates on organisational policies and procedures.

6.3.1 Reporting security incidents
- Whether a formal reporting procedure exists, to report security incidents through appropriate management channels as quickly as possible.

6.3.2 Reporting security weaknesses
- Whether a formal reporting procedure or guideline exists for users to report security weaknesses in, or threats to, systems or services.

6.3.3 Reporting software malfunctions
- Whether procedures were established to report any software malfunctions.

6.3.4 Learning from incidents
- Whether there are mechanisms in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored.

6.3.5 Disciplinary process
- Whether there is a formal disciplinary process in place for employees who have violated organisational security policies and procedures. Such a process can act as a deterrent to employees who might otherwise be inclined to disregard security procedures.

7.1.1 Physical security perimeter
- What physical border security facility has been implemented to protect the information processing service. Some examples of such security facilities are card-controlled entry gates, walls, a manned reception etc.

7.1.2 Physical entry controls
- What entry controls are in place to allow only authorised personnel into the various areas within the organisation.

7.1.3 Securing offices, rooms and facilities
- Whether the rooms which house the information processing service are locked, or have lockable cabinets or safes.
- Whether the information processing service is protected from natural and man-made disaster.
- Whether there is any potential threat from neighbouring premises.

7.1.4 Working in secure areas
- Whether there exists any security control for third parties or for personnel working in a secure area. Information about the secure area is given only on a need-to-know basis.

7.1.5 Isolated delivery and loading areas
- Whether the delivery area and the information processing area are isolated from each other, to avoid any unauthorised access.
- Whether a risk assessment was conducted to determine the security of such areas.

7.2.1 Equipment siting and protection
- Whether the equipment was located in an appropriate place, to minimise unnecessary access into work areas.
- Whether the items requiring special protection were isolated, to reduce the general level of protection required.
- Whether controls were adopted to minimise the risk from potential threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, electromagnetic radiation and flood.
- Whether there is a policy on eating, drinking and smoking in proximity to information processing services.
- Whether environmental conditions which could adversely affect the information processing facilities are monitored.

7.2.2 Power supplies
- Whether the equipment is protected from power failures by the use of resilient power supplies, such as multiple feeds, an uninterruptible power supply (UPS), a backup generator etc.

7.2.3 Cabling security
- Whether the power and telecommunications cables carrying data or supporting information services are protected from interception or damage.
- Whether there are any additional security controls in place for sensitive or critical information.

7.2.4 Equipment maintenance
- Whether the equipment is maintained as per the supplier's recommended service intervals and specifications.
- Whether the maintenance is carried out only by authorised personnel.
- Whether logs are maintained of all suspected or actual faults and of all preventive and corrective measures.
- Whether appropriate controls are implemented when sending equipment off premises.
- If the equipment is covered by insurance, whether the insurance requirements are satisfied.

7.2.5 Security of equipment off-premises
- Whether any use of equipment outside the organisation's premises for information processing has to be authorised by the management.
- Whether the security provided for this equipment while outside the premises is on a par with, or greater than, the security provided inside the premises.

7.2.6 Secure disposal or re-use of equipment
- Whether storage devices containing sensitive information are physically destroyed or securely overwritten.

7.3.1 Clear desk and clear screen policy
- Whether an automatic computer screen locking facility is enabled. This would lock the screen when the computer is left unattended for a period.
- Whether employees are advised to keep any confidential material in the form of paper documents, media etc. locked away while unattended.

7.3.2 Removal of property
- Whether equipment, information or software can be taken off site without appropriate authorisation.
- Whether spot checks or regular audits are conducted to detect unauthorised removal of property.
- Whether individuals are aware of these types of spot checks or regular audits.

8.1.1 Documented operating procedures
- Whether the security policy has identified any operating procedures, such as back-up, equipment maintenance etc.
- Whether such procedures are documented and used.

8.1.2 Operational change control
- Whether all programs running on production systems are subject to strict change control, i.e. any change to be made to those production programs needs to go through the change control authorisation.
- Whether audit logs are maintained for any change made to the production programs.

8.1.3 Incident management procedures
- Whether an incident management procedure exists to handle security incidents.
- Whether the procedure addresses the incident management responsibilities and an orderly and quick response to security incidents.
- Whether the procedure addresses different types of incidents, ranging from denial of service to breach of confidentiality etc., and ways to handle them.
- Whether the audit trails and logs relating to the incidents are maintained, and proactive action taken so that the incident does not reoccur.

8.1.4 Segregation of duties
- Whether duties and areas of responsibility are separated, in order to reduce opportunities for unauthorised modification or misuse of information or services.

8.1.5 Separation of development and operational facilities
- Whether the development and testing facilities are isolated from the operational facilities. For example, development software should run on a different computer from the computer holding production software. Where necessary, the development and production networks should be separated from each other.

8.1.6 External facilities management
- Whether any of the information processing facilities are managed by an external company or contractor (third party).
- Whether the risks associated with such management are identified in advance, discussed with the third party, and appropriate controls incorporated into the contract.
- Whether the necessary approval is obtained from business and application owners.

8.2.1 Capacity planning
- Whether capacity demands are monitored and projections of future capacity requirements are made. This is to ensure that adequate processing power and storage are available. Example: monitoring hard disk space, RAM and CPU on critical servers.

8.2.2 System acceptance
- Whether system acceptance criteria are established for new information systems, upgrades and new versions.
- Whether suitable tests were carried out prior to acceptance.

8.3.1 Controls against malicious software
- Whether there exists any control against the use of malicious software.
- Whether the security policy addresses software licensing issues, such as prohibiting the use of unauthorised software.
- Whether there exists any procedure to verify that all warning bulletins are accurate and informative with regard to malicious software.
- Whether antivirus software is installed on the computers to check for, and isolate or remove, any viruses on computers and media.
- Whether this software's signatures are updated on a regular basis, so that the latest viruses are detected.
- Whether all traffic originating from an untrusted network into the organisation is checked for viruses. Example: checking for viruses in email, email attachments, and web and FTP traffic.

8.4.1 Information back-up
- Whether back-ups of essential business information, such as production servers, critical network components, configuration backups etc., are taken regularly. Example: Mon-Thu incremental backup and Fri full backup.
- Whether the backup media, along with the procedure to restore the backup, are stored securely and well away from the actual site.
- Whether the backup media are regularly tested to ensure that they could be restored within the time frame allotted in the operational procedure for recovery.

8.4.2 Operator logs
- Whether operational staff maintain a log of their activities, such as the name of the person, errors, corrective action etc.
- Whether operator logs are checked on a regular basis against the operating procedures.

8.4.3 Fault logging
- Whether faults are reported and well managed. This includes corrective action being taken, review of the fault logs, and checking of the actions taken.

8.5.1 Network controls
- Whether effective operational controls, such as separate network and system administration facilities, are established where necessary.
- Whether responsibilities and procedures for the management of remote equipment, including equipment in user areas, are established.
- Whether there exist any special controls to safeguard the confidentiality and integrity of data passing over public networks and to protect the connected systems. Example: virtual private networks and other encryption and hashing mechanisms etc.

8.6.1 Management of removable computer media
- Whether there exists a procedure for the management of removable computer media such as tapes, disks, cassettes, memory cards and reports.

8.6.2 Disposal of media
- Whether media that are no longer required are disposed of securely and safely.
- Whether the disposal of sensitive items is logged where necessary, in order to maintain an audit trail.

8.6.3 Information handling procedures
- Whether there exists a procedure for handling the storage of information. Does this procedure address issues such as protecting information from unauthorised disclosure or misuse.

8.6.4 Security of system documentation
- Whether the system documentation is protected from unauthorised access.
- Whether the access list for the system documentation is kept to a minimum and authorised by the application owner. Example: where system documentation needs to be kept on a shared drive for specific purposes, the document needs to have access control lists enabled (so that it is accessible only to a limited set of users).

8.7.1 Information and software exchange agreements
- Whether there exists any formal or informal agreement between the organisations for the exchange of information and software.
- Whether the agreement addresses the security issues, based on the sensitivity of the business information involved.

8.7.2 Security of media in transit
- Whether the security of media while being transported is taken into account.
- Whether the media is well protected from unauthorised access, misuse or corruption.

8.7.3 Electronic commerce security
- Whether electronic commerce is well protected and controls are implemented to protect against fraudulent activity, contract dispute, and disclosure or modification of information.
- Whether security controls such as authentication and authorisation are considered in the e-commerce environment.
- Whether electronic commerce arrangements between trading partners include a documented agreement which commits both parties to the agreed terms of trading, including details of security issues.

8.7.4 Security of electronic mail
- Whether there is a policy in place for the acceptable use of electronic mail, or whether the security policy addresses the issues relating to the use of electronic mail.
- Whether controls such as antivirus checking, isolating potentially unsafe attachments, spam control, anti-relaying etc. are put in place to reduce the risks created by electronic mail.

8.7.5 Security of electronic office systems
- Whether there is an acceptable use policy to address the use of electronic office systems.
- Whether there are any guidelines in place to effectively control the business and security risks associated with the electronic office systems.

8.7.6 Publicly available systems
- Whether there is any formal authorisation process in place for information to be made publicly available, such as approval from change control, which includes approvals from the business, the application owner etc.
- Whether there are any controls in place to protect the integrity of such publicly available information from any unauthorised access. This might include controls such as firewalls, operating system hardening, and intrusion detection tools used to monitor the system etc.

8.7.7 Other forms of information exchange
- Whether there are any policies, procedures or controls in place to protect the exchange of information through the use of voice, facsimile and video communication facilities.
- Whether staff are reminded to maintain the confidentiality of sensitive information while using such forms of information exchange facility.

9.1.1 Access control policy
- Whether the business requirements for access control have been defined and documented.
- Whether the access control policy addresses the rules and rights for each user or group of users.
- Whether the users and service providers were given a clear statement of the business requirements to be met by access controls.

9.2.1 User registration
- Whether there is any formal user registration and de-registration procedure for granting access to multi-user information systems and services.

9.2.2 Privilege management
- Whether the allocation and use of any privileges in a multi-user information system environment is restricted and controlled, i.e. privileges are allocated on a need-to-use basis and only after a formal authorisation process.

9.2.3 User password management
- Whether the allocation and reallocation of passwords is controlled through a formal management process.
- Whether the users are asked to sign a statement to keep their password confidential.

9.2.4 Review of user access rights
- Whether there exists a process to review user access rights at regular intervals. Example: special privileges reviewed every 3 months, normal privileges every 6 months.

9.3.1 Password use
- Whether there are any guidelines in place to guide users in selecting and maintaining secure passwords.

9.3.2 Unattended user equipment
- Whether the users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection. Example: log off when the session is finished or set up automatic log-off, terminate sessions when finished etc.

9.4.1 Policy on use of network services
- Whether there exists a policy that addresses concerns relating to networks and network services, such as: the parts of the network to be accessed; authorisation services to determine who is allowed to do what; procedures to protect access to network connections and network services.

9.4.2 Enforced path
- Whether there is any control that restricts the route between the user terminal and the designated computer services the user is authorised to access, for example an enforced path, to reduce the risk.

9.4.3 User authentication for external connections
- Whether there exists any authentication mechanism for challenging external connections. Examples: cryptography-based techniques, hardware tokens, software tokens, challenge/response protocols etc.

9.4.4 Node authentication
- Whether connections to remote computer systems that are outside the organisation's security management are authenticated. Node authentication can serve as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility.

9.4.5 Remote diagnostic port protection
- Whether access to diagnostic ports is securely controlled, i.e. protected by a security mechanism.

9.4.6 Segregation in networks
- Whether the network (where business partners and/or third parties need access to the information system) is segregated using perimeter security mechanisms such as firewalls.

9.4.7 Network connection control
- Whether there exists any network connection control for shared networks that extend beyond the organisational boundaries. Example: electronic mail, web access, file transfers etc.

9.4.8 Network routing control
- Whether there exists any network routing control to ensure that computer connections and information flows do not breach the access control policy of the business applications. This is often essential for networks shared with non-organisation users.
- Whether the routing controls are based on positive source and destination identification mechanisms. Example: network address translation (NAT).

9.4.9 Security of network services
- Whether the organisation, when using public or private network services, ensures that a clear description of the security attributes of all services used is provided.

9.5.1 Automatic terminal identification
- Whether an automatic terminal identification mechanism is used to authenticate connections.

9.5.2 Terminal log-on procedures
- Whether access to the information system is attainable only via a secure log-on process.
- Whether there is a procedure in place for logging in to an information system. This is to minimise the opportunity for unauthorised access.

9.5.3 User identification and authentication
- Whether a unique identifier is provided to every user, such as operators, system administrators and all other staff, including technical staff. Generic user accounts should only be supplied under exceptional circumstances where there is a clear business benefit; additional controls may then be necessary to maintain accountability.
- Whether the authentication method used substantiates the claimed identity of the user. Commonly used method: a password that only the user knows.

9.5.4 Password management system
- Whether there exists a password management system that enforces various password controls, such as: individual passwords for accountability, enforced password changes, storing passwords in encrypted form, not displaying passwords on screen etc.
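
The following Python example is added here to show what the 9.5.4 controls look like when implemented, and is not part of the original checklist. It models a small password management system: one credential per user (accountability), a forced change after a maximum age, rejection of recently used passwords, and storage that never contains the plaintext. The checklist's "encrypted form" is realised as salted one-way hashing with PBKDF2-HMAC-SHA256, which is the usual way a password store meets that control; the iteration count, 90-day age, 5-entry history, 12-character minimum, and all class and function names are this example's own assumptions.

```python
"""Added example: a minimal password management system enforcing the 9.5.4
controls. Not from the checklist; all names and parameters are assumptions."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000            # assumption: raise per current guidance
MAX_PASSWORD_AGE_SECONDS = 90 * 86400  # assumption: 90-day enforced change
HISTORY_LENGTH = 5                     # assumption: last 5 passwords may not be reused
MIN_LENGTH = 12                        # assumption: policy minimum length
DUMMY_SALT = b"\x00" * 16              # used only to equalise timing for unknown users


def _derive(password: str, salt: bytes) -> bytes:
    """One-way, salted derivation; the plaintext is never written anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """Per-user store holding only salt, digest, time of last change and history."""

    def __init__(self, now=time.time):
        self._now = now    # injectable clock so the expiry rule can be exercised
        self._creds = {}   # user -> {"salt", "digest", "set_at", "history"}

    def set_password(self, user: str, password: str) -> None:
        if len(password) < MIN_LENGTH:
            raise ValueError("password shorter than policy minimum")
        cred = self._creds.get(user)
        previous = []
        if cred is not None:
            # Current digest plus history; each entry has its own salt.
            previous = [(cred["salt"], cred["digest"])] + cred["history"]
            for salt, digest in previous:
                if hmac.compare_digest(_derive(password, salt), digest):
                    raise ValueError("reuse of a recent password rejected")
        salt = os.urandom(16)   # fresh random salt per password
        self._creds[user] = {
            "salt": salt,
            "digest": _derive(password, salt),
            "set_at": self._now(),
            "history": previous[:HISTORY_LENGTH],
        }

    def verify(self, user: str, password: str) -> str:
        """Returns 'ok', 'expired' or 'denied'; does not say which check failed."""
        cred = self._creds.get(user)
        if cred is None:
            _derive(password, DUMMY_SALT)   # same cost as a real check
            return "denied"
        if not hmac.compare_digest(_derive(password, cred["salt"]), cred["digest"]):
            return "denied"
        if self._now() - cred["set_at"] > MAX_PASSWORD_AGE_SECONDS:
            return "expired"   # correct password, but the change interval has passed
        return "ok"

    def stores_plaintext(self, user: str, password: str) -> bool:
        """Audit helper: True only if the plaintext appears in the stored record."""
        cred = self._creds[user]
        return password.encode("utf-8") in cred["salt"] + cred["digest"]
```

An auditor checking 9.5.4 against a real system would look for the same properties this sketch makes explicit: a per-user record, a slow salted one-way function rather than reversible encryption or a bare hash, a constant-time comparison, an enforced maximum age, and a reuse check that runs against the stored history rather than against plaintext copies.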

9.5.5 Use of system utilities
- Whether the system utilities that come with computer installations, but which may override system and application controls, are tightly controlled.

9.5.6 Duress alarm to safeguard users
- Whether the provision of a duress alarm is considered for users who might be the target of coercion.

9.5.7 Terminal time-out
- Whether inactive terminals in public areas are configured to clear the screen or shut down automatically after a defined period of inactivity.

9.5.8 Limitation of connection time
- Whether there exist any restrictions on connection time for high-risk applications. This type of set-up should be considered for sensitive applications whose terminals are installed in high-risk locations.

9.6.1 Information access restriction
- Whether access to applications by the various groups/personnel within the organisation is defined in the access control policy as per the individual business application requirement, and is consistent with the organisation's information access policy.

9.6.2 Sensitive system isolation
- Whether sensitive systems are provided with an isolated computing environment, such as running on a dedicated computer or sharing resources only with trusted application systems etc.

9.7.1 Event logging
- Whether audit logs recording exceptions and other security-relevant events are produced and kept for an agreed period, to assist in future investigations and access control monitoring.

9.7.2 Monitoring system use
- Whether procedures are set up for monitoring the use of information processing facilities. The procedure should ensure that users are performing only the activities that are explicitly authorised.
- Whether the results of the monitoring activities are reviewed regularly.

9.7.3 Clock synchronisation
- Where the computer or communication device has the capability of operating a real-time clock, whether it is set to an agreed standard such as Coordinated Universal Time or local standard time. The correct setting of the computer clock is important to ensure the accuracy of the audit logs.

9.8.1 Mobile computing
- Whether a formal policy is adopted that takes into account the risks of working with computing facilities such as notebooks, palmtops etc., especially in unprotected environments.
- Whether training was arranged for staff who use mobile computing facilities, to raise their awareness of the additional risks resulting from this way of working and of the controls that need to be implemented to mitigate those risks.

9.8.2 Teleworking
- Whether there is any policy, procedure and/or standard to control teleworking activities; this should be consistent with the organisation's security policy.
- Whether suitable protection of the teleworking site is in place against threats such as theft of equipment, unauthorised disclosure of information etc.
10.1.1 Security requirements analysis and specification
- Whether security requirements are incorporated as part of the business requirements statement for new systems or for enhancements to existing systems.
- Security requirements and controls identified should reflect the business value of the information assets involved and the consequences of a failure of security.
- Whether risk assessments are completed prior to the commencement of system development.

10.2.1 Input data validation
- Whether data input to the application system is validated to ensure that it is correct and appropriate.
- Whether controls such as the following are considered: checking different types of input for errors; procedures for responding to validation errors; defining the responsibilities of all personnel involved in the data input process etc.

10.2.2 Control of internal processing
- Whether areas of risk are identified in the processing cycle and validation checks included. In some cases data that has been correctly entered can be corrupted by processing errors or through deliberate acts.
- Whether appropriate controls are identified for applications to mitigate the risks during internal processing. The controls will depend on the nature of the application and the business impact of any corruption of data.

10.2.3 Message authentication
- Whether an assessment of security risk was carried out to determine if message authentication is required, and to identify the most appropriate method of implementation if it is necessary. Message authentication is a technique used to detect unauthorised changes to, or corruption of, the contents of a transmitted electronic message.

10.2.4 Output data validation
- Whether the data output of the application system is validated to ensure that the processing of stored information is correct and appropriate to the circumstances.
Whether there is a "Policy on the use of cryptographic controls for protection of information" in place.

Whether a risk assessment was carried out to identify the level of protection the information should be given.

Whether encryption techniques were used to protect the data.

Whether assessments were conducted to analyse the sensitivity of the data and the level of protection needed.

Whether digital signatures were used to protect the authenticity and integrity of electronic documents.

Whether non-repudiation services were used where it might be necessary to resolve disputes about the occurrence or non-occurrence of an event or action.

Example: a dispute involving the use of a digital signature on an electronic payment or contract.

Whether there is a management system in place to support the organisation's use of cryptographic techniques such as secret key techniques and public key techniques.

Whether the key management system is based on an agreed set of standards, procedures and secure methods.
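The message authentication, digital signature and non-repudiation items above are served by one added example (not code from the checklist or from any standard): a stand-alone Python block that authenticates a constructed payment message with a symmetric MAC, then signs it with a digital signature, and shows why only the latter can settle a dispute about who produced the message. It uses only the standard library; the signature scheme is a textbook Lamport one-time signature, chosen as an assumption because it needs nothing but a hash function, and a key pair must sign only one message.

```python
"""Message authentication (symmetric MAC) versus a digital signature
(asymmetric, supports non-repudiation). Added stand-alone example; the
Lamport one-time signature is a textbook scheme used here for illustration."""
import hashlib
import hmac
import secrets

# --- Message authentication code: detects changes/corruption in transit ---

def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message; sender and receiver share `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not leak tag bytes."""
    return hmac.compare_digest(mac_tag(key, message), tag)

# --- Lamport one-time signature: verifiable with the public key alone ---

def lamport_keygen(rng=secrets.token_bytes):
    """Private key: 256 pairs of random 32-byte values.
    Public key: the SHA-256 hash of each of those values."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def lamport_sign(sk, message: bytes) -> list:
    """Reveal, for each bit of SHA-256(message), one of the two preimages.
    A key pair must sign only ONE message; reuse leaks the other halves."""
    digest = hashlib.sha256(message).digest()
    bits = [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]
    return [sk[i][bit] for i, bit in enumerate(bits)]

def lamport_verify(pk, message: bytes, sig: list) -> bool:
    """Hash each revealed value and compare with the published half of the key."""
    if len(sig) != 256:
        return False
    digest = hashlib.sha256(message).digest()
    ok = True
    for i in range(256):
        bit = (digest[i // 8] >> (7 - i % 8)) & 1
        # Accumulate rather than return early so all 256 hashes are checked.
        ok &= hmac.compare_digest(hashlib.sha256(sig[i]).digest(), pk[i][bit])
    return ok

def demo() -> dict:
    """Constructed sample: a payment instruction and a tampered copy of it."""
    original = b"PAY 100.00 GBP to ACCT-0001 ref INV-42"
    tampered = b"PAY 900.00 GBP to ACCT-0001 ref INV-42"

    key = secrets.token_bytes(32)  # shared secret for the MAC
    tag = mac_tag(key, original)

    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, original)

    return {
        "mac_accepts_original": mac_verify(key, original, tag),
        "mac_rejects_tampered": not mac_verify(key, tampered, tag),
        "sig_accepts_original": lamport_verify(pk, original, sig),
        "sig_rejects_tampered": not lamport_verify(pk, tampered, sig),
        # Both parties hold the MAC key, so either could have produced a valid
        # tag: a MAC cannot settle a dispute about who sent the message.
        "receiver_can_forge_mac": mac_verify(key, tampered, mac_tag(key, tampered)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both mechanisms detect the altered amount. The last entry is the non-repudiation point: the receiver, holding the same MAC key, can produce a valid tag for any message it likes, whereas it cannot produce a Lamport signature without the signer's private key, so only the signature is evidence a third party can rely on.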
Whether there are any controls in place for the implementation of software on operational systems. This is to minimise the risk of corruption of operational systems.

Whether system test data is protected and controlled.

The use of an operational database containing personal information should be avoided for test purposes. If such information is used, the data should be depersonalised before use.

Whether strict controls are in place over access to program source libraries. This is to reduce the potential for corruption of computer programs.
Whether there are strict control procedures in place over the implementation of changes to the information system. This is to minimise corruption of the information system.

Whether there is a process or procedure in place to ensure the application system is reviewed and tested after a change in the operating system.

Periodically it is necessary to upgrade the operating system, i.e. to install service packs, patches, hot fixes etc.

Whether there are any restrictions in place to limit changes to software packages.

As far as possible, vendor-supplied software packages should be used without modification. If changes are deemed essential, the original software should be retained and the changes applied only to a clearly identified copy. All changes should be fully tested and documented, so they can be reapplied if necessary to future software upgrades.

Whether there are controls in place to ensure that covert channels and Trojan code are not introduced into new or upgraded systems.

A covert channel can expose information by some indirect and obscure means. Trojan code is designed to affect a system in a way that is not authorised.

Whether there are controls in place over outsourced software development.

The points to be noted include: licensing arrangements, escrow arrangements, contractual requirements for quality assurance, testing before installation to detect Trojan code etc.
Whether there is a managed process in place for developing and maintaining business continuity throughout the organisation.

This might include an organisation-wide business continuity plan, regular testing and updating of the plan, formulating and documenting a business continuity strategy etc.

Whether events that could cause interruptions to business processes were identified, for example equipment failure, flood and fire.

Whether a risk assessment was conducted to determine the impact of such interruptions.

Whether a strategy plan was developed based on the risk assessment results to determine an overall approach to business continuity.

Whether plans were developed to restore business operations within the required time frame following an interruption or failure of a business process.

Whether the plan is regularly tested and updated.

Whether there is a single framework of business continuity plans.

Whether this framework is maintained to ensure that all plans are consistent and to identify conditions for testing and maintenance.

Whether this identifies priorities for activation and the individuals responsible for executing each component of the plan.

Whether business continuity plans are tested regularly to ensure that they are up to date and effective.

Whether business continuity plans were maintained by regular reviews and updates to ensure their continuing effectiveness.

Whether procedures were included within the organisation's change management programme to ensure that business continuity matters are appropriately addressed.
Whether all relevant statutory, regulatory and contractual requirements were explicitly defined and documented for each information system.

Whether specific controls and individual responsibilities to meet these requirements were defined and documented.

Whether there exist any procedures to ensure compliance with legal restrictions on the use of material in respect of which there may be intellectual property rights, such as copyright, design rights and trade marks.

Whether the procedures are well implemented.

Whether proprietary software products are supplied under a licence agreement that limits the use of the products to specified machines.

The only exception might be for making one's own back-up copies of the software.

Whether important records of the organisation are protected from loss, destruction and falsification.

Whether there is a management structure and control in place to protect data and the privacy of personal information.

Whether use of information processing facilities for any non-business or unauthorised purpose, without management approval, is treated as improper use of the facility.

Whether at log-on a warning message is presented on the computer screen indicating that the system being entered is private and that unauthorised access is not permitted.

Whether cryptographic controls are used in accordance with the applicable sector and national regulations and agreements.
Whether the process involved in collecting evidence is in accordance with legal and industry best practice.

Whether all areas within the organisation are considered for regular review to ensure compliance with security policy, standards and procedures.

Whether information systems were regularly checked for compliance with security implementation standards.

Whether the technical compliance check is carried out by, or under the supervision of, competent, authorised persons.

Whether audit requirements and activities involving checks on operational systems are carefully planned and agreed to minimise the risk of disruption to business processes.

Whether access to system audit tools such as software or data files is protected to prevent any possible misuse or compromise.
