Self Assessment MASTER v7.0

Primary Security Domain
COBIT 4.0 Control Objective
ISO 27001/17799
ISO 20000/ITIL Reference
Question
Number
Question (Control Objective) Business Staff
Question
Number
I. Security Policy
PO6 Communicate Management Aims and Direction

PO4.14 Contracted Staff Policies and Procedures
3.1 Information Security Policy

6.6 Information Security Management
1
4.1 Information Security Infrastructure 6.6.1 General (See ISO Mapping for additional
details)
6.6.6 Controls c)
Are you and members of your department aware of information

security policies and have you been provided with any type of
awareness training or ongoing communications?
I. Security Policy

PO4.14 Contracted Staff Policies and Procedures
3.1 Information Security Policy

2
4.1 Information Security Infrastructure 6.6.1 General (See ISO Mapping for additional
details)
6.6.6 Controls c)
For policies that have been provided, are the supported and
enforced by your department's leadership?
I. Security Policy
M1 Monitor the Processes

1.1 Collecting Monitoring Data
1.2 Assessing Performance
1.3 Assessing Customer Satisfaction
1.4 Management Reporting
M2 Assess Control Adequacy
2.1 Internal Control Monitoring
12.2 Reviews of Security Policy and

Technical Compliance

3
6.6.1 General (See ISO Mapping for additional
details)
6.6.6 Controls (a,c,e)
Is there a process in place to review employee compliance with

organizational policies?
I. Security Policy



details)


4
details)
Has your department or employees ever requested an exception 4

from policy items?
I. Security Policy



4.1
details)
Are you familiar with the University's Risk Acceptance Process? 4.1
I. Security Policy
11.18 Protection of Disposed Sensitive Information,

11.26 Archiving
5.2.2 Information labeling and handling 6.6 Information Security Management

5
details)
Do policies and procedures exist for the handling of paper copy

documents?
I. Security Policy
11.27 Protection of Sensitive Messages
3 Security Policy
6.2.1 Information security education
and training

Are you aware of email and Internet acceptable usage policies?
II. Organizational Security
PO1 Define a Strategic IT Plan

PO4.11 IT Staffing
4.1 Information Security Infrastructure 4 Planning and Implementing Service

Management
Does your department collaborate with the IT department for

purposes of strategic planning?
4.2 Organizational Placement of the IT Function

4.4 Roles and Responsibilities
4.6 Responsibility for Logical and Physical Security
4.1 Information Security Infrastructure

6.11 Including Security in
Responsibilities
8.1 Operational procedures and
responsibilities
I. Security Policy
Fusion Alliance, Inc. , University of Cincinnati Confidential
3.1

8
details)
6.6.6 Controls (a,c,d)
11/22/2014
Are members of your department assigned responsibilities for 6

information security and if so do they have specific directives for
protecting critical information?
Page 1
ISO 27001/17799
Question
Number
PO7 Manage Human Resources

7.1 Personnel Recruitment and Promotion
7.2 Personnel Qualifications
7.5 Cross-training or Staff Backup
7.6 Personnel Clearance Procedures
6.1 Personnel Security
3.3.2 Professional Development a)

Recruitment
3.3 Competence, Awareness, and Training

7.5 Cross-training
or StaffServices
Backup
DS2
Manage Third-party
2.4 Third-party Qualifications
2.5 Outsourcing Contracts

details)
7.3 Supplier Management (See ISO 27001
mapping for additional details)
DS2 Manage Third-party Services

2.6 Continuity of Services
2.7 Security Relationships
7.3 Supplier Management

6.6.3 Security Risk Assessment Practices
DS5 Ensure Systems Security

5.13 Counterparty Trust
III. Asset Classification and

Control
PO2.3 Data Classification Scheme

PO4.7 Ownership and Custodianship
PO4.8 Data and System Ownership
4.3 Outsourcing
4.3.1 Security requirements in
outsourcing contracts
4.2, 4.3, 6.1, 6.3, 8.1, 8.7, 10.5
4.2.2 Security requirements in third
party contracts
4.3 Outsourcing
4.3.1
Security requirements
5.2
Information
Classificationin
6.62 Identifying and Classifying Information

Assets
11
Do you know which of the data items in your department need 13

protected? Do you have a way of identifying this data that is
different than the words and vocabulary you use to identify data
that does not need secured?

Control
PO2.3 Data Classification Scheme
5.2 Information Classification
6.62 Identifying and Classifying Information

Assets
12
Do you know which computer systems in your department are 14

used to process or store critical or private data? Are you aware of
any mechanism to document any such systems?

Control
3 Security Policy
7.2.5 Security of equipment offpremises
8.7.2 Security of media in transit
9.8.1 Mobile computing

13
details)
Have you worked with members of the IT department to map out 15

information flows into and out of the organization?

Control
PO8 Ensure Compliance with External Requirements

8.4 Privacy, Intellectual Property and Data Flow
3 Security Policy

13.1
details)
Have you worked with members of the IT department to map out 15.1
systems movement (such as mobile devices) into and out of the
organization?

Control

7.8 Job Change and Termination


14
details)
Do you have the ability to track information, mobile or storage

devices in the possession of employees and ensure safe return of
those items upon employee termination?

Control
DS9 Manage the Configuration

9.1 Configuration Recording
9.3 Status Accounting
9.4 Configuration Control
9.8 Software Accountability
10.4.1 Control of operational software 9.1 Configuration Management

10.5.2 Technical review of operating
9.1.4 Configuration Status Accounting and
system changes
Reporting
7.2 Equipment Security
IX. Access Control

5.3 Security of Online Access to Data
5.4 User Account Management
IX. Access Control

5.5 Management Review of User Accounts
5.21 Protection of Electronic Value
9.1 BUSINESS REQUIREMENT FOR

ACCESS CONTROL
9.1 Business Requirement for Access
Control
9.2 User Access Management
9.2.1 User registration
9.2.4 Review of user access rights
4.3 Outsourcing
4.3.1 Security requirements in
outsourcing contracts
Are background and reference checks performed and verified

during the recruiting hiring and processes?
Question
Number
10
10
Does your department include information security requirements 11

in contracts with third parties that handle or change sensitive data
or systems?
7 Relationship Process
7.3.2 Contract Management
12

15
6.6.7 Documents and Records d) control over
access to information, assets, and systems
16
6.6.7 Documents and Records d) control over
access to information, assets, and systems
11/22/2014
16
Do you provide IT with access requirements to information, data, 17

and applications in use by your department?
Is a new employee or terminated employee process in place to
add or remove employees access to key systems and data?
18
Page 2
ISO 27001/17799
Question
Number
IX. Access Control

5.2 Identification, Authentication and Access
5.6 User Control of User Accounts
9.2.3 User password management

17
details)
6.6.7 Documents and Records
d) control over access to information,
assets, and systems
Are you aware of requirements for the complexity or length of

your password?
IX. Access Control


18
details)
assets, and systems
Do you change you password often?
IX. Access Control

5.6 User
Control
of User
Accounts
DS5
Ensure
Systems
Security

19
details)
d)Information
control overSecurity
access Management
to information,
5.2.2 Information labeling and handling 6.6
20
details)
assets, and systems
IX. Access Control

Question
Number
Do you ever utilize a password or userID that is shared between

multiple employees?
Use accounts that have system administrator rights only in

special situations, such as when installing software or configuring
your system?
V. Physical and Environmental

Security
DS12 Manage Facilities

12.1 Physical Security
7.1 Secure Areas

7.2 Equipment Security

21
details)
VI. Equipment Security

6.3 Communication of Organization Policies
6.6 Compliance with Policies, Procedures and
Standards
6.11 Communication of IT Security Awareness
DS7 Educate and Train Users

22
details)
Do employees in your department understand requirements to

protect mobile devices that contain sensitive or critical data?
VII. General Controls
PO9 Assess Risks

9.1 Business Risk Assessment
9.3 Risk Identification
5.8 Data Classification
4.2.1 Identification of risks from third

party access
12.3 System Audit Considerations
12.3.1 System audit controls

6.6.4 Risks to Information Assets
Has your department worked with the IT or Information Security 21

department to identify risks to key systems and data for your
department?
PO9 Assess Risks

9.5 Risk Action Plan
AI1 Identify Automated Solutions
1.9 Cost-effective Security Controls
DS7Identify
Educate
and TrainSolutions
Users
AI1
Automated
1.1 Definition of Information Requirements
4.2.1 Identification of risks from third

party access
No direct mapping (See COBIT
mapping for additional details)

6.6.4 Risks to Information Assets
22

6.6.1 General (See COBIT Mapping for
additional details)
23
DS11 Manage Data

8.7.3 Electronic commerce security
11.1 Data Preparation Procedures
10.2 Security in Application Systems
11.2 Source Document Authorization Procedures
10.3 Cryptographic Controls
11.3 Source Document Data Collection
11.4 Source Document Error Handling
11.7 Accuracy, Completeness and Authorization Checks
11.8 Data Input Error Handling
11.9 Data Processing Integrity
11.10 Data Processing Validation and Editing
11.11 Data Processing Error Handling
11.14 Output Balancing and Reconciliation
11.15 Output Review and Error Handling
11.29 Electronic Transaction Integrity
9.1.3 Configuration Control

10.1.5 Design, Build and Configure Release
b) ensure the integrity is maintained during
build, installation, packaging, and delivery
11/22/2014
23
24
Is access controlled, monitored, and recorded to your work areas 19

or facilities?
Are automated or manual processes in place to ensure the

accuracy, validity, and non-repudiation of transactions in your
department?
20
24
Page 3

M3 Obtain Independent Assurance
No relevant mapping
3.3 Independent Effectiveness Evaluation of IT Services
3.4 Independent Effectiveness Evaluation of Third-party
Service Providers
3.5 Independent Assurance of Compliance with Laws
and Regulatory Requirements and Contractual
Commitments
3.6 Independent Assurance of Compliance with Laws
and Regulatory Requirements by Third-party Service
Providers
3.7 Competence of Independent Assurance Function
11.18 Protection of Disposed Sensitive Information
ISO 27001/17799
Question
Number
Question
Number

details)
25

details)
6.6.6 Controls
f) Expert help on risk assessment and control
implementation
26

25
details)

26
details)
6.6.5 Security and Availability of Information
a) disclosure of sensitive information to
unauthorized parties
6.6.6 Controls
f) Expert help on risk assessment and
control implementation
11.26 Archiving, 11.27 Protection of Sensitive Messages 8.7.4 Security of electronic mail
27
details)
Does your organization have a secure disposal process for

dispose of paper copy documents containing sensitive
information?
27
Have you ever had to disclose a loss or leak of sensitive

information to a student?
28
Do you know how long your email is retained?
11.26 Archiving, 11.27 Protection of Sensitive Messages 8.7.4 Security of electronic mail

28
details)
VIII. Communications &

Operations Management
PO9 Assess Risks

AI3-3.6 Acquire and Maintain Technology Infrastructure
PO11 Manage Quality
10 Systems Development and

Maintenance
8.1.5 Separation of development and
operational facilities

details)

AI4 Develop and Maintain Procedures

4.2 User Procedures Manual
4.3 Operations Manual
4.4 Training Materials
7.1 Identification of Training Needs
5.19 Malicious Software Prevention, Detection and
Correction
6.2 User Training
3.3 Competence, Awareness, and Training

3.3.1 General
3.3.2 Professional Development
29
Are information security related procedures integrated into work 30

procedures and are employees in your department provided any
security awareness training?
8.3 Protection against Malicious

Software

30
details)
Do your systems all have antivirus and antispyware software and 31

do employees ever disable or remove the software?

5.19 Malicious Software Prevention, Detection and
Correction
AI3 Acquire and Maintain Technology Infrastructure
3.1 Assessment of New Hardware and Software
DS8 Assist and Advise Customers
PO11 Manage Quality
11.9 Acquisition and Maintenance Framework for the
Technology Infrastructure
8.3 Protection against Malicious

Software

30.1
details)
If you answered yes to question 30, do employees ever disable or 31.1

remove the software?

X. Systems Development and
Maintenance
10.1 Security Requirements of

Systems
10.1.1 Security requirements analysis
and specification
11/22/2014
Do you archive email and if so, where do you store the archive?
29
32
Page 4

Maintenance
PO9 Assess Risks

11.9 Acquisition and Maintenance Framework for the
Technology Infrastructure

Maintenance
ISO 27001/17799
Question
Number
Question
Number
33
PO9 Assess Risks

PO11 Manage Quality
8.1.2 Operational change control

10.5.1 Change control procedures
10.1 Security Requirements of
Systems
10.1.1 Security requirements analysis
and specification
10 Systems Development and
Maintenance
details)

Maintenance
AI5 Install and Accredit Systems

5.7 Testing of Changes
5.11 Operational Test
5.12 Promotion to Production
8.2 System Planning and Acceptance 10 Release Process

8.1.5 Separation of development and 10.1.2 Release Policy c) authority of release
operational facilities
into acceptance test and production
environments
35

Maintenance

5.9 Final Acceptance Test
5.13 Evaluation of Meeting User Requirements
5.14 Managements Post-implementation Review
8.2.2 System acceptance
10 Release Process
10.1.2 Release Policy g) verification and
acceptance of release
32

Maintenance

AI6 Manage Changes
6.4 Emergency Changes

10.5 Security in Development and
Support Processes
system changes
10.5.3 Restrictions on changes to
software packages
10 Release Process
10.1.2 Release Policy c) authority of release
into acceptance test and production
environments g) verification and acceptance
of release
9.2 Change Management
33

Maintenance

AI6 Manage Changes

10.5 Security in Development and
Support Processes
system changes
10.5.3 Restrictions on changes to
software packages
9.2 Change Management

9.2.4 Change management reporting,
analysis, and actions
XI. Business Continuity
DS4 Ensure Continuous Service

4.2 IT Continuity Plan Strategy and Philosophy
4.4 Minimizing IT Continuity Requirements
4.10 Critical IT Resources
DS10 Manage Problems and Incidents
10.1 Problem Management System
10.2 Problem Escalation
12.6 Uninterruptible Power Supply
4.3 IT Continuity Plan Contents
4.9 User Department Alternative Processing Backup
Procedures
11 Business Continuity Management 6.3 Service Continuity and Availability

34
11.1.2 Business continuity and impact Management
analysis
6.3.4 Service Continuity Planning and Testing
34
11 Business Continuity Management

11.1.3 Writing and implementing
continuity plans
11.1.4 Business continuity planning
framework
6.3 Service Continuity and Availability

Management
11 Business Continuity Management

continuity plans

35
Management
6.3.3 Service Continuity Strategy a) maximum
acceptable period of lost service
36
Management
11.1 Aspects of Business Continuity

Management
continuity plans
11/22/2014
Does you department review and accept new technology system 36

functionality and is information security a component of the review
and acceptance process?
Do you review or test any changes to your systems and
applications prior to the IT department implementing those
changes?
37
38
Has your department worked with the IT or Information Security 39

department to identify the core systems, applications, and
information in order to determine the impact to the department in
the event of un-availability, loss, theft, or disclosure?
40
Does your department have requirements for timeframes to

recover each of the core systems, applications, or information
that affect the departments operations?
41
Are you aware of procedures or contact listings in the event of a 42

disaster involving your facility and IT systems?
Page 5
ISO 27001/17799
Question
Number
Question
Number

4.9 User Department Alternative Processing Backup
Procedures
4.6 Testing the IT Continuity Plan
4.12 Offsite Backup Storage
DS11 Manage Data
11.23 Backup and Restoration
11.24 Backup Jobs
11.25 Backup Storage
8.1 External Requirements Review
8.2 Practices and Procedures for Complying with
External Requirements
8.3 Safety and Ergonomic Compliance
8.5 Electronic Commerce
8.6 Compliance With Insurance Contracts
5.7 Security Surveillance
5.11 Incident Handling

Management
11.1.5 Testing, maintaining and reassessing business continuity plans
8.4 Housekeeping
8.4.1 Information back-up
Management

37
Management
Has your department been involved with any testing of disaster

plans?
43

38
Management
Do employees in your department have access to store files on

network folders that are backed up on a daily basis? If so, have
you been able to successfully restore data when required?
44
12.1 Compliance With Legal

Requirements
6.6.5 Security and Availability of Information
XII. Compliance

9.5 Unauthorized Software
XII. Compliance
DS11 Manage Data

11.5 Source Document Retention
11.19 Storage Management
11.20 Retention Periods and Storage Terms
11.26 Archiving
5.1.1 Inventory of assets

12.1 Compliance with Legal
Requirements
12.1.2 Intellectual property rights
8.6 Media Handling and Security
12 Compliance
12.1.3 Safeguarding of organizational
records
12.1.4 Data protection and privacy of
personal information
XII. Compliance
XII. Compliance
39
12.1 Compliance with Legal

6.6.6 Controls c) See ISO 27001 mapping for 40
Requirements
additional detail
9.7 Monitoring System Access and
Use
12.2.1 Compliance with security policy
12.2.2 Technical compliance checking
6.3 Responding to Security Incidents
and Malfunctions
9.1 Configuration Management

9.1.2 Configuration Identification e) licenses
9.1.4 Configuration Status Accounting and
Reporting
41
details)
11/22/2014
Are any regulatory requirements relevant to information your

45
department creates or stores? Examples of potential legal or
regulatory requirements are; PCI Compliance (Visa, MasterCard),
HIPAA (Healthcare), GLB (Insurance, Financial), software
licensing, intellectual property rights, contractual obligations, etc.
Does your department have the ability to monitor employee

behavior with regard to compliance to organizational policies
and/or identify illegal activities?
46
47
Are you aware of legal or organization policy or requirements to 48

retain data? (note: Examples could include financial, health, or
transaction history / information)
Page 6
Question (Control Objective) IT Staff
Has an information security policy framework been developed including who is

responsible for development, review, and approval of policies?
Has the policy framework been implemented resulting in creation of information

security policies that are supported in the highest levels of the organization?
Does internal staff regularly monitor security controls to measure performance

and adequacy?
If you answered yes to question 3, is effectiveness measured against security

policy, regulatory/contract compliance?
Is there a current process for defining and ongoing review of policy exceptions?
Are you familiar with the University's Risk Acceptance Process?
Is strategic IT planning performed to determine business requirements that

could have an impact on technologies, staffing, and information security
requirements?
Has a security organizational structure been created that defines information

security roles and responsibilities?
11/22/2014
Page 7
Are background and reference checks performed and verified during the
recruiting and hiring and processes?
Are security skill requirements reviewed and mapped to current security staff
capabilities and evaluated against organizational security requirements?
Are security skills redundant within staff members so that no critical security
functions are dependent on a single employee?
Are there specific criteria that a business partner or vendor must meet for
security requirements?
When partnering with a third party or contracting services, is a risk review

performed to determine risks such as handling sensitive data and sharing
proprietary information or intellectual property?
Are business associate agreements or similar contracts required for third party
partners that contain expected levels of security? Are those contracts typically
included and signed for all partner access to systems?
Has a data and/or asset classification scheme been developed and
implemented and does it map handling requirements to the classification levels?
Has an asset inventory system been implemented that includes asset criticality
and/or classification ratings?
Have information flows and systems moves into and out of systems and
facilities been identified? Is there a policy that defines this flow of data, systems,
and information?
Is there a policy that defines acceptable flow of data, systems, and information
between third parties?
Is there a document or system that contains hardware, software, application, or

operating system configurations for your department?
Are there defined procedures for granting access levels to staff and third parties
based on there job requirement to access the information?
Have employees been identified that add/remove user accounts and is account
creation/removal logged so that information can be audited or reviewed?
11/22/2014
Page 8
Are physical security controls implemented for key IT systems such as the data
center and has a third party assessed those controls for the level of
effectiveness?
Has a policy been defined and implemented that outlines security for mobile
devices such as laptops and PDA's, and mobile storage such as flash drives?
Have you worked with departments in the organization to assess risks to critical
data or systems and the resulting impact to the business should those risks be
realized?
Have high risk areas identified through risk assessment activities been
prioritized and a plan to prioritize the remediation of these risks been
developed?
Does automation of businesses processes through IT systems cause additional
risk to the security of information and have you worked to the identify automated
processes that might contain those risks?
Have integrity controls been implemented in systems that process transactions
to verify accuracy, validity, and non-repudiation?
11/22/2014
Page 9
Is regular security assessment and testing performed that includes things such
as penetration testing, vulnerability scanning, policy and configuration review?
Does your organization provision the services of a trusted advisor to assess

information security controls and provide guidance for areas of weakness or
vulnerability?
If you answered yes to question 17, do you prioritize patches and perform
testing to determine suitability to be implemented on production systems?
Are specific work procedures either documented or provided verbally? If so, is

security integrated into the procedures?
Do all systems in your department have current anti-virus software installed and
are definition files updated on a regular basis (preferably every day)?
If you answered yes to question 32, are definition files updated on a regular
basis (preferably every day)?
Is security an integrated component of the evaluation and selection of
Information Technology solutions?
11/22/2014
Page 10
Is a risk review performed prior to the implementation of new infrastructure

(routers, switches, servers, firewalls, etc)?
Is there a defined process for monitoring vendors for software patches or

vulnerabilities that impact the infrastructure systems in production?
Are changes to existing systems or new implementations performed in a test
environment separate from production systems?
Is acceptance testing a part of the pre-production testing process and does

acceptance include both key IT and Business personnel?
Is a formal or informal change management function practiced for changes to

systems? Does it include changes to configuration including patching and
functionality.
Is there a log or document that outlines all changes including who reviewed the
changes, testing performed, back out plans, acceptance/denial, and who
performed the changes?
Has a business impact analysis been performed with regard to identifying

critical or sensitive information?
If you answered yes to question 26, have provisions been made to ensure
critical information is available for mission critical business processes in the
event of a security incident?
Does your department have the ability to identify and resolve such incidents in a
timeframe consistent with business operational requirements?
Has your department developed business continuity or disaster recovery plans

that include maintaining or restoring basic IT resources during a disaster or
outage?
11/22/2014
Page 11
Are these plans tested on a recurring basis and updated as required depending
on the outcome of tests?
Has the IT staff collaborated with key business users to make sure that
business critical information is backed up and available offsite? If so, have
restore operations been tested successfully?
Does an employee responsible for information security review requirements for

regulatory compliance and legal obligations and collaborate with executive
leadership and legal counsel to determine which issues are relevant to the
organization? Examples include PCI Compliance (Visa, MasterCard), HIPAA (Healthcare), GLB
(Insurance, Financial), software licensing, intellectual property rights, contractual obligations, etc.
Have you deployed processes and/or automated alerts so that policy violations
and intrusive behavior can be identified? This includes things such as account
lockout alerts, intrusion detections systems, virus alerting, intellectual property
violations, etc.
Is there a software licensing inventory that provides the ability to effectively

review and manage for license compliance and is there an ongoing process to
review licenses?
Is there a policy and/or standard that defines data retention requirements?
11/22/2014
Page 12
Answer
Describe Existing Key Security
Yes/No/Somewhat/N
Controls Supporting This
ot Applicable
Question
Describe Key Weaknesses

Relative to This Question
Not
Applicable
Describe any Current Projects

Current Maturity Rating

(Please read FAQ for definitions)
0 - Non Existent
1 - Initial / Ad-Hoc
2 - Repeatable but Intuitive
I. Security Policy
1
I. Security Policy
I. Security Policy
I. Security Policy
I. Security Policy
I. Security Policy
I. Security Policy
I. Security Policy
11/22/2014
Page 13
Answer
Yes/No/Somewhat/N
ot Applicable
Question



0 - Non Existent

Control

Control
Control

Control

Control

Control
IX. Access Control
IX. Access Control
11/22/2014
Page 14
Answer
Yes/No/Somewhat/N
ot Applicable
Question



0 - Non Existent
IX. Access Control
IX. Access Control
IX. Access Control
IX. Access Control
V. Physical and Environmental

Security
11/22/2014
Page 15
Answer
Yes/No/Somewhat/N
ot Applicable
Question



0 - Non Existent



Maintenance
11/22/2014
Page 16
Answer
Yes/No/Somewhat/N
ot Applicable
Question



0 - Non Existent

Maintenance

Maintenance
Maintenance

Maintenance

Maintenance

Maintenance
11/22/2014
Page 17
Answer
Yes/No/Somewhat/N
ot Applicable
Question



0 - Non Existent
XII. Compliance
XII. Compliance
XII. Compliance
XII. Compliance
11/22/2014
Page 18
Security Control Maturity Rating

Information Security Domains
0 - Non Existent
I. Security Policy
III. Asset Classification and Control
IV. Personnel Security
V. Physical and Environmental Security
VIII. Communications & Operations Management
IX. Access Control
X. Systems Development and Maintenance
XII. Compliance
3 - Defined Process
4 - Managed and Measurable
5 - Optimized
0 - Non-existent
Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
1 - Initial
There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes;
instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 - Repeatable
Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or
communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and,
therefore, errors are likely.
3 - Defined
Procedures have been standardized and documented, and communicated through training. It is, however, left to the individual to follow these processes,
and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 - Managed
It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are
under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 - Optimized
Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is
used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt
.
PO1 Define a Strategic IT Plan

1.1 IT as Part of the Organizations Long and Short Range Plan
1.2 IT Long-range Plan
1.3 IT Long-range PlanningApproach and Structure
1.4 IT Long-range Plan Changes
1.5 Short-range Planning for the IT Function
1.6 Communication of IT Plans
1.7 Monitoring and Evaluating of IT Plans
1.8 Assessment of Existing Systems
PO2 Define the Information Architecture
2.1 Information Architecture Model
2.2 Corporate Data Dictionary and Data Syntax Rules
2.3 Data Classification Scheme
2.4 Security Levels
PO3 Determine Technological Direction
3.1 Technological Infrastructure Planning
3.2 Monitor Future Trends and Regulations
3.3 Technological Infrastructure Contingency
3.4 Hardware and Software Acquisition Plan
3.5 Technology Standards
PO4 Define the IT Organization and Relationships
4.1 IT Planning or Steering Committee
4.2 Organizational Placement of the IT Function
4.3 Review of Organizational Achievements
4.5 Responsibility for Quality Assurance
4.6 Responsibility for Logical and Physical Security
4.7 Ownership and Custodianship
4.8 Data and System Ownership
4.9 Supervision
4.10 Segregation of Duties
4.11 IT Staffing
4.12 Job or Position Descriptions for IT Staff
4.13 Key IT Personnel
4.14 Contracted Staff Policies and Procedures
4.15 Relationships
PO5 Manage the IT Investment
5.1 Annual IT Operating Budget
5.2 Cost and Benefit Monitoring
5.3 Cost and Benefit Justification
6.1 Positive Information Control Environment
6.2 Managements Responsibility for Policies
6.3 Communication of Organization Policies
6.4 Policy Implementation Resources
6.5 Maintenance of Policies
6.6 Compliance with Policies, Procedures and Standards
6.7 Quality Commitment
6.8 Security and Internal Control Framework Policy
6.9 Intellectual Property Rights
6.10 Issue-specific Policies
6.11 Communication of IT Security Awareness
7.4 Personnel Training
7.7 Employee Job Performance Evaluation
7.8 Job Change and Termination
8.1 External Requirements Review
8.2 Practices and Procedures for Complying with External Requirements
8.3 Safety and Ergonomic Compliance
8.5 Electronic Commerce
8.6 Compliance With Insurance Contracts
PO9 Assess Risks

9.2 Risk Assessment Approach
9.4 Risk Measurement
9.5 Risk Action Plan
9.6 Risk Acceptance
9.7 Safeguard Selection
9.8 Risk Assessment Commitment
PO10 Manage Projects
10.1 Project Management Framework
10.3 Project Team Membership and Responsibilities
10.4 Project Definition
10.5 Project Approval
10.6 Project Phase Approval
10.7 Project Master Plan
10.8 System Quality Assurance Plan
10.9 Planning of Assurance Methods
10.10 Formal Project Risk Management
10.11 Test Plan
10.12 Training Plan
10.13 Post-implementation Review Plan
PO11 Manage Quality
11.1 General Quality Plan
11.2 Quality Assurance Approach
11.3 Quality Assurance Planning
11.4 Quality Assurance Review of Adherence to IT Standards and Procedures
11.5 System Development Life Cycle Methodology
11.6 System Development Life Cycle Methodology for Major Changes to Existing Technology
11.7 Updating of the System Development Life Cycle Methodology
11.8 Coordination and Communication
11.9 Acquisition and Maintenance Framework for the Technology Infrastructure
11.10 Third-party Implementer Relationships
11.11 Program Documentation Standards
11.12 Program Testing Standards
11.13 System Testing Standards
11.14 Parallel/Pilot Testing
11.15 System Testing Documentation
11.16 Quality Assurance Evaluation of Adherence to Development Standards
11.17 Quality Assurance Review of the Achievement of IT Objectives
11.18 Quality Metrics
11.19 Reports of Quality Assurance Reviews
AI1 Identify Automated Solutions
1.1 Definition of Information Requirements
1.2 Formulation of Alternative Courses of Action
1.3 Formulation of Acquisition Strategy
1.4 Third-party Service Requirements
1.5 Technological Feasibility Study
1.6 Economic Feasibility Study
1.7 Information Architecture
1.8 Risk Analysis Report
1.9 Cost-effective Security Controls
1.10 Audit Trails Design
1.11 Ergonomics
1.12 Selection of System Software
1.13 Procurement Control
1.14 Software Product Acquisition
1.15 Third-party Software Maintenance
1.16 Contract Application Programming
1.17 Acceptance of Facilities
1.18 Acceptance of Technology
AI2 Acquire and Maintain Application Software
2.1 Design Methods
2.2 Major Changes to Existing Systems
2.3 Design Approval
2.4 File Requirements Definition and Documentation
2.5 Program Specifications
2.6 Source Data Collection Design
2.7 Input Requirements Definition and Documentation
2.8 Definition of Interfaces
2.9 User-machine Interface

2.10 Processing Requirements Definition and Documentation
2.11 Output Requirements Definition and Documentation
2.12 Controllability
2.13 Availability as a Key Design Factor
2.14 IT Integrity Provisions in Application Program Software
2.15 Application Software Testing
2.16 User Reference and Support Materials
2.17 Reassessment of System Design
AI3 Acquire and Maintain Technology Infrastructure
3.1 Assessment of New Hardware and Software
3.2 Preventive Maintenance for Hardware
3.3 System Software Security
3.4 System Software Installation
3.5 System Software Maintenance
3.6 System Software Change Controls
3.7 Use and Monitoring of System Utilities
AI4 Develop and Maintain Procedures
4.1 Operational Requirements and Service Levels
4.2 User Procedures Manual
4.3 Operations Manual
4.4 Training Materials
5.1 Training
5.2 Application Software Performance Sizing
5.3 Implementation Plan
5.4 System Conversion
5.5 Data Conversion
5.6 Testing Strategies and Plans
5.8 Parallel/Pilot Testing Criteria and Performance
5.9 Final Acceptance Test
5.10 Security Testing and Accreditation
5.11 Operational Test
5.12 Promotion to Production
5.13 Evaluation of Meeting User Requirements
5.14 Managements Post-implementation Review
AI6 Manage Changes
6.1 Change Request Initiation and Control
6.2 Impact Assessment
6.3 Control of Changes
6.5 Documentation and Procedures
6.6 Authorized Maintenance
6.7 Software Release Policy
6.8 Distribution of Software
DS1 Define and Manage Service Levels
1.1 Service Level Agreement Framework
1.2 Aspects of Service Level Agreements
1.3 Performance Procedures
1.4 Monitoring and Reporting
1.5 Review of Service Level Agreements and Contracts
1.6 Chargeable Items
1.7 Service Improvement Program
DS2 Manage Third-party Services
2.1 Supplier Interfaces
2.2 Owner Relationships
2.3 Third-party Contracts
2.4 Third-party Qualifications
2.5 Outsourcing Contracts
2.6 Continuity of Services
2.7 Security Relationships
2.8 Monitoring
DS3 Manage Performance Capacity
3.1 Availability and Performance Requirements
3.2 Availability Plan
3.3 Monitoring and Reporting
3.4 Modeling Tools
3.5 Proactive Performance Management
3.6 Workload Forecasting

3.7 Capacity Management of Resources
3.8 Resources Availability
3.9 Resources Schedule
4.1 IT Continuity Framework
4.5 Maintaining the IT Continuity Plan
4.6 Testing the IT Continuity Plan
4.7 IT Continuity Plan Training
4.8 IT Continuity Plan Distribution
4.9 User Department Alternative Processing Backup Procedures
4.11 Backup Site and Hardware
4.12 Offsite Backup Storage
4.13 Wrap-up Procedures
5.1 Manage Security Measures
5.3 Security of Online Access to Data
5.7 Security Surveillance
5.8 Data Classification
5.9 Central Identification and Access Rights
5.10 Management Violation and Security Activity Reports
5.11 Incident Handling
5.12 Reaccreditation
5.13 Counterparty Trust
5.14 Transaction Authorization
5.15 Nonrepudiation
5.16 Trusted Path
5.17 Protection of Security Functions
5.18 Cryptographic Key Management
5.19 Malicious Software Prevention, Detection and Correction
5.20 Firewall Architectures and Connections with Public Networks
5.21 Protection of Electronic Value
DS6 Identify and Allocate Costs
6.1 Chargeable Items
6.2 Costing Procedures
6.3 User Billing and Chargeback Procedures
7.1 Identification of Training Needs
7.2 Training Organization
7.3 Security Principles and Awareness Training
DS8 Assist and Advise Customers
8.1 Help Desk
8.2 Registration of Customer Queries
8.3 Customer Query Escalation
8.4 Monitoring of Clearance
8.5 Trend Analysis and Reporting
9.1 Configuration Recording
9.2 Configuration Baseline
9.3 Status Accounting
9.4 Configuration Control
9.5 Unauthorized Software
9.6 Software Storage
9.7 Configuration Management Procedures
10.3 Problem Tracking and Audit Trail
10.4 Emergency and Temporary Access Authorization
10.5 Emergency Processing Priorities
DS11 Manage Data

11.1 Data Preparation Procedures
11.2 Source Document Authorization Procedures
11.3 Source Document Data Collection
11.4 Source Document Error Handling
11.5 Source Document Retention
11.6 Data Input Authorization Procedures
11.7 Accuracy, Completeness and Authorization Checks
11.8 Data Input Error Handling
11.9 Data Processing Integrity
11.10 Data Processing Validation and Editing
11.11 Data Processing Error Handling
11.12 Output Handling and Retention
11.13 Output Distribution
11.14 Output Balancing and Reconciliation
11.15 Output Review and Error Handling
11.16 Security Provision for Output Reports
11.17 Protection of Sensitive Information During Transmission and Transport
11.19 Storage Management
11.20 Retention Periods and Storage Terms
11.21 Media Library Management System
11.22 Media Library Management Responsibilities
11.23 Backup and Restoration
11.24 Backup Jobs
11.25 Backup Storage
11.26 Archiving
11.28 Authentication and Integrity
11.29 Electronic Transaction Integrity
11.30 Continued Integrity of Stored Data
12.1 Physical Security
12.2 Low Profile of the IT Site
12.3 Visitor Escort
12.4 Personnel Health and Safety
12.5 Protection Against Environmental Factors
DS13 Manage Operations
13.1 Processing Operations Procedures and Instructions Manual
13.2 Start-up Process and Other Operations Documentation
13.3 Job Scheduling
13.4 Departures from Standard Job Schedules
13.5 Processing Continuity
13.6 Operations Logs
13.7 Safeguard Special Forms and Output Devices
13.8 Remote Operations
2.2 Timely Operation of Internal Controls
2.3 Internal Control Level Reporting
2.4 Operational Security and Internal Control Assurance
M3 Obtain Independent Assurance
3.1 Independent Security and Internal Control Certification/Accreditation of IT Services
3.2 Independent Security and Internal Control Certification/Accreditation of Third-party Service Providers
3.3 Independent Effectiveness Evaluation of IT Services
3.4 Independent Effectiveness Evaluation of Third-party Service Providers
3.5 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments
3.6 Independent Assurance of Compliance with Laws and Regulatory Requirements by Third-party Service Providers
3.7 Competence of Independent Assurance Function
3.8 Proactive Audit Involvement
M4 Provide for Independent Audit
4.1 Audit Charter
4.2 Independence
4.3 Professional Ethics and Standards

4.4 Competence
4.5 Planning
4.6 Performance of Audit Work
4.7 Reporting
4.8 Follow-up Activities
3 SECURITY POLICY
3.1 INFORMATION SECURITY POLICY
3.1.1 Information security policy document
3.1.2 Review and evaluation
4 ORGANIZATIONAL SECURITY
4.1 INFORMATION SECURITY INFRASTRUCTURE
4.1.1 Management information security forum
4.1.2 Information security co-ordination
4.1.3 Allocation of information security responsibilities
4.1.4 Authorization process for information processing facilities
4.1.5 Specialist information security advice
4.1.6 Co-operation between organizations
4.1.7 Independent review of information security
4.2 SECURITY OF THIRD PARTY ACCESS
4.2.1 Identification of risks from third party access
4.2.2 Security requirements in third party contracts
4.3 OUTSOURCING
4.3.1 Security requirements in outsourcing contracts
5 ASSET CLASSIFICATION AND CONTROL
5.1 ACCOUNTABILITY FOR ASSETS
5.1.1 Inventory of assets
5.2 INFORMATION CLASSIFICATION
5.2.1 Classification guidelines
5.2.2 Information labelling and handling
6 PERSONNEL SECURITY
6.1 SECURITY IN JOB DEFINITION AND RESOURCING
6.1.1 Including security in job responsibilities
6.1.2 Personnel screening and policy
6.1.3 Confidentiality agreements
6.1.4 Terms and conditions of employment
6.2 USER TRAINING
6.2.1 Information security education and training
6.3 RESPONDING TO SECURITY INCIDENTS AND MALFUNCTIONS
6.3.1 Reporting security incidents
6.3.2 Reporting security weaknesses
6.3.3 Reporting software malfunctions
6.3.4 Learning from incidents
6.3.5 Disciplinary process
7 PHYSICAL AND ENVIRONMENTAL SECURITY
7.1 SECURE AREAS
7.1.1 Physical security perimeter
7.1.2 Physical entry controls
7.1.3 Securing offices, rooms and facilities
7.1.4 Working in secure areas
7.1.5 Isolated delivery and loading areas
7.2 EQUIPMENT SECURITY
7.2.1 Equipment siting and protection
7.2.2 Power supplies
7.2.3 Cabling security
7.2.4 Equipment maintenance
7.2.5 Security of equipment off-premises
7.2.6 Secure disposal or re-use of equipment
7.3 GENERAL CONTROLS

7.3.1 Clear desk and clear screen policy
7.3.2 Removal of property
8 COMMUNICATIONS AND OPERATIONS MANAGEMENT
8.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES
8.1.1 Documented operating procedures
8.1.3 Incident management procedures
8.1.4 Segregation of duties
8.1.5 Separation of development and operational facilities
8.1.6 External facilities management
8.2 SYSTEM PLANNING AND ACCEPTANCE
8.2.1 Capacity planning
8.2.2 System acceptance
8.3 PROTECTION AGAINST MALICIOUS SOFTWARE
8.3.1 Controls against malicious software
8.4 HOUSEKEEPING
8.4.1 Information back-up
8.4.2 Operator logs
8.4.3 Fault logging
8.5 NETWORK MANAGEMENT
8.5.1 Network controls
8.6 MEDIA HANDLING AND SECURITY
8.6.1 Management of removable computer media
8.6.2 Disposal of media
8.6.3 Information handling procedures
8.6.4 Security of system documentation
8.7 EXCHANGES OF INFORMAT ION AND SOFTWARE
8.7.1 Information and software exchange agreements
8.7.3 Electronic commerce security
8.7.4 Security of electronic mail
8.7.5 Security of electronic office systems
8.7.6 Publicly available systems
8.7.7 Other forms of information exchange
9 ACCESS CONTROL
9.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL
9.1.1 Access control policy
9.2 USER ACCESS MANAGEMENT
9.2.1 User registration
9.2.2 Privilege management
9.2.4 Review of user access rights
9.3 USER RESPONSIBILITIES
9.3.1 Password use
9.3.2 Unattended user equipment
9.4 NETWORK ACCESS CONTROL
9.4.1 Policy on use of network services
9.4.2 Enforced path
9.4.3 User authentication for external connections
9.4.4 Node authentication
9.4.5 Remote diagnostic port protection
9.4.6 Segregation in networks

9.4.7 Network connection control
9.4.8 Network routing control
9.4.9 Security of network services
9.5 OPERATING SYSTEM ACCE SS CONTROL
9.5.1 Automatic terminal identification
9.5.2 Terminal log-on procedures
9.5.3 User identification and authentication
9.5.4 Password management system
9.5.5 Use of system utilities
9.5.6 Duress alarm to safeguard users
9.5.7 Terminal time-out
9.5.8 Limitation of connection time
9.6 APPLICATION ACCESS CONTROL
9.6.1 Information access restriction
9.6.2 Sensitive system isolation
9.7 MONITORING SYSTEM ACCESS AND USE
9.7.1 Event logging
9.7.2 Monitoring system use
9.7.3 Clock synchronization
9.8 MOBILE COMPUTING AND TELEWORKING
9.8.2 Teleworking
10 SYSTEMS DEVELOPMENT AND MAINTENANCE
10.1 SECURITY REQUIREMENTS OF SYSTEMS
10.1.1 Security requirements analysis and specification
10.2 SECURITY IN APPLICATION SYSTEMS
10.2.1 Input data validation
10.2.2 Control of internal processing
10.2.3 Message authentication
10.2.4 Output data validation
10.3 CRYPTOGRAPHIC CONTROLS
10.3.1 Policy on the use of cryptographic controls
10.3.2 Encryption
10.3.3 Digital signatures
10.3.4 Non-repudiation services
10.3.5 Key management
10.4 SECURITY OF SYSTEM FILES
10.4.1 Control of operational software
10.4.2 Protection of system test data
10.4.3 Access control to program source library
10.5 SECURITY IN DEVELOPMENT AND SUPPORT PROCE SSES
10.5.2 Technical review of operating system changes
10.5.3 Restrictions on changes to software packages
10.5.4 Covert channels and Trojan code
10.5.5 Outsourced software development
11 BUSINESS CONTINUITY MANAGEMENT
11.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
11.1.1 Business continuity management process
11.1.2 Business continuity and impact analysis
11.1.3 Writing and implementing continuity plans
11.1.4 Business continuity planning framework

11.1.5 Testing, maintaining and re-assessing business continuity plans
12 COMPLIANCE
12.1 COMPLIANCE WITH LEGAL REQUIREMENTS
12.1.1 Identification of applicable legislation
12.1.2 Intellectual property rights (IPR)
12.1.3 Safeguarding of organizational records
12.1.4 Data protection and privacy of personal information
12.1.5 Prevention of misuse of information processing facilities
12.1.6 Regulation of cryptographic controls
12.1.7 Collection of evidence
12.2 REVIEWS OF SECURITY P OLICY AND TECHNICAL COMPLIANCE
12.2.1 Compliance with security policy
12.2.2 Technical compliance checking
12.3 SYSTEM AUDIT CONSIDERATIONS
12.3.2 Protection of system audit tools
3 The management system

3.1 Management and Responsibility
3.2 Documentation requirements
3.3 Competence, awareness and training
3.3.1 General
3.3.2 Professional development
3.3.3 Approaches to be considered
4 Planning and implementing service management
4.1 Plan service management (Plan)
4.1.1 Scope of service Management
4.1.2 Planning approaches
4.1.3 Events to be considered
4.1.4 Scope and contents of the plan
4.2 Implement service management and provide the services
4.3 Monitoring, measuring and reviewing (Check)
4.4 COntinual improvement (Act)
4.4.1 Policy
4.4.2 Planning for service improvements
5 Planning and implementing new or changed services
5.1 Topics for consideration
5.2 Change records
6 Service delivery process
6.1 Service level management
6.1.1 Service catalogue
6.1.2 Service level agreements (SLAs)
6.1.3 Service level management (SLM) process
6.1.4 Supporting service agreements
6.2 Service reporting
6.2.1 Policy
6.2.2 Purpose and quality checks on service reports
6.2.3 Service reports
6.3 Service continuity and availability management
6.3.1 General
6.3.2 Availability monitoring and activities
6.3.3 Service continuity strategy
6.3.4 Service continuity planning and testing
6.4 Budgeting and accounting for IT services
6.4.1 General
6.4.2 Policy
6.4.3 Budgeting
6.4.4 Accounting
6.5 Capacity management
6.6 Information security management
6.6.1 General
6.6.2 Identifying and classifying information assets
6.6.3 Seruciry risk assessment practices
6.6.4 Risks to information assets
6.6.5 Security and availability of information
6.6.6 Controls
6.6.7 Documents and records
7 Relationship processes
7.1 General
7.2 Business relationship management

7.2.1 Service reviews
7.2.2 Service complaints
7.2.3 Customer satisfaction measurement
7.3 Supplier management
7.3.1 Introduction
7.3.2 Contract management
7.3.3 Service definition
7.3.4 Manageing multiple suppliers
7.3.5 Contractual disputes management
7.3.6 Contract end
8 Resolution processes
8.1 Background
8.1.1 Setting priorities
8.1.2 Workarounds
8.2 Incident management
8.2.1 General
8.2.2 Major incidents
8.3 Problem management
8.3.1 Scope of problem management
8.3.2 Initiation of problem management
8.3.3 Known errors
8.3.4 Problem resolution management
8.3.5 Communication
8.3.6 Tracking and escalation
8.3.7 Incident and problem record closure
8.3.8 Problem reviews
8.3.9 Topics for reviews
8.3.10 Problem prevention
9 Control processes
9.1 Configuratin management
9.1.1 Configuration management planning and implementation
9.1.2 Configuration identification
9.1.3 Configuration control
9.1.4 Configuration status accounting and reporting
9.1.5 Configuration verification and audit
9.2 Change management
9.2.1 Planning and implementation
9.2.2 Closing and reviewing the change request
9.2.3 Emergency changes
9.2.4 Change management reporting, analysis and actions
10 Release process
10.1 Release management process
10.1.1 General
10.1.2 Release policy
10.1.3 Release and roll-out planning
10.1.4 Developing or acquiring software
10.1.5 Design, uild and configure release
10.1.6 Release verification and acceptance
10.1.7 Documentation
10.1.8 Roll-out, distribution and installation
10.1.9 Post release and roll-out

Self Assessment MASTER v7.0

Enviado por

Dados do documento

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Self Assessment MASTER v7.0

Enviado por

Direitos autorais:

Formatos disponíveis

Primary Security Domain

COBIT 4.0 Control Objective

ISO 20000/ITIL Reference

Question (Control Objective) Business Staff

PO6 Communicate Management Aims and Direction

3.1 Information Security Policy

Are you and members of your department aware of information

PO6 Communicate Management Aims and Direction

3.1 Information Security Policy

M1 Monitor the Processes

12.2 Reviews of Security Policy and

6.6 Information Security Management

Is there a process in place to review employee compliance with

M1 Monitor the Processes

12.2 Reviews of Security Policy and

6.6 Information Security Management

12.2 Reviews of Security Policy and

6.6 Information Security Management

Has your department or employees ever requested an exception 4

M1 Monitor the Processes

12.2 Reviews of Security Policy and

6.6 Information Security Management

11.18 Protection of Disposed Sensitive Information,

5.2.2 Information labeling and handling 6.6 Information Security Management

Do policies and procedures exist for the handling of paper copy

11.27 Protection of Sensitive Messages

6.6 Information Security Management

Are you aware of email and Internet acceptable usage policies?

II. Organizational Security

PO1 Define a Strategic IT Plan

4.1 Information Security Infrastructure 4 Planning and Implementing Service

Does your department collaborate with the IT department for

II. Organizational Security

4.2 Organizational Placement of the IT Function

4.1 Information Security Infrastructure

Fusion Alliance, Inc. , University of Cincinnati Confidential

6.6 Information Security Management

Are members of your department assigned responsibilities for 6

Primary Security Domain

II. Organizational Security

COBIT 4.0 Control Objective

ISO 20000/ITIL Reference

Question (Control Objective) Business Staff

PO7 Manage Human Resources

6.1 Personnel Security

3.3.2 Professional Development a)

6.1 Personnel Security

3.3 Competence, Awareness, and Training

PO7 Manage Human Resources

6.1 Personnel Security

6.6 Information Security Management

II. Organizational Security

DS2 Manage Third-party Services

7.3 Supplier Management

II. Organizational Security

DS5 Ensure Systems Security

III. Asset Classification and

PO2.3 Data Classification Scheme

6.62 Identifying and Classifying Information

Do you know which of the data items in your department need 13

III. Asset Classification and

PO2.3 Data Classification Scheme

5.2 Information Classification

6.62 Identifying and Classifying Information