5.1.2 Review of the information security policy
6.1.1 Information security roles and responsibilities
6.2.2 Teleworking
7.1.1 Screening
7.2.2 Information security awareness, education and training
7.3.1 Termination or change of employment responsibilities
8 Asset management
8.1 Responsibility for assets
8.2.1 Classification of information
8.2.2 Labelling of information
8.3.1 Management of removable media
9 Access control
9.1 Business requirements of access control
9.2.3 Management of privileged access rights
9.2.4 Management of secret authentication information of users
9.3.1 Use of secret authentication information
10 Cryptography
10.1 Cryptographic controls
11.1.4 Protecting against external and environmental threats
11.2 Equipment
11.2.6 Security of equipment and assets off-premises
12 Operations security
12.1 Operational procedures and responsibilities
12.1.4 Separation of development, testing and operational environments
12.2 Protection from malware
12.3 Backup
12.6.1 Management of technical vulnerabilities
12.6.2 Restrictions on software installation
13 Communications security
13.1 Network security management
13.1.3 Segregation in networks
13.2.1 Information transfer policies and procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
14.1.1 Information security requirements analysis and specification
14.1.2 Securing application services on public networks
14.2.3 Technical review of applications after operating platform changes
14.2.4 Restrictions on changes to software packages
14.2.7 Outsourced development
15 Supplier relationships
15.1 Information security in supplier relationships
15.1.1 Information security policy for supplier relationships
15.1.2 Addressing security within supplier agreements
15.1.3 Information and communication technology supply chain
15.2 Supplier service delivery management
16.1.4 Assessment of and decision on information security events
16.1.5 Response to information security incidents
16.1.6 Learning from incidents
17.1.2 Implementing information security continuity
17.2 Redundancies
17.2.1 Availability of information processing facilities
18 Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 Identification of applicable legislation and contractual requirements
18.1.5 Regulation of cryptographic controls
Information Security Policies
Management direction for information security

Whether the organisation has comprehensive policies for information security that are approved by management, published and communicated to all employees and relevant external parties. [Assets: Organization; ISMS policies]

Whether the Security Policy has an owner defining responsibility for its maintenance and review according to a defined review process. Whether the process ensures that a review of supporting procedures and processes is undertaken if the policy changes. [Assets: Organization; ISMS policies]
Organization of Information Security
Internal organisation

Whether responsibility for the information security of information and IT assets has been assigned to individuals and acknowledged. [Assets: People]

Whether there are policies or procedures in place that specify when and by whom authorities should be contacted. [Assets: Services; Emergency, H&S, Utilities, telecom]

Whether contacts with special interest groups or other specialist security forums and professional associations are maintained. [Assets: Organization]

Whether a formal policy is adopted to manage the risks introduced by using mobile devices. [Assets: Hardware; Mobile devices]

Whether there is any policy, procedure and/or standard to control teleworking activities; this should be consistent with the organisation's security policy. Whether the teleworking site is protected from theft and unauthorised access. [Assets: Services; Branches]
Human resources security
Prior to employment

Whether verification checks on permanent staff were carried out at the time of job application. This should include character references, confirmation of claimed academic and professional qualifications and independent identity checks. [Assets: People]

Whether the terms and conditions of employment cover the employee's responsibility for information security. [Assets: People]

During employment

Whether managers are aware of their responsibilities with regard to ensuring that established policies and procedures are applied by external parties, contractors and employees. [Assets: Organization; Management]

Whether employees, third parties and contractors receive appropriate awareness training and regular updates in organisational policies and procedures as relevant for their job function. [Assets: People; Employees]

Whether a formal and communicated disciplinary process is implemented to handle employees who have committed a security breach. [Assets: People; Employees]
Asset management
Responsibility for assets

Whether an inventory or register is maintained for assets associated with each information system. [Assets: Hardware, Software, People, Network, Services, Organization]

Whether a procedure exists to assign asset ownership at the time the asset is created or when assets are transferred to the organisation. [Assets: Hardware, Software, People, Network, Services, Organization]

Whether rules for acceptable use of information and assets associated with information processing are documented and implemented. [Assets: People; Employees]

Whether procedures have been implemented to ensure that organisational assets are returned as part of the termination process. [Assets: Organization; Hardware, Software, People, Network]

Information classification

Whether there is an information classification scheme or guideline in place which will assist in determining how the information is to be handled and protected. [Assets: Hardware, Software, People, Network, Services, Organization]

Whether an appropriate set of procedures is defined for information labelling and handling in accordance with the classification scheme adopted by the organisation. [Assets: Information; Paper]

Whether procedures for handling assets have been established and implemented in accordance with the information classification scheme adopted by the organisation. [Assets: Hardware, Software, People, Network, Services, Organization]
Media handling

Whether there exists a procedure for the management of removable media in all its forms, particularly the use of devices that plug into a USB port. This includes backup media and CDs, DVDs and portable hard drives. [Assets: Hardware; Removable media]

Whether media that is no longer required is disposed of securely and safely. Whether the disposal of sensitive items is logged where necessary in order to maintain an audit trail. [Assets: Media; Confidential media]

Whether the security of media while being transported is taken into account. Whether the media is well protected from unauthorised access, misuse or corruption. [Assets: Media containing information; Backup media in transit]
Access control
Business requirements of access control

Whether asset owners have determined appropriate access control rules, access rights and restrictions for specific user roles. The strictness of the access rules must reflect the associated information security risks. [Assets: Organization]

Whether users are only able to gain access to the network (e.g. specific shares, menus etc.) or network services that they have been specifically authorised to use. [Assets: Network; Network services]

User access management

Whether the organisation has a formal registration and de-registration procedure and documents where shared user IDs have been approved. [Assets: Organization]

Whether there is a documented procedure for approving and setting up user access in accordance with access control policies. This should be based on job role requirements. [Assets: Organization]

Whether the allocation and use of any privileges in a multi-user information system environment is restricted and controlled, e.g. privileges are allocated on a need-to-use basis and only after a formal authorisation process. [Assets: Organization]

Whether there exists a process to review user access rights at regular intervals, e.g. special privilege review every 3 months, normal privileges every 6 months. [Assets: Organization]

Whether procedures are clearly established for removing access rights upon termination and adjusting access rights upon change of employment. [Assets: Organization]

User responsibilities

Whether there are any guidelines in place to guide users in selecting and maintaining secure passwords. [Assets: Organization]

Whether access to information held in shares or applications is restricted based on need-to-know principles and documented in an access control statement. [Assets: Network services; Shares]

Whether access to information systems is attainable only via a secure log-on process. [Assets: Network services]

Whether there exists a password management system that enforces various password controls, such as individual passwords for accountability, enforced password changes, storing passwords in encrypted form, not displaying passwords on screen etc. [Assets: Network services]

Whether the utility programs that come with computer installations, but may override system and application controls, are tightly controlled. [Assets: Network services; Software]
Cryptography
Cryptographic controls

Whether there is a policy in place for the use of cryptographic controls for the protection of confidential or sensitive information. [Assets: Network services; Information]
What physical security facilities have been implemented to protect the information processing service. Some examples of such security facilities are card-controlled entry gates, walls, manned reception etc. [Assets: Offices, Building perimeter, Datacenter]

What entry controls are in place to allow only authorised personnel into various areas within the organisation. [Assets: Employees, contractors and external parties]

Whether adequate physical security has been implemented based on the criticality and sensitivity of the information and the processing facility. [Assets: Offices, rooms and facilities; Offices, Building perimeter, Datacenter]

Whether the organisation has considered the implementation of physical protection mechanisms against natural disasters, malicious attack or accident. [Assets: Offices, Building perimeter, Datacenter]

Whether there exist any security controls for third parties or for personnel working in secure areas. [Assets: Archives; Secure areas]

Whether the delivery and loading areas are isolated and secure to prevent unauthorised access to information processing facilities. [Assets: Delivery and loading areas]

Whether the equipment was located to minimise unnecessary access into work areas. Whether the items requiring special protection were isolated to reduce the general level of protection required, including those relating to environmental threats. [Assets: Hardware; Datacenter]

Whether the equipment is protected from power failures and other disruptions by using the likes of multiple feeds, uninterruptible power supply (UPS), backup generator and other supporting utilities. [Assets: Hardware; Datacenter]

Whether the power and telecommunications cables are protected from interception, interference or damage. Whether there are any additional security controls in place for sensitive or critical information systems. [Assets: Cables; Network]

Whether the equipment is maintained as per the supplier's recommended service intervals and specifications. Whether the maintenance is carried out only by authorised personnel. Whether fault and maintenance logs are maintained. [Assets: Hardware]

Whether equipment or media is verified to ensure that any sensitive information, data or software is removed prior to disposal or re-use. [Assets: Hardware; Storage media]

Whether the users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection. Example: log off when the session is finished, or set up automatic log-off. [Assets: Hardware; Software]

Whether automatic computer screen locking and password-protected screen savers are enabled. Whether employees are advised to leave any confidential material in the form of paper documents, media etc. in a locked drawer or cupboard out of sight. [Assets: Organization; Removable storage]
Operations security
Operational procedures and responsibilities

Whether change management controls have been implemented to ensure satisfactory control of all changes. [Assets: Organization; Business processes]

Whether the use of resources is monitored, tuned and projections made of future capacity requirements to ensure systems continue to perform at optimum levels. [Assets: Organization; Staff]

Whether the development and testing facilities are isolated from operational facilities, e.g. development software should run on a different computer from the one running production software, and development and production networks should be separate. [Assets: Dev, Test, Operation environments]

Protection from malware

Whether adequate detection, prevention and recovery controls to protect against malware are implemented and combined with a high level of user awareness. [Assets: Desktops; Servers]

Whether backups of essential business information, e.g. production servers, critical network components, configuration etc., are taken regularly. Whether the backup media along with the restore procedure are stored securely and well protected. [Assets: Information; Software]

Logging and monitoring

Whether systems are configured for recording user activities, exceptions, faults and information security events. [Assets: Organization; Software]

Whether log information and audit trails are adequately protected by security controls to prevent tampering. [Assets: Organization; Audit logs]

Whether system administrator and system operator activities are logged and the logs protected and regularly reviewed. [Assets: Organization; Software]

Whether the computer or communication device has the capability of operating a real-time clock; if so, it should be set to an agreed standard such as Universal coordinated time or local standard time. [Assets: Organization; Software]

Control of operational software

Whether there are any controls in place for the implementation of software on operational systems. This is to minimise the risk of corruption of operational systems. [Assets: Application software]

Technical vulnerability management

Whether rules governing the installation of software by users have been established and implemented. [Assets: Hardware; Software]

Whether audit requirements and activities involving the verification of operational systems are carefully planned and carried out with minimal impact on business processes. [Assets: Operational systems]
Communications security
Network security management

Whether there are controls implemented to ensure the security of information in networks and the protection of connected services from unauthorised access. [Assets: Network]

Whether security requirements to enable a service provider to manage agreed services in a secure way have been determined and are regularly audited and monitored. [Assets: Network; Network services]

Information transfer

Whether there are procedures and controls in place to protect the transfer of information, and whether staff are reminded to maintain the confidentiality of sensitive information while using technology such as email, phones, fax and voicemail. [Assets: Information; Email]

Whether agreements address the secure transfer of business information between the organisation and external parties. [Assets: Organization; External parties]

Whether there is a policy in place for the acceptable use of email, instant messaging and other electronic communications. [Assets: Information; Email]

Whether the requirements for confidentiality or non-disclosure are identified, reviewed, documented and reflect the organisation's needs for the protection of information. [Assets: Organization]

Whether information security related requirements are included in the requirements for new information systems or enhancements to existing information systems. [Assets: Information systems; Software]

Whether information involved in application services passing over a public network is well protected from fraudulent activity, contract dispute and disclosure or modification of information. [Assets: Information systems; Software]

Whether application service transactions are adequately protected to prevent incomplete transmission, misrouting, message alteration, unauthorised disclosure etc. [Assets: Information systems; Application information]

Whether security has been integrated in all phases of software development and documented in a secure development policy. [Assets: Software; Application]

Whether there is evidence that major system changes are controlled by the use of formal change control procedures. [Assets: Software; Application]

Whether there is a process or procedure in place to ensure application systems are reviewed and tested after changes to the operating system. [Assets: Software; Application]

Whether there are any restrictions in place to limit changes to software packages. Vendor-supplied software modifications should be made through standard maintenance; changes to software developed in-house are subject to change control procedures. [Assets: Software; Application]

Whether principles and procedures for engineering secure systems have been established, documented, maintained and applied to any information system implementation efforts. [Assets: Software; Application]

Whether the organisation has appropriately assessed the risks associated with individual system development and integration efforts that cover the entire system development lifecycle. [Assets: Software; Application]

Whether there are controls in place over outsourced software. The points to be noted include licensing arrangements, escrow arrangements, contractual requirements for quality assurance, and testing before installation to detect malware. [Assets: Software; Application]

Whether system test data is protected and controlled. The use of operational databases containing personal information should be avoided for test purposes. If such information is used, the data should be depersonalised before use.
Supplier relationships
Information security in supplier relationships

Whether there is a policy for addressing supplier access to the organisation's information based on the organisation's access control criteria. [Assets: Organization; Suppliers]

Whether the requirements for security have been established and agreed with individual suppliers that may access, process, store, communicate or provide IT infrastructure components for the organisation's information. [Assets: Organization; Suppliers]

Whether there are procedures in place to ensure the audit and monitoring of supplier service delivery, and evidence that monitoring has taken place. [Assets: Organization; Suppliers]

Whether there are management procedures for authorising and implementing changes to supplier services, including whether information security policies, procedures and controls are managed in accordance with its classification. [Assets: Organization; Suppliers]

Whether management responsibilities and procedures have been established to ensure a quick, effective and orderly response to information security incidents. [Assets: Organization]

Whether a formal reporting procedure exists to report security incidents through appropriate management channels as quickly as possible. [Assets: Organization]

Whether a formal reporting procedure or guideline exists for users to report security weaknesses in, or threats to, systems or services. [Assets: Organization]

Whether there is a procedure for assessing information security problems and issues and classifying them as information security incidents. [Assets: Organization]

Whether there are documented procedures in place for responding to an information security incident. [Assets: Organization]

Whether there are mechanisms in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored. [Assets: Organization]

Whether procedures for the identification, collection, acquisition and preservation of information which can serve as evidence are documented and known by staff. [Assets: Organization]

Whether the organisation has determined its requirements for information security and the continuity of information security management in adverse situations, in accordance with ISO 22301 and ISO 22313. [Assets: Organization]

Whether the organisation has documented processes, procedures and controls that are regularly maintained and implemented to ensure an appropriate level of business continuity during an adverse situation. [Assets: Organization]

Whether information security continuity controls are reviewed at regular intervals to ensure that they are valid and effective during adverse situations. [Assets: Organization]
Redundancies

Whether consideration has been given to the resilience of information systems and, where availability cannot be guaranteed using the existing systems architecture, to redundant components or architecture to guarantee business continuity. [Assets: Organization; Information systems]

Compliance
Compliance with legal and contractual requirements

Whether all relevant statutory, regulatory and contractual requirements were explicitly defined and documented for each information system. Whether specific controls and individual responsibilities to meet these requirements were defined and documented. [Assets: Organization]

Whether there are procedures to ensure compliance with legal restrictions on the use of material in respect of which there may be intellectual property rights, such as copyright, design rights and trade marks. [Assets: Software or document copyright, design rights, trademarks]

Whether important records of the organisation are protected from loss, destruction, falsification, unauthorised access and unauthorised release. [Assets: Organization; Information]

Whether there is a policy and appropriate procedures and controls in place to protect the privacy of personal information in accordance with legislation and regulation. [Assets: Information]

Whether effective regulation of cryptographic controls is demonstrated in accordance with relevant agreements, legislation and regulations. [Assets: Encryption controls; Keys]

Information security reviews

Whether policies, processes, procedures, controls and control objectives are subject to regular independent reviews at planned intervals or when significant changes occur. [Assets: Control objectives, controls, policies, processes and procedures]

Whether information systems were regularly checked for compliance with security implementation standards by managers. [Assets: Organization]

Whether technical security reviews are carried out, either manually or using automated tools, to confirm that information security objectives are achieved, e.g. penetration testing and vulnerability assessments. [Assets: Information systems]
Other asset types and examples listed in the checklist: Emergency, H&S, Utilities, telecom; Mobile devices; Partners; Third parties; Contractors; External parties; Hardware, Software, People, Network, Services, Organization (for employees, contractors, external parties); Removable media; Confidential media; Backup media in transit; Paper; Network services; Applications; Utility programs; Program source code and associated items (such as designs, specifications, verification plans and validation plans); Encryption keys; Telephone; Power; Information; Software; Copiers/Printers; Papers; Hardware facilities; Office facilities; System images; Hardware; Personnel; Network; Websites; Application information; OS; Information systems; Certificates.