Section / sub-section

1 Security policy
3.1 Information security policy
3.1.1 Information security policy document
3.1.2 Review and evaluation

2 Organisational security
4.1 Information security infrastructure
4.1.1 Management information security forum
4.1.2 Information security coordination
4.1.3 Allocation of information security responsibilities
4.1.4 Authorisation process for information processing facilities
4.1.5 Specialist information security advice
4.1.6 Co-operation between organisations
4.1.7 Independent review of information security
4.2 Security of third party access
4.2.1 Identification of risks from third party access
4.2.2 Security requirements in third party contracts
4.3 Outsourcing
4.3.1 Security requirements in outsourcing contracts

3 Asset classification and control
5.1 Accountability for assets
5.1.1 Inventory of assets
5.2 Information classification
5.2.1 Classification guidelines
5.2.2 Information labelling and handling

4 Personnel security
6.1 Security in job definition and resourcing
6.1.1 Including security in job responsibilities
6.1.2 Personnel screening and policy
6.1.3 Confidentiality agreements
6.1.4 Terms and conditions of employment
6.2 User training
6.2.1 Information security education and training
6.3 Responding to security incidents and malfunctions
6.3.1 Reporting security incidents
6.3.2 Reporting security weaknesses
6.3.3 Reporting software malfunctions
6.3.4 Learning from incidents
6.3.5 Disciplinary process

5 Physical and environmental security
7.1 Secure areas
7.1.1 Physical security perimeter
7.1.2 Physical entry controls
7.1.3 Securing offices, rooms and facilities
7.1.4 Working in secure areas
7.1.5 Isolated delivery and loading areas
7.2 Equipment security
7.2.1 Equipment siting and protection
7.2.2 Power supplies
7.2.3 Cabling security
7.2.4 Equipment maintenance
7.2.5 Security of equipment off-premises
7.2.6 Secure disposal or re-use of equipment
7.3 General controls
7.3.1 Clear desk and clear screen policy
7.3.2 Removal of property

6 Communications and operations management
8.1 Operational procedures and responsibilities
8.1.1 Documented operating procedures
8.1.2 Operational change control
8.1.3 Incident management procedures
8.1.4 Segregation of duties
8.1.5 Separation of development and operational facilities
8.1.6 External facilities management
8.2 System planning and acceptance
8.2.1 Capacity planning
8.2.2 System acceptance
8.3 Protection against malicious software
8.3.1 Controls against malicious software
8.4 Housekeeping
8.4.1 Information back-up
8.4.2 Operator logs
8.4.3 Fault logging
8.5 Network management
8.5.1 Network controls
8.6 Media handling and security
8.6.1 Management of removable computer media
8.6.2 Disposal of media
8.6.3 Information handling procedures
8.6.4 Security of system documentation
8.7 Exchange of information and software
8.7.1 Information and software exchange agreements
8.7.2 Security of media in transit
8.7.3 Electronic commerce security
8.7.4 Security of electronic mail
8.7.5 Security of electronic office systems
8.7.6 Publicly available systems
8.7.7 Other forms of information exchange

7 Access control
9.1 Business requirements for access control
9.1.1 Access control policy
9.2 User access management
9.2.1 User registration
9.2.2 Privilege management
9.2.3 User password management
9.2.4 Review of user access rights
9.3 User responsibilities
9.3.1 Password use
9.3.2 Unattended user equipment
9.4 Network access control
9.4.1 Policy on use of network services
9.4.2 Enforced path
9.4.3 User authentication for external connections
9.4.4 Node authentication
9.4.5 Remote diagnostic port protection
9.4.6 Segregation in networks
9.4.7 Network connection control
9.4.8 Network routing control
9.4.9 Security of network services
9.5 Operating system access control
9.5.1 Automatic terminal identification
9.5.2 Terminal log-on procedures
9.5.3 User identification and authentication
9.5.4 Password management system
9.5.5 Use of system utilities
9.5.6 Duress alarm to safeguard users
9.5.7 Terminal time-out
9.5.8 Limitation of connection time
9.6 Application access control
9.6.1 Information access restriction
9.6.2 Sensitive system isolation
9.7 Monitoring system access and use
9.7.1 Event logging
9.7.2 Monitoring system use
9.7.3 Clock synchronisation
9.8 Mobile computing and teleworking
9.8.1 Mobile computing
9.8.2 Teleworking

8 System development and maintenance
10.1 Security requirements of systems
10.1.1 Security requirements analysis and specification
10.2 Security in application systems
10.2.1 Input data validation
10.2.2 Control of internal processing
10.2.3 Message authentication
10.2.4 Output data validation
10.3 Cryptographic controls
10.3.1 Policy on use of cryptographic controls
10.3.2 Encryption
10.3.3 Digital signatures
10.3.4 Non-repudiation services
10.3.5 Key management
10.4 Security of system files
10.4.1 Control of operational software
10.4.2 Protection of system test data
10.4.3 Access control to program source library
10.5 Security in development and support processes
10.5.1 Change control procedures
10.5.2 Technical review of operating system changes
10.5.3 Restrictions on changes to software packages
10.5.4 Covert channels and Trojan code
10.5.5 Outsourced software development

9 Business continuity management
11.1 Aspects of business continuity management
11.1.1 Business continuity management process
11.1.2 Business continuity and impact analysis
11.1.3 Writing and implementing continuity plans
11.1.4 Business continuity planning framework
11.1.5 Testing, maintaining and re-assessing business continuity plans

10 Compliance
12.1 Compliance with legal requirements
12.1.1 Identification of applicable legislation
12.1.2 Intellectual property rights (IPR)
12.1.3 Safeguarding of organisational records
12.1.4 Data protection and privacy of personal information
12.1.5 Prevention of misuse of information processing facilities
12.1.6 Regulation of cryptographic controls
12.1.7 Collection of evidence
12.2 Reviews of security policy and technical compliance
12.2.1 Compliance with security policy
12.2.2 Technical compliance checking
12.3 System audit considerations
12.3.1 System audit controls
12.3.2 Protection of system audit tools
Audit questions

3.1.1 Information security policy document
Whether there exists an information security policy, which is approved by the management, published and communicated as appropriate to all employees.
Whether it states the management commitment and sets out the organisational approach to managing information security.

3.1.2 Review and evaluation
Whether the security policy has an owner, who is responsible for its maintenance and review according to a defined review process.
Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, for example significant security incidents, new vulnerabilities or changes to the organisational or technical infrastructure.

4.1.1 Management information security forum
Whether there is a management forum to ensure there is a clear direction and visible management support for security initiatives within the organisation.

4.1.2 Information security coordination
Whether there is a cross-functional forum of management representatives from relevant parts of the organisation to coordinate the implementation of information security controls.

4.1.3 Allocation of information security responsibilities
Whether responsibilities for the protection of individual assets and for carrying out specific security processes are clearly defined.

4.1.4 Authorisation process for information processing facilities
Whether there is a management authorisation process in place for any new information processing facility. This should include all new facilities such as hardware and software.

4.1.5 Specialist information security advice
Whether specialist information security advice is obtained where appropriate. A specific individual may be identified to co-ordinate in-house knowledge and experience, to ensure consistency and to provide help in security decision making.

4.1.6 Co-operation between organisations
Whether appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators are maintained, to ensure that appropriate action can be taken quickly and advice obtained in the event of a security incident.

4.1.7 Independent review of information security
Whether the implementation of the security policy is reviewed independently on a regular basis. This is to provide assurance that organisational practices reflect the policy, and that it is feasible and effective.

4.2.1 Identification of risks from third party access
Whether risks from third party access are identified and appropriate security controls implemented.
Whether the types of access are identified and classified, and the reasons for access are justified.
Whether the security risks from third party contractors working on site are identified and appropriate controls implemented.

4.2.2 Security requirements in third party contracts
Whether there is a formal contract containing, or referring to, all the security requirements needed to ensure compliance with the organisation's security policies and standards.

4.3.1 Security requirements in outsourcing contracts
Whether security requirements are addressed in the contract with the third party when the organisation has outsourced the management and control of all or some of its information systems, networks and/or desktop environments. The contract should address how the legal requirements are to be met, how the security of the organisation's assets is maintained and tested, the right of audit, physical security issues, and how the availability of the services is to be maintained in the event of a disaster.

5.1.1 Inventory of assets
Whether an inventory or register is maintained of the important assets associated with each information system.
Whether each asset identified has an owner, a defined and agreed security classification, and an identified location.

5.2.1 Classification guidelines
Whether there is an information classification scheme or guideline in place which will assist in determining how the information is to be handled and protected.

5.2.2 Information labelling and handling
Whether an appropriate set of procedures is defined for information labelling and handling in accordance with the classification scheme adopted by the organisation.

6.1.1 Including security in job responsibilities
Whether security roles and responsibilities, as laid down in the organisation's information security policy, are documented where appropriate. This should include general responsibilities for implementing or maintaining the security policy as well as specific responsibilities for the protection of particular assets, or for the execution of particular security processes or activities.

6.1.2 Personnel screening and policy
Whether verification checks on permanent staff were carried out at the time of job application. These should include a character reference, confirmation of claimed academic and professional qualifications, and independent identity checks.

6.1.3 Confidentiality agreements
Whether employees are asked to sign a confidentiality or non-disclosure agreement as part of their initial terms and conditions of employment.
Whether this agreement covers the security of the information processing facility and the organisation's assets.

6.1.4 Terms and conditions of employment
Whether the terms and conditions of employment cover the employee's responsibility for information security. Where appropriate, these responsibilities might continue for a defined period after the end of the employment.

6.2.1 Information security education and training
Whether all employees of the organisation and third party users (where relevant) receive appropriate information security training and regular updates on organisational policies and procedures.

6.3.1 Reporting security incidents
Whether a formal reporting procedure exists to report security incidents through appropriate management channels as quickly as possible.

6.3.2 Reporting security weaknesses
Whether a formal reporting procedure or guideline exists for users to report security weaknesses in, or threats to, systems or services.

6.3.3 Reporting software malfunctions
Whether procedures are established to report any software malfunctions.

6.3.4 Learning from incidents
Whether there are mechanisms in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored.

6.3.5 Disciplinary process
Whether there is a formal disciplinary process in place for employees who have violated organisational security policies and procedures. Such a process can act as a deterrent to employees who might otherwise be inclined to disregard security procedures.

7.1.1 Physical security perimeter
What physical perimeter security facility has been implemented to protect the information processing service. Some examples of such a facility are a card-controlled entry gate, walls, a manned reception, etc.

7.1.2 Physical entry controls
What entry controls are in place to allow only authorised personnel into the various areas within the organisation.

7.1.3 Securing offices, rooms and facilities
Whether the rooms which house the information processing service are locked or have lockable cabinets or safes.
Whether the information processing service is protected from natural and man-made disasters.
Whether there is any potential threat from neighbouring premises.

7.1.4 Working in secure areas
Whether there exists any security control for third parties or for personnel working in the secure area. Information about the secure area is given only on a need-to-know basis.

7.1.5 Isolated delivery and loading areas
Whether the delivery area and the information processing area are isolated from each other to avoid any unauthorised access.
Whether a risk assessment was conducted to determine the security required in such areas.

7.2.1 Equipment siting and protection
Whether the equipment is located in an appropriate place to minimise unnecessary access into work areas.
Whether the items requiring special protection are isolated to reduce the general level of protection required.
Whether controls are adopted to minimise the risk from potential threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, electromagnetic radiation and flood.
Whether there is a policy on eating, drinking and smoking in proximity to information processing services.
Whether environmental conditions which could adversely affect the information processing facilities are monitored.

7.2.2 Power supplies
Whether the equipment is protected from power failures by using permanent power supplies such as multiple feeds, an uninterruptible power supply (UPS), a backup generator, etc.

7.2.3 Cabling security
Whether the power and telecommunications cables carrying data or supporting information services are protected from interception or damage.
Whether there are any additional security controls in place for sensitive or critical information.

7.2.4 Equipment maintenance
Whether the equipment is maintained as per the supplier's recommended service intervals and specifications.
Whether the maintenance is carried out only by authorised personnel.
Whether logs are maintained of all suspected or actual faults and of all preventive and corrective measures.

7.2.5 Security of equipment off-premises
Whether appropriate controls are implemented when sending equipment off the premises.
If the equipment is covered by insurance, whether the insurance requirements are satisfied.
Whether any use of equipment outside the organisation's premises for information processing has to be authorised by management.
Whether the security provided for this equipment while outside the premises is on a par with or greater than the security provided inside the premises.

7.2.6 Secure disposal or re-use of equipment
Whether storage devices containing sensitive information are physically destroyed or securely overwritten.

7.3.1 Clear desk and clear screen policy
Whether an automatic computer screen locking facility is enabled. This would lock the screen when the computer is left unattended for a period.
Whether employees are advised to leave any confidential material in the form of paper documents, media, etc. locked away while unattended.

7.3.2 Removal of property
Whether equipment, information or software can be taken off site without appropriate authorisation.
Whether spot checks or regular audits are conducted to detect unauthorised removal of property.
Whether individuals are aware of these spot checks or regular audits.

8.1.1 Documented operating procedures
Whether the security policy has identified any operating procedures such as back-up, equipment maintenance, etc.
Whether such procedures are documented and used.

8.1.2 Operational change control
Whether all programs running on production systems are subject to strict change control, i.e. any change to be made to those production programs needs to go through the change control authorisation.
Whether audit logs are maintained for any change made to the production programs.

8.1.3 Incident management procedures
Whether an incident management procedure exists to handle security incidents.
Whether the procedure addresses the incident management responsibilities and an orderly and quick response to security incidents.
Whether the procedure addresses different types of incidents, ranging from denial of service to breach of confidentiality, etc., and ways to handle them.
Whether the audit trails and logs relating to the incidents are maintained and proactive action is taken so that the incident does not reoccur.

8.1.4 Segregation of duties
Whether duties and areas of responsibility are separated in order to reduce opportunities for unauthorised modification or misuse of information or services.

8.1.5 Separation of development and operational facilities
Whether the development and testing facilities are isolated from operational facilities. For example, development software should run on a different computer from the one running production software. Where necessary, development and production networks should be separated from each other.

8.1.6 External facilities management
Whether any of the information processing facilities are managed by an external company or contractor (third party).
Whether the risks associated with such management are identified in advance, discussed with the third party, and appropriate controls incorporated into the contract.
Whether the necessary approval is obtained from business and application owners.

8.2.1 Capacity planning
Whether the capacity demands are monitored and projections of future capacity requirements are made. This is to ensure that adequate processing power and storage are available. Example: monitoring hard disk space, RAM and CPU on critical servers.

8.2.2 System acceptance
Whether system acceptance criteria are established for new information systems, upgrades and new versions.
Whether suitable tests were carried out prior to acceptance.

8.3.1 Controls against malicious software
Whether there exists any control against malicious software.
Whether the security policy addresses software licensing issues, such as prohibiting the use of unauthorised software.
Whether there exists any procedure to verify that all warning bulletins regarding malicious software are accurate and informative.
Whether antivirus software is installed on the computers to check for, and isolate or remove, any viruses from computers and media.
Whether the antivirus signatures are updated on a regular basis so that the latest viruses are detected.
Whether all traffic originating from untrusted networks into the organisation is checked for viruses. Example: checking for viruses in email, email attachments, web traffic and FTP traffic.

8.4.1 Information back-up
Whether back-ups of essential business information, such as production servers, critical network components, configuration back-ups, etc., are taken regularly. Example: Mon-Thu incremental back-up and Fri full back-up.
Whether the back-up media, along with the procedure to restore the back-up, are stored securely and well away from the actual site.
Whether the back-up media are regularly tested to ensure that they can be restored within the time frame allotted in the operational procedure for recovery.

8.4.2 Operator logs
Whether operational staff maintain a log of their activities, such as the name of the person, errors, corrective action, etc.
Whether operator logs are checked on a regular basis against the operating procedures.

8.4.3 Fault logging
Whether faults are reported and well managed. This includes corrective action being taken, review of the fault logs and checking of the actions taken.

8.5.1 Network controls
Whether effective operational controls, such as separate network and system administration facilities, are established where necessary.
Whether responsibilities and procedures for the management of remote equipment, including equipment in user areas, are established.
Whether there exist any special controls to safeguard the confidentiality and integrity of data passing over public networks and to protect the connected systems. Example: virtual private networks and other encryption and hashing mechanisms.

8.6.1 Management of removable computer media
Whether there exists a procedure for the management of removable computer media such as tapes, disks, cassettes, memory cards and printed reports.

8.6.2 Disposal of media
Whether media that are no longer required are disposed of securely and safely.
Whether the disposal of sensitive items is logged where necessary in order to maintain an audit trail.

8.6.3 Information handling procedures
Whether there exists a procedure for handling the storage of information. Does this procedure address issues such as the protection of information from unauthorised disclosure or misuse.

8.6.4 Security of system documentation
Whether the system documentation is protected from unauthorised access.
Whether the access list for the system documentation is kept to a minimum and authorised by the application owner. Example: if system documentation needs to be kept on a shared drive for specific purposes, the documents need to have access control lists enabled so that they are accessible only by a limited set of users.

8.7.1 Information and software exchange agreements
Whether there exists any formal or informal agreement between the organisations for the exchange of information and software.
Whether the agreement addresses the security issues based on the sensitivity of the business information involved.

8.7.2 Security of media in transit
Whether the security of media while being transported is taken into account.
Whether the media are well protected from unauthorised access, misuse or corruption.

8.7.3 Electronic commerce security
Whether electronic commerce is well protected and controls are implemented to protect against fraudulent activity, contract dispute, and disclosure or modification of information.
Whether security controls such as authentication and authorisation are considered in the e-commerce environment.
Whether electronic commerce arrangements between trading partners include a documented agreement which commits both parties to the agreed terms of trading, including details of security issues.

8.7.4 Security of electronic mail
Whether there is a policy in place for the acceptable use of electronic mail, or whether the security policy addresses the issues regarding the use of electronic mail.
Whether controls such as antivirus checking, isolation of potentially unsafe attachments, spam control, anti-relaying, etc. are put in place to reduce the risks created by electronic mail.

8.7.5 Security of electronic office systems
Whether there is an acceptable use policy to address the use of electronic office systems.
Whether there are any guidelines in place to effectively control the business and security risks associated with the electronic office systems.

8.7.6 Publicly available systems
Whether there is any formal authorisation process in place for information to be made publicly available, such as approval through change control which includes the business and application owners, etc.
Whether there are any controls in place to protect the integrity of such publicly available information from unauthorised access. These might include firewalls, operating system hardening, intrusion detection tools used to monitor the system, etc.

8.7.7 Other forms of information exchange
Whether there are any policies, procedures or controls in place to protect the exchange of information through the use of voice, facsimile and video communication facilities.
Whether staff are reminded to maintain the confidentiality of sensitive information while using such forms of information exchange facility.

9.1.1 Access control policy
Whether the business requirements for access control have been defined and documented.
Whether the access control policy addresses the rules and rights for each user or group of users.
Whether the users and service providers are given a clear statement of the business requirements to be met by access controls.

9.2.1 User registration
Whether there is any formal user registration and de-registration procedure for granting access to multi-user information systems and services.

9.2.2 Privilege management
Whether the allocation and use of any privileges in a multi-user information system environment is restricted and controlled, i.e. privileges are allocated on a need-to-use basis and only after a formal authorisation process.

9.2.3 User password management
Whether the allocation and reallocation of passwords is controlled through a formal management process.
Whether users are asked to sign a statement to keep their password confidential.

9.2.4 Review of user access rights
Whether there exists a process to review user access rights at regular intervals. Example: special privileges reviewed every 3 months, normal privileges every 6 months.

9.3.1 Password use
Whether there are any guidelines in place to guide users in selecting and maintaining secure passwords.

9.3.2 Unattended user equipment
Whether users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection. Example: log off when the session is finished or set up automatic log-off, terminate sessions when finished, etc.

9.4.1 Policy on use of network services
Whether there exists a policy that addresses concerns relating to networks and network services, such as: the parts of the network to be accessed; authorisation services to determine who is allowed to do what; procedures to protect access to network connections and network services.

9.4.2 Enforced path
Whether there is any control that restricts the route between the user terminal and the designated computer services the user is authorised to access, for example an enforced path, to reduce the risk.

9.4.3 User authentication for external connections
Whether there exists any authentication mechanism for challenging external connections. Examples: cryptography-based techniques, hardware tokens, software tokens, challenge/response protocols, etc.

9.4.4 Node authentication
Whether connections to remote computer systems that are outside the organisation's security management are authenticated. Node authentication can serve as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility.

9.4.5 Remote diagnostic port protection
Whether access to diagnostic ports is securely controlled, i.e. protected by a security mechanism.

9.4.6 Segregation in networks
Whether the network (where business partners and/or third parties need access to the information system) is segregated using perimeter security mechanisms such as firewalls.

9.4.7 Network connection control
Whether there exists any network connection control for shared networks that extend beyond the organisational boundaries. Example: electronic mail, web access, file transfers, etc.

9.4.8 Network routing control
Whether there exist any network controls to ensure that computer connections and information flows do not breach the access control policy of the business applications. This is often essential for networks shared with users from outside the organisation.
Whether the routing controls are based on positive source and destination identification mechanisms. Example: Network Address Translation (NAT).

9.4.9 Security of network services
Whether the organisation, when using public or private network services, ensures that a clear description of the security attributes of all services used is provided.

9.5.1 Automatic terminal identification
Whether an automatic terminal identification mechanism is used to authenticate connections.

9.5.2 Terminal log-on procedures
Whether access to the information system is attainable only via a secure log-on process.
Whether there is a procedure in place for logging on to an information system. This is to minimise the opportunity for unauthorised access.

9.5.3 User identification and authentication
Whether a unique identifier is provided to every user, such as operators, system administrators and all other staff including technical staff. Generic user accounts should only be supplied under exceptional circumstances where there is a clear business benefit; additional controls may then be necessary to maintain accountability.
Whether the authentication method used substantiates the claimed identity of the user. The commonly used method is a password that only the user knows.

9.5.4 Password management system
Whether there exists a password management system that enforces various password controls, such as: individual passwords for accountability, enforced password changes, storage of passwords in encrypted form, not displaying passwords on screen, etc.
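
As an added illustration of the controls listed under 9.5.4 (example code written for this page, not part of the checklist), the following Python sketch shows what a password management system has to do internally: a random salt per user, a deliberately slow one-way derivation (the checklist's "encrypted form" is best read as "non-recoverable": a verifier never needs the plaintext back, so a reversible cipher would only create a decryption key to steal), constant-time verification, a password history so that an enforced change cannot be satisfied by re-using an old password, and a basic selection policy. The in-memory store, the scrypt parameters, the 12-character minimum, the 5-entry history and the banned-password list are assumptions made for the example.

```python
"""Added example: core of a password management system (see 9.5.4).

Assumptions (not from the checklist): an in-memory user record, scrypt with
the cost parameters below, a 12-character minimum, a 5-entry history and a
constructed banned-password list.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# scrypt cost parameters: about 16 MiB of memory and tens of ms per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
MIN_LENGTH = 12
HISTORY_DEPTH = 5
# Constructed sample; a real deployment uses a large breached-password list.
BANNED = {"password", "password1234", "welcome123456", "changeme2024"}


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes


@dataclass
class UserRecord:
    username: str
    current: StoredPassword
    # Previous digests, newest first; kept only to block re-use.
    history: list = field(default_factory=list)


def derive(password: str, salt: bytes) -> bytes:
    """One-way, salted, slow derivation: the stored value cannot be turned
    back into the password, unlike reversible encryption."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def new_stored(password: str) -> StoredPassword:
    salt = os.urandom(SALT_BYTES)  # unique per password, so equal passwords differ on disk
    return StoredPassword(salt, derive(password, salt))


def matches(stored: StoredPassword, password: str) -> bool:
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(derive(password, stored.salt), stored.digest)


def policy_violations(username: str, password: str) -> list:
    """Selection rules that a change-password form reports back to the user."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BANNED:
        problems.append("on the banned-password list")
    if username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def register(username: str, password: str) -> UserRecord:
    problems = policy_violations(username, password)
    if problems:
        raise ValueError("; ".join(problems))
    return UserRecord(username, new_stored(password))


def verify_login(record: UserRecord, password: str) -> bool:
    return matches(record.current, password)


def change_password(record: UserRecord, old: str, new: str) -> list:
    """Returns an empty list on success, otherwise the reasons for refusal.
    The old password is re-checked so that a hijacked session alone cannot
    rotate the credential."""
    if not matches(record.current, old):
        return ["current password incorrect"]
    problems = policy_violations(record.username, new)
    if matches(record.current, new) or any(matches(h, new) for h in record.history):
        problems.append(f"matches the current password or one of the last {HISTORY_DEPTH} previous ones")
    if problems:
        return problems
    record.history = [record.current] + record.history[:HISTORY_DEPTH - 1]
    record.current = new_stored(new)
    return []
```

The history check has to re-derive the candidate under each old salt, which is why it is bounded by HISTORY_DEPTH; and because nothing here ever prints or echoes the password, the "not displayed on screen" control is satisfied by the calling interface (for a terminal, `getpass.getpass`), not by this store.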

9.5.5 Use of system utilities
Whether the system utilities that come with computer installations, but which may override system and application controls, are tightly controlled.

9.5.6 Duress alarm to safeguard users
Whether the provision of a duress alarm is considered for users who might be the target of coercion.

9.5.7 Terminal time-out
Whether inactive terminals in public areas are configured to clear the screen or shut down automatically after a defined period of inactivity.

9.5.8 Limitation of connection time
Whether there exist any restrictions on connection time for high-risk applications. This type of set-up should be considered for sensitive applications whose terminals are installed in high-risk locations.

9.6.1 Information access restriction
Whether access to applications by the various groups and personnel within the organisation is defined in the access control policy as per the individual business application requirements, and is consistent with the organisation's information access policy.

9.6.2 Sensitive system isolation
Whether sensitive systems are provided with an isolated computing environment, such as running on a dedicated computer, sharing resources only with trusted application systems, etc.

9.7.1 Event logging
Whether audit logs recording exceptions and other security-relevant events are produced and kept for an agreed period to assist in future investigations and access control monitoring.

9.7.2 Monitoring system use
Whether procedures are set up for monitoring the use of information processing facilities. The procedure should ensure that users are performing only the activities that are explicitly authorised.
Whether the results of the monitoring activities are reviewed regularly.

9.7.3 Clock synchronisation
Whether, where a computer or communication device has the capability of operating a real-time clock, it is set to an agreed standard such as Coordinated Universal Time (UTC) or local standard time. The correct setting of the computer clock is important to ensure the accuracy of the audit logs.

9.8.1 Mobile computing
Whether a formal policy is adopted that takes into account the risks of working with mobile computing facilities such as notebooks, palmtops, etc., especially in unprotected environments.
Whether training is arranged for staff who use mobile computing facilities, to raise their awareness of the additional risks resulting from this way of working and of the controls that need to be implemented to mitigate the risks.

9.8.2 Teleworking
Whether there is any policy, procedure and/or standard to control teleworking activities; this should be consistent with the organisation's security policy.
Whether suitable protection of the teleworking site is in place against threats such as theft of equipment, unauthorised disclosure of information, etc.

10.1.1 Security requirements analysis and specification
Whether security requirements are incorporated as part of the business requirement statement for new systems or for enhancements to existing systems. The security requirements and controls identified should reflect the business value of the information assets involved and the consequences of a failure of security.
Whether risk assessments are completed prior to the commencement of system development.

10.2.1 Input data validation
Whether data input to application systems is validated to ensure that it is correct and appropriate.
Whether controls such as the following are considered: checks on the different types of input that should produce error messages, procedures for responding to validation errors, and the definition of responsibilities of all personnel involved in the data input process.

10.2.2 Control of internal processing
Whether areas of risk are identified in the processing cycle and validation checks included. In some cases data that has been correctly entered can be corrupted by processing errors or through deliberate acts.
Whether appropriate controls are identified for applications to mitigate the risks arising during internal processing. The controls will depend on the nature of the application and the business impact of any corruption of data.
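
To make 10.2.1 and 10.2.2 concrete, here is an added Python example (written for this page, not taken from the checklist) of a validation layer for a constructed payment-instruction record: every field is checked for presence, type, permitted characters and range; each defect produces its own error message; the response to a validation error is to reject the record rather than correct it silently; and a run-to-run control compares the count and total declared in the batch header with what was actually received, which catches records lost, added or altered during processing. The record format, the account-identifier shape, the currency allow-list and the amount limit are assumptions made for the example.

```python
"""Added example for 10.2.1 / 10.2.2: input validation with specific error
messages and a run-to-run control total. The payment-instruction format,
its allow-lists and limits are assumptions for this example."""
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

ACCOUNT_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")   # assumed account-id shape
REFERENCE_RE = re.compile(r"^[A-Za-z0-9 ._/-]{1,35}$")          # printable allow-list, bounded length
AMOUNT_RE = re.compile(r"^[0-9]{1,10}(\.[0-9]{2})?$")           # digits with optional two decimals
CURRENCIES = {"EUR", "GBP", "USD"}                               # assumed allow-list
MAX_AMOUNT = Decimal("250000.00")
REQUIRED = ("debtor", "creditor", "amount", "currency", "reference", "value_date")


def parse_amount(text):
    """Decimal with at most two places, or None if the text is not an amount.
    Decimal (not float) so that control totals are exact."""
    if not isinstance(text, str) or not AMOUNT_RE.match(text):
        return None
    return Decimal(text)


def validate_instruction(rec: dict) -> list:
    """Every defect is reported separately so the error message is specific;
    nothing is silently corrected or truncated."""
    errors = [f"missing or empty field: {f}" for f in REQUIRED
              if not isinstance(rec.get(f), str) or rec[f] == ""]
    if errors:
        return errors  # the remaining checks need all fields present
    for f in ("debtor", "creditor"):
        if not ACCOUNT_RE.match(rec[f]):
            errors.append(f"{f}: invalid account identifier")
    if rec["debtor"] == rec["creditor"]:
        errors.append("debtor and creditor are the same account")
    amount = parse_amount(rec["amount"])
    if amount is None:
        errors.append("amount: not a number with two decimals")
    elif amount <= 0 or amount > MAX_AMOUNT:
        errors.append(f"amount: out of range (0 < amount <= {MAX_AMOUNT})")
    if rec["currency"] not in CURRENCIES:
        errors.append("currency: not in the permitted list")
    if not REFERENCE_RE.match(rec["reference"]):
        errors.append("reference: disallowed characters or length")
    try:
        date.fromisoformat(rec["value_date"])
    except ValueError:
        errors.append("value_date: not an ISO date")
    return errors


@dataclass
class BatchResult:
    accepted: list
    rejected: list        # (index, [errors]) per rejected record
    control_errors: list  # discrepancies between the header and the body


def process_batch(header: dict, records: list) -> BatchResult:
    """Run-to-run control: the header declares how many instructions the
    batch carries and their total. A mismatch means records were lost, added
    or altered between the sender and this step, so the batch must be held
    even if every record validates on its own."""
    control = []
    if header.get("count") != len(records):
        control.append(f"count mismatch: header {header.get('count')}, received {len(records)}")
    received_total = sum((parse_amount(r.get("amount")) or Decimal(0)) for r in records)
    declared = parse_amount(header.get("total"))
    if declared is None or declared != received_total:
        control.append(f"total mismatch: header {header.get('total')}, received {received_total}")
    accepted, rejected = [], []
    for i, rec in enumerate(records):
        errs = validate_instruction(rec)
        if errs:
            rejected.append((i, errs))
        else:
            accepted.append(rec)
    return BatchResult(accepted, rejected, control)
```

The allow-list regexes deliberately reject rather than strip unexpected characters (a reference such as `DROP TABLE; --` is refused outright), and the control total is recomputed from the received records before per-record validation, so the two checks detect different failure modes: a bad record and a bad batch.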
Whether an assessment of security risk was carried out to determine if
Message authentication
Message authentication is is a
required;
technique andused
to identify most
to detect appropriate
unauthorised
method
changes of implementation
to, or corruption if
of, it is
the necessary.
Whether the data output of application system is validated toelectronic
contents of the transmitted ensure
message.
that the processing of stored information is correct and appropriate to
circumstances.
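The message authentication item above asks whether a keyed integrity check is in place on transmitted messages. The following is an added example, not part of the checklist or of any standard's text: it shows HMAC-SHA256 over a constructed electronic payment message in Python, with the receiver verifying the tag in constant time and rejecting altered, truncated or wrongly-keyed messages. The shared key, the payment fields and the function names are assumptions made for illustration.

```python
"""Added example (not from the checklist): keyed message authentication
with HMAC-SHA256, showing how a receiver detects modification or
corruption of a transmitted message. Key, message fields and names
are constructed for illustration."""
import hashlib
import hmac
import json

# Constructed shared secret; in practice it is issued and rotated by
# the key management system the checklist asks about.
SHARED_KEY = b"example-shared-key-not-for-production"


def authenticate(key: bytes, message: bytes) -> bytes:
    """Return the HMAC-SHA256 tag the sender attaches to the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time; compare_digest
    avoids leaking how many leading bytes matched."""
    expected = authenticate(key, message)
    return hmac.compare_digest(expected, tag)


def build_payment(amount: str, payee: str) -> bytes:
    """Serialise a constructed payment message canonically (sorted keys,
    no whitespace) so sender and receiver authenticate identical bytes."""
    payload = {"amount": amount, "payee": payee}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def demo() -> dict:
    """Run the send/verify exchange and report which messages the
    receiver accepts (True) or rejects (False)."""
    original = build_payment("100.00", "ACME Ltd")
    tag = authenticate(SHARED_KEY, original)

    # Received unchanged: the tag verifies.
    intact_ok = verify(SHARED_KEY, original, tag)

    # Contents altered in transit (amount changed): the tag no longer matches.
    altered = build_payment("1000.00", "ACME Ltd")
    altered_ok = verify(SHARED_KEY, altered, tag)

    # Corrupted (truncated by one byte): the tag no longer matches.
    corrupted_ok = verify(SHARED_KEY, original[:-1], tag)

    # A party without the shared key cannot produce a valid tag.
    wrong_key_ok = verify(b"other-key", original, tag)

    return {
        "intact": intact_ok,
        "altered": altered_ok,
        "corrupted": corrupted_ok,
        "wrong_key": wrong_key_ok,
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:>10}: {'accepted' if accepted else 'rejected'}")
```

A valid tag proves that the message was produced by a holder of the shared key and arrived unchanged. Because both parties hold the same key, an HMAC cannot show which of them produced the message, so it does not give non-repudiation; that is why the checklist treats digital signatures and non-repudiation services as separate items. Canonical serialisation matters too: if the two sides encode the same payment differently, a genuine message will fail verification.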
Whether there is a "Policy in use of cryptographic controls for protection of information" in place.

Whether a risk assessment was carried out to identify the level of protection the information should be given.

Whether encryption techniques were used to protect the data.

Whether assessments were conducted to analyse the sensitivity of the data and the level of protection needed.

Whether digital signatures were used to protect the authenticity and integrity of electronic documents.

Whether non-repudiation services were used, where it might be necessary to resolve disputes about the occurrence or non-occurrence of an event or action.
Example: a dispute involving the use of a digital signature on an electronic payment or contract.

Whether a management system is in place to support the organisation's use of cryptographic techniques such as secret key techniques and public key techniques.

Whether the key management system is based on an agreed set of standards, procedures and secure methods.

Whether there are any controls in place for the implementation of software on operational systems.
This is to minimise the risk of corruption of operational systems.

Whether test data is protected and controlled.
The use of operational databases containing personal information should be avoided for test purposes. If such information is used, the data should be depersonalised before use.

Whether strict controls are in place over access to program source libraries.
This is to reduce the potential for corruption of computer programs.

Whether there are strict control procedures in place over the implementation of changes to the information system.
This is to minimise the corruption of the information system.

Whether there is a process or procedure in place to ensure the application system is reviewed and tested after a change in the operating system.
Periodically it is necessary to upgrade the operating system, i.e. to install service packs, patches, hot fixes etc.

Whether there are any restrictions in place to limit changes to software packages.
As far as possible the vendor-supplied software packages should be used without modification. If changes are deemed essential, the original software should be retained and the changes applied only to a clearly identified copy. All changes should be clearly tested and documented, so they can be reapplied if necessary to future software upgrades.

Whether there are controls in place to ensure that covert channels and Trojan code are not introduced into new or upgraded systems.
A covert channel can expose information by some indirect and obscure means. Trojan code is designed to affect a system in a way that is not authorised.

Whether there are controls in place over outsourced software.
The points to be noted include: licensing arrangements, escrow arrangements, contractual requirements for quality assurance, testing before installation to detect Trojan code etc.

Whether there is a managed process in place for developing and maintaining business continuity throughout the organisation.
This might include an organisation-wide business continuity plan, regular testing and updating of the plan, formulating and documenting a business continuity strategy etc.

Whether events that could cause interruptions to business processes were identified, for example: equipment failure, flood and fire.

Whether a risk assessment was conducted to determine the impact of such interruptions.

Whether a strategy plan was developed based on the risk assessment results to determine an overall approach to business continuity.

Whether plans were developed to restore business operations within the required time frame following an interruption or failure of a business process.

Whether the plan is regularly tested and updated.

Whether there is a single framework of business continuity plans.

Whether this framework is maintained to ensure that all plans are consistent and to identify priorities for testing and maintenance.

Whether this identifies conditions for activation and the individuals responsible for executing each component of the plan.

Whether business continuity plans are tested regularly to ensure that they are up to date and effective.

Whether business continuity plans were maintained by regular reviews and updates to ensure their continuing effectiveness.

Whether procedures were included within the organisation's change management programme to ensure that business continuity matters are appropriately addressed.

Whether all relevant statutory, regulatory and contractual requirements were explicitly defined and documented for each information system.

Whether specific controls and individual responsibilities to meet these requirements were defined and documented.

Whether there exist any procedures to ensure compliance with legal restrictions on the use of material in respect of which there may be intellectual property rights such as copyright, design rights or trade marks.

Whether the procedures are well implemented.

Whether proprietary software products are supplied under a licence agreement that limits the use of the products to specified machines.
The only exception might be for making one's own back-up copies of the software.

Whether important records of the organisation are protected from loss, destruction and falsification.

Whether there is a management structure and control in place to protect data and the privacy of personal information.

Whether use of information processing facilities for any non-business or unauthorised purpose, without management approval, is treated as improper use of the facility.

Whether at log-on a warning message is presented on the computer screen indicating that the system being entered is private and that unauthorised access is not permitted.

Whether the regulation of cryptographic controls is as per the sector and national agreement.

Whether the process involved in collecting evidence is in accordance with legal and industry best practice.

Whether all areas within the organisation are considered for regular review to ensure compliance with security policy, standards and procedures.

Whether information systems were regularly checked for compliance with security implementation standards.

Whether the technical compliance check is carried out by, or under the supervision of, competent, authorised persons.

Whether audit requirements and activities involving checks on operational systems are carefully planned and agreed to minimise the risk of disruption to business processes.

Whether access to system audit tools such as software or data files is protected to prevent any possible misuse or compromise.
