
SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance

A. Risk Assessment and Treatment

A.1 | Is there a risk assessment program? | 4.1 Assessing Security Risks | PO9.4
A.1.1 | Is there an owner to maintain and review the Risk Management program? | 6.1.3 Allocation of information security responsibilities | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10
A.1.2 | Does the risk assessment program include: | 4.1 Assessing Security Risks | PO9.1, PO9.2, PO9.4
A.1.2.1 | A risk assessment? | 14.1.2 Business Continuity And Risk Assessment | DS4.1, DS4.3
A.1.2.1.1 | Has the risk assessment been conducted within the last 12 months? | N/A | N/A
A.1.2.2 | Risk governance? | N/A | N/A
A.1.2.3 | Range of business assets? | N/A | N/A
A.1.2.3.1 | Do the assets include the following: | 4.1 Assessing Security Risks | PO9.4
A.1.2.3.1.1 | People? | N/A | N/A
A.1.2.3.1.2 | Process? | N/A | N/A
A.1.2.3.1.3 | Information (physical and electronic)? | N/A | N/A
A.1.2.3.1.4 | Technology (applications, middleware, servers, storage, network)? | N/A | N/A
A.1.2.3.1.5 | Physical (buildings, energy)? | N/A | N/A
A.1.2.3.1.6 | IT system management software (BSM, CMDB, Firewalls, IDS/IPS, etc.)? | N/A | N/A
A.1.2.3.1.7 | Servers? | N/A | N/A
A.1.2.3.1.8 | Storage? | N/A | N/A
A.1.2.3.1.9 | Communications? | N/A | N/A
A.1.2.3.1.10 | Physical facilities? | N/A | N/A
A.1.2.4 | Range of threats? | 4.1 Assessing Security Risks | PO9.4
A.1.2.4.1 | Do the threats include the following: | N/A | N/A
A.1.2.4.1.1 | Malicious? | N/A | N/A
A.1.2.4.1.2 | Natural? | N/A | N/A
A.1.2.4.1.3 | Accidental? | N/A | N/A
A.1.2.4.1.4 | Business changes (e.g., transaction volume)? | N/A | N/A
A.1.2.5 | Risk scoping? | 4.1 Assessing Security Risks | PO9.4
A.1.2.6 | Risk context? | 4.1 Assessing Security Risks | PO9.4
A.1.2.7 | Risk training plan? | 4.1 Assessing Security Risks | PO9.4
A.1.2.8 | Risk scenarios? | 4.1 Assessing Security Risks | PO9.4
A.1.2.8.1 | Have scenarios been created for a variety of events with a range of possible threats that could impact the range of assets? | N/A | N/A
A.1.2.8.2 | Do the scenarios include threat types impacting all assets resulting in business impact? | N/A | N/A
A.1.2.9 | Risk evaluation criteria? | 4.1 Assessing Security Risks | PO9.4
A.1.2.10 | Alignment with industry standards (e.g., CobiT®, etc.)? | N/A | N/A
A.1.3 | Is there a formal strategy for each identified risk? | 4.2 Treating Security Risks | PO9.4
A.1.3.1 | Does the strategy include: | N/A | N/A
A.1.3.1.1 | Risk acceptance? | 4.2.b | PO9.4
A.1.3.1.1.1 | Is accepted risk reviewed on a periodic basis to ensure continued disposition? | | PO9.4
A.1.3.1.2 | Risk avoidance? | 4.2.c | PO9.4
A.1.3.1.3 | Risk transfer? | 4.2.d | PO9.4
A.1.3.1.4 | Insurance? | 4.2.d | PO9.4
A.1.4 | Is there a process in place that provides for responses to risk as assigned that include: | N/A | N/A
A.1.4.1 | Assignment of ownership? | N/A | N/A
A.1.4.2 | Action plan? | N/A | N/A
A.1.4.3 | Status of response action items to closure? | N/A | N/A
A.1.4.4 | Status updates to management? | N/A | N/A
A.1.5 | Is there a process to monitor all identified risks on an ongoing basis? | N/A | N/A
A.1.5.1 | Does the process include the following: | N/A | N/A
A.1.5.1.1 | A monitoring plan? | N/A | N/A
A.1.5.1.2 | Monitoring data reviewed by management? | N/A | N/A
A.1.5.1.3 | Action initiated where conditions are outside of defined controls? | N/A | N/A
A.1.5.1.4 | Report status on actions initiation? | N/A | N/A
A.1.5.2 | Has the process been executed in the last 12 months? | N/A | N/A
A.1.5.3 | Has the process been updated in the last 12 months? | N/A | N/A
A.1.5.3.1 | Does the process update take into consideration the following: | N/A | N/A
A.1.5.3.1.1 | Changes in the environment? | N/A | N/A
A.1.5.3.1.2 | Data from monitoring? | N/A | N/A
A.1.6 | Are controls identified for each risk discovered? | 4.2 Treating Security Risks | PO9.4
A.1.6.1 | Are controls classified as: | N/A | N/A
A.1.6.1.1 | Preventive? | N/A | N/A
A.1.6.1.2 | Detective? | N/A | N/A
A.1.6.1.3 | Corrective? | N/A | N/A
A.1.6.1.4 | Predictive? | N/A | N/A
A.1.7 | Are controls evaluated during the following: | N/A | N/A
A.1.7.1 | Project requirements specification phase? | 4.2 Treating Security Risks | PO9.4
A.1.7.2 | Project design phase? | 4.2 Treating Security Risks | PO9.4

All Rights Reserved Valores Corporativos Softtek S.A. de C.V. 2011. Confidential.

Page 1 of

SIG to Industry Standard Relevance

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance

B. Security Policy

B.1 | Is there an information security policy? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.1 | Which of the following leadership levels approve the information security policy: | 5.1.2 Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.1.1 | Board of directors? | N/A | N/A
B.1.1.2 | CEO? | N/A | N/A
B.1.1.3 | C-level executive? | N/A | N/A
B.1.1.4 | Senior leader? | N/A | N/A
B.1.1.5 | Other (Please explain in the "Additional Information" column)? | N/A | N/A
B.1.2 | Has the security policy been published? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.3 | Is there an owner to maintain and review the policy? | 5.1.2 Review of Information Security Policy, 6.1.3 Allocation of information security responsibilities | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.3.1 | Does security own the content of the policy? | N/A | N/A
B.1.4 | Do information security policies contain the following: | N/A | N/A
B.1.4.1 | Definition of information security? | 5.1.1.a Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.4.2 | Objectives? | 5.1.1.a Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.4.3 | Scope? | 5.1.1.a Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.4.4 | Importance of security as an enabling mechanism? | 5.1.1.a Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.4.5 | Statement of Management Intent? | 5.1.1.b Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.4.6 | Risk assessment? | 5.1.1.c Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.4.7 | Risk management? | 5.1.1.c Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.4.8 | Legislative, regulatory, and contractual compliance requirements? | 5.1.1.d.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.4.9 | Security awareness training/education? | 5.1.1.d.2 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.4.10 | Business continuity? | 5.1.1.d.3 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.4.11 | Penalties for non-compliance with corporate policies? | 5.1.1.d Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.4.12 | Responsibilities for information security management? | 5.1.1.e Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.4.13 | References to documentation to support policies? | 5.1.1.f Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.1.5 | Are the following topics covered by policies: | N/A | N/A
B.1.5.1 | Acceptable use? | 7.1.3 Acceptable use of assets | PO4.10, PO6.2
B.1.5.2 | Access control? | N/A | N/A
B.1.5.3 | Application security? | N/A | N/A
B.1.5.4 | Change control? | N/A | N/A
B.1.5.5 | Clean desk? | N/A | N/A
B.1.5.6 | Computer and communication systems access and use? | N/A | N/A
B.1.5.7 | Data handling? | N/A | N/A
B.1.5.8 | Desktop computing? | N/A | N/A
B.1.5.9 | Disaster recovery? | N/A | N/A
B.1.5.10 | Email? | N/A | N/A
B.1.5.11 | Constituent accountability? | N/A | N/A
B.1.5.12 | Encryption? | N/A | N/A
B.1.5.13 | Exception process? | N/A | N/A
B.1.5.14 | Information classification? | N/A | N/A


B.1.5.15 | Internet/Intranet access and use? | N/A | N/A
B.1.5.16 | Mobile computing? | N/A | N/A
B.1.5.17 | Network security? | N/A | N/A
B.1.5.18 | Operating system security? | N/A | N/A
B.1.5.19 | Personnel security and termination? | N/A | N/A
B.1.5.20 | Physical access? | N/A | N/A
B.1.5.21 | Policy maintenance? | N/A | N/A
B.1.5.22 | Privacy? | N/A | N/A
B.1.5.23 | Remote access? | N/A | N/A
B.1.5.24 | Security incident and privacy event management? | N/A | N/A
B.1.5.25 | Secure disposal? | N/A | N/A
B.1.5.26 | Use of personal equipment? | N/A | N/A
B.1.5.27 | Vulnerability management? | N/A | N/A
B.1.6 | Have the policies been reviewed in the last 12 months? | 5.1.2 Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7 | Is there a process to review published policies? | 5.1.2 Review of Information Security Policy, 6.1.8 | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7.1 | Does the review of policies include the following: | N/A | N/A
B.1.7.1.1 | Feedback from interested parties? | 5.1.2.a Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7.1.2 | Results of independent reviews? | 5.1.2.b Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7.1.3 | Status of preventative or corrective actions? | 5.1.2.c Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7.1.4 | Results of previous management reviews? | 5.1.2.d Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7.1.5 | Process performance? | 5.1.2.e Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7.1.6 | Policy compliance? | 5.1.2.e Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7.1.7 | Changes that could affect the approach to managing information security? | 5.1.2.f Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7.1.8 | Trends related to threats and vulnerabilities? | 5.1.2.g Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7.1.9 | Reported information security incidents? | 5.1.2.h Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7.1.10 | Recommendations provided by relevant authorities? | 5.1.2.i Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7.2 | Is a record of management review maintained? | 5.1.2 Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
B.1.7.3 | Is there a process to assess the risk presented by exceptions to the policy? | N/A | N/A
B.1.7.4 | Is there a process to approve exceptions to the policy? | N/A | N/A
B.1.7.4.1 | Does security own the approval process? | N/A | N/A
B.2 | Is there an Acceptable Use Policy? | 7.1.3 Acceptable use of assets | PO4.10, PO6.2
B.2.1 | Has the Acceptable Use Policy been reviewed within the last 12 months? | N/A | N/A
B.2.2 | Are constituents required to review and accept the policy at least every 12 months? | N/A | N/A
B.3 | Are any policy(ies), process(es) or procedure(s) communicated to constituents? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.3.1 | Is the information security policy communicated to constituents? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
B.3.1.1 | Is the information security policy communicated via the following, to the following constituents: | N/A | N/A
B.3.1.1.1 | Email: | N/A | N/A
B.3.1.1.1.1 | Full time employees? | N/A | N/A
B.3.1.1.1.2 | Part time employees? | N/A | N/A
B.3.1.1.1.3 | Contractors? | N/A | N/A
B.3.1.1.1.4 | Temporary workers? | N/A | N/A
B.3.1.1.2 | Intranet or Bulletin Board: | N/A | N/A
B.3.1.1.2.1 | Full time employees? | N/A | N/A
B.3.1.1.2.2 | Part time employees? | N/A | N/A
B.3.1.1.2.3 | Contractors? | N/A | N/A
B.3.1.1.2.4 | Temporary workers? | N/A | N/A
B.3.1.1.3 | Documentation Repository: | N/A | N/A
B.3.1.1.3.1 | Full time employees? | N/A | N/A
B.3.1.1.3.2 | Part time employees? | N/A | N/A
B.3.1.1.3.3 | Contractors? | N/A | N/A
B.3.1.1.3.4 | Temporary workers? | N/A | N/A
B.3.1.1.4 | Instructor Led Training: | N/A | N/A
B.3.1.1.4.1 | Full time employees? | N/A | N/A
B.3.1.1.4.2 | Part time employees? | N/A | N/A
B.3.1.1.4.3 | Contractors? | N/A | N/A
B.3.1.1.4.4 | Temporary workers? | N/A | N/A
B.3.1.1.5 | Web Based Training: | N/A | N/A
B.3.1.1.5.1 | Full time employees? | N/A | N/A
B.3.1.1.5.2 | Part time employees? | N/A | N/A
B.3.1.1.5.3 | Contractors? | N/A | N/A
B.3.1.1.5.4 | Temporary workers? | N/A | N/A
B.3.1.1.6 | Physical media (e.g., paper, CD, etc.): | N/A | N/A
B.3.1.1.6.1 | Full time employees? | N/A | N/A
B.3.1.1.6.2 | Part time employees? | N/A | N/A
B.3.1.1.6.3 | Contractors? | N/A | N/A
B.3.1.1.6.4 | Temporary workers? | N/A | N/A


SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance

C. Organizational Security

C.1 | Is there an information security function responsible for security initiatives within the organization? | 6.1.1 Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2 | Is there an individual or group responsible for security within the organization? | 6.1.1 Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1 | Does this individual or group have the following responsibilities: | N/A | N/A
C.2.1.1 | Identify information security goals that meet organizational requirements? | 6.1.1.a Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.2 | Integrate information security controls into relevant processes? | 6.1.1.a Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.3 | Formulate, review and approve information security policies? | 6.1.1.b Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.4 | Review the effectiveness of information security policy implementation? | 6.1.1.c Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.5 | Approve major initiatives to enhance information security? | 6.1.1.d Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.6 | Provide needed information security resources? | 6.1.1.e Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.7 | Approve assignment of specific roles and responsibilities for information security? | 6.1.1.f Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.8 | Initiate plans and programs to maintain information security awareness? | 6.1.1.g Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.9 | Ensure the implementation of information security controls is co-ordinated? | 6.1.1.h Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.10 | Develop and maintain an overall security plan? | 6.1.1 Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.11 | Review advice from external information security specialists? | 6.1.1 Management commitment to information security | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.12 | Coordination of information security from different parts of the organization? | 6.1.2 Information security co-ordination | PO4.4, PO4.5, PO4.6, PO4.8, PO4.10, PO6.5, DS5.1, DS5.2, DS5.3
C.2.1.13 | Review and monitor information security / privacy incidents or events? | 5.1.2.h Review Of The Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7


C.2.1.13.1 | Assets and security processes with each particular system are identified and clearly defined? | 6.1.3.a Allocation of information security responsibilities | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10
C.2.1.13.2 | Definition of authorization levels? | 6.1.3.c Allocation of information security responsibilities | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10
C.2.1.13.3 | Implementation / execution of security processes in support of policies? | 6.1.3.b Allocation of information security responsibilities | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10
C.2.1.13.4 | Monitor significant changes in the exposure of information assets? | 6.1.3.b Allocation of information security responsibilities | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10
C.2.2 | Are information security responsibilities allocated to an individual or group? | 6.1.3 Allocation of information security responsibilities | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10
C.2.3 | Is there an authorization process for new information processing facilities? | 6.1.4 Authorization process for information processing facilities | PO4.3, PO4.4, PO4.9, AI1.4, AI2.4, AI7.6, DS5.7
C.2.4 | Is a process or procedure maintained that specifies when and by whom authorities should be contacted? | 6.1.6 Contact with Authorities | PO4.15, DS4.1, DS4.2, ME3.1, ME3.3, ME3.4
C.2.5 | Are contacts with information security special interest groups, specialist security forums, or professional associations maintained? | 6.1.7 Contact with special interest groups | PO4.15, DS4.1, DS4.2
C.2.6 | Is there an independent third party review of the information security program? (If so, note the firm in the "Additional Information" column.) | 6.1.8 Independent review of information security | PO6.4, DS5.5, ME2.2, ME2.5, ME4.7
C.2.6.1 | If so, is there a remediation plan to address findings? | 6.1.8 Independent review of information security | PO6.4, DS5.5, ME2.2, ME2.5, ME4.7
C.2.7 | Is there an individual or group responsible for ensuring compliance with security policies? | 15.2.1 Compliance with security policies and standards | PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
C.2.8 | Are key Information Technology constituents identified? | N/A | N/A
C.2.8.1 | Are there backup plans in place for replacement of key IT constituents? | N/A | N/A
C.3 | Does management require the use of confidentiality or non-disclosure agreements? | 6.1.5 Confidentiality agreements | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4
C.3.1 | Does the confidentiality or non-disclosure agreement contain the following: | N/A | N/A
C.3.1.1 | Definition of the information to be protected? | 6.1.5.a Confidentiality agreements | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4
C.3.1.2 | Expected duration of an agreement? | 6.1.5.b Confidentiality agreements | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4
C.3.1.3 | Required actions when an agreement is terminated? | 6.1.5.c Confidentiality agreements | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4
C.3.1.4 | Responsibilities and actions of signatories to avoid unauthorized information disclosure? | 6.1.5.d Confidentiality agreements | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4
C.3.1.5 | Ownership of information, trade secrets and intellectual property? | 6.1.5.e Confidentiality agreements | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4
C.3.1.6 | The permitted use of confidential information, and rights of the signatory to use information? | 6.1.5.f Confidentiality agreements | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4
C.3.1.7 | The right to audit and monitor activities that involve confidential information? | 6.1.5.g Confidentiality agreements | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4
C.3.1.8 | Process for notification and reporting of unauthorized disclosure or confidential information breaches? | 6.1.5.h Confidentiality agreements | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4
C.3.1.9 | Terms for information to be returned or destroyed when the agreement has expired? | 6.1.5.i Confidentiality agreements | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4
C.3.1.10 | Expected actions to be taken in case of a breach of this agreement? | 6.1.5.j Confidentiality agreements | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4
C.4 | Is access to Target Data provided to, or the processing facilities utilized by, external parties? | 6.2 External parties | PO6.4, DS5.5, ME2.2, ME2.5, ME4.7
C.4.1 | Is a risk assessment of external parties performed? | 6.2.1 Identification of risks related to external parties | PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3
C.4.1.1 | Is access to Target Data prohibited prior to: | N/A | N/A
C.4.1.1.1 | Risk assessment being conducted? | 6.2.1 Identification of risks related to external parties | PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3
C.4.1.1.2 | Any findings of the external parties risk assessment are either remediated or a remediation plan is in place? | N/A | N/A


C.4.2 | Are agreements in place when customers access Target Data? | 6.2.2 Addressing security when dealing with customers | PO6.2, DS5.4
C.4.2.1 | Do contracts with third party service providers who may have access to Target Data include: | 6.2.3 Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.1 | Non-Disclosure agreement? | 6.2.1 Identification of risks related to external parties | PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3
C.4.2.1.2 | Confidentiality Agreement? | 6.2.3.b Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.3 | Media handling? | 6.2.3.b Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.4 | Requirement of an awareness program to communicate security standards and expectations? | 6.2.3.d Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.5 | Responsibilities regarding hardware and software installation and maintenance? | 6.2.3.f Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.6 | Clear reporting structure and agreed reporting formats? | 6.2.3.g Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.7 | Clear and specified process of change management? | 6.2.3.h Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.8 | Notification of change? | 6.2.3.h Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.9 | A process to address any identified issues? | 6.2.3.h Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.10 | Access control policy? | 6.2.3.i Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.11 | Breach notification? | 6.2.3.j Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.12 | Description of the product or service to be provided? | 6.2.3.k Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.13 | Description of the information to be made available along with its security classification? | 6.2.3.k Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.14 | SLAs? | 6.2.3 l & m Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.15 | Audit reporting? | 6.2.3.m Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.16 | Ongoing monitoring? | 6.2.3.n Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.17 | A process to regularly monitor to ensure compliance with security standards? | 6.2.3.n Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.18 | Onsite review? | 6.2.3.o Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6


C.4.2.1.19 | Right to audit? | 6.2.3.o Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.20 | Right to inspect? | 6.2.3.o Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.21 | Problem reporting and escalation procedures? | 6.2.3.p Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.22 | Business resumption responsibilities? | 6.2.3.q Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.23 | Indemnification/liability? | 6.2.3.r Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.24 | Privacy requirements? | 6.2.3.s Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.25 | Dispute resolution? | 6.2.3.s Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.26 | Choice of law? | 6.2.3.s Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.27 | Data ownership? | 6.2.3.t Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.28 | Ownership of intellectual property? | 6.2.3.t Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.29 | Involvement of the third party with subcontractors? | 6.2.3.u Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.29.1 | Security controls these subcontractors need to implement? | 6.2.3.u Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.30 | Termination/exit clause? | 6.2.3.v Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.31 | Contingency plan in case either party wishes to terminate the relationship before the end of the agreements? | 6.2.3.v.1 Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.32 | Renegotiation of agreements if the security requirements of the organization change? | 6.2.3.v.2 Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.33 | Current documentation of asset lists, licenses, agreements or rights relating to them? | 6.2.3.v.3 Addressing security in third party agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.34 | Compliance with security standards? | N/A | N/A
C.4.2.1.35 | Insurance requirements? | N/A | N/A
C.4.2.1.36 | Requirements for dependent service providers located outside of the United States? | N/A | N/A
C.4.2.1.37 | Constituent screening practices? | N/A | N/A
C.4.3 | Is there an independent audit performed on dependent third parties? | 6.2.1 Identification of risks related to external parties | PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3


SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance

D. Asset Management

D.1 | Is there an asset management program? | 7.1 Responsibility For Assets | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
D.1.1 | Is there an asset management policy? | 7.1.1 Inventory Of Assets | PO2.2, DS9.2, DS9.3
D.1.1.1 | Has it been approved by management? | 5.1.2 Review Of The Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
D.1.1.2 | Has it been communicated to all constituents? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
D.1.1.3 | Is there an owner to maintain and review the policy? | 6.1.3 Allocation Of Information Security Responsibilities | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10
D.1.2 | Is there an inventory of hardware/software assets? | 7.1.1 Inventory Of Assets | PO2.2, DS9.2, DS9.3
D.1.2.1 | Does the inventory record the following attributes: | N/A | N/A
D.1.2.1.1 | Asset control tag? | N/A | N/A
D.1.2.1.2 | Operating system? | N/A | N/A
D.1.2.1.3 | Physical location? | N/A | N/A
D.1.2.1.4 | Serial number? | N/A | N/A
D.1.2.1.5 | System class? | N/A | N/A
D.1.2.1.6 | System owner? | N/A | N/A
D.1.2.1.7 | System steward? | N/A | N/A
D.1.2.1.8 | Business function supported? | N/A | N/A
D.1.2.1.9 | Environment (dev, test, etc.)? | N/A | N/A
D.1.2.1.10 | Host name? | N/A | N/A
D.1.2.1.11 | IP address? | N/A | N/A
D.1.3 | Is there a detailed description of software licenses (e.g., number of seats, concurrent users, etc.)? | N/A | N/A
D.1.4 | Is ownership assigned for information assets? | 7.1.2 Ownership Of Assets | PO4.9, DS9.2
D.1.4.1 | Is the asset owner responsible for the following: | N/A | N/A
D.1.4.1.1 | Ensuring that information and assets are appropriately classified? | 7.1.2.b Ownership Of Assets | PO4.9, DS9.2
D.1.4.1.2 | Reviewing and approving access to those information assets? | 7.1.2.b Ownership Of Assets | PO4.9, DS9.2
D.1.4.1.3 | Establishing, documenting and implementing rules for the acceptable use of information and assets? | 7.1.3 Acceptable Use Of Assets | PO4.10, PO6.2
D.2 | Are information assets classified? | 7.2.1 Classification Guidelines | PO2, AI2, DS9
D.2.1 | Is there an information asset classification policy? | 7.2.1 Classification Guidelines | PO2, AI2, DS9
D.2.1.1 | Has it been approved by management? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
D.2.1.2 | Has the policy been published? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
D.2.1.3 | Has it been communicated to all constituents? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
D.2.1.4 | Is there an owner to maintain and review the policy? | 7.1.2 Ownership Of Assets | PO4.9, DS9.2
D.2.2 | Is there a procedure for handling of information assets? | 7.2.2 Information Labeling And Handling | PO2, AI2, DS9
D.2.2.1 | Does the procedure address the handling of information assets in accordance with the following classifications: | N/A | N/A
D.2.2.1.1 | Data access controls? | 7.1.2.b Ownership Of Assets, 10.7.3.b Information Handling Procedures | PO4.9, DS9.2
D.2.2.1.2 | Data in transit? | 7.2.2 Information Labeling And Handling | PO2, AI2, DS9
D.2.2.1.3 | Data labeling? | 7.2.2 Information Labeling And Handling, 10.7.3.a | PO6.2, DS11.6
D.2.2.1.4 | Data on removable media? | 10.7.1 Management Of Removable Media | PO2.3, DS11.2, DS11.3, DS11.4
D.2.2.1.5 | Data ownership? | 7.1.2 Ownership Of Assets | PO4.9, DS9.2
D.2.2.1.6 | Data reclassification? | 7.1.2.b Ownership Of Assets | PO4.9, DS9.2
D.2.2.1.7 | Data retention? | N/A | N/A
D.2.2.1.8 | Data destruction? | 7.2.2 Information Labeling And Handling, 10.7.2 Disposal Of Media | DS11.3, DS11.4
D.2.2.1.9 | Data disposal? | 10.7.2.b Disposal Of Media | DS11.3, DS11.4
D.2.2.1.10 | Data encryption? | 12.3.1 Policy On The Use Of Cryptographic Controls | PO6, AI2, DS5
D.2.2.1.11 | Data in storage? | 10.7.3.f Information Handling Procedures | PO6.2, DS11.6
D.2.2.2 | Is information reclassified at least annually? | 7.2.1 Classification Guidelines | PO2, AI2, DS9
D.2.3 | Are there procedures for information labeling and handling in accordance with the classification scheme? | 7.2.2 Information Labeling And Handling | PO2, AI2, DS9
D.2.4 | Are there procedures for the disposal and/or destruction of physical media (e.g., paper documents, CDs, DVDs, tapes, disk drives, etc.)? | 10.7.2 Disposal Of Media | DS11.3, DS11.4
D.2.5 | Are there procedures for the reuse of physical media (e.g., tapes, disk drives, etc.)? | 9.2.6 Secure Disposal Or Re-Use Of Equipment | DS11.4

All Rights Reserved Valores Corporativos Softtek S.A. de C.V. 2011. Confidential.


SIG to Industry Standard Relevance

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
D.3 | Is there insurance coverage for business interruptions or general services interruption? | 14.1.1.d Including Information Security In The Business Continuity Management Process | PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3
D.3.1 | If yes, are there limitations based on the cause of the interruption? | 14.1.1.d Including Information Security In The Business Continuity Management Process | PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3
D.3.2 | Is there insurance coverage for products and services provided to clients? | 14.1.1.d Including Information Security In The Business Continuity Management Process | PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3


E. Human Resource Security

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
E.1 | Are security roles and responsibilities of constituents defined and documented in accordance with the organization's information security policy? | 8.1.1 Roles and responsibilities | PO4.6, PO4.8, PO6.3, PO7.1, PO7.2, PO7.3, DS5.4
E.1.1 | Are security roles and responsibilities of dependent service providers defined and documented in accordance with the organization's information security policy? | 8.1.1 Roles and responsibilities | PO4.6, PO4.8, PO6.3, PO7.1, PO7.2, PO7.3, DS5.4
E.2 | Are background screenings of applicants performed to include criminal, credit, professional / academic, references and drug screening? | 8.1.2 Screening | PO4.6, PO7.1, PO7.6, DS2.3
E.2.1 | Is there a pre-screening policy? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
E.2.1.1 | Has it been approved by management? | 5.1.2 Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
E.2.1.2 | Is there an owner to maintain and review the policy? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
E.2.1.3 | Is there an external background screening agency? | N/A | N/A
E.2.1.4 | Are the following background checks performed on: | N/A | N/A
E.2.1.5 | Criminal: | 8.1.2.e Screening | PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.5.1 | Full time employees? | N/A | N/A
E.2.1.5.2 | Part time employees? | N/A | N/A
E.2.1.5.3 | Contractors? | N/A | N/A
E.2.1.5.4 | Temporary workers? | N/A | N/A
E.2.1.6 | Credit: | 8.1.2.e Screening | PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.6.1 | Full time employees? | N/A | N/A
E.2.1.6.2 | Part time employees? | N/A | N/A
E.2.1.6.3 | Contractors? | N/A | N/A
E.2.1.6.4 | Temporary workers? | N/A | N/A
E.2.1.7 | Academic: | 8.1.2.c Screening | PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.7.1 | Full time employees? | N/A | N/A
E.2.1.7.2 | Part time employees? | N/A | N/A
E.2.1.7.3 | Contractors? | N/A | N/A
E.2.1.7.4 | Temporary workers? | N/A | N/A
E.2.1.8 | Reference: | 8.1.2.a Screening | PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.8.1 | Full time employees? | N/A | N/A
E.2.1.8.2 | Part time employees? | N/A | N/A
E.2.1.8.3 | Contractors? | N/A | N/A
E.2.1.8.4 | Temporary workers? | N/A | N/A
E.2.1.9 | Resume or curriculum vitae: | 8.1.2.b Screening | PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.9.1 | Full time employees? | N/A | N/A
E.2.1.9.2 | Part time employees? | N/A | N/A
E.2.1.9.3 | Contractors? | N/A | N/A
E.2.1.9.4 | Temporary workers? | N/A | N/A
E.2.1.10 | Drug Screening: | N/A | N/A
E.2.1.10.1 | Full time employees? | N/A | N/A
E.2.1.10.2 | Part time employees? | N/A | N/A
E.2.1.10.3 | Contractors? | N/A | N/A
E.2.1.10.4 | Temporary workers? | N/A | N/A
E.3 | Are new hires required to sign any agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire? | 8.1.3 Terms and conditions of employment | PO4.6, PO7.1, PO7.3, DS2.3
E.3.1 | Are the following agreements signed by: | N/A | N/A
E.3.2 | Acceptable Use: | 7.1.3 Acceptable use of assets | PO4.10, PO6.2
E.3.2.1 | Full time employees? | N/A | N/A
E.3.2.2 | Part time employees? | N/A | N/A
E.3.2.3 | Contractors? | N/A | N/A
E.3.2.4 | Temporary workers? | N/A | N/A
E.3.3 | Code of Conduct / Ethics: | 8.1.3 Terms and conditions of employment | PO4.6, PO7.1, PO7.3, DS2.3
E.3.3.1 | Full time employees? | N/A | N/A
E.3.3.2 | Part time employees? | N/A | N/A
E.3.3.3 | Contractors? | N/A | N/A
E.3.3.4 | Temporary workers? | N/A | N/A
E.3.4 | Non-Disclosure Agreement: | 8.1.3.a Terms and conditions of employment | PO4.6, PO7.1, PO7.3, DS2.3
E.3.4.1 | Full time employees? | N/A | N/A
E.3.4.2 | Part time employees? | N/A | N/A
E.3.4.3 | Contractors? | N/A | N/A
E.3.4.4 | Temporary workers? | N/A | N/A


SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
E.3.5 | Confidentiality Agreement: | 8.1.3.a Terms and conditions of employment | PO4.6, PO7.1, PO7.3, DS2.3
E.3.5.1 | Full time employees? | N/A | N/A
E.3.5.2 | Part time employees? | N/A | N/A
E.3.5.3 | Contractors? | N/A | N/A
E.3.5.4 | Temporary workers? | N/A | N/A
E.3.6 | Information handling: | 8.1.3.d Terms and conditions of employment | PO4.6, PO7.1, PO7.3, DS2.3
E.3.6.1 | Full time employees? | N/A | N/A
E.3.6.2 | Part time employees? | N/A | N/A
E.3.6.3 | Contractors? | N/A | N/A
E.3.6.4 | Temporary workers? | N/A | N/A
E.3.7 | Prohibition of unauthorized software use or installation: | 10.4.1.a Controls Against Malicious Code | DS5.9
E.3.7.1 | Full time employees? | N/A | N/A
E.3.7.2 | Part time employees? | N/A | N/A
E.3.7.3 | Contractors? | N/A | N/A
E.3.7.4 | Temporary workers? | N/A | N/A
E.3.8 | Are any agreements required to be re-read and re-accepted at least every 12 months? | N/A | N/A
E.3.8.1 | Are the following agreements required to be re-read and re-accepted by: | N/A | N/A
E.3.8.2 | Acceptable Use: | N/A | N/A
E.3.8.2.1 | Full time employees? | N/A | N/A
E.3.8.2.2 | Part time employees? | N/A | N/A
E.3.8.2.3 | Contractors? | N/A | N/A
E.3.8.2.4 | Temporary workers? | N/A | N/A
E.3.8.3 | Code of Conduct / Ethics: | N/A | N/A
E.3.8.3.1 | Full time employees? | N/A | N/A
E.3.8.3.2 | Part time employees? | N/A | N/A
E.3.8.3.3 | Contractors? | N/A | N/A
E.3.8.3.4 | Temporary workers? | N/A | N/A
E.3.8.4 | Non-Disclosure Agreement: | N/A | N/A
E.3.8.4.1 | Full time employees? | N/A | N/A
E.3.8.4.2 | Part time employees? | N/A | N/A
E.3.8.4.3 | Contractors? | N/A | N/A
E.3.8.4.4 | Temporary workers? | N/A | N/A
E.3.8.5 | Confidentiality Agreement: | N/A | N/A
E.3.8.5.1 | Full time employees? | N/A | N/A
E.3.8.5.2 | Part time employees? | N/A | N/A
E.3.8.5.3 | Contractors? | N/A | N/A
E.3.8.5.4 | Temporary workers? | N/A | N/A
E.4 | Is there a security awareness training program? | 8.2.2 Information security awareness, education, and training | PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2
E.4.1 | Does the security awareness training include security policies, procedures and processes? | 8.2.2 Information security awareness, education, and training | PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2
E.4.2 | Does the security awareness training include a testing component? | N/A | N/A
E.4.3 | Do constituents participate in security awareness training? | N/A | N/A
E.4.3.1 | Do they attend training: | N/A | N/A
E.4.3.1.1 | Upon hire? | 8.2.2 Information security awareness, education, and training | PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2
E.4.3.1.2 | At least annually? | 8.2.2, 8.2.1 Information security awareness, education, and training; Management responsibilities | N/A
E.4.4 | Is security training commensurate with levels of responsibilities and access? | 8.2.2 Information security awareness, education, and training | PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2
E.4.5 | Do constituents responsible for information security undergo additional training? | 8.2.2 Information security awareness, education, and training | PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2
E.4.5.1 | Are information security personnel required to obtain professional security certifications (e.g., GSEC, CISSP, CISM, CISA)? | 6.1.7 Contact with special interest groups | PO4.15, DS4.1, DS4.2
E.5 | Is there a disciplinary process for non-compliance with information security policy? | 8.2.3 Disciplinary process | PO4.8, PO7.8, DS5.6
E.6 | Is there a constituent termination or change of status process? | 8.3.1 Termination responsibilities | PO4.8, PO7.8, DS5.6
E.6.1 | Is there a documented termination or change of status policy or process? | 8.3.1 Termination responsibilities | PO4.8, PO7.8, DS5.6
E.6.1.1 | Has it been approved by management? | N/A | N/A
E.6.1.2 | Has the policy been published? | N/A | N/A


SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
E.6.1.3 | Has it been communicated to appropriate constituents? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
E.6.1.4 | Is there an owner to maintain and review the policy? | N/A | N/A
E.6.2 | Does HR notify security / access administration of termination of constituents for access rights removal? | 8.3.3 Removal of access rights | PO7.8, DS5.4
E.6.2.1 | Is the termination notification provided: | N/A | N/A
E.6.2.1.1 | On the actual date? | N/A | N/A
E.6.2.1.2 | Two to seven days after termination? | N/A | N/A
E.6.2.1.3 | Greater than seven days after termination? | N/A | N/A
E.6.3 | Does HR notify security / access administration of a constituent's change of status for access rights removal? | 8.3.3 Removal of access rights | PO7.8, DS5.4
E.6.3.1 | Is the status change notification provided: | N/A | N/A
E.6.3.1.1 | On the actual date of the change of status? | N/A | N/A
E.6.3.1.2 | Two to seven days after the change of status? | N/A | N/A
E.6.3.1.3 | Greater than seven days after the change of status? | N/A | N/A
E.6.4 | Are constituents required to return assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) upon the following: | 8.3.2 Return of assets | PO6.2, PO7.8
E.6.4.1 | Termination? | 8.3.2 Return of assets | PO6.2, PO7.8
E.6.4.2 | Change of Status? | 8.3.2 Return of assets | PO6.2, PO7.8


F. Physical and Environmental Security

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
F.1 | Is there a physical security program? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
F.1.1 | Is there a documented physical security policy? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
F.1.1.1 | Has it been approved by management? | 5.1.2 Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
F.1.1.2 | Has the policy been published? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
F.1.1.3 | Has it been communicated to appropriate constituents? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
F.1.1.4 | Is there an owner to maintain and review the policy? | 5.1.2 Review of Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
F.1.2 | Is there a documented policy or process that contains a right to search visitors or constituents while in the facility? | N/A | N/A
F.1.3 | For the building or primary facility that stores Target Data (address noted in row 4 above), is it located within 20 miles of: | N/A | N/A
F.1.3.1 | Nuclear power plant? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.2 | Chemical plant, hazardous manufacturing or processing facility? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.3 | Natural gas, petroleum, or other pipeline? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.4 | Tornado prone area? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.5 | Airport? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.6 | Railroad? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.7 | Active fault line? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.8 | Government building? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.9 | Military base or facility? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.10 | Hurricane prone area? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.11 | Volcano? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.12 | Gas / Oil refinery? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.13 | Coast, harbor, port? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.14 | Forest fire prone area? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.15 | Flood prone area? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.16 | Emergency response services (e.g., fire, police, etc.)? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.3.17 | Urban center or major city? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.4 | Are the following controls present in the building that contains the Target Data? | N/A | N/A
F.1.4.1 | Signs or markings that identify the operations of the facility (e.g., data center)? | 9.1.3 Securing offices, rooms, and facilities | DS12.1, DS12.2
F.1.4.2 | Permit only authorized photographic, video, audio or other recording equipment within the facility? | 9.1.5 Working in secure areas | N/A
F.1.4.3 | Roof access secured and alarmed? | N/A | N/A
F.1.5 | Does the building reside on a campus? | N/A | N/A
F.1.5.1 | Is the campus: | N/A | N/A
F.1.5.1.1 | Shared with other tenants? | 9.1.1.g Physical security perimeter | DS12.1, DS12.2
F.1.5.1.2 | Surrounded by a physical barrier? | 9.1.1.d Physical security perimeter | DS12.1, DS12.2
F.1.5.1.3 | Is the barrier monitored (e.g., guards, technology, etc.)? | 9.1.1.d Physical security perimeter | DS12.1, DS12.2
F.1.6 | Does the perimeter of the building have: | N/A | N/A
F.1.6.1 | A physical barrier (e.g., fence or wall)? | 9.1.1 Physical security perimeter | DS12.1, DS12.2
F.1.6.1.1 | Is the physical barrier monitored (e.g., guards, technology, etc.)? | 9.1.1 Physical security perimeter | DS12.1, DS12.2
F.1.7 | Can vehicles come in close proximity to the building? | N/A | N/A
F.1.7.1 | Can they come in close proximity via the following: | N/A | N/A


SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
F.1.7.1.1 | Adjacent roads? | 9.1.1.d Physical security perimeter | DS12.1, DS12.2
F.1.7.1.2 | Adjacent parking lots/garage to the campus? | 9.1.1.d Physical security perimeter | DS12.1, DS12.2
F.1.7.1.3 | Adjacent parking lots/garage to the building? | 9.1.1 Physical security perimeter | DS12.1, DS12.2
F.1.7.1.4 | Parking garage connected to the building (e.g., underground parking)? | 9.1.1 Physical security perimeter | DS12.1, DS12.2
F.1.8 | Are barriers used to protect the building? | 9.1.1 Physical security perimeter | DS12.1, DS12.2
F.1.9 | Does the building that contains the Target Data: | N/A | N/A
F.1.9.1 | Shared with other tenants? | 9.1.1.g Physical security perimeter | DS12.1, DS12.2
F.1.9.2 | More than one floor? | 9.1.1 Physical security perimeter | DS12.1, DS12.2
F.1.9.3 | Building and roof rated to withstand wind speeds greater than 100 miles per hour? | 9.1.4 Protecting against external and environmental threats | DS12.4
F.1.9.4 | Roof rated to withstand loads greater than 200 pounds per square foot? | 9.2.1 Protecting against external and environmental threats | DS5.7, DS12.4
F.1.9.5 | Have a single point of entry? | 9.1.1 Physical security perimeter | DS12.1, DS12.2
F.1.9.6 | Have exterior windows? | 9.1.1.b Physical security perimeter | DS12.1, DS12.2
F.1.9.7 | Have window contact alarms that will trigger if opened? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.9.8 | Have glass break detection? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.9.9 | Have external lighting? | 9.1.1.b Physical security perimeter | DS12.1, DS12.2
F.1.9.10 | Have concealed windows? | 9.1.1.b Physical security perimeter | DS12.1, DS12.2
F.1.9.11 | Have glass walls or doors? | 9.1.1.b Physical security perimeter | DS12.1, DS12.2
F.1.9.12 | Have glass break detection? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.9.13 | Have external lighting on all doors? | 9.1.1.b Physical security perimeter | DS12.1, DS12.2
F.1.9.14 | Have external hinge pins on any external doors? | N/A | N/A
F.1.9.15 | Use CCTV? | N/A | N/A
F.1.9.15.1 | Monitored 24x7x365? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.9.15.2 | Pointed at entry points? | N/A | N/A
F.1.9.15.3 | Digitally recorded? | N/A | N/A
F.1.9.15.4 | Stored for at least 90 days? | N/A | N/A
F.1.9.16 | Have all entry and exits alarmed? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.9.16.1 | If so, are they monitored 24x7x365? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.9.17 | Have and use prop alarms on all doors? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.9.18 | Have security guards? | 9.1.1.c Physical security perimeter | DS12.1, DS12.2
F.1.9.18.1 | If so, are they contractors? | N/A | N/A
F.1.9.18.2 | Do they monitor security systems and alarms? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.9.18.3 | Do they patrol the facility? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.9.18.4 | Do they check doors/alarms during rounds? | 9.1.1.b Physical security perimeter | DS12.1, DS12.2
F.1.9.18.5 | Do they complete a guard report at the end of rounds? | N/A | N/A
F.1.9.19 | Do emergency doors only permit egress? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.9.20 | Have restricted access to the facility? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.9.20.1 | An electronic system (key card, token, fob, etc.) to control access to the facility? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.9.20.2 | If so, is there a biometric reader at the points of entry to the facility? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.9.20.3 | Are cipher locks (electronic or mechanical) used to control access to the facility? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.9.20.3.1 | If so, is there a process to change the code at least every 90 days? | N/A | N/A
F.1.9.20.3.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | 8.3.3 Removal of access rights | PO7.8, DS5.4
F.1.9.20.4 | Is there a process for requesting access to the facility? | 9.1.1.a Physical security perimeter | DS12.1, DS12.2
F.1.9.20.4.1 | If so, is there segregation of duties for issuing and approving access to the facility (e.g., keys, badge, etc.)? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.9.20.4.2 | A process to review who has access to the facility at least every six months? | 9.1.1 Physical security perimeter | DS12.1, DS12.2
F.1.9.20.4.3 | A process to collect access equipment (e.g., badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer requires access? | 9.1.2.e Physical entry controls | DS12.2, DS12.3
F.1.9.20.4.4 | A process to report lost or stolen access cards / keys? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.9.21 | A mechanism to prevent tailgating / piggybacking? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.9.22 | Are visitors permitted in the facility? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.9.22.1 | Are they required to sign in and out? | 9.1.2.a Physical entry controls | DS12.2, DS12.3
F.1.9.22.2 | Are they required to provide a government issued ID? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.9.22.3 | Are they escorted through secure areas? | 9.1.2.c Physical entry controls | DS12.2, DS12.3
F.1.9.22.4 | Are visitor logs maintained for at least 90 days? | 9.1.2.a Physical entry controls | DS12.2, DS12.3
F.1.9.22.5 | Are they required to wear badges distinguishing them from employees? | 9.1.2.c Physical entry controls | DS12.2, DS12.3
F.1.10 | Is there a loading dock at the facility? | 9.1.6 Public access, delivery, and loading areas | DS5.7, DS12.1, DS12.3
F.1.10.1 | Do tenants share the use of the loading dock? | 9.1.6.f Public access, delivery, and loading areas | DS5.7, DS12.1, DS12.3
F.1.10.2 | Does the loading dock area contain the following: | N/A | N/A
F.1.10.2.1 | Smoke detector? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.10.2.2 | Fire alarm? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.10.2.3 | Wet fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.10.2.4 | Fire extinguishers? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.10.2.5 | Security guards at points of entry? | 9.1.6.a Public access, delivery, and loading areas | DS5.7, DS12.1, DS12.3
F.1.10.2.6 | CCTV monitoring the loading dock area? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.10.2.6.1 | Is the loading dock area monitored 24x7x365? | N/A | N/A
F.1.10.2.6.2 | Is CCTV digital? | N/A | N/A
F.1.10.2.6.3 | Is CCTV stored for 90 days or greater? | N/A | N/A


SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
F.1.10.3 | Is entry to the loading dock restricted? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.10.3.1 | Badge readers at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.10.3.2 | Are biometric readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.10.3.3 | Are there locked doors requiring a key or PIN at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.10.3.4 | Are cipher locks (electronic or mechanical) used to control access to the loading dock? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.10.3.4.1 | Are the codes changed at least every 90 days? | N/A | N/A
F.1.10.3.4.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | 8.3.3 Removal of access rights | PO7.8, DS5.4
F.1.10.3.5 | Is there a process for approving access to the loading dock from inside the facility? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.10.3.6 | Is there a process to review access to the loading dock at least every six months? | 9.1.2.e Physical entry controls | DS12.2, DS12.3
F.1.10.3.7 | Is there segregation of duties for issuing and approving access to the loading dock via the use of badges/keys...? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.10.3.8 | Is there a process to report lost access cards / keys? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.11 | Is there a Battery/UPS Room? | 9.2.2 Supporting utilities | N/A
F.1.11.1 | Does the battery room contain the following: | N/A | N/A
F.1.11.1.1 | Hydrogen sensors? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.11.1.2 | Windows or glass walls along the perimeter? | 9.1.1.b Physical security perimeter | DS12.1, DS12.2
F.1.11.1.3 | Walls extending from true floor to true ceiling? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.11.1.4 | Air conditioning? | 9.2.1.f Equipment siting and protection | DS5.7, DS12.4
F.1.11.1.5 | Fluid or water sensor? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.11.1.6 | Heat detector? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.11.1.7 | Plumbing above ceiling (excluding fire suppression system)? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.11.1.8 | Smoke detector? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.11.1.9 | Fire alarm? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.11.1.10 | Wet fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.11.1.11 | Dry fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.11.1.12 | Chemical fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.11.1.13 | Fire extinguishers? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.11.1.14 | CCTV monitoring entry to the battery/UPS room? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.11.1.14.1 | Is the battery/UPS room monitored 24x7x365? | N/A | N/A
F.1.11.1.14.2 | Is CCTV digital? | N/A | N/A
F.1.11.1.14.3 | Is CCTV stored for 90 days or greater? | N/A | N/A
F.1.11.2 | Is access to the battery/UPS room restricted? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.11.2.1 | Are logs kept of all access? | 9.1.2.b Physical entry controls | DS12.2, DS12.3
F.1.11.2.2 | Are badge readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.11.2.3 | Are biometric readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.11.2.4 | Are there locked doors requiring a key or PIN at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.11.2.5 | Are cipher locks (electronic or mechanical) used to control access to the battery/UPS room? | 9.1.2 Physical entry controls | 
F.1.11.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A
F.1.11.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | 8.3.3 Removal of access rights | PO7.8, DS5.4
F.1.11.2.6 | Is there a process for approving access to the battery/UPS room? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.11.2.7 | Is there a process to review access to the battery/UPS room at least every six months? | 9.1.2.e Physical entry controls | DS12.2, DS12.3
F.1.11.2.8 | Is there segregation of duties for issuing and approving access to the battery/UPS room via the use of badges/keys...? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.11.2.9 | Is there a process to report lost access cards / keys? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.11.3 | Are there prop alarms on points of entry? | 9.1.6 Public access, delivery, and loading areas | DS5.7, DS12.1, DS12.3
F.1.11.4 | Do emergency doors only permit egress? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.11.5 | Are visitors permitted in the battery/UPS room? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.12 | Is there a call center operated or maintained? | N/A | N/A
F.1.12.1 | Are calls randomly monitored? | N/A | N/A
F.1.12.2 | Are calls monitored for compliance? | N/A | N/A
F.1.12.3 | Is a call recording system used for all calls? | N/A | N/A
F.1.12.3.1 | Does the recording solution indicate if recordings have been tampered with (to be court evidence admissible)? | N/A | N/A
F.1.12.4 | Are paper or electronic files used? | N/A | N/A
F.1.12.5 | Is there a clean desk policy? | 11.3.3 Clear desk and clear screen policy | PO6.2, DS5.7
F.1.12.6 | Is an audit trail of all calls retained? | N/A | N/A
F.1.12.7 | Are "secret caller" penetration tests conducted? If so, how often: | N/A | N/A
F.1.12.7.1 | Daily? | N/A | N/A
F.1.12.7.2 | Weekly? | N/A | N/A
F.1.12.7.3 | Monthly? | N/A | N/A
F.1.12.7.4 | Semi-annually? | N/A | N/A
F.1.12.7.5 | Annually? | N/A | N/A
F.1.12.8 | Are separate access rights required to gain access to the call center? | 9.1.2.b Physical entry controls | DS12.2, DS12.3
F.1.12.9 | Are terminals set to lock after a specified amount of time? If so, how long: | 11.3.2, 11.3.3 Unattended user equipment, Clear desk and clear screen policy | PO6.2, DS5.7


SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
F.1.12.9.1 | Five minutes or less? | N/A | N/A
F.1.12.9.2 | Five to 15 minutes? | N/A | N/A
F.1.12.9.3 | 16 to 30 minutes? | N/A | N/A
F.1.12.9.4 | Greater than 30 minutes? | N/A | N/A
F.1.12.9.5 | Never? | N/A | N/A
F.1.12.9.6 | Other (please explain in the "Additional Information" column)? | N/A | N/A
F.1.12.10 | Are representatives allowed access to the internet? | 11.4.1.c Policy on use of network services | DS5.9, DS5.11
F.1.12.11 | Are they allowed access to email? | 11.4.1.c Policy on use of network services | DS5.9, DS5.11
F.1.12.11.1 | Is there an email monitoring system to check for outgoing confidential information? | 11.4.6.a Network connection control | DS5.9, DS5.11
F.1.12.12 | Are visitors permitted into the call center? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.12.13 | Is the call center included in the disaster recovery plan? | N/A | N/A
F.1.12.14 | Are there SIRT instructions for representatives (e.g., escalation procedures for incident reporting)? | 13.1.1.c Reporting information security events | PO9.3, DS5.6, DS8.2
F.1.12.15 | Administrator access to CRM system not allowed to view data (e.g., configuration and entitlements only)? | 11.4.1.a Policy on use of network services | DS5.9, DS5.11
F.1.12.16 | What type of systems does the call center utilize? | N/A | N/A
F.1.12.16.1 | Wintel desktop? | N/A | N/A
F.1.12.16.2 | Dumb terminal? | N/A | N/A
F.1.12.16.3 | Wintel laptop? | N/A | N/A
F.1.12.16.4 | Other (please explain in the "Additional Information" column)? | N/A | N/A
F.1.12.17 | Can representatives make personal calls from their telecom systems? | 10.8.1 Information exchange policies and procedures | PO2.3, PO6.2, DS11.1
F.1.12.18 | Does the call center use VOIP? If so, which protocol does the solution set up calls with: | N/A | N/A
F.1.12.18.1 | H.323? | N/A | N/A
F.1.12.18.2 | SCCP? | N/A | N/A
F.1.12.18.3 | MGCP? | N/A | N/A
F.1.12.18.4 | MEGACO/H.248? | N/A | N/A
F.1.12.18.5 | SIP? | N/A | N/A
F.1.12.18.5.1 | Is SIP authentication used? | N/A | N/A
F.1.12.18.5.2 | Is encryption done with IPSec or TLS (SSL)? | N/A | N/A
F.1.12.19 | Are any call center representatives home based? | 9.2.5 Security of equipment off-premises | PO4.9, DS12.2, DS12.3
F.1.12.20 | Are call center operations outsourced? | 6.2 External parties | PO6.4, DS5.5, ME2.2, ME2.5, ME4.7
F.1.13 | Is there a generator or generator area? | 9.2.2 Supporting utilities | N/A
F.1.13.1 | Is there more than one generator? | 9.2.2 Supporting utilities | N/A
F.1.13.1.1 | Are there multiple generator areas that supply backup power to systems that contain Target Data? | N/A | N/A
F.1.13.1.1.1 | Are the physical security and environmental controls the same for all of the generator areas? | N/A | N/A
F.1.13.2 | Is the generator area contained within a building or surrounded by a physical barrier? | 9.1.1.a Physical security perimeter | DS12.1, DS12.2
F.1.13.3 | Are fuel supplies for the generator readily available to ensure uninterrupted service? | 9.2.2 Supporting utilities | N/A
F.1.13.4 | Does the generator have the capacity to supply power to the systems that contain Target Data for at least 48 hours? | 9.2.2 Supporting utilities | N/A
F.1.13.5 | Is access to the generator area restricted? | 9.1.1.a Physical security perimeter | DS12.1, DS12.2
F.1.13.5.1 | Are logs kept of all access? | 9.1.2.b Physical entry controls | DS12.2, DS12.3
F.1.13.5.2 | Are badge readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.13.5.3 | Are biometric readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.13.5.4 | Are there locked doors requiring a key or PIN at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.13.5.5 | Are cipher locks (electronic or mechanical) used to control access to the generator area? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.13.5.5.1 | Are the codes changed at least every 90 days? | N/A | N/A
F.1.13.5.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | 8.3.3 Removal of access rights | PO7.8, DS5.4
F.1.13.5.6 | Is there a process for approving access to the generator area? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.13.5.7 | Is there a process to review access to the generator area at least every six months? | 9.1.2.e Physical entry controls | DS12.2, DS12.3
F.1.13.5.8 | Is there segregation of duties for issuing and approving access to the generator area via the use of badges/keys...? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.13.5.9 | Is there a process to report lost access cards / keys? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.13.6 | Is CCTV monitoring the generator area? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.13.6.1 | Is the generator area monitored 24x7x365? | N/A | N/A
F.1.13.6.2 | Is the CCTV digital? | N/A | N/A
F.1.13.6.3 | Is CCTV stored for 90 days or greater? | N/A | N/A
F.1.14 | Is there an IDF closet? | 9.2.3 Cabling security | DS5.7, DS12.4
F.1.14.1 | Is access to the IDF closet restricted? | 9.2.3.f.1 Cabling security | DS5.7, DS12.4
F.1.14.1.1 | Are logs kept of all access? | 9.1.2.b Physical entry controls | DS12.2, DS12.3
F.1.14.1.2 | Are badge readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.14.1.3 | Are biometric readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.14.1.4 | Are there locked doors requiring a key or PIN at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.14.1.5 | Are cipher locks (electronic or mechanical) used to control access to the IDF closets? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.14.1.5.1 | Are the codes changed at least every 90 days? | N/A | N/A

Todos los Derechos Reservados Valores Corporativos Softtek S.A. de C.V. 2011. Confidencial.

Page 1 of

S!" to !nd#str$ Standard Relevance

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
--- | --- | --- | ---
F.1.14.1.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | 8.3.3 Removal of access rights | PO7.8, DS5.4
F.1.14.1.6 | Is there a process for approving access to the IDF closet? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.14.1.7 | Is there a process to review access to the IDF closet at least every six months? | 9.1.2.e Physical entry controls | DS12.2, DS12.3
F.1.14.1.8 | Is there segregation of duties for issuing and approving access to the IDF closets via the use of badges/keys...? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.14.1.9 | Is there a process to report lost access cards / keys? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.15 | Is there a mailroom that stores or processes Target Data? | 10.1.1 Documented operating procedures | AI1.1, AI4.4, DS13.1
F.1.15.1 | Does the mailroom contain the following: | N/A | N/A
F.1.15.1.1 | Motion sensors? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.15.1.2 | CCTV pointed at entry points? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.15.1.2.1 | Monitored 24x7x365? | N/A | N/A
F.1.15.1.2.2 | Is CCTV digital? | N/A | N/A
F.1.15.1.2.3 | Is CCTV stored for 90 days or greater? | N/A | N/A
F.1.15.1.3 | Smoke detector? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.15.1.4 | Fire alarm? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.15.1.5 | Wet fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.15.1.6 | Dry fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.15.1.7 | Chemical fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.15.1.8 | Fire extinguishers? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.15.2 | Is access to the mailroom restricted? | 9.1.1.a Physical security perimeter | DS12.1, DS12.2
F.1.15.2.1 | Are logs kept of all access? | 9.1.2.b Physical entry controls | DS12.2, DS12.3
F.1.15.2.2 | Are badge readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.15.2.3 | Are biometric readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.15.2.4 | Are there locked doors requiring a key or PIN at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.15.2.5 | Are cipher locks (electronic or mechanical) used to control access to the mailroom? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.15.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A
F.1.15.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | 8.3.3 Removal of access rights | PO7.8, DS5.4
F.1.15.2.6 | Is there a process for approving access to the mailroom? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.15.2.7 | Is there a process to review access to the mailroom at least every six months? | 9.1.2.e Physical entry controls | DS12.2, DS12.3
F.1.15.2.8 | Is there segregation of duties for issuing and approving access to the mailroom via the use of badges/keys...? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.15.2.9 | Is there a process to report lost access cards / keys? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.15.3 | Are there prop alarms on points of entry? | 9.1.6 Public access, delivery, and loading areas | DS5.7, DS12.1, DS12.3
F.1.15.4 | Do emergency doors only permit egress? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.15.5 | Are visitors permitted into the mailroom? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.16 | Is there a media library to store Target Data? | N/A | N/A
F.1.16.1 | Does the media library contain the following: | N/A | N/A
F.1.16.1.1 | Motion sensors? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.16.1.2 | CCTV pointed at entry points? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.16.1.2.1 | Media library monitored 24x7x365? | N/A | N/A
F.1.16.1.2.2 | Is CCTV digital? | N/A | N/A
F.1.16.1.2.3 | Is CCTV stored for 90 days or greater? | N/A | N/A
F.1.16.1.3 | Mechanisms that thwart tailgating/piggybacking? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.16.1.4 | Windows or glass walls along the perimeter? | 9.1.1.b Physical security perimeter | DS12.1, DS12.2
F.1.16.1.4.1 | Alarms on windows/glass walls? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.16.1.5 | Walls extending from true floor to true ceiling? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.16.1.6 | Air conditioning? | 9.2.1.f Equipment siting and protection | DS5.7, DS12.4
F.1.16.1.7 | Fluid or water sensor? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.16.1.8 | Heat detector? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.16.1.9 | Plumbing above ceiling (excluding fire suppression system)? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.16.1.10 | Raised floor? | N/A | N/A
F.1.16.1.11 | Smoke detector? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.16.1.12 | Fire alarm? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.16.1.13 | Wet fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.16.1.14 | Dry fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.16.1.15 | Chemical fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.16.1.16 | Fire extinguishers? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.16.2 | Is access to the media library restricted? | 9.1.1.a Physical security perimeter | DS12.1, DS12.2
F.1.16.2.1 | Are logs kept of all access? | 9.1.2.b Physical entry controls | DS12.2, DS12.3
F.1.16.2.2 | Are badge readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.16.2.3 | Are biometric readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.16.2.4 | Are there locked doors requiring a key or PIN at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
--- | --- | --- | ---
F.1.16.2.5 | Are cipher locks (electronic or mechanical) used to control access to the media library? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.16.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A
F.1.16.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | 8.3.3 Removal of access rights | PO7.8, DS5.4
F.1.16.2.6 | Is there a process for approving access to the media library? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.16.2.7 | Is there a process to review access to the media library at least every six months? | 9.1.2.e Physical entry controls | DS12.2, DS12.3
F.1.16.2.8 | Is there segregation of duties for issuing and approving access to the media library via the use of badges/keys...? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.16.2.9 | Is there a process to report lost access cards / keys? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.16.3 | Are there prop alarms on points of entry? | 9.1.6 Public access, delivery, and loading areas | DS5.7, DS12.1, DS12.3
F.1.16.4 | Do emergency doors only permit egress? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.16.5 | Are visitors permitted into the media library? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.17 | Is there a printer room to print Target Data? | N/A | N/A
F.1.17.1 | Does the printer room contain the following: | N/A | N/A
F.1.17.1.1 | Motion sensors? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.17.1.1.1 | CCTV pointed at entry points? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.17.1.1.2 | Is the printer room monitored 24x7x365? | N/A | N/A
F.1.17.1.1.3 | Is CCTV digital? | N/A | N/A
F.1.17.1.2 | Is CCTV stored for 90 days or greater? | N/A | N/A
F.1.17.1.3 | Mechanisms that thwart tailgating/piggybacking? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.17.1.4 | Walls extending from true floor to true ceiling? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.17.2 | Is access to the printer room restricted? | 9.1.1.a Physical security perimeter | DS12.1, DS12.2
F.1.17.2.1 | Are logs kept of all access? | 9.1.2.b Physical entry controls | DS12.2, DS12.3
F.1.17.2.2 | Are badge readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.17.2.3 | Are biometric readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.17.2.4 | Are there locked doors requiring a key or PIN at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.17.2.5 | Are cipher locks (electronic or mechanical) used to control access to the printer room? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.17.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A
F.1.17.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | 8.3.3 Removal of access rights | PO7.8, DS5.4
F.1.17.2.6 | Is there a process for approving access to the printer room? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.17.2.7 | Is there a process to review access to the printer room at least every six months? | 9.1.2.e Physical entry controls | DS12.2, DS12.3
F.1.17.2.8 | Is there segregation of duties for issuing and approving access to the printer room via the use of badges/keys...? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.17.2.9 | Is there a process to report lost access cards / keys? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.17.3 | Are there prop alarms on points of entry? | 9.1.6 Public access, delivery, and loading areas | DS5.7, DS12.1, DS12.3
F.1.17.4 | Do emergency doors only permit egress? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.17.5 | Are visitors permitted in the printer room? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.18 | Is there a secured work area where constituents access Target Data? | N/A | N/A
F.1.18.1 | Do secured work area(s) within the facility contain the following: | N/A | N/A
F.1.18.1.1 | Motion sensors? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.18.1.2 | CCTV pointed at entry points? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.18.1.2.1 | Are the secured work areas monitored 24x7x365? | N/A | N/A
F.1.18.1.2.2 | Is CCTV digital? | N/A | N/A
F.1.18.1.2.3 | Is CCTV stored for 90 days or greater? | N/A | N/A
F.1.18.1.3 | Mechanisms that thwart tailgating/piggybacking? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.18.1.4 | Windows or glass walls along the perimeter? | 9.1.1.b Physical security perimeter | DS12.1, DS12.2
F.1.18.1.4.1 | Alarms on windows/glass walls? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.18.2 | Is access to the secured work area(s) restricted? | 9.1.1.a Physical security perimeter | DS12.1, DS12.2
F.1.18.2.1 | Are logs kept of all access? | 9.1.2.b Physical entry controls | DS12.2, DS12.3
F.1.18.2.1.1 | Are access logs regularly reviewed? | 10.1.1.h Documented operating procedures | AI1.1, AI4.4, DS13.1
F.1.18.2.2 | Are badge readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.18.2.3 | Are biometric readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.18.2.4 | Are there locked doors requiring a key or PIN at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.18.2.5 | Are cipher locks (electronic or mechanical) used to control access to the secured work area(s)? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.18.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A
F.1.18.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | 8.3.3 Removal of access rights | PO7.8, DS5.4
F.1.18.2.6 | Is there a process for approving access to the secured work areas? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.18.2.7 | Is there a process to review access to the secured work area(s) at least every six months? | 9.1.2.e Physical entry controls | DS12.2, DS12.3
F.1.18.2.8 | Is there segregation of duties for issuing and approving access to the secured work area(s) via the use of badges/keys...? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.18.2.9 | Is there a process to report lost access cards / keys? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.18.3 | Are there prop alarms on points of entry? | 9.1.6 Public access, delivery, and loading areas | DS5.7, DS12.1, DS12.3
F.1.18.4 | Do emergency doors only permit egress? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.18.5 | Are visitors permitted in the secured work area(s)? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.18.6 | Is there a clean desk policy? | 11.3.3 Clear desk and clear screen policy | PO6.2, DS5.7

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
--- | --- | --- | ---
F.1.18.6.1 | Is a clean desk review performed at least every six months? | 11.3.3 Clear desk and clear screen policy | PO6.2, DS5.7
F.1.18.7 | Do the secured work area(s) contain secured disposal containers, shred bins or shredders? | 10.1.1.f Documented operating procedures | AI1.1, AI4.4, DS13.1
F.1.18.8 | Are physical locks required on portable computers within secured work areas? | 11.7.1 Mobile computing and communications | PO6.2, DS5.2, DS5.3, DS5.7
F.1.18.8.1 | Are reviews performed to ensure that portable computer locks are being used at least every six months? | N/A | N/A
F.1.18.9 | Is there a process for equipment removal from secured work areas? | 9.2.7 Removal of property | PO6.2, DS12.2
F.1.19 | Is there a separate room for telecom equipment (e.g., PBX)? | N/A | N/A
F.1.19.1 | Does the telecom closet/room contain the following: | N/A | N/A
F.1.19.1.1 | Motion sensors? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.19.1.2 | CCTV pointed at entry points? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.19.1.2.1 | Is the telecom closet/room monitored 24x7x365? | N/A | N/A
F.1.19.1.2.2 | Is CCTV digital? | N/A | N/A
F.1.19.1.2.3 | Is CCTV stored for 90 days or greater? | N/A | N/A
F.1.19.1.3 | Mechanisms that thwart tailgating/piggybacking? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.19.1.4 | Windows or glass walls along the perimeter? | 9.1.1.b Physical security perimeter | DS12.1, DS12.2
F.1.19.1.4.1 | Alarms on windows/glass walls? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.1.19.1.5 | Walls extending from true floor to true ceiling? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.19.1.6 | Air conditioning? | 9.2.1.f Equipment siting and protection | DS5.7, DS12.4
F.1.19.1.7 | Fluid or water sensor? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.19.1.8 | Heat detector? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.19.1.9 | Plumbing above ceiling (excluding fire suppression system)? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.19.1.10 | Raised floor? | N/A | N/A
F.1.19.1.11 | Smoke detector? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.19.1.12 | Fire alarm? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.1.19.1.13 | Wet fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.19.1.14 | Dry fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.19.1.15 | Chemical fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.19.1.16 | Fire extinguishers? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.1.19.2 | Is access to the telecom closet/room restricted? | 9.2.3.f.1 Cabling security | DS5.7, DS12.4
F.1.19.2.1 | Are logs kept of all access? | 9.1.2.b Physical entry controls | DS12.2, DS12.3
F.1.19.2.2 | Are badge readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.19.2.3 | Are biometric readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.19.2.4 | Are there locked doors requiring a key or PIN at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.19.2.5 | Are cipher locks (electronic or mechanical) used to control access to the telecom closet/room? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.19.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A
F.1.19.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | 8.3.3 Removal of access rights | PO7.8, DS5.4
F.1.19.2.6 | Is there a process for approving access to the telecom closet/room? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.19.2.7 | Is there a process to review access to the telecom closet/room at least every six months? | 9.1.2.e Physical entry controls | DS12.2, DS12.3
F.1.19.2.8 | Is there segregation of duties for issuing and approving access to the telecom closet/room via the use of badges/keys...? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.19.2.9 | Is there a process to report lost access cards / keys? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.1.19.3 | Are there prop alarms on points of entry? | 9.1.6 Public access, delivery, and loading areas | DS5.7, DS12.1, DS12.3
F.1.19.4 | Do emergency doors only permit egress? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.1.19.5 | Are visitors permitted in the telecom closet/room? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2 | Do the target systems reside in a data center? | N/A | N/A
F.2.1 | Is the data center shared with other tenants? | 9.1.1.g Physical security perimeter | DS12.1, DS12.2
F.2.2 | Does the data center have the following: | N/A | N/A
F.2.2.1 | Air conditioning? | 9.2.1.f Equipment siting and protection | DS5.7, DS12.4
F.2.2.2 | Fluid or water sensor? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.2.2.3 | Heat detector? | 9.2.1.d Equipment siting and protection | DS5.7, DS12.4
F.2.2.4 | Plumbing above ceiling (excluding fire suppression system)? | 9.2.1.d Equipment siting and protection | DS12.4, DS12.5
F.2.2.5 | Raised floor? | N/A | N/A
F.2.2.6 | Smoke detector? | 9.2.1.d Equipment siting and protection | DS12.4, DS12.5
F.2.2.7 | Uninterruptible Power Supply (UPS)? | 9.2.2 Supporting utilities | N/A
F.2.2.8 | Vibration alarm / sensor? | 9.2.1.d Equipment siting and protection | DS12.4, DS12.5
F.2.2.9 | Fire alarm? | 9.2.1.d Equipment siting and protection | DS12.4, DS12.5
F.2.2.10 | Wet fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.2.2.11 | Dry fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.2.2.12 | Chemical fire suppression? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.2.2.13 | Fire extinguishers? | 9.1.4.c Protecting against external and environmental threats | DS12.4
F.2.2.14 | Multiple power feeds? | 9.2.2 Supporting utilities | DS12.4, DS12.5
F.2.2.14.1 | Are the multiple power feeds fed from separate power substations? | 9.2.2 Supporting utilities | DS12.4, DS12.5
F.2.2.15 | Multiple communication feeds? | 9.2.2 Supporting utilities | DS12.4, DS12.5
F.2.2.16 | Emergency power off button? | 9.2.2 Supporting utilities | DS12.4, DS12.5

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
--- | --- | --- | ---
F.2.2.17 | Water pump? | 9.2.2 Supporting utilities | DS12.4, DS12.5
F.2.2.18 | UPS system? | 9.2.2 Supporting utilities | DS12.4, DS12.5
F.2.2.18.1 | Does it support N+1? | 9.2.2 Supporting utilities | DS12.4, DS12.5
F.2.2.19 | Is/are there a generator(s)? | 9.2.2 Supporting utilities | DS12.4, DS12.5
F.2.2.19.1 | Does it support N+1? | 9.2.2 Supporting utilities | DS12.4, DS12.5
F.2.2.20 | Is access to the data center restricted? | 9.1.1.a Physical security perimeter | DS12.1, DS12.2
F.2.2.20.1 | Are logs kept of all access? | 9.1.2.b Physical entry controls | DS12.2, DS12.3
F.2.2.20.1.1 | Are access logs regularly reviewed? | 10.1.1.h Documented operating procedures | AI1.1, AI4.4, DS13.1
F.2.2.20.2 | A process for requesting access to the data center? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.2.20.2.1 | Is there segregation of duties for issuing and approving access to the data center? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.2.2.20.3 | A process to review access to the data center at least every six months? | 9.1.1 Physical security perimeter | DS12.1, DS12.2
F.2.2.20.4 | Are badge readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.2.20.5 | Are biometric readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.2.20.6 | Are there locked doors requiring a key or PIN used at points of entry to the data center? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.2.21 | Is there a mechanism to thwart tailgating / piggybacking into the data center? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.2.22 | Are there security guards at points of entry? | 9.1.1.c Physical security perimeter | DS12.1, DS12.2
F.2.2.22.1 | Do the security guards monitor security systems and alarms? | 9.1.1.c Physical security perimeter | DS12.1, DS12.2
F.2.2.23 | Are visitors permitted in the data center? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.2.23.1 | Are they required to sign in and out of the data center? | 9.1.2.a Physical entry controls | DS12.2, DS12.3
F.2.2.23.2 | Are they escorted within the data center? | 9.1.2.c Physical entry controls | DS12.2, DS12.3
F.2.2.24 | Are all entry and exit points to the data center alarmed? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.2.2.24.1 | Are there alarm motion sensors monitoring the data center? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.2.2.24.2 | Are there alarm contact sensors on the data center doors? | 9.1.1.f Physical security perimeter | DS12.1, DS12.2
F.2.2.24.3 | Are there prop alarms on data center doors? | 9.1.6 Public access, delivery, and loading areas | DS5.7, DS12.1, DS12.3
F.2.2.25 | Do emergency doors only permit egress? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.2.2.26 | CCTV used to monitor data center? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.2.2.26.1 | Pointed at entry points to the data center? | N/A | N/A
F.2.2.26.2 | Monitored 24x7x365? | N/A | N/A
F.2.2.26.3 | Stored at least 90 days? | N/A | N/A
F.2.2.27 | Walls extending from true floor to true ceiling? | 9.2.1.d Equipment siting and protection | DS12.4, DS12.5
F.2.2.28 | Walls, doors and windows at least one hour fire rated? | 9.2.1.d Equipment siting and protection | DS12.4, DS12.5
F.2.2.29 | Windows or glass walls along the perimeter? | 9.1.1.b Physical security perimeter | DS12.1, DS12.2
F.2.3 | Does the Target Data reside in a caged environment within a data center? | N/A | N/A
F.2.3.1 | Does the caged environment have the following: | N/A | N/A
F.2.3.1.1 | Badge readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.3.1.2 | Biometric readers used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.3.1.3 | Locks requiring a key or PIN used at points of entry? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.3.1.4 | A process for requesting access? | 9.1.1.a Physical security perimeter | DS12.1, DS12.2
F.2.3.1.5 | Segregation of duties for granting and storage of cage access and access devices (e.g., badges, keys, etc.)? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.2.3.1.6 | A list maintained of personnel with cards / keys to the caged environment? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.3.1.7 | A process to report lost access cards / keys? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.3.2 | A process to review access to the cage at least every six months? | 9.1.1 Physical security perimeter | DS12.1, DS12.2
F.2.3.3 | A process to collect access equipment (e.g., badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access? | 9.1.2.e Physical entry controls | DS12.2, DS12.3
F.2.3.4 | Are visitors permitted in the caged environment? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.3.4.1 | Are they required to sign in and out of the caged area? | 9.1.2.a Physical entry controls | DS12.2, DS12.3
F.2.3.4.2 | Are they escorted within the cage? | 9.1.2.c Physical entry controls | DS12.2, DS12.3
F.2.3.5 | CCTV used to monitor entry points to the caged environment? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.2.3.5.1 | Monitored 24x7x365? | N/A | N/A
F.2.3.5.2 | Stored at least 90 days? | N/A | N/A
F.2.4 | Does the Target Data reside in a locked cabinet(s)? | N/A | N/A
F.2.4.1 | Are cabinets shared? | 9.1.1.g Physical security perimeter | DS12.1, DS12.2
F.2.4.2 | Does the cabinet have the following: | N/A | N/A
F.2.4.2.1 | Is access to the cabinet restricted? | 9.1.1.a Physical security perimeter | DS12.1, DS12.2
F.2.4.2.2 | Are logs kept of all access? | 9.1.2.b Physical entry controls | DS12.2, DS12.3
F.2.4.2.3 | A process for requesting access? | 9.1.1.a Physical security perimeter | DS12.1, DS12.2
F.2.4.2.4 | Segregation of duties for storage and granting of cabinet access devices (e.g., badges, keys, etc.)? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.2.4.2.5 | Segregation of duties in granting and approving access to the cabinet(s)? | 11.1.1.h Access control policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.2.4.2.6 | A list maintained of personnel with cards / keys to the cabinet? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.4.2.7 | A process to report lost access cards / keys? | 9.1.2 Physical entry controls | DS12.2, DS12.3
F.2.4.2.8 | A process to collect access equipment (e.g., badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access? | 9.1.2.e Physical entry controls | DS12.2, DS12.3
F.2.4.2.9 | Is CCTV used to monitor the cabinets? | 9.1.1.e Physical security perimeter | DS12.1, DS12.2
F.2.4.2.9.1 | Monitored 24x7x365? | N/A | N/A
F.2.4.2.9.2 | Stored at least 90 days? | N/A | N/A
F.2.4.3 | Is there a policy on using locking screensavers on unattended system displays or locks on consoles within the data center? | 11.3.2.a Unattended user equipment; 11.3.3 Clear desk and clear screen policy | PO6.2, DS5.7

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
--- | --- | --- | ---
F.2.4.4 | Is there a procedure for equipment removal from the data center? | 9.2.7 Removal of property | PO6.2, DS12.2
F.2.5 | Is there a preventive maintenance process or current maintenance contracts in place for the following: | N/A | N/A
F.2.5.1 | UPS system? | 9.2.4 Equipment maintenance | AI3.3, DS12.5, DS13.5
F.2.5.2 | Security system? | 9.2.4 Equipment maintenance | AI3.3, DS12.5, DS13.5
F.2.5.3 | Generator? | 9.2.4 Equipment maintenance | AI3.3, DS12.5, DS13.5
F.2.5.4 | Batteries? | 9.2.4 Equipment maintenance | AI3.3, DS12.5, DS13.5
F.2.5.5 | Fire alarm? | 9.2.4 Equipment maintenance | AI3.3, DS12.5, DS13.5
F.2.5.6 | Fire suppression systems? | 9.2.4 Equipment maintenance | AI3.3, DS12.5, DS13.5
F.2.5.7 | HVAC? | 9.2.4 Equipment maintenance | AI3.3, DS12.5, DS13.5
F.2.6 | Are the following tested: | N/A | N/A
F.2.6.1 | UPS system - annually? | N/A | N/A
F.2.6.2 | Security alarm system - annually? | N/A | N/A
F.2.6.3 | Fire alarms - annually? | N/A | N/A
F.2.6.4 | Fire suppression system - annually? | N/A | N/A
F.2.6.5 | Generators - monthly? | N/A | N/A
F.2.6.6 | Generators full load tested - monthly? | N/A | N/A

SIG Question # Question Text G. Co""unications an# O/e$ations *ana'e"ent Are operating proced#res #tiliEed& Are operating proced#res doc#%ented5 %aintained5 and %ade availa0le to all #sers *ho need the%&

ISO 27002:2005 Relevance

COBIT 4.1 Relevance

".1 ".1.1

10.1.1 10.1.1

Doc#%ented (perating Proced#re Doc#%ented (perating Proced#re

A!1.15 A!'.'5 DS1-.1 A!1.15 A!'.'5 DS1-.1 P(-.15 P(6.-5 P(6.'5 P(,.-5 P().'5 DS6.25 DS6.-5 +?2.25 +?2.65 +?2. 5 +?'. P(,.15 P(,.25 P(,.-5 P(,.65 DS6.25 DS6.-5 +?2.1 P(,.15 P(,.25 P(,.-5 P(,.65 DS6.25 DS6.-5 +?2.1 A!1.15 A!'.'5 DS1-.1 12A A!1.15 A!'.'5 DS1-.1 A!1.15 A!'.'5 DS1-.1 A!1.15 A!'.'5 DS1-.1 A!1.15 A!'.'5 DS1-.1 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 P(-.15 P(6.-5 P(6.'5 P(,.-5 P().'5 DS6.25 DS6.-5 +?2.25 +?2.65 +?2. 5 +?'. P(,.15 P(,.25 P(,.-5 P(,.65 DS6.25 DS6.-5 +?2.1 P(,.15 P(,.25 P(,.-5 P(,.65 DS6.25 DS6.-5 +?2.1 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 12A A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 12A A!2.,5 A!,.25 A!,.-5 A! .2 12A A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 12A A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!,.15 A!,.25 A!,.-5 A!,.'5 A!,.6 A!2.,5 A!,.25 A!,.-5 A! .2 P('.115 DS6.' S!" to !nd#str$ Standard Relevance

".1.1.1

/as it 0een approved 0$ %anage%ent&

6.1.2

Revie* (f The !nfor%ation Sec#rit$ Polic$

".1.1.2

/as the polic$ 0een p#0lished&

6.1.1

!nfor%ation Sec#rit$ Polic$ Doc#%ent

".1.1.".1.1.' ".1.2 ".1.2.1 ".1.2.2 ".1.2.".1.2.' ".2 ".2.1

SIG Question # | Question Text | ISO 27002:2005 Relevance
 | Has it been communicated to appropriate constituents? | 5.1.1 Information Security Policy Document
 | Is there an owner to maintain and review the policy? | 10.1.1 Documented Operating Procedure
 | Do procedures include the following: | N/A
 | Processing and handling of information? | 10.1.1.a Documented Operating Procedure
 | Scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times? | 10.1.1.c Documented Operating Procedure
 | Support contacts in the event of unexpected operational or technical difficulties? | 10.1.1.e Documented Operating Procedure
 | System restart and recovery procedures for use in the event of system failure? | 10.1.1.g Documented Operating Procedure
 | Is there a formal operational change management / change control process? | 10.1.2 Change Management
 | Is the operational change management process documented? | 10.1.2 Change Management
G.2.1.1 | Has it been approved by management? | 5.1.2 Review Of The Information Security Policy
G.2.1.2 | Has the policy been published? | 5.1.1 Information Security Policy Document
G.2.1.3 | Has it been communicated to appropriate constituents? | 5.1.1 Information Security Policy Document
G.2.1.4 | Is there an owner to maintain and review the policy? | 10.1.2 Change Management
G.2.2 | Does the change management / change control process require the following: | N/A
G.2.2.1 | Documentation of changes? | 10.1.2.a Change Management
G.2.2.2 | Request, review and approval of proposed changes? | 10.1.2.a, 10.1.2.d Change Management
G.2.2.3 | Pre-implementation testing? | 10.1.2.b Change Management
G.2.2.4 | Post-implementation testing? | 10.1.2.b Change Management
G.2.2.5 | Review for potential security impact? | 10.1.2.c Change Management
G.2.2.6 | Review for potential operational impact? | 10.1.2.c Change Management
G.2.2.7 | Customer / client approval (when applicable)? | 10.1.2.d Change Management
G.2.2.8 | Changes are communicated to all relevant constituents? | 10.1.2.e Change Management
G.2.2.9 | Rollback procedures? | 10.1.2.f Change Management
G.2.2.10 | Maintaining change control logs? | 10.1.2 Change Management
G.2.2.11 | Security approval? | N/A
G.2.2.12 | Code reviews by information security prior to the implementation of internally developed applications and / or application updates? | 12.5.1 Change Control Procedures
G.2.2.13 | Information security's approval required prior to the implementation of changes? | N/A
G.2.3 | Are the following changes to the production environment subject to the change control process: | 10.1.2 Change Management
G.2.3.1 | Network? | N/A
G.2.3.2 | Systems? | 10.1.2 Change Management
G.2.3.3 | Application updates? | 10.1.2 Change Management
G.2.3.4 | Code changes? | 10.1.2 Change Management
G.2.4 | Are application owners notified of all operating system changes? | 12.5.2.c Technical Review Of Applications After Operating System Changes
G.2.5 | Is the requestor of the change separate from the approver? | 10.1.3 Segregation Of Duties

All Rights Reserved Valores Corporativos Softtek S.A. de C.V. 2011. Confidential.

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
G.2.6 | Is there a segregation of duties for approving a change and those implementing the change? | 10.1.3 Segregation Of Duties | PO4.11, DS5.4
G.3 | Is application development performed? | 12.5 Security In Development And Support Processes | AI2.4, AI7.4, AI7.6, DS11.3, DS11.6
G.3.1 | Is a development, test, staging, QA or production environment supported and maintained? | N/A | N/A
G.3.1.1 | Which of the following environments are supported: | N/A | N/A
G.3.1.1.1 | Development? | N/A | N/A
G.3.1.1.2 | Test? | N/A | N/A
G.3.1.1.3 | QA? | N/A | N/A
G.3.1.1.4 | Staging? | N/A | N/A
G.3.1.1.5 | Production? | N/A | N/A
G.3.1.2 | How are the production, test and development environments segregated: | 10.1.4 Separation Of Development, Test, And Operational Facilities | PO4.11, AI3.4, AI7.4
G.3.1.2.1 | Logically? | N/A | N/A
G.3.1.2.2 | Physically? | N/A | N/A
G.3.1.2.3 | Both? | N/A | N/A
G.3.1.2.4 | No segregation? | N/A | N/A
G.3.1.3 | Is data from multiple clients co-mingled in any of the following: | N/A | N/A
G.3.1.3.1 | Servers? | N/A | N/A
G.3.1.3.2 | Database instances? | N/A | N/A
G.3.1.3.3 | SAN? | N/A | N/A
G.3.1.3.4 | LPAR? | N/A | N/A
G.3.1.3.5 | Other (Please explain in the "Additional Information" column)? |  N/A | N/A
G.4 | Do third party vendors have access to Target Data (e.g., backup vendors, service providers, equipment support vendors, etc.)? | N/A | N/A
G.4.1 | Does a third party provide: | N/A | N/A
G.4.1.1 | Physical site (co-location, etc.)? | N/A | N/A
G.4.1.2 | Site management? | N/A | N/A
G.4.1.3 | Network services - data? | N/A | N/A
G.4.1.4 | Network services - telephony? | N/A | N/A
G.4.1.5 | Firewall management? | N/A | N/A
G.4.1.6 | IDS (Intrusion Detection System)? | N/A | N/A
G.4.1.7 | Router configuration and management? | N/A | N/A
G.4.1.8 | Anti-virus? | N/A | N/A
G.4.1.9 | System admin. (server management and support)? | N/A | N/A
G.4.1.10 | Security administration? | N/A | N/A
G.4.1.11 | Development? | N/A | N/A
G.4.1.12 | Managed host? | N/A | N/A
G.4.1.13 | Media vaulting (offsite storage)? | N/A | N/A
G.4.1.14 | Physical security? | N/A | N/A
G.4.1.15 | Vulnerability assessment (ethical hack testing)? | 12.6.1 Control Of Technical Vulnerabilities | AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2
G.4.1.16 | Security infrastructure engineering? | N/A | N/A
G.4.1.17 | Business continuity management? | N/A | N/A
G.4.1.18 | Other (Please explain in the "Additional Information" column)? | N/A | N/A
G.4.2 | Is there a process to review the security of a third party vendor prior to engaging their services? | 10.2.1 Service Delivery | DS1.1, DS1.2, DS1.3, DS2.4
G.4.3 | Is there a process to review the security of a third party vendor on an ongoing basis? | 10.2.2 Monitoring And Review Of Third Party Services | DS1.5, DS2.4, ME2.6
G.4.4 | Are risk assessments or reviews conducted on your third parties? | 6.2.1 Identification Of Risks Related To External Parties | PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3
G.4.5 | Have third party vendors undergone a security audit in the last 12 months? | N/A | N/A
G.4.6 | Are third parties required to adhere to your policies and standards? | N/A | N/A
G.4.7 | Are confidentiality agreements and/or Non Disclosure Agreements required of third party vendors? | 6.2.3.b Addressing Security In Third Party Agreements | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
G.4.8 | Are third party vendors required to notify of any changes that might affect services rendered? | 10.2.3 Managing Changes To Third Party Services | DS1.5, DS2.2, DS2.3
G.4.9 | Are any of the following outsourced to an offshore third party vendor: | N/A | N/A
G.4.9.1 | Physical site (co-location, etc.)? | N/A | N/A
G.4.9.2 | Site management? | N/A | N/A
G.4.9.3 | Network services - data? | N/A | N/A
G.4.9.4 | Network services - telephony? | N/A | N/A
G.4.9.5 | Firewall management? | N/A | N/A
G.4.9.6 | IDS (Intrusion Detection System)? | N/A | N/A
G.4.9.7 | Router configuration and management? | N/A | N/A
G.4.9.8 | Anti-virus? | N/A | N/A
G.4.9.9 | System admin. (server management and support)? | N/A | N/A
G.4.9.10 | Security administration? | N/A | N/A
G.4.9.11 | Development? | N/A | N/A
G.4.9.12 | Managed host? | N/A | N/A
G.4.9.13 | Other (Please explain in the "Additional Information" column)? | N/A | N/A
G.5 | Are system resources reviewed to ensure adequate capacity is maintained? | 10.3.1 Capacity Management | DS3.1, DS3.2, DS3.3
G.6 | Are criteria for accepting new information systems, upgrades, and new versions established? | 10.3.2 System acceptance | PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7

SIG to Industry Standard Relevance

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
G.6.1 | Are the following criteria taken into consideration prior to formal acceptance: | N/A (System acceptance) | N/A
G.6.1.1 | Performance and computer capacity requirements? | 10.3.2.a System acceptance | PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7
G.6.1.2 | Error recovery and restart procedures? | 10.3.2.b System acceptance | PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7
G.6.1.3 | Preparation and testing of routine operating procedures to defined standards? | 10.3.2.c System acceptance | PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7
G.6.1.4 | Agreed set of security controls in place? | 10.3.2.d System acceptance | PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7
G.6.1.5 | Effective manual procedures? | 10.3.2.e System acceptance | PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7
G.6.1.6 | Business continuity arrangements? | 10.3.2.f System acceptance | PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7
G.6.1.7 | Evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times, such as month end? | 10.3.2.g System acceptance | PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7
G.6.1.8 | Evidence that consideration has been given to the effect the new system has on the overall security of the organization? | 10.3.2.h System acceptance | PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7
G.6.1.9 | Training in the operation or use of new systems? | 10.3.2.i System acceptance | PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7
G.6.2 | Are suitable tests of the system(s) carried out during development and prior to acceptance? | 10.3.2 System acceptance | PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7
G.7 | Are anti-virus products used? | 10.4.1 Controls Against Malicious Code | DS5.9
G.7.1 | Is there an anti-virus / malware policy or process? | 10.4.1.e Controls Against Malicious Code | DS5.9
G.7.1.1 | Has it been approved by management? | 5.1.2 Review Of The Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
G.7.1.2 | Has the policy been published? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.7.1.3 | Has it been communicated to appropriate constituents? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.7.1.4 | Is there an owner to maintain and review the policy? | 5.1.2 Review Of The Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
G.7.2 | Has anti-virus software been installed on the following: | N/A | N/A
G.7.2.1 | Workstations? | N/A | N/A
G.7.2.2 | Mobile devices (e.g., PDA, blackberry, palm pilot, etc.)? | N/A | N/A
G.7.2.3 | Windows servers? | N/A | N/A
G.7.2.4 | UNIX and UNIX-based systems (e.g., Linux, Sun Solaris, HP-UX, etc.)? | N/A | N/A
G.7.2.5 | Email servers? | N/A | N/A
G.7.3 | Is there a process for emergency anti-virus signature updates? | N/A | N/A
G.7.4 | How frequently do systems automatically check for new signature updates: | 10.4.1.d Controls Against Malicious Code | DS5.9
G.7.4.1 | An hour or less? | N/A | N/A
G.7.4.2 | One day or less? | N/A | N/A
G.7.4.3 | One week or less? | N/A | N/A
G.7.4.4 | One month or less? | N/A | N/A
G.7.5 | What is the interval between the availability of the signature update and its deployment: | 10.4.1.d Controls Against Malicious Code | DS5.9
G.7.5.1 | An hour or less? | N/A | N/A
G.7.5.2 | One day or less? | N/A | N/A
G.7.5.3 | One week or less? | N/A | N/A
G.7.5.4 | One month or less? | N/A | N/A
G.7.6 | Are workstation scans scheduled daily? | 10.4.1.d Controls Against Malicious Code | DS5.9
G.7.6.1 | If not, is on-access / real-time scanning enabled on all workstations? | 10.4.1.d Controls Against Malicious Code | DS5.9
G.7.7 | Are server scans scheduled daily? | 10.4.1.d Controls Against Malicious Code | DS5.9
G.7.7.1 | If not, is on-access / real-time scanning enabled on all servers? | 10.4.1.d Controls Against Malicious Code | DS5.9
G.7.8 | Can a non-administrative user disable anti-virus software? | N/A | N/A
G.7.9 | Are reviews conducted at least monthly to detect unapproved files or unauthorized changes? | 10.4.1.c Controls Against Malicious Code | DS5.9
G.8 | Are system backups of Target Data performed? | 10.5.1 Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.1 | Is there a policy surrounding backup of production data? | 10.5.1 Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
G.8.1.1 | Has it been approved by management? | 5.1.2 Review Of The Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
G.8.1.2 | Has the policy been published? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.8.1.3 | Has it been communicated to appropriate constituents? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.8.1.4 | Is there an owner to maintain and review the policy? | 5.1.2 Review Of The Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
G.8.2 | Does the policy/process include the following: | 10.5.1 Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.2.1 | Accurate and complete records of backup copies? | 10.5.1.b Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.2.2 | Restoration procedures? | 10.5.1.b Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.2.3 | The extent and frequency of backups? | 10.5.1.c Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.2.4 | A requirement to store backups to avoid any damage from a disaster at the main site? | 10.5.1.d Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.2.5 | A requirement to test backup media at least annually? | 10.5.1.f Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.2.6 | The review and testing of restoration procedures? | 10.5.1.g Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.2.7 | A requirement for classified Target Data to be encrypted? | 10.5.1.h Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.3 | Is backup of Target Data performed: | 10.5.1 Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.3.1 | Real-time? | N/A | N/A
G.8.3.2 | Daily? | N/A | N/A
G.8.3.3 | Weekly? | N/A | N/A
G.8.3.4 | Monthly? | N/A | N/A
G.8.3.5 | Never? | N/A | N/A
G.8.3.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A
G.8.4 | Is backup data retained: | 10.5.1 Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.4.1 | One day or less? | N/A | N/A
G.8.4.2 | One week or less? | N/A | N/A
G.8.4.3 | One month or less? | N/A | N/A
G.8.4.4 | Six months or less? | N/A | N/A
G.8.4.5 | One year or less? | N/A | N/A
G.8.4.6 | One to seven years? | N/A | N/A
G.8.4.7 | Seven years or more? | N/A | N/A
G.8.5 | Are tests performed regularly to determine: | 10.5.1.f Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.5.1 | Successful backup of data? | 10.5.1.f Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.5.2 | Ability to recover the data? | 10.5.1.f Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.5.3 | Is Target Data encrypted on backup media? | 10.5.1.h Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.6 | Are cryptographic keys, shared secrets and Random Number Generator (RNG) seeds being encrypted in backup or archival when necessary? | 10.5.1.h Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.7 | Is access to backup media: | N/A | N/A
G.8.7.1 | Restricted to authorized personnel only? | 10.5.1.e Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.7.2 | Formally requested? | 10.5.1.e Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.7.3 | Formally approved? | 10.5.1.e Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.7.4 | Logged? | 10.5.1.e Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8 | Is backup media stored offsite? | 10.5.1.d Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.1 | For offsite media, are there processes to address: | N/A | N/A
G.8.8.1.1 | Secure transport? | 10.8.3 Physical Media In Transit | DS11.6
G.8.8.1.2 | Tracking shipments? | 10.8.2.a & 10.8.2.b Exchange Agreements | PO2.3, PO3.4, AI5.2, DS2.3
G.8.8.1.3 | Verification of receipt? | 10.8.2.a & 10.8.2.b Exchange Agreements | PO2.3, PO3.4, AI5.2, DS2.3
G.8.8.1.4 | Destruction of offsite backup media? | 10.7.2.a Disposal Of Media | DS11.3, DS11.4
G.8.8.1.5 | Rotation of offsite backup media? | 10.8.3 Physical Media In Transit | DS11.6

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
G.8.8.2 | How long is backup data retained offsite: | 10.5.1 Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.2.1 | One day or less? | N/A | N/A
G.8.8.2.2 | One week or less? | N/A | N/A
G.8.8.2.3 | One month or less? | N/A | N/A
G.8.8.2.4 | Six months or less? | N/A | N/A
G.8.8.2.5 | One year or less? | N/A | N/A
G.8.8.2.6 | One to seven years? | N/A | N/A
G.8.8.2.7 | Seven years or more? | N/A | N/A
G.8.8.3 | Are tests performed regularly to determine: | N/A | N/A
G.8.8.3.1 | Successful backup of data? | 10.5.1.f Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.3.2 | Ability to recover the data? | 10.5.1.f Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.3.3 | Is Target Data encrypted on offsite backup media? | 10.5.1.h Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.4 | Is access to offsite backup media: | N/A | N/A
G.8.8.4.1 | Restricted to authorized personnel only? | 10.5.1.e Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.4.2 | Formally requested? | 10.5.1.e Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.4.3 | Formally approved? | 10.5.1.e Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.4.4 | Logged? | 10.5.1.e Information Back-Up | DS4.9, DS11.2, DS11.5, DS11.6
G.9 | Are there external network connections (Internet, Intranet, Extranet, etc.)? | N/A | N/A
G.9.1 | Is there a documented process for securing and hardening network devices? | 10.6.1.e Network Controls | PO4.1, DS5.9, DS5.11
G.9.1.1 | If so, does it address the following items: | N/A | N/A
G.9.1.1.1 | Base installation and configuration standards? | N/A | N/A
G.9.1.1.2 | Establishing strong password controls? | 11.5.3 Password Management System | DS5.4
G.9.1.1.3 | Changing default passwords? | 11.2.3.h User Password Management | DS5.3
G.9.1.1.4 | SNMP community strings changed? | 11.4.4 Remote Diagnostic And Configuration Port Protection | DS5.7, DS5.9, DS5.11
G.9.1.1.5 | Establishing and maintaining access controls? | 11.5.4.i Use Of System Utilities | AI6.3, DS5.7
G.9.1.1.6 | Removing known vulnerable configurations? | 12.6.1.a Control Of Technical Vulnerabilities | AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2
G.9.1.1.7 | Version management? | 12.6.1 Control Of Technical Vulnerabilities | AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2
G.9.1.1.8 | Disabling unnecessary services? | 11.4.4 Remote Diagnostic And Configuration Port Protection | DS5.7, DS5.9, DS5.11
G.9.1.1.9 | Remote equipment management? | 10.6.1.b Network Controls | PO4.1, DS5.9, DS5.11
G.9.1.1.10 | Logging of all patches? | 12.6.1.h Control Of Technical Vulnerabilities | AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2
G.9.1.1.11 | High risk systems are patched first? | 12.6.1.j Control Of Technical Vulnerabilities | AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2
G.9.1.2 | Are network devices regularly reviewed and/or monitored for continued compliance to security requirements? | 15.2.2 Technical Compliance Checking | DS5.5, DS5.7, ME2.5
G.9.1.2.1 | Is non-compliance reported and resolved? | 15.2.1 Compliance With Security Policies And Standards | PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
G.9.2 | Is every connection to an external network terminated at a firewall? | 11.4.5 Segregation In Networks | DS5.9, DS5.11
G.9.3 | Are network devices configured to prevent communications from unapproved networks? | 11.4.5 Segregation In Networks | DS5.9, DS5.11
G.9.4 | Are routing protocols configured to use authentication? | 11.4.7 Network Routing Control | DS5.9, DS5.11
G.9.5 | Do network devices deny all access by default? | 11.1.1.B Access Control Policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
G.9.6 | Is there a process to request, approve, log, and review access to networks across network devices? | 11.4.1.b Policy On Use Of Network Services | DS5.9, DS5.11
G.9.7 | Are network traffic events logged to support historical or incident research? | 10.6.1.d Network Controls | PO4.1, DS5.9, DS5.11
G.9.7.1 | Do network device logs contain the following: | 10.6.1.d Network Controls | PO4.1, DS5.9, DS5.11
G.9.7.1.1 | Source IP address? | 10.10.1.j Audit Logging | AI2.3, DS5.7
G.9.7.1.2 | Source TCP port? | 10.10.1.j Audit Logging | AI2.3, DS5.7
G.9.7.1.3 | Destination IP address? | 10.10.1.j Audit Logging | AI2.3, DS5.7
G.9.7.1.4 | Destination TCP port? | 10.10.1.j Audit Logging | AI2.3, DS5.7
G.9.7.1.5 | Protocol? | 10.10.1.j Audit Logging | AI2.3, DS5.7
G.9.7.1.6 | Device errors? | 10.10.5 Fault Logging | AI2.3, DS5.7
G.9.7.1.7 | Configuration change time? | 10.10.1.b & 10.10.1.f Audit Logging | AI2.3, DS5.7
G.9.7.1.8 | User ID making configuration change? | 10.10.1.a & 10.10.1.f Audit Logging | AI2.3, DS5.7
G.9.7.1.9 | Security alerts? | 10.10.1.d & 10.10.1.e Audit Logging | AI2.3, DS5.7

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
G.9.7.1.10 | Successful logins? | 10.10.1.d Audit Logging | AI2.3, DS5.7
G.9.7.1.11 | Failed login attempts? | 10.10.1.d Audit Logging | AI2.3, DS5.7
G.9.7.1.12 | Configuration changes? | 10.10.1.f Audit Logging | AI2.3, DS5.7
G.9.7.1.13 | Administrative activity? | 10.10.4 Administrator And Operator Logs | DS5.5, DS5.7, ME2.2, ME2.5
G.9.7.1.14 | Disabling of audit logs? | 10.10.1.l Audit Logging | AI2.3, DS5.7
G.9.7.1.15 | Deletion of audit logs? | 10.10.1.l Audit Logging | AI2.3, DS5.7
G.9.7.1.16 | Changes to security settings? | 10.10.1.f Audit Logging | AI2.3, DS5.7
G.9.7.1.17 | Changes to access privileges? | 10.10.1.g Audit Logging | AI2.3, DS5.7
G.9.7.1.18 | Event date and time? | 10.10.1.b Audit Logging | AI2.3, DS5.7
G.9.7.2 | In the event of a network device audit log failure, does the network device: | 10.10.5 Fault Logging | AI2.3, DS5.7
G.9.7.2.1 | Generate an alert? | N/A | N/A
G.9.7.2.2 | Prevent further connections? | N/A | N/A
G.9.7.2.3 | Continue operating normally? | N/A | N/A
G.9.7.3 | Are network system audit log sizes monitored to ensure availability of disk space? | 10.10.3.c Protection Of Log Information | DS5.5, DS5.7
G.9.7.4 | Is the overwriting of audit logs disabled? | 10.10.3.b Protection Of Log Information | DS5.5, DS5.7
G.9.7.5 | Are audit logs backed up? | 10.10.3 Protection Of Log Information | DS5.5, DS5.7
G.9.7.6 | Are the logs from network devices aggregated to a central server? | 10.10.3 Protection Of Log Information | DS5.5, DS5.7
G.9.8 | Are security patches regularly reviewed and applied to network devices? | 12.6.1.d Control Of Technical Vulnerabilities | AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2
G.9.9 | Is there an approval process prior to implementing or installing a network device? | 10.1.2.d Change Management | AI6.1, AI6.2, AI6.3, AI6.4, AI6.5
G.9.10 | Is communication through the network device controlled at both the port and IP address level? | 11.4.7 Network Routing Control | DS5.9, DS5.11
G.9.11 | Is there a documented standard for the ports allowed through the network devices? | 10.6.2.c Security Of Network Services | DS5.7, DS5.9, DS5.11
G.9.12 | Do production servers share IP subnet ranges with other networks? | N/A | N/A
G.9.13 | Are critical network segments isolated? | 11.4.5 Segregation In Networks | DS5.9, DS5.11
G.9.14 | Is a solution present to prevent unauthorized devices from physically connecting to the internal network? | 11.4.3 Equipment Identification In Networks | DS5.7, DS5.9, DS5.11, DS9.2
G.9.15 | Are internal systems required to pass through a content filtering proxy prior to accessing the Internet? | 11.4.7 Network Routing Control | DS5.9, DS5.11
G.9.16 | Is there an approval process to allow the implementation of extranet connections? | 11.4.1.b Policy On Use Of Network Services | DS5.9, DS5.11
G.9.17 | Are insecure protocols used (e.g., telnet used to access network devices)? | 11.4.1.d Policy On Use Of Network Services | DS5.9, DS5.11
G.9.18 | Is access to diagnostic or maintenance ports on network devices restricted? | 11.4.4 Remote Diagnostic And Configuration Port Protection | DS5.7, DS5.9, DS5.11
G.9.19 | Are there Extranet connections into the environment? | N/A | N/A
G.9.19.1 | Who owns the network devices and termination points in existing extranets: | 11.4.7 Network Routing Control | DS5.9, DS5.11
G.9.19.1.1 | Company? | N/A | N/A
G.9.19.1.2 | Third party? | N/A | N/A
G.9.19.1.3 | Mixed environment? | N/A | N/A
G.9.19.2 | Who manages the network devices and termination points in existing extranets: | 11.4.7 Network Routing Control | DS5.9, DS5.11
G.9.19.2.1 | Company? | N/A | N/A
G.9.19.2.2 | Third party? | N/A | N/A
G.9.19.2.3 | Mixed environment? | N/A | N/A
G.9.19.3 | Are non-company owned network devices segregated from the network via firewall? | 11.4.7 Network Routing Control | DS5.9, DS5.11
G.9.19.4 | Do Internet-facing network devices block traffic that would allow for configuration changes from external sources? | 11.4.4 Remote Diagnostic And Configuration Port Protection | DS5.7, DS5.9, DS5.11
G.9.19.5 | Do Internet-facing network devices block traffic that would allow for degradation or denial of service from external sources? | 11.4.4 Remote Diagnostic And Configuration Port Protection | DS5.7, DS5.9, DS5.11
G.9.19.6 | Is there a separate network segment or endpoints for remote access? | 11.7.1 Mobile Computing And Communications | PO6.2, DS5.2, DS5.3, DS5.7
G.9.19.7 | Are firewall rule sets and network access control lists reviewed: | N/A | N/A
G.9.19.7.1 | Every three months or less? | N/A | N/A
G.9.19.7.2 | Between three months and one year? | N/A | N/A
G.9.19.7.3 | Never? | N/A | N/A
G.9.20 | Is there a DMZ environment within the network that transmits, processes or stores Target Data? | N/A | N/A
G.9.20.1 | Are the IP addresses associated with DMZ devices Internet routable? | N/A | N/A
G.9.20.2 | Is the network on which Internet-facing systems reside segregated from the internal network, i.e., DMZ? | 11.4.5 Segregation In Networks | DS5.9, DS5.11
G.9.20.3 | Is the DMZ limited to only those servers that require access from the Internet? | 11.4.5 Segregation In Networks | DS5.9, DS5.11
G.9.20.4 | Is an administrative relay or intermediary system present to initiate any interactive OS level access into DMZ? | N/A | N/A
G.9.20.5 | Is the DMZ segregated by two physically separate firewalls? | N/A | N/A
G.9.20.6 | Are the logs for DMZ monitoring tools and devices stored on the internal network? | 10.10.3 Protection Of Log Information | DS5.5, DS5.7
G.9.20.7 | Are there separate DMZ segments for devices that: | N/A | N/A
G.9.20.7.1 | Only accept traffic initiated from the Internet? | 11.4.5 Segregation In Networks | DS5.9, DS5.11
G.9.20.7.2 | Only initiate outbound traffic to the Internet? | 11.4.5 Segregation In Networks | DS5.9, DS5.11
G.9.20.7.3 | Accept and initiate connections to / from the Internet? | 11.4.5 Segregation In Networks | DS5.9, DS5.11
G.9.20.8 | Are systems that manage and monitor the DMZ located in a separate network? | 10.10.3 Protection Of Log Information | DS5.5, DS5.7
G.9.21 | Is there a Network Intrusion Detection/Prevention System? | 10.10.3 Protection Of Log Information | DS5.5, DS5.7

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
G.9.21.1 | Is there a network Intrusion Detection system? | 10.6.2 Security Of Network Services | DS5.7, DS5.9, DS5.11
G.9.21.1.1 | If so, is it in place on the following network segments: | N/A | N/A
G.9.21.1.1.1 | Internet point-of-presence? | N/A | N/A
G.9.21.1.1.2 | DMZ? | N/A | N/A
G.9.21.1.1.3 | Extranet? | N/A | N/A
G.9.21.1.1.4 | Internal production network? | N/A | N/A
G.9.21.1.1.5 | Network segment hosting Target Data? | N/A | N/A
G.9.21.1.2 | Is the IDS configured to generate alerts when incidents and values exceed normal thresholds? | 10.10.2.c.4 Monitoring System Use | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.9.21.1.3 | Is there a process to regularly update signatures based on new threats? | 10.4.1.d Controls Against Malicious Code | DS5.9
G.9.21.1.4 | Is the system monitored 24x7x365? | 10.6.1.d Network Controls | PO4.1, DS5.9, DS5.11
G.9.21.1.5 | In the event of a NIDS functionality failure, is an alert generated? | 10.10.2.d Monitoring System Use | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.9.21.1.6 | Does NIDS inspect encrypted traffic? | 12.3.1.g Policy On The Use Of Cryptographic Controls | PO6, AI2, DS5
G.9.21.1.7 | Do NIDS events feed into the Incident Management process? | N/A | N/A
G.9.21.1.8 | Is a host-based intrusion detection system employed in the production application environment? | 10.6.2 Security Of Network Services | DS5.7, DS5.9, DS5.11
G.9.21.2 | Is there a Network Intrusion Prevention System? | 10.6.2 Security Of Network Services | DS5.7, DS5.9, DS5.11
G.9.21.2.1 | If so, is it in place on the following network segments: | 10.6.2 Security Of Network Services | DS5.7, DS5.9, DS5.11
G.9.21.2.1.1 | Internet point-of-presence? | N/A | N/A
G.9.21.2.1.2 | DMZ? | N/A | N/A
G.9.21.2.1.3 | Extranet? | N/A | N/A
G.9.21.2.1.4 | Internal production network? | N/A | N/A
G.9.21.2.1.5 | Network segment hosting Target Data? | N/A | N/A
G.9.21.2.2 | Is the IPS configured to generate alerts when incidents and values exceed normal thresholds? | 10.10.2.c.4 Monitoring System Use | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.9.21.2.3 | Is there a process to regularly update signatures based on new threats? | 10.4.1.d Controls Against Malicious Code | DS5.9
G.9.21.2.4 | In the event of a NIPS functionality failure, is an alert generated? | 10.10.2.d Monitoring System Use | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.10 | Is wireless networking technology used? | 10.6.1.c Network Controls | PO4.1, DS5.9, DS5.11
G.10.1 | Is there a wireless networking policy? | 10.8.1.e Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.10.1.1 | Has it been approved by management? | 5.1.2 Review Of The Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
G.10.1.2 | Has the policy been published? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.10.1.3 | Has it been communicated to appropriate constituents? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.10.1.4 | Is there an owner to maintain and review the policy? | 5.1.2 Review Of The Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
G.10.2 | Is there an approval process to use wireless network devices? | N/A | N/A
G.10.3 | How are wireless access points deployed in the network: | 11.4.5 Segregation In Networks | DS5.9, DS5.11
G.10.3.1 | Logically segregated from the network (VLAN)? | N/A | N/A
G.10.3.2 | Physically segregated? | N/A | N/A
G.10.3.3 | Both? | N/A | N/A
G.10.4 | Is this wireless network segment firewalled from the rest of the network? | 11.4.5 Segregation In Networks | DS5.9, DS5.11
G.10.5 | Are two active network connections allowed at the same time and are they routable (e.g., bridged internet connections)? | N/A | N/A
G.10.6 | Are wireless connections authenticated? | 11.4.2 User Authentication For External Connections | DS5.9, DS5.11
G.10.6.1 | Is authentication two factor? | 11.4.2 User Authentication For External Connections | DS5.9, DS5.11
G.10.7 | Are logins via wireless connections logged? | 10.10.2 Monitoring System Use | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.10.8 | Are wireless connections encrypted? | 10.6.1 Network Controls | PO4.1, DS5.9, DS5.11
G.10.8.1 | If so, what encryption methodology is used: | N/A | N/A
G.10.8.1.1 | WEP? | N/A | N/A
G.10.8.1.2 | WPA? | N/A | N/A
G.10.8.1.3 | WPA2? | N/A | N/A
G.10.8.1.4 | Other (Please explain in the "Additional Information" column)? | N/A | N/A
G.10.9 | Are wireless access points' SNMP community strings changed? | 11.4.4 Remote Diagnostic And Configuration Port Protection | DS5.7, DS5.9, DS5.11
G.10.10 | Are there regular scans for rogue wireless access points? | N/A | N/A
G.11 | Are dial lines used (voice, facsimile, modem, etc.)? | N/A | N/A

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
G.11.1 | Are appropriate precautions taken when Target Data is verbally transmitted (e.g., phone calls)? | 10.8.1.k Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.11.2 | Is the use of facsimile machines controlled? | 10.8.1.m Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.11.3 | Are any modems used or installed (dial modem, phone home, cable modem, DSL, etc.)? | N/A | N/A
G.11.3.1 | Is approval required prior to connecting any outbound or inbound modem lines, cable modem lines, and/or DSL phone lines to a desktop or other access point directly connected to the company-managed network? | 11.4.1.b Policy On Use Of Network Services | DS5.9, DS5.11
G.11.3.2 | Is a modem ever set to auto-answer? | 11.4.2 User Authentication For External Connections | DS5.9, DS5.11
G.11.3.2.1 | If auto-answer is enabled, does it: | 11.4.2 User Authentication For External Connections | DS5.9, DS5.11
G.11.3.2.1.1 | Utilize an authentication or encryption device? | 11.4.2 User Authentication For External Connections | DS5.9, DS5.11
G.11.3.2.1.2 | Attach to a host physically and logically isolated from the network? | 11.4.1.d Policy On Use Of Network Services | DS5.9, DS5.11
G.11.3.2.1.3 | Receive fax transmissions? | 11.3.3.c Clear Desk And Clear Screen Policy | PO6.2, DS5.7
G.11.3.2.1.4 | Call back? | 11.4.2 User Authentication For External Connections | DS5.9, DS5.11
G.11.3.2.2 | Are dial-up connections logged? | N/A | N/A
G.11.3.2.2.1 | If so, do these logs include caller identification? | N/A | N/A
G.11.4 | Does the company regularly perform war-dialing on all analog lines to detect unauthorized modems? | N/A | N/A
G.12 | Is there any removable media (e.g., CDs, DVD, tapes, disk drives, USB devices, etc.)? | 10.7.1 Management Of Removable Media | PO2.3, DS11.2, DS11.3, DS11.4
G.12.1 | Is all Target Data encrypted while at rest? | 10.8.1.g Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.12.2 | Is there a policy that addresses the use and management of removable media (e.g., CDs, DVDs, tapes, disk drives, etc.)? | 10.7.1 Management Of Removable Media | PO2.3, DS11.2, DS11.3, DS11.4
G.12.2.1 | Has it been approved by management? | 5.1.2 Review Of The Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
G.12.2.2 | Has the policy been published? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.12.2.3 | Has it been communicated to appropriate constituents? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.12.2.4 | Is there an owner to maintain and review the policy? | 5.1.2 Review Of The Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
G.12.2.5 | Does the policy include the following: | 10.7.1 Management Of Removable Media | PO2.3, DS11.2, DS11.3, DS11.4
G.12.2.5.1 | When no longer required, Target Data is made unrecoverable? | 10.7.1.a Management Of Removable Media | PO2.3, DS11.2, DS11.3, DS11.4
G.12.2.5.2 | A procedure and documented audit log authorizing media removal? | 10.7.1.b Management Of Removable Media | PO2.3, DS11.2, DS11.3, DS11.4
G.12.2.5.3 | A registration process for the use of removable media (e.g., USB drives)? | 10.7.1.e Management Of Removable Media | PO2.3, DS11.2, DS11.3, DS11.4
G.12.2.5.4 | Controlling the use of USB ports on all computers? | 10.7.1.f Management Of Removable Media | PO2.3, DS11.2, DS11.3, DS11.4
G.12.3 | Is sensitive data on removable media encrypted? | 12.3.1.c Policy On The Use Of Cryptographic Controls | PO6, AI2, DS5
G.12.4 | Is there a process for the disposal of media? | 10.7.2 Disposal Of Media | DS11.3, DS11.4
G.12.4.1 | Does the process define the approved method for the disposal of media? | 10.7.2 Disposal Of Media | DS11.3, DS11.4
G.12.4.2 | Does the process address the following: | N/A | N/A
G.12.4.2.1 | CDs? | N/A | N/A
G.12.4.2.2 | Paper documents? | N/A | N/A
G.12.4.2.3 | Hard drives? | N/A | N/A
G.12.4.2.4 | Diskettes? | N/A | N/A
G.12.4.2.5 | Tapes? | N/A | N/A
G.12.4.2.6 | Memory sticks? | N/A | N/A
G.12.4.2.7 | DVDs? | N/A | N/A
G.12.4.2.8 | Flash cards? | N/A | N/A
G.12.4.2.9 | USB drives? | N/A | N/A
G.12.4.2.10 | ZIP drives? | N/A | N/A
G.12.4.2.11 | Handheld / Mobile devices? | N/A | N/A
G.12.4.2.12 | Other (Please explain in the "Additional Information" column)? | N/A | N/A
G.12.4.3 | Is the disposal/destruction of media logged in order to maintain an audit trail? | 10.7.2.e Disposal Of Media | DS11.3, DS11.4
G.12.5 | Is physical media that contains Target Data re-used when no longer required? | 9.2.6 Secure disposal or re-use of equipment | DS11.4
G.12.5.1 | Is all Target Data made un-recoverable (wiped or overwritten) prior to re-use? | 9.2.6 Secure disposal or re-use of equipment | DS11.4
G.12.5.2 | Is physical media that contains Target Data destroyed when no longer required? | 10.7.2 Disposal Of Media | DS11.3, DS11.4

Todos los Derechos Reservados Valores Corporativos Softtek S.A. de C.V. 2011. Confidencial.

G.12.5.3 | Is media checked for Target Data or licensed software prior to disposal? | 9.2.6 Secure disposal or re-use of equipment | DS11.4
G.12.5.4 | Is there a process for the destruction of media? | 10.7.2 Disposal Of Media | DS11.3, DS11.4
G.12.5.4.1 | Does the process define the approved method for the destruction of media? | 10.7.2 Disposal Of Media | DS11.3, DS11.4
G.12.5.5 | Does the process address the following: | N/A | N/A
G.12.5.5.1 | CDs? | N/A | N/A
G.12.5.5.2 | Paper documents? | N/A | N/A
G.12.5.5.3 | Hard drives? | N/A | N/A
G.12.5.5.4 | Diskettes? | N/A | N/A
G.12.5.5.5 | Tapes? | N/A | N/A
G.12.5.5.6 | Memory sticks? | N/A | N/A
G.12.5.5.7 | DVDs? | N/A | N/A
G.12.5.5.8 | Flash cards? | N/A | N/A
G.12.5.5.9 | USB drives? | N/A | N/A
G.12.5.5.10 | ZIP drives? | N/A | N/A
G.12.5.5.11 | Handheld / Mobile devices? | N/A | N/A
G.12.5.5.12 | Other (Please explain in the "Additional Information" column)? | N/A | N/A
G.12.5.6 | Is the destruction of media logged in order to maintain an audit trail? | 10.7.2.e Disposal Of Media | DS11.3, DS11.4
G.12.6 | Is there a process to address the reuse of media? | 10.7.3 Information Handling Procedures | PO6.2, DS11.6
G.12.6.1 | Has it been approved by management? | 5.1.2 Review Of The Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
G.12.6.2 | Has the policy been published? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.12.6.3 | Has it been communicated to appropriate constituents? | 5.1.1 Information Security Policy Document | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.12.6.4 | Is there an owner to maintain and review the policy? | 5.1.2 Review Of The Information Security Policy | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
G.12.6.5 | Is an inventory of removable media conducted: | N/A | N/A
G.12.6.5.1 | Every three months or less? | N/A | N/A
G.12.6.5.2 | Between three months and one year? | N/A | N/A
G.12.6.5.3 | Greater than one year? | N/A | N/A
G.12.6.5.4 | Never? | N/A | N/A
G.13 | Is data sent or received (physical or electronic)? | N/A | N/A
G.13.1 | Is Target Data transmitted electronically? | N/A | N/A
G.13.1.1 | Is all Target Data encrypted while in transit? | 10.8.1.g Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.2 | Are there policy(s) or procedure(s) for information exchange? | 10.8.1 Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.2.1 | Do the policies or procedures include the following: | N/A | N/A
G.13.1.2.1.1 | Detection and protection against malicious code? | 10.8.1.b Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.2.1.2 | Protecting Target Data in the form of an attachment? | 10.8.1.c Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.2.1.3 | Not leaving hard copy containing Target Data on printing or facsimile facilities? | 10.8.1.i Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.2.1.4 | Requiring that media with Target Data is locked away when not required? | 11.3.3.a Clear Desk And Clear Screen Policy | PO6.2, DS5.7
G.13.1.3 | Is there a policy or procedure to protect data for the following transmissions: | 10.8.1 Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.3.1 | Electronic file transfer? | 10.8.1 Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.3.2 | Transporting on removable electronic media? | 10.8.1 Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.3.3 | Email? | 10.8.1 Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.3.4 | Fax? | 10.8.1 Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.3.5 | Paper documents? | 10.8.1 Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.3.6 | Peer-to-peer? | 10.8.1 Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.3.7 | Instant Messaging? | 10.8.1 Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.3.8 | File sharing? | 10.8.1 Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.4 | Do file transfer requests undergo a review and approval process? | N/A | N/A
G.13.1.5 | For incoming file transfers, when is data removed from the DMZ: | 15.1.3 Protection Of Organizational Records | PO4.8, DS11.2
G.13.1.5.1 | Immediately upon receipt? | N/A | N/A
G.13.1.5.2 | Hourly via scheduled process? | N/A | N/A
G.13.1.5.3 | Daily via scheduled process? | N/A | N/A
G.13.1.5.4 | Weekly scheduled process? | N/A | N/A
G.13.1.5.5 | Manually by recipient? | N/A | N/A
Page 31 of

G.13.1.5.6 | Never? | N/A | N/A
G.13.1.6 | Is all Target Data encrypted outside of company owned facilities? | N/A | N/A
G.13.1.6.1 | Are transmissions of Target Data encrypted using: | 10.8.1.g Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.1.6.1.1 | The Internet? | N/A | N/A
G.13.1.6.1.2 | Dedicated line to external parties? | N/A | N/A
G.13.1.6.1.3 | The DMZ? | N/A | N/A
G.13.1.6.1.4 | Between the DMZ and internal network? | N/A | N/A
G.13.1.6.1.5 | The internal network? | N/A | N/A
G.13.1.6.2 | Are transmissions of Target Data encrypted end-to-end within the network? | N/A | N/A
G.13.1.7 | Is a mutual authentication protocol utilized between the network and a third party to validate the integrity and origin of the data? | N/A | N/A
G.13.1.8 | Does the file transfer software send notification to the sender upon completion of the transmission? | 10.8.2.a, 10.8.2.b Exchange Agreements | PO2.3, PO3.4, AI5.2, DS2.3
G.13.1.9 | Does the file transfer software send notification to the sender upon failure of the transmission? | 10.8.2.a, 10.8.2.b Exchange Agreements | PO2.3, PO3.4, AI5.2, DS2.3
G.13.1.10 | In the event of transmission failure, does the file transfer software attempt to retry the transmission? | N/A | N/A
G.13.1.11 | Are file transfers logged? | N/A | N/A
G.13.1.11.1 | If so, do the logs include the following: | N/A | N/A
G.13.1.11.1.1 | Connection attempted? | N/A | N/A
G.13.1.11.1.2 | Connection established? | N/A | N/A
G.13.1.11.1.3 | File exchange commenced? | N/A | N/A
G.13.1.11.1.4 | File exchange error occurred? | N/A | N/A
G.13.1.11.1.5 | File exchange accomplished? | N/A | N/A
G.13.1.11.1.6 | Connection terminated? | N/A | N/A
G.13.1.11.1.7 | Authentication attempted? | N/A | N/A
G.13.1.11.1.8 | Security events? | N/A | N/A
G.13.2 | Is data sent or received via physical media? | 10.8.3 Physical Media In Transit | DS11.6
G.13.2.1 | Are transport containers for physical media sufficient to protect the contents from any physical damage likely during transit? | 10.8.3.b Physical Media In Transit | DS11.6
G.13.2.2 | Are transport containers for physical media locked, or do they have tamper-evident packaging, during transit? | 10.8.3.c Physical Media In Transit | DS11.6
G.13.2.3 | Is the location of physical media tracked? | 10.8.2.c Exchange Agreements | PO2.3, PO3.4, AI5.2, DS2.3
G.13.2.3.1 | Are the following tracking elements recorded: | N/A | N/A
G.13.2.3.1.1 | Unique media tracking identifier? | 10.8.2.h Exchange Agreements | PO2.3, PO3.4, AI5.2, DS2.3
G.13.2.3.1.2 | Date media was shipped or received? | N/A | N/A
G.13.2.3.1.3 | Transport company name? | 10.8.2.f Exchange Agreements | PO2.3, PO3.4, AI5.2, DS2.3
G.13.2.3.1.4 | Name/signature of transport company employee? | 10.8.2.f Exchange Agreements | PO2.3, PO3.4, AI5.2, DS2.3
G.13.2.3.1.5 | Destination of media? | N/A | N/A
G.13.2.3.1.6 | Source of media? | N/A | N/A
G.13.2.3.1.7 | Delivery confirmation? | 10.8.2.a, 10.8.2.b Exchange Agreements | PO2.3, PO3.4, AI5.2, DS2.3
G.13.2.4 | Is the shipped media labeled? | 10.8.2.h Exchange Agreements | PO2.3, PO3.4, AI5.2, DS2.3
G.13.2.4.1 | Does the label include any of the following: | N/A | N/A
G.13.2.4.1.1 | Unique Identifier? | N/A | N/A
G.13.2.4.1.2 | Company name? | N/A | N/A
G.13.2.5 | Is a bonded courier used to transport physical media? | 10.8.3.b Physical Media In Transit | DS11.6
G.13.3 | Is Instant Messaging used? | 10.8.4 Electronic Messaging | DS5.8, DS11.6
G.13.3.1 | Is there a policy that prohibits the exchange of Target Data or confidential information through Instant Messaging? | 10.8.1 Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.3.2 | Do Instant Messaging solutions undergo a security review and approval process prior to implementation? | N/A | N/A
G.13.3.3 | Are all Instant Messaging transmissions encrypted? | 10.8.1.g Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.3.4 | Is there an internal instant messaging solution? | N/A | N/A
G.13.3.4.1 | Are the following functions permitted using internal instant messaging: | N/A | N/A
G.13.3.4.1.1 | File transfer? | N/A | N/A
G.13.3.4.1.2 | Video conferencing? | N/A | N/A
G.13.3.4.1.3 | Desktop sharing? | N/A | N/A
G.13.3.4.2 | Are messages encrypted? | 10.8.1.g Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.3.4.3 | Are messages logged and monitored? | 10.10.2.a Monitoring System Use | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.13.3.5 | Is there an external instant messaging solution? | N/A | N/A
G.13.3.5.1 | Are any of the following permitted using external instant messaging: | N/A | N/A
G.13.3.5.1.1 | File transfer? | N/A | N/A
G.13.3.5.1.2 | Video conferencing? | N/A | N/A
G.13.3.5.1.3 | Personal communications? | 10.8.4.e Electronic Messaging | DS5.8, DS11.6
G.13.3.5.2 | Desktop sharing? | N/A | N/A
G.13.3.5.3 | Are messages encrypted? | 10.8.1.g Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.3.5.4 | Are messages logged and monitored? | 10.10.2.a Monitoring System Use | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
Page 32 of

G.13.4 | Is e-mail used? | 10.8.4 Electronic Messaging | DS5.8, DS11.6
G.13.4.1 | Is there a policy to protect Target Data when transmitted through email? | 10.8.1 Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.4.2 | Is automatic forwarding of email messages prohibited? | 10.8.1.j Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.4.3 | Is Target Data transmitted through email encrypted? | 10.8.1.g Information Exchange Policies And Procedures | PO2.3, PO6.2, DS11.1
G.13.4.4 | Is email relaying disabled on all email servers for unauthorized systems? | N/A | N/A
G.13.4.5 | Is there a content filtering solution that scans incoming/outgoing email for Target Data? | 10.4.1.d.2 Controls Against Malicious Code | DS5.9
G.13.4.5.1 | If so, does it filter for the following: | N/A | N/A
G.13.4.5.1.1 | Content? | N/A | N/A
G.13.4.5.1.2 | Spam? | N/A | N/A
G.13.4.5.1.3 | Viruses / malware? | N/A | N/A
G.13.4.5.1.4 | Attachment type? | N/A | N/A
G.13.5 | Are application servers used for processing or storing Target Data? | 10.8.5 Business Information Systems | DS11.6
G.13.5.1 | Do application servers processing Target Data require mutual authentication when communicating with other systems? | 11.6.1.c Information Access Restriction | DS5.4
G.13.5.2 | Do applications using IBM's MQSeries only use certificate-based mutual authentication? | N/A | N/A
G.13.5.3 | Are logs generated for security relevant activities on network devices, operating systems, and applications? | 10.10.1 Audit Logging | AI2.3, DS5.7
G.13.5.3.1 | Are these logs analyzed in near real-time through an automatic process? | 10.6.1.d Network Controls | PO4.1, DS5.9, DS5.11
G.13.5.4 | Do incidents and anomalous activity feed into the Incident Management process? | N/A | N/A
G.13.6 | Do systems and network devices utilize a common time synchronization service? | 10.10.6 Clock Synchronization | DS5.7
G.13.6.1 | Are any of the following systems/devices synchronized off of this central time source: | N/A | N/A
G.13.6.1.1 | UNIX/Linux systems? | 10.10.6 Clock Synchronization | DS5.7
G.13.6.1.2 | Windows systems? | 10.10.6 Clock Synchronization | DS5.7
G.13.6.1.3 | Routers? | 10.10.6 Clock Synchronization | DS5.7
G.13.6.1.4 | Firewalls? | 10.10.6 Clock Synchronization | DS5.7
G.13.6.1.5 | Mainframe computers? | 10.10.6 Clock Synchronization | DS5.7
G.13.6.1.6 | OpenVMS systems? | 10.10.6 Clock Synchronization | DS5.7
G.13.6.2 | Are all systems and network devices synchronized off the same time source? | 10.10.6 Clock Synchronization | DS5.7
G.14 | Are UNIX or Linux operating systems used for storing or processing Target Data? | N/A | N/A
G.14.1 | Are UNIX hardening standards documented? | 10.6.1.e Network Controls | PO4.1, DS5.9, DS5.11
G.14.1.1 | Are UNIX servers periodically monitored for continued compliance to security requirements? | 15.2.2 Technical Compliance Checking | DS5.5, DS5.7, ME2.5
G.14.1.1.1 | Is non-compliance reported and resolved? | 15.2.1 Compliance With Security Policies And Standards | PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
G.14.1.2 | Is access to system documentation restricted? | 10.7.4 Security of system documentation | AI4.4, DS5.7, DS9.2, DS9.3, DS13.1
G.14.1.3 | Are UNIX servers periodically reviewed to ensure compliance with server build standards? | 15.2.1 Compliance With Security Policies And Standards | PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
G.14.1.4 | Is there a process to document file system implementations that are different from the standard build? | N/A | N/A
G.14.1.5 | Do application accounts share home directories? | N/A | N/A
G.14.1.6 | Do application accounts share their primary group with non-application groups? | N/A | N/A
G.14.1.7 | Do application processes run under unique application accounts? | N/A | N/A
G.14.1.8 | Do application processes run under GID 0? | N/A | N/A
G.14.1.9 | Do users own their user account's home directory? | N/A | N/A
G.14.1.10 | Is file sharing restricted by group privileges? | 10.8.5.c Business Information Systems | DS11.6
G.14.1.11 | Are user files assigned privileges? | 7.2.1 Classification Guidelines | PO2, AI2, DS9
G.14.1.12 | Are root-level rights to access or modify crontabs required? | 11.5.4 Use Of System Utilities | AI6.3, DS5.7
G.14.1.13 | Are users required to 'su' or 'sudo' into root? | 11.5.2 User Identification And Authentication | DS5.3
G.14.1.14 | Is direct root logon permitted from a remote session? | 11.7.1 Mobile Computing And Communications | PO6.2, DS5.2, DS5.3, DS5.7
G.14.1.15 | Does remote SU/root access require dual-factor authentication? | 11.7.1 Mobile Computing And Communications | PO6.2, DS5.2, DS5.3, DS5.7
G.14.1.16 | Do search paths for a superuser contain the current working directory? | N/A | N/A
G.14.1.17 | Is permission to edit service configuration files restricted to authorized personnel? | 11.5.4 Use Of System Utilities | AI6.3, DS5.7
G.14.1.18 | Are distributed file systems implemented? | N/A | N/A
G.14.1.19 | Are permissions for device special files restricted to the owner? | 10.8.5.g Business Information Systems | DS11.6
G.14.1.20 | Is Write access to account home directories restricted to owner and root? | 10.8.5.g Business Information Systems | DS11.6
G.14.1.21 | Are remote access tools that do not require authentication (e.g., rhost, shost, etc.) allowed? | 11.4.2 User Authentication For External Connections | DS5.9, DS5.11
G.14.1.22 | Is access to modify startup and shutdown scripts restricted to root-level users? | 11.5.4 Use Of System Utilities | AI6.3, DS5.7
Page 33 of

G.14.1.23 | Are unnecessary services turned off? | 11.5.4.h Use Of System Utilities | AI6.3, DS5.7
G.14.1.24 | Is there a process to regularly review logs using a specific methodology to uncover potential incidents? | 10.10.2 Monitoring System Use | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.14.1.24.1 | If so, is this process documented and maintained? | 10.10.2 Monitoring System Use | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.14.1.25 | Do operating system logs contain the following: | 10.10.1 Audit Logging | AI2.3, DS5.7
G.14.1.25.1 | Successful logins? | 10.10.1.d Audit Logging | AI2.3, DS5.7
G.14.1.25.2 | Failed login attempts? | 10.10.1.d Audit Logging | AI2.3, DS5.7
G.14.1.25.3 | System configuration changes? | 10.10.1.f Audit Logging | AI2.3, DS5.7
G.14.1.25.4 | Administrative activity? | 10.10.1.g Audit Logging | AI2.3, DS5.7
G.14.1.25.5 | Disabling of audit logs? | 10.10.1.l Audit Logging | AI2.3, DS5.7
G.14.1.25.6 | Deletion of audit logs? | 10.10.1.l Audit Logging | AI2.3, DS5.7
G.14.1.25.7 | Changes to security settings? | 10.10.1.f Audit Logging | AI2.3, DS5.7
G.14.1.25.8 | Changes to access privileges? | 10.10.4.c Administrator And Operator Logs | DS5.5, DS5.7, ME2.2, ME2.5
G.14.1.25.9 | User administration activity? | 10.10.1.g Audit Logging | AI2.3, DS5.7
G.14.1.25.10 | File permission changes? | 10.10.1.i Audit Logging | AI2.3, DS5.7
G.14.1.25.11 | Failed SU / sudo commands? | 10.10.4.c Administrator And Operator Logs | DS5.5, DS5.7, ME2.2, ME2.5
G.14.1.25.12 | Successful su / sudo commands? | 10.10.4.c Administrator And Operator Logs | DS5.5, DS5.7, ME2.2, ME2.5
G.14.1.26 | Operating system logs are retained for a minimum of: | 10.10.3 Protection Of Log Information | DS5.5, DS5.7
G.14.1.26.1 | One day or less? | N/A | N/A
G.14.1.26.2 | Between one day and one week? | N/A | N/A
G.14.1.26.3 | Between one week and one month? | N/A | N/A
G.14.1.26.4 | Between one month and six months? | N/A | N/A
G.14.1.26.5 | Between six months and one year? | N/A | N/A
G.14.1.26.6 | Greater than one year? | N/A | N/A
G.14.1.27 | In the event of an operating system audit log failure, does the system: | 10.10.5 Fault Logging | AI2.3, DS5.7
G.14.1.27.1 | Generate an alert? | N/A | N/A
G.14.1.27.2 | Suspend processing? | N/A | N/A
G.14.1.28 | Do audit logs trace an event to a specific individual and/or user ID? | 10.10.1.a Audit Logging | AI2.3, DS5.7
G.14.1.29 | Are audit logs stored on alternate systems? | 10.10.3 Protection Of Log Information | DS5.5, DS5.7
G.14.1.30 | Are audit logs protected against modification, deletion, and/or inappropriate access? | 10.10.3 Protection Of Log Information | DS5.5, DS5.7
G.14.1.30.1 | If so, are the following controls in place: | N/A | N/A
G.14.1.30.1.1 | Access control lists? | N/A | N/A
G.14.1.30.1.2 | Alternate storage location? | N/A | N/A
G.14.1.30.1.3 | Limited administrative access? | N/A | N/A
G.14.1.30.1.4 | Real-time replication? | N/A | N/A
G.14.1.30.1.5 | Hashing? | N/A | N/A
G.14.1.30.1.6 | Encryption? | N/A | N/A
G.14.1.31 | Is the minimum password length: | 11.3.1.d Password Use | PO6.2, DS5.4
G.14.1.31.1 | Five characters or less? | N/A | N/A
G.14.1.31.2 | Six characters? | N/A | N/A
G.14.1.31.3 | Seven characters? | N/A | N/A
G.14.1.31.4 | Eight characters? | N/A | N/A
G.14.1.31.5 | Nine characters or more? | N/A | N/A
G.14.1.32 | Password composition requires: | 11.3.1.d Password Use | PO6.2, DS5.4
G.14.1.32.1 | Uppercase letter? | N/A | N/A
G.14.1.32.2 | Lowercase letter? | N/A | N/A
G.14.1.32.3 | Number? | N/A | N/A
G.14.1.32.4 | Special character? | N/A | N/A
G.14.1.33 | Is the minimum password expiration: | 11.3.1.c Password Use | PO6.2, DS5.4
G.14.1.33.1 | 30 days or less? | N/A | N/A
G.14.1.33.2 | 31 to 60 days? | N/A | N/A
G.14.1.33.3 | 61 to 90 days? | N/A | N/A
G.14.1.33.4 | Greater than 91 days? | N/A | N/A
G.14.1.34 | Password history contains: | 11.5.3.f Password Management System | DS5.4
G.14.1.34.1 | Five or less? | N/A | N/A
G.14.1.34.2 | Six to 11? | N/A | N/A
G.14.1.34.3 | 12 or more? | N/A | N/A
G.14.1.35 | Password can be changed at a minimum of: | N/A | N/A
G.14.1.35.1 | One hour? | N/A | N/A
G.14.1.35.2 | One day? | N/A | N/A
G.14.1.35.3 | More than one day? | N/A | N/A
G.14.1.36 | Are initial passwords required to be changed at first logon? | 11.3.1.f Password Use | PO6.2, DS5.4
G.14.1.37 | Can a PIN or secret question be a stand-alone method of authentication? | 11.3.1.d Password Use | PO6.2, DS5.4
G.14.1.38 | Are all passwords encrypted in transit? | 11.5.1.i Secure Log-On Procedures | DS5.4, DS5.7
G.14.1.39 | Are all passwords encrypted or hashed in storage? | 11.5.3.i Password Management System | DS5.4
G.14.1.40 | Are passwords displayed when entered into a system? | 11.5.1.g Secure Log-On Procedures | DS5.4, DS5.7
G.14.1.41 | Is password shadowing enabled? | 11.5.3.i Password Management System | DS5.4
G.14.1.42 | Are all user accounts uniquely assigned to a specific individual? | 11.5.2 User Identification And Authentication | DS5.3
G.14.1.43 | Invalid attempts prior to lockout: | 11.5.1.e Secure Log-On Procedures | DS5.4, DS5.7
G.14.1.43.1 | Two or less? | N/A | N/A
G.14.1.43.2 | Three to five? | N/A | N/A
G.14.1.43.3 | Six or more? | N/A | N/A
G.14.1.44 | Failed login attempt count resets to zero at a minimum of: | 11.5.1.e.2 Secure Log-On Procedures | DS5.4, DS5.7
G.14.1.44.1 | One hour or less? | N/A | N/A
Page 34 of

G.14.1.44.2 | Never, i.e., administrator intervention required? | N/A | N/A
G.15 | Are Windows systems used for storing or processing Target Data? | N/A | N/A
G.15.1 | Are Windows hardening standards documented? | 10.6.1.e Network Controls | PO4.1, DS5.9, DS5.11
G.15.1.1 | Are Windows servers monitored for continued compliance to security requirements? | 15.2.2 Technical Compliance Checking | DS5.5, DS5.7, ME2.5
G.15.1.1.1 | Is non-compliance reported and resolved? | 15.2.1 Compliance With Security Policies And Standards | PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
G.15.1.2 | Is access to system documentation restricted? | 10.7.4 Security of system documentation | AI4.4, DS5.7, DS9.2, DS9.3, DS13.1
G.15.1.3 | Are Windows servers reviewed to ensure compliance with server build standards? | 15.2.1 Compliance With Security Policies And Standards | PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
G.15.1.4 | Are systems updated with the latest patches? | 12.6.1.d Control Of Technical Vulnerabilities | AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2
G.15.1.5 | Are file and directory permissions strictly applied to groups? | 10.8.5.c Business Information Systems | DS11.6
G.15.1.6 | Are file partitions other than NTFS used on Windows systems? | N/A | N/A
G.15.1.7 | Are user rights set to only allow access to those with a need to know? | 11.1.1.c Access Control Policy | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
G.15.1.8 | Are guest accounts disabled? | 11.2.3.h User Password Management | DS5.3
G.15.1.9 | Are account options set to minimize unauthorized use, change of account content or status? | 11.2.2.b Privilege Management | DS5.4
G.15.1.10 | Are device options set to minimize unauthorized access or use? | 11.2.2.b Privilege Management | DS5.4
G.15.1.11 | Are domain options set to use encryption, signing, and machine password change management? | N/A | N/A
G.15.1.12 | Are interactive logon options configured to minimize unauthorized access or use? | 11.2.2.d Privilege Management | DS5.4
G.15.1.13 | Are Microsoft network client and server options set to use encryption and digital signing? | N/A | N/A
G.15.1.14 | Is the system configured to restrict anonymous connections (e.g., RestrictAnonymous registry setting)? | N/A | N/A
G.15.1.15 | Is the server shutdown right only available to system administrators? | 11.5.4 Use Of System Utilities | AI6.3, DS5.7
G.15.1.16 | Is the recovery console write only available to system administrators? | 11.5.4 Use Of System Utilities | AI6.3, DS5.7
G.15.1.17 | Are all unused services turned off? | 11.5.4.h Use Of System Utilities | AI6.3, DS5.7
G.15.1.18 | Are Windows servers required to join the corporate domain or Active Directory? | N/A | N/A
G.15.1.19 | Is there a process to regularly review logs using a specific methodology to uncover potential incidents? | 10.10.2 Monitoring System Use | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.15.1.19.1 | If so, is this process documented and maintained? | 10.10.2 Monitoring System Use | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.15.1.20 | Do operating system logs contain the following: | 10.10.1 Audit Logging | AI2.3, DS5.7
G.15.1.20.1 | Successful logins? | 10.10.1.d Audit Logging | AI2.3, DS5.7
G.15.1.20.2 | Failed login attempts? | 10.10.1.d Audit Logging | AI2.3, DS5.7
G.15.1.20.3 | System configuration changes? | 10.10.1.f Audit Logging | AI2.3, DS5.7
G.15.1.20.4 | Administrative activity? | 10.10.1.g Audit Logging | AI2.3, DS5.7
G.15.1.20.5 | Disabling of audit logs? | 10.10.1.l Audit Logging | AI2.3, DS5.7
G.15.1.20.6 | Deletion of audit logs? | 10.10.1.l Audit Logging | AI2.3, DS5.7
G.15.1.20.7 | Changes to security settings? | 10.10.1.f Audit Logging | AI2.3, DS5.7
G.15.1.20.8 | Changes to access privileges? | 10.10.4.c Administrator And Operator Logs | DS5.5, DS5.7, ME2.2, ME2.5
G.15.1.20.9 | User administration activity? | 10.10.1.g Audit Logging | AI2.3, DS5.7
G.15.1.20.10 | File permission changes? | 10.10.1.i Audit Logging | AI2.3, DS5.7
G.15.1.20.11 | Windows / Active Directory policy changes? | 10.10.1.f Audit Logging | AI2.3, DS5.7
G.15.1.21 | Operating system logs are retained for a minimum of: | 10.10.3 Protection Of Log Information | DS5.5, DS5.7
G.15.1.21.1 | One day or less? | N/A | N/A
G.15.1.21.2 | Between one day and one week? | N/A | N/A
G.15.1.21.3 | Between one week and one month? | N/A | N/A
G.15.1.21.4 | Between one month and six months? | N/A | N/A
G.15.1.21.5 | Between six months and one year? | N/A | N/A
G.15.1.21.6 | Greater than one year? | N/A | N/A
G.15.1.22 | In the event of an operating system audit log failure, does the system: | 10.10.5 Fault Logging | AI2.3, DS5.7
G.15.1.22.1 | Generate an alert? | N/A | N/A
G.15.1.22.2 | Suspend processing? | N/A | N/A
G.15.1.23 | Do audit logs trace an event to a specific individual and/or user ID? | 10.10.1.a Audit Logging | AI2.3, DS5.7
G.15.1.24 | Are audit logs stored on alternate systems? | 10.10.3 Protection Of Log Information | DS5.5, DS5.7
G.15.1.25 | Are audit logs protected against modification, deletion, and/or inappropriate access? | 10.10.3 Protection Of Log Information | DS5.5, DS5.7
G.15.1.25.1 | If so, are the following controls in place: | N/A | N/A
G.15.1.25.1.1 | Access control lists? | N/A | N/A
G.15.1.25.1.2 | Alternate storage location? | N/A | N/A
G.15.1.25.1.3 | Limited administrative access? | N/A | N/A
G.15.1.25.1.4 | Real-time replication? | N/A | N/A
G.15.1.25.1.5 | Hashing? | N/A | N/A
G.15.1.25.1.6 | Encryption? | N/A | N/A
G.15.1.26 | Is the minimum password length: | 11.3.1.d Password Use | PO6.2, DS5.4
Page 35 of

SIG Question # ".16.1.2,.1 ".16.1.2,.2 ".16.1.2,.".16.1.2,.' ".16.1.2,.6 ".16.1.2 ".16.1.2 .1 ".16.1.2 .2 ".16.1.2 .".16.1.2 .' ".16.1.29 ".16.1.29.1 ".16.1.29.2 ".16.1.29.".16.1.29.' ".16.1.2) ".16.1.2).1 ".16.1.2).2 ".16.1.2).".16.1.-0 ".16.1.-0.1 ".16.1.-0.2 ".16.1.-0.".16.1.-1 ".16.1.-2 ".16.1.-".16.1.-' ".16.1.-6 ".16.1.-, ".16.1.".16.1.-9 ".16.1.-) ".16.1.-).1 ".16.1.-).2 ".16.1.-).".16.1.'0 ".16.1.'0.1 ".16.1.'0.2 ".1, ".1,.1

Question Text 8ive characters or less& Si: characters& Seven characters& ?ight characters& 1ine characters or %ore& Pass*ord co%position re=#ires. Cppercase letter& Bo*ercase letter& 1#%0er& Special character& !s the %ini%#% pass*ord e:piration. -0 da$s or less& -1 to ,0 da$s& ,1 to )0 da$s& "reater than )1 da$s& Pass*ord histor$ contains. 8ive or less& Si: to 11& 12 or %ore& Pass*ord can 0e changed at a %ini%#% of. (ne ho#r& (ne da$& +ore than one da$& Are initial pass*ord re=#ired to 0e changed at first logon& Can a P!1 or secret =#estion 0e a stand@alone %ethod of a#thentication& Are all pass*ords encr$pted in transit& Are all pass*ords encr$pted or hashed in storage& Are pass*ords displa$ed *hen entered into a s$ste%& Are Ban+an 3B+4 hashes disa0led& Are s$ste%s set to prevent the trans%ission and reception of B+ a#thentication& Are all #ser acco#nts #ni=#el$ assigned to a specific individ#al& !nvalid atte%pts prior to locko#t. T*o or less& Three to five& Si: or %ore& 8ailed login atte%pt co#nt resets to Eero at a %ini%#% of. (ne ho#r or less& 1ever 5 i.e.5 ad%inistrator intervention re=#ired& !s a %ainfra%e #sed for storing or processing Target Data& Are +ainfra%e sec#rit$ controls doc#%ented&

ISO 27002:2005 Relevance 12A 12A 12A 12A 12A 11.-.1.d 12A 12A 12A 12A 11.-.1.c 12A 12A 12A 12A 11.6.-.f 12A 12A 12A 12A 12A 12A 12A 11.-.1.f 11.-.1.d 11.6.1.i 11.6.-.i 11.6.1.g 12A 12A 11.6.2 11.6.1.e 12A 12A 12A 11.6.1.e.2 12A 12A 12A 10.,.1.e

Pass*ord Cse

Pass*ord Cse

Pass*ord +anage%ent S$ste%

Pass*ord #se Pass*ord Cse Sec#re Bog@(n Proced#res Pass*ord +anage%ent S$ste% Sec#re Bog@(n Proced#res

COBIT 4.1 Relevance 12A 12A 12A 12A 12A P(,.25 DS6.' 12A 12A 12A 12A P(,.25 DS6.' 12A 12A 12A 12A DS6.' 12A 12A 12A 12A 12A 12A 12A P(,.25 DS6.' P(,.25 DS6.' DS6.'5 DS6. DS6.' DS6.'5 DS6. 12A 12A DS6.DS6.'5 DS6. 12A 12A 12A DS6.'5 DS6. 12A 12A 12A P('.15 DS6.)5 DS6.11 P('.95 P(,.25 +?2.15 +?2.25 +?2.-5 +?2.'5 +?2.65 +?2.,5 +?2. P('.95 P(,.25 +?2.15 +?2.25 +?2.-5 +?2.'5 +?2.65 +?2.,5 +?2. A!'.'5 DS6. 5 DS).25 DS).-5 DS1-.1 12A 12A 12A 12A 12A 12A 12A P(2.25 P(2.-5 P(,.25 DS6.25 DS6.-5 DS6.' DS11., P('.15 DS6.)5 DS6.11 P(2.-5 P(,.25 DS11.1 12A DS11., DS6.' DS6.' 12A 12A

Cser !dentification And A#thentication Sec#re Bog@(n Proced#res

Sec#re Bog@(n Proced#res

1et*ork Controls

".1,.1.1

Are revie*s perfor%ed to validate co%pliance *ith doc#%ented standards&

16.2.1

Co%pliance >ith Sec#rit$ Policies And Standards

".1,.1.1.1 ".1,.1.2 ".1,.1.".1,.1.-.1 ".1,.1.-.2 ".1,.1.-.".1,.1.' ".1,.1.6 ".1,.1.,

!s non@co%pliance reported and resolved& !s access to s$ste% doc#%entation restricted& Does the ?S+ data0ase environ%ent and contents possess. Data integrit$& Config#ration integrit$& Ass#red availa0ilit$& Are installation@*ritten e:it ro#tines #sed for the ?S+& /ave installation@*ritten e:it ro#tines 0een verified the$ do not d#plicate ?S+ sec#rit$ f#nctions& Does ?S+ control the a0ilit$ to r#n a started task to the environ%ent&

16.2.1 10. .' 12A 12A 12A 12A 12A 12A 12A

Co%pliance >ith Sec#rit$ Policies And Standards Sec#rit$ of s$ste% doc#%entation

".1,.1. ".1,.1.9 ".1,.1.) ".1,.1.10 ".1,.1.11 ".1,.1.12 ".1,.1.1".1,.1.1' ".1,.1.16 ".1,.1.1, ".1,.1.1

Does ?S+ protect the a#thoriEed progra% facilit$& !s the <o0 entr$ s#0s$ste% protected& Are S1A and TCP2!P %ainfra%e net*orks protected& !s the transfer of Target Data encr$pted& Does net*ork %onitoring soft*are #se a sec#rit$ interface& Are transaction5 co%%ands5 data0ases5 and reso#rces protected& !s a#thentication re=#ired for access to an$ transaction or data0ase s$ste%& !s there connection sec#rit$ for data0ases and transaction s$ste%s& Does %onitoring soft*are for transaction and data0ase s$ste%s #se a sec#rit$ interface& Are reso#rce access5 trans%ission links5 and sec#rit$ interfaces active for data transport s$ste%s&

11.1.1.c 10.8.5.g 10.6.1 10.8.1.g N/A 10.8.5.g 11.6.1 11.6.1 N/A N/A

Access Control Policy Business Information Systems Network Controls Information Exchange Policies And Procedures Business Information Systems Information Access Restriction Information Access Restriction

Are job scheduling systems secured to control the submission of production jobs? 11.5.4

Use Of System Utilities

AI6.3, DS5.7

All Rights Reserved Valores Corporativos Softtek S.A. de C.V. 2011. Confidential.

Page 36 of

S!" to !nd#str$ Standard Relevance

SIG Question # Question Text
G.16.1.18 Do storage management personnel (e.g., tape operators) have privileged access to mainframe systems?
G.16.1.19 Is the use of data transfer products secured?
G.16.1.20 Are the controls the same for archive and production data?
G.16.1.21 Are security interfaces for systems monitoring software always active?
G.16.1.22 Are UNIX systems services secured on the mainframe?
G.16.1.23 Are ESM (RACF) and inherent security configuration settings configured to support the access control standards and requirements?
G.16.1.24 Is there a process to regularly review logs using a specific methodology to uncover potential incidents?
G.16.1.24.1 G.16.1.25 G.16.1.25.1 G.16.1.25.2 G.16.1.25.3 G.16.1.25.4 G.16.1.25.5 G.16.1.25.6 G.16.1.25.7 G.16.1.25.8 G.16.1.25.9 G.16.1.25.10 G.16.1.26 G.16.1.26.1 G.16.1.26.2 G.16.1.26.3 G.16.1.26.4 G.16.1.26.5 G.16.1.26.6 G.16.1.27 G.16.1.27.1 G.16.1.27.2 G.16.1.28 G.16.1.29 G.16.1.30 G.16.1.30.1 G.16.1.30.1.1 G.16.1.30.1.2 G.16.1.30.1.3 G.16.1.30.1.4 G.16.1.30.1.5 G.16.1.30.1.6 G.16.1.31 G.16.1.31.1 G.16.1.31.2 G.16.1.31.3 G.16.1.31.4 G.16.1.31.5 G.16.1.32 G.16.1.32.1 G.16.1.32.2 G.16.1.32.3 G.16.1.32.4 G.16.1.33 G.16.1.33.1 G.16.1.33.2 G.16.1.33.3 G.16.1.33.4 G.16.1.34 G.16.1.34.1 G.16.1.34.2 G.16.1.34.3 G.16.1.35 G.16.1.35.1 G.16.1.35.2 G.16.1.35.3 G.16.1.36 G.16.1.37 G.16.1.38 G.16.1.39 G.16.1.40 G.16.1.41 G.16.1.42 G.16.1.42.1 G.16.1.42.2 G.16.1.42.3
If so, is this process documented and maintained? Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? Changes to access privileges? User administration activity? File permission changes? Operating system logs are retained for a minimum of: One day or less? Between one day and one week? Between one week and one month? Between one month and six months? Between six months and one year? Greater than one year? In the event of an operating system audit log failure, does the system: Generate an alert? Suspend processing? Do audit logs trace an event to a specific individual and/or user ID? Are audit logs stored on alternate systems? Are audit logs protected against modification, deletion, and/or inappropriate access? If so, are the following controls in place: Access control lists? Alternate storage location? Limited administrative access? Real-time replication? Hashing? Encryption? Is the minimum password length: Five characters or less? Six characters? Seven characters? Eight characters? Nine characters or more? Password composition requires: Uppercase letter? Lowercase letter? Number? Special character? Is the minimum password expiration: 30 days or less? 31 to 60 days? 61 to 90 days? Greater than 91 days? Password history contains: Five or less? Six to 11? 12 or more? Password can be changed at a minimum of: One hour? One day? More than one day? Are initial passwords required to be changed at first logon? Can a PIN or secret question be a stand-alone method of authentication? Are all passwords encrypted in transit? Are all passwords encrypted or hashed in storage? Are passwords displayed when entered into a system? Are all user accounts uniquely assigned to a specific individual? Invalid attempts prior to lockout: Two or less? Three to five? Six or more?

ISO 27002:2005 Relevance 11.5.4 11.5.4 10.7.3 11.6.1.d N/A 10.6.1.e 10.10.2 10.10.2 10.10.1 10.10.1.d 10.10.1.d 10.10.1.f 10.10.1.g 10.10.1.l 10.10.1.l 10.10.1.f 10.10.4.c 10.10.1.g 10.10.1.i 10.10.3 N/A N/A N/A N/A N/A N/A 10.10.5 N/A N/A 10.10.1.a 10.10.3 10.10.3 N/A N/A N/A N/A N/A N/A N/A 11.3.1.d N/A N/A N/A N/A N/A 11.3.1.d N/A N/A N/A N/A 11.3.1.c N/A N/A N/A N/A 11.5.3.f N/A N/A N/A N/A N/A N/A N/A 11.3.1.f 11.3.1.d 11.5.1.i 11.5.3.i 11.5.1.g 11.5.2 11.5.1.e N/A N/A N/A Use Of System Utilities Use Of System Utilities Information Handling Procedures Information Access Restriction

COBIT 4.1 Relevance AI6.3, DS5.7 AI6.3, DS5.7 PO6.2, DS11.6 DS5.4 N/A PO4.1, DS5.9, DS5.11 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7, ME2.2, ME2.5 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A AI2.3, DS5.7 N/A N/A AI2.3, DS5.7 DS5.5, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A DS5.4 N/A N/A N/A N/A N/A N/A N/A PO6.2, DS5.4 PO6.2, DS5.4 DS5.4, DS5.7 DS5.4 DS5.4, DS5.7 DS5.3 DS5.4, DS5.7 N/A N/A N/A

Network Controls Monitoring System Use Monitoring System Use Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Administrator And Operator Logs Audit Logging Audit Logging Protection Of Log Information

Fault Logging

Audit Logging Protection Of Log Information Protection Of Log Information

Password Use

Password Use

Password Use

Password Management System

Password Use Password Use Secure Log-On Procedures Password Management System Secure Log-On Procedures User Identification And Authentication Secure Log-On Procedures


Page 37 of

SIG Question # G.16.1.43 G.16.1.43.1 G.16.1.43.2 G.16.1.43.3 G.17 G.17.1 G.17.1.1

Question Text Failed login attempt count resets to zero at a minimum of: One hour or less? Never, i.e., administrator intervention required? Are users required to log off mainframe computers when the session is finished? Is an AS400 used for storing or processing Target Data? Are AS400 security controls documented? Are AS400 systems periodically monitored to ensure continued compliance with the documented standards?

11.5.1.e.2 N/A N/A 11.3.2.b N/A 10.6.1.e 15.2.2

ISO 27002:2005 Relevance Secure Log-On Procedures

COBIT 4.1 Relevance DS5.4, DS5.7 N/A N/A PO6.2, DS5.7 N/A PO4.1, DS5.9, DS5.11 DS5.5, DS5.7, ME2.5 PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 AI4.4, DS5.7, DS9.2, DS9.3, DS13.1 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS5.4 DS5.4 DS5.4 N/A DS5.4 DS5.4 DS5.4 DS5.4 N/A N/A DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 N/A N/A DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7, ME2.2, ME2.5 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A AI2.3, DS5.7 N/A N/A AI2.3, DS5.7 DS5.5, DS5.7
Page 38 of

Unattended User Equipment

Network Controls Technical Compliance Checking

".1 .1.1.1 ".1 .1.2

Is non-compliance reported and resolved? Is access to system documentation restricted?

15.2.1 10.7.4

Compliance With Security Policies And Standards Security of system documentation

".1 .1.-

Are group profile assignments based on constituent role?

11.1.1.f

Access Control Policy

".1 .1.'

Do group profile assignments undergo an approval process?

11.1.1.i

Access Control Policy

".1 .1.6 ".1 .1., ".1 .1. ".1 .1.9 ".1 .1.) ".1 .1.10 ".1 .1.11 ".1 .1.12 ".1 .1.1".1 .1.1' ".1 .1.16 ".1 .1.1,

Are user profiles created with the principle of least privilege? Do users have *SAVSYS authority to do saves and restores? Is authority to start and stop TCP/IP and its servers restricted to administrative-level users? Is authority to run AS/400 configuration commands restricted to administrative-level users? Is the QSYS library the first library in the library list? Are users restricted from signing on the system from more than one workstation? Is public authority set to *Exclude for Sensitive Commands? Is access to library list commands on production AS400 systems restricted to appropriate users? Has authority *PUBLIC to the QPWFSERVER authorization list been revoked? Are security exit programs installed and functioning for server functions that provide an exit? Are library-level and object-level protections on system libraries (Q-Libraries) shipped from the vendor implemented to the vendor's specifications? Is each library list constructed for a community of users? Are job descriptions used to provide application-specific library lists to an application's user community? Are objects configured to allow users access without requiring AS400 Special Authorities? Has the security audit journal (QUADPRN) been created? Is the size of the journal receivers defined in QUADPRN? Is there a process to regularly review logs using a specific methodology to uncover potential incidents? If so, is this process documented and maintained? Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? Changes to access privileges? User administration activity? File permission changes? Operating system logs are retained for a minimum of: One day or less? Between one day and one week? Between one week and one month? Between one month and six months? Between six months and one year? Greater than one year? In the event of an operating system audit log failure, does the system: Generate an alert? Suspend processing? Do audit logs trace an event to a specific individual and/or user ID? Are audit logs stored on alternate systems?

11.1.1.b 11.2.1.c 11.2.2.b 11.2.2.b N/A 11.2.1.a 11.2.2.b 11.2.2.a 11.2.2.b N/A N/A 11.2.2.b

Access Control Policy User Registration Privilege Management Privilege Management

User Registration Privilege Management Privilege Management Privilege Management

Privilege Management

".1 .1.1

11.1.1.f

Access Control Policy

".1 .1.19 ".1 .1.1) ".1 .1.20 ".1 .1.21 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 ".1 .1.21.1 .1.22 .1.22.1 .1.22.2 .1.22..1.22.' .1.22.6 .1.22., .1.22. .1.22.9 .1.22.) .1.22.10 .1.2.1.2-.1 .1.2-.2 .1.2-..1.2-.' .1.2-.6 .1.2-., .1.2' .1.2'.1 .1.2'.2 .1.26 .1.2,

11.1.1.a N/A N/A 10.10.2 10.10.2 10.10.1 10.10.1.d 10.10.1.d 10.10.1.f 10.10.1.g 10.10.1.l 10.10.1.l 10.10.1.f 10.10.4.c 10.10.1.g 10.10.1.i 10.10.3 N/A N/A N/A N/A N/A N/A 10.10.5 N/A N/A 10.10.1.a 10.10.3

Access Control Policy

Monitoring System Use Monitoring System Use Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Administrator And Operator Logs Audit Logging Audit Logging Protection Of Log Information

Fault Logging

Audit Logging Protection Of Log Information


SIG Question # Question Text
G.17.1.27 Are audit logs protected against modification, deletion, and/or inappropriate access?
G.17.1.27.1 If so, are the following controls in place:
G.17.1.27.1.1 Access control lists?
G.17.1.27.1.2 Alternate storage location?
G.17.1.27.1.3 Limited administrative access?
G.17.1.27.1.4 Real-time replication?
G.17.1.27.1.5 Hashing?
G.17.1.27.1.6 Encryption?
G.17.1.28 Is the minimum password length:
G.17.1.28.1 Five characters or less?
G.17.1.28.2 Six characters?
G.17.1.28.3 Seven characters?
G.17.1.28.4 Eight characters?
G.17.1.28.5 Nine characters or more?
G.17.1.29 Password composition requires:
G.17.1.29.1 Uppercase letter?
G.17.1.29.2 Lowercase letter?
G.17.1.29.3 Number?
G.17.1.29.4 Special character?
G.17.1.30 Is the minimum password expiration:
G.17.1.30.1 30 days or less?
G.17.1.30.2 31 to 60 days?
G.17.1.30.3 61 to 90 days?
G.17.1.30.4 Greater than 91 days?
G.17.1.31 Password history contains:
G.17.1.31.1 Five or less?
G.17.1.31.2 Six to 11?
G.17.1.31.3 12 or more?
G.17.1.32 Password can be changed at a minimum of:
G.17.1.32.1 One hour?
G.17.1.32.2 One day?
G.17.1.32.3 More than one day?
G.17.1.33 Are initial passwords required to be changed at first logon?
G.17.1.34 Can a PIN or secret question be a stand-alone method of authentication?
G.17.1.35 Are all passwords encrypted in transit?
G.17.1.36 Are all passwords encrypted or hashed in storage?
G.17.1.37 Are passwords displayed when entered into a system?
G.17.1.38 Are all user accounts uniquely assigned to a specific individual?
G.17.1.39 Invalid attempts prior to lockout:
G.17.1.39.1 Two or less?
G.17.1.39.2 Three to five?
G.17.1.39.3 Six or more?
G.17.1.40 Failed login attempt count resets to zero at a minimum of:
G.17.1.40.1 One hour or less?
G.17.1.40.2 Never, i.e., administrator intervention required?
G.17.1.41 Are users required to log off when the session is finished?
G.18 Is an Open VMS (VAX or Alpha) system used for storing or processing Target Data?
G.18.1 G.18.1.1

ISO 27002:2005 Relevance 10.10.3 N/A N/A N/A N/A N/A N/A N/A 11.3.1.d N/A N/A N/A N/A N/A 11.3.1.d N/A N/A N/A N/A 11.3.1.c N/A N/A N/A N/A 11.5.3.f N/A N/A N/A N/A N/A N/A N/A 11.3.1.f 11.3.1.d 11.5.1.i 11.5.3.i 11.5.1.g 11.5.2 11.5.1.e N/A N/A N/A 11.5.1.e.2 N/A N/A 11.3.2.b N/A Network Controls Technical Compliance Checking Protection Of Log Information

COBIT 4.1 Relevance DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A DS5.4 N/A N/A N/A N/A N/A N/A N/A PO6.2, DS5.4 PO6.2, DS5.4 DS5.4, DS5.7 DS5.4 DS5.4, DS5.7 DS5.3 DS5.4, DS5.7 N/A N/A N/A DS5.4, DS5.7 N/A N/A PO6.2, DS5.7 N/A PO4.1, DS5.9, DS5.11 DS5.5, DS5.7, ME2.5 PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 AI4.4, DS5.7, DS9.2, DS9.3, DS13.1 N/A PO2, AI2, DS9 DS5.4 DS11.6 DS5.4 N/A DS5.4 DS5.4 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 AI2.3, DS5.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7
Page 39 of

Password Use

Password Use

Password Use

Password Management System

Password Use Password Use Secure Log-On Procedures Password Management System Secure Log-On Procedures User Identification And Authentication Secure Log-On Procedures

Secure Log-On Procedures

Unattended User Equipment

Are Open VMS security controls documented? 10.6.1.e
Are VMS systems periodically monitored for continued compliance to documented standards? 15.2.2

".19.1.1.1 ".19.1.2 ".19.1.".19.1.' ".19.1.6 ".19.1., ".19.1. ".19.1.9 ".19.1.) ".19.1.10 ".19.1.11 ".19.1.12 ".19.1.1".19.1.1' ".19.1.16

Is non-compliance reported and resolved? Is access to system documentation restricted? Do system files and directories prevent the presence of unsecured user mail files? Are UIC protections in place on VMS systems? Are WORLD WRITE permissions ever allowed? Is auto logon permitted? Are duplicate User IDs present? Is there a policy to require users to activate accounts within seven days? Is administrative privilege restricted to those constituents responsible for VMS administration? Are wildcard characters allowed in the node or user name components of a proxy specification? Are access attempts to objects that have alarm ACEs monitored and alarmed? Is the SET AUDIT command enabled?

15.2.1 10.7.4 N/A 7.2.1 11.2.2.b 10.8.5.g 11.2.1.i N/A 11.2.2.b 11.2.1.a 10.10.2.c 10.10.1

Compliance With Security Policies And Standards Security of system documentation

Classification "#idelines Privilege +anage%ent 7#siness !nfor%ation S$ste%s Cser Registration

Privilege Management User Registration Monitoring System Use Audit Logging Monitoring System Use Monitoring System Use Monitoring System Use

Are changes to the system authorization files audited? 10.10.2.e
Are unauthorized attempts (detached, dial-up, local, network, and remote) alarmed and audited? 10.10.2.a
Are the following Object Access Events alarmed and audited: 10.10.2


SIG Question # Question Text ".19.1.16.1 ".19.1.16.2 ".19.1.1, ".19.1.1 ".19.1.19 ".19.1.1) ".19.1.20 ".19.1.20.1 ".19.1.21 ".19.1.21.1 ".19.1.21.2 ".19.1.21.".19.1.21.' ".19.1.21.6 ".19.1.21., ".19.1.21. ".19.1.21.9 ".19.1.21.) ".19.1.21.10 ".19.1.22 ".19.1.22.1 ".19.1.22.2 ".19.1.22.".19.1.22.' ".19.1.22.6 ".19.1.22., ".19.1.2".19.1.2-.1 ".19.1.2-.2 ".19.1.2' ".19.1.26 ".19.1.2, ".19.1.2,.1 ".19.1.2,.1.1 ".19.1.2,.1.2 ".19.1.2,.1.".19.1.2,.1.' ".19.1.2,.1.6 ".19.1.2,.1., ".19.1.2 ".19.1.2 .1 ".19.1.2 .2 ".19.1.29 ".19.1.2) ".19.1.2).1 ".19.1.2).2 ".19.1.2).".19.1.2).' ".19.1.2).6 ".19.1.-0 ".19.1.-0.1 ".19.1.-0.2 ".19.1.-0.".19.1.-0.' ".19.1.-1 ".19.1.-1.1 ".19.1.-1.2 ".19.1.-1.".19.1.-1.' ".19.1.-2 ".19.1.-2.1 ".19.1.-2.2 ".19.1.-2.".19.1.-".19.1.--.1 8ile access thro#gh privileges 7OPASS5 SOSPRV& 8ile access fail#res& !s the #se of the !1STABB #tilit$ to %ake changes to installed i%ages a#dited and alar%ed& Are login fail#res 30atch5 detached5 dial#p5 local5 net*ork5 re%ote5 and s#0process4 alar%ed and a#dited& 10.10.2.0 10.10.2.c 10.10.2.0 10.10.2.c

ISO 27002:2005 Relevance Monitoring System Use Monitoring System Use Monitoring System Use Monitoring System Use Monitoring System Use Monitoring System Use Monitoring System Use Monitoring System Use Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Administrator And Operator Logs Audit Logging Audit Logging Protection Of Log Information

Are changes to the operating system parameters alarmed and audited? 10.10.2.e
Are accounting events (e.g., batch, detached, interactive, login failure, message, network, print, process, and subprocess) audited? 10.10.2.a
Is there a process to regularly review logs using a specific methodology to uncover potential incidents? 10.10.2
If so, is this process documented and maintained? Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? Changes to access privileges? User administration activity? File permission changes? Operating system logs are retained for a minimum of: One day or less? Between one day and one week? Between one week and one month? Between one month and six months? Between six months and one year? Greater than one year? In the event of an operating system audit log failure, does the system: Generate an alert? Suspend processing? Do audit logs trace an event to a specific individual and/or user ID? Are audit logs stored on alternate systems? Are audit logs protected against modification, deletion, and/or inappropriate access? If so, are the following controls in place: Access control lists? Alternate storage location? Limited administrative access? Real-time replication? Hashing? Encryption? Are the following security auditing components enabled: Operator Communication Manager (OPCOM) process? Audit Server (AUDIT_SERVER) process? Does Open VMS perform auditing and logging to support incident and access research? Is the minimum password length: Five characters or less? Six characters? Seven characters? Eight characters? Nine characters or more? Password composition requires: Uppercase letter? Lowercase letter? Number? Special character? Is the minimum password expiration: 30 days or less? 31 to 60 days? 61 to 90 days? Greater than 91 days? Password history contains: Five or less? Six to 11? 12 or more? Password can be changed at a minimum of: One hour?
10.10.2 10.10.1 10.10.1.d 10.10.1.d 10.10.1.f 10.10.1.g 10.10.1.l 10.10.1.l 10.10.1.f 10.10.4.c 10.10.1.g 10.10.1.i 10.10.3 N/A N/A N/A N/A N/A N/A 10.10.5 N/A N/A 10.10.1.a 10.10.3 10.10.3 N/A N/A N/A N/A N/A N/A N/A 10.10.2 10.10.2.b 10.10.2.e 10.10.2.a 11.3.1.d N/A N/A N/A N/A N/A 11.3.1.d N/A N/A N/A N/A 11.3.1.c N/A N/A N/A N/A 11.5.3.f N/A N/A N/A N/A N/A

Fault Logging

Audit Logging Protection Of Log Information Protection Of Log Information

COBIT 4.1 Relevance DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7, ME2.2, ME2.5 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A AI2.3, DS5.7 N/A N/A AI2.3, DS5.7 DS5.5, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A N/A DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 PO6.2, DS5.4 N/A N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A DS5.4 N/A N/A N/A N/A N/A
Page 40 of

Monitoring System Use Monitoring System Use Monitoring System Use Monitoring System Use Password Use

Password Use

Password Use

Password Management System


SIG Question # ".19.1.--.2 ".19.1.--.".19.1.-' ".19.1.-6 ".19.1.-, ".19.1.".19.1.-9 ".19.1.-) ".19.1.'0 ".19.1.'0.1 ".19.1.'0.2 ".19.1.'0.".19.1.'1 ".19.1.'1.1 ".19.1.'1.2 ".19.1.'2 ".1) ".1).1 ".1).1.1 ".1).1.2 ".1).1.".1).2 ".1).2.1 ".1).2.2 ".1).2.".1).2.' ".1).2.6 ".1).2., ".1).2. ".1).2.9 ".1).2.) ".1).2.10 ".1).".1).-.1 ".1).-.2 ".1).-.".1).-.' ".1).-.6 ".1).-., ".1).-. ".1).-.9 ".20

Question Text One day? More than one day? Are initial passwords required to be changed at first logon? Can a PIN or secret question be a stand-alone method of authentication? Are all passwords encrypted in transit? Are all passwords encrypted or hashed in storage? Are passwords displayed when entered into a system? Are all user accounts uniquely assigned to a specific individual? Invalid attempts prior to lockout: Two or less? Three to five? Six or more? Failed login attempt count resets to zero at a minimum of: One hour or less? Never, i.e., administrator intervention required? Are users required to log off when the session is finished? Are Web services provided? Are electronic commerce web sites or applications used to process Target Data? Are cryptographic controls used for the electronic commerce application (e.g., SSL)? Are all parties required to authenticate to the application? Are any transaction details stored in the DMZ? Is Windows IIS used for these Web services? Is anonymous access to FTP disabled? Is membership to the IIS Administrators group restricted to those with web administration roles and responsibilities? Does each website have its own dedicated virtual directory structure? Are IIS security options restricted to authorized users? Are all unused services turned off on IIS servers? Do IIS services run on standard ports? Is IIS configured to perform logging to support incident investigation? Are all sample applications and scripts removed? Is least privilege used when setting IIS content permissions? Is the IIS content folder on the same drive as the operating system? Is Apache used for these Web services? Is Apache configured to perform logging to support incident investigation? Is anonymous access to FTP disabled? Is membership to the Apache group restricted to those with web administration roles and responsibilities? Does each website have its own dedicated virtual directory structure? Are Apache configuration options restricted to authorized users? Do Apache services run on standard ports? Are all sample applications and scripts removed? Is least privilege used when setting Apache permissions? Are desktop computers used?

ISO 27002:2005 Relevance N/A N/A 11.3.1.f 11.3.1.d 11.5.1.i 11.5.3.i 11.5.1.g 11.5.2 11.5.1.e N/A N/A N/A 11.5.1.e.2 N/A N/A 11.3.2.b N/A 10.9.1 10.9.1 10.9.1.a 10.9.2.e N/A 10.8.2 11.2.2.b 10.8.1 10.8.5.g 11.5.4.h N/A 10.10.1 11.5.4.h 11.2.1.c N/A N/A 10.10.1 10.8.2 11.2.2.b N/A 10.8.5.g N/A 11.5.4.h 11.2.1.c N/A

Password Use Password Use Secure Log-On Procedures Password Management System Secure Log-On Procedures User Identification And Authentication Secure Log-On Procedures

Secure Log-On Procedures

Unattended User Equipment

COBIT 4.1 Relevance N/A N/A PO6.2, DS5.4 PO6.2, DS5.4 DS5.4, DS5.7 DS5.4 DS5.4, DS5.7 DS5.3 DS5.4, DS5.7 N/A N/A N/A DS5.4, DS5.7 N/A N/A PO6.2, DS5.7 N/A AC4, AC6, DS5.11 AC4, AC6, DS5.11 AC4, AC6, DS5.11 AC3, AC4, AC5, AC6 N/A PO2.3, PO3.4, AI5.2, DS2.3 DS5.4 PO2.3, PO6.2, DS11.1 DS11.6 AI6.3, DS5.7 N/A AI2.3, DS5.7 AI6.3, DS5.7 DS5.4 N/A N/A AI2.3, DS5.7 PO2.3, PO3.4, AI5.2, DS2.3 DS5.4 N/A DS11.6 N/A AI6.3, DS5.7 DS5.4 N/A PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.3, DS11.2, DS11.3, DS11.4 PO4.11, DS5.4 PO4.11, DS5.4 PO4.11, DS5.4 PO4.1, DS5.9, DS5.11 DS5.9, DS5.11 PO4.14, PO6.2, DS9.2, DS9.3 PO4.14, PO6.2, DS9.2, DS9.3 N/A DS5.9, DS5.11

Electronic Commerce Electronic Commerce Electronic Commerce On-Line Transactions

Exchange Agreements Privilege Management Information Exchange Policies And Procedures Business Information Systems Use Of System Utilities Audit Logging Use Of System Utilities User Registration

Audit Logging Exchange Agreements Privilege Management Business Information Systems Use Of System Utilities User Registration

".20.1 ".20.2 ".20.".20.' ".20.6 ".20., ".20. ".20.9 ".20.) ".20.10 ".20.11 ".20.12 ".20.1".20.1' ".20.1'.1 ".20.1'.2

Is there a segregation of duties for granting access to and accessing Target Data? Is a user able to move Target Data to any Removable Media (e.g., floppy disk, recordable CD, USB drive) without detection? Is the user of a system also responsible for reviewing its security audit logs? Is the segregation of duties established to prevent the user of a system from modifying or deleting its security audit logs? Is there a segregation of duties for approving access requests and implementing the request? Are constituents required to use an approved standard operating environment? Are internal users required to pass through a content filtering proxy prior to accessing the Internet? Do applications that are not in the standard operating environment require an approval from security prior to implementation? Do freeware or shareware applications require approval from security prior to installation? Is Target Data ever stored on non-company managed PC(s)? Can a non-company managed PC connect directly into the company network? Is the installation of software on company-owned workstations restricted to administrators? Are users permitted to execute mobile code? Are mobile computing devices (laptop, PDA, etc.) used to store, process or access Target Data? Are laptops required to be attended at all times when in public places? Are laptops required to be secured at all times?

11.1.1.h 10.7.1.b 10.1.3 10.1.3 10.1.3 10.6.1.e 11.4.7 15.1.5 15.1.5 N/A 11.4.1 10.8.5.g 10.4.2 11.7.1 11.7.1 11.7.1

Access Control Policy Management of removable media Segregation Of Duties Segregation Of Duties Segregation Of Duties Network Controls Network Routing Control Prevention Of Misuse Of Information Processing Facilities Prevention Of Misuse Of Information Processing Facilities Policy On Use Of Network Services Business Information Systems Controls Against Mobile Code

Mobile Computing And Communications Mobile Computing And Communications Mobile Computing And Communications
DS11.6 DS5.9 PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7


Page 41 of

S!" to !nd#str$ Standard Relevance

SIG Question # Question Text
G.20.14.3 Is the installation of software on company-owned mobile computing devices restricted to administrators?
G.20.14.4 Is Target Data (except for email) ever stored on remote mobile devices (e.g., Blackberry or Palm Pilot)?
G.20.14.5 Are these devices subject to the same requirements as workstations when applicable?
G.20.14.6 Is encryption used to secure mobile computing devices?

ISO 27002:2005 Relevance 10.8.5.g 11.7.1 11.7.1 11.7.1 Business Information Systems

COBIT 4.1 Relevance

Mobile Computing And Communications Mobile Computing And Communications Mobile Computing And Communications
DS11.6 PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 N/A


Page 42 of

S!" to !nd#str$ Standard Relevance

SIG Question # Question Text H. Access Control Are electronic systems used to store, process and/or transport Target Data?

ISO 27002:2005 Relevance

COBIT 4.1 Relevance

H.1

N/A

N/A PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS5.4 N/A N/A N/A N/A N/A N/A N/A DS5.4 DS5.4 N/A PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS5.4 DS5.4 N/A N/A N/A DS5.4 N/A N/A DS5.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A DS5.4 DS5.7 N/A N/A N/A N/A N/A N/A DS5.4 DS5.4 N/A N/A N/A N/A
Page 43 of

H.1.1

Is there an access control policy?

11.1.1

Access Control Policy

H.1.1.1

Has it been approved by management?

5.1.1

Information Security Policy Document

H.1.1.2

Has the policy been published?

5.1.1

Information Security Policy Document

H.1.1.3

Has it been communicated to appropriate constituents?

5.1.1

Information Security Policy Document

H.1.1.4

Is there an owner to maintain and review the policy? Do policies require access controls be in place on applications, operating systems, databases, and network devices to ensure users have least privilege? Are unique user IDs used for access? Can a userID contain data (such as SSN) that could reveal private information of the user? Can a userID contain data that could reveal the access level assigned to the user (e.g., Admin)? Are inactive userID(s) deleted or disabled after: Every three months or less? Three months to four months? Greater than four months? Never? Can a user share a userID? Is there a process to grant and approve access to systems holding, processing, or transporting Target Data? Do access request approvals include:

5.1.2

Review Of The Information Security Policy

H.1.2 H.2 H.2.1 H.2.2 H.2.3 H.2.3.1 H.2.3.2 H.2.3.3 H.2.3.4 H.2.4 H.2.5 H.2.5.1

11.1.1.c 11.2.1.a N/A N/A N/A N/A N/A N/A N/A 11.2.1.a 11.2.1 N/A

Access Control Policy User Registration

User Registration User Registration

H.2.5.1.1

Formal request?

11.1.1.i

Access Control Policy

H.2.5.1.2

Management approval?

11.1.1.i

Access Control Policy

H.2.5.1.3 H.2.5.1.4 H.2.6 H.2.6.1 H.2.6.1.1 H.2.6.1.2 H.2.6.1.3 H.2.6.1.4 H.2.6.1.5 H.2.6.1.6 H.2.6.1.7 H.2.6.1.8 H.2.6.2 H.2.6.2.1 H.2.6.2.2 H.2.6.2.3 H.2.6.2.4 H.2.6.2.5 H.2.6.2.6 H.2.7 H.2.7.1 H.2.7.2 H.2.7.3 H.2.7.4 H.2.7.5 H.2.7.6 H.2.7.7 H.2.8 H.2.8.1 H.2.8.1.1 H.2.8.1.2 H.2.8.1.3 H.2.8.1.4

Implementation by administrator? Data owner approval? Are approved requests for granting access logged or archived? If so, does it include: Requestor's name? Date and time requested? Documented request? Approver's name? Date and time approved? Evidence of approval? Administrator's name? Date and time implemented? Approvals are retained for a minimum of: One month or less? Between one month and six months? Between six months and one year? Between one year and three years? Greater than three years? Other (Please explain in the "Additional Information" column)? System access is limited by: Time of day? User account lifetime? Privilege lifetime? Physical location? Physical device? Network subnet? IP address? Is there a process to review that access is only granted to those with a business need to know? User access rights are reviewed: Weekly? Monthly? Quarterly? Annually?

11.1.1.D 11.2.1.0 11.2.1.g 12A 12A 12A 11.2.1.g 12A 12A 11.2.1.0 12A 12A 12A 12A 12A 12A 12A 12A 12A 11.2.1.c 11.6., 12A 12A 12A 12A 12A 12A 11.2.' 11.2.'.a 12A 12A 12A 12A

Access Control Polic$ Cser Registration Cser Registration

Cser Registration

Cser Registration

Cser Registration Bi%itation (f Connection Ti%e

Revie* (f Cser Access Rights Revie* (f Cser Access Rights

All Rights Reserved Valores Corporativos Softtek S.A. de C.V. 2011. Confidential.

SIG Question # H.2.8.1.5 H.2.8.1.6 H.2.8.2 H.2.8.3 H.2.8.3.1 H.2.8.3.1.1 H.2.8.3.1.2 H.2.8.3.1.3 H.2.8.3.1.4 H.2.8.3.1.5 H.2.8.3.1.6 H.2.8.4 H.2.8.5 H.2.8.5.1 H.2.8.5.2 H.2.8.5.3 H.2.8.5.4 H.2.8.5.5 H.2.8.5.6 H.2.9 H.2.10 H.2.11 H.2.12 H.2.13 H.2.14 H.2.14.1 H.2.14.2 H.2.14.3 H.2.14.4 H.2.15 H.2.15.1 H.2.15.2 H.2.15.3 H.2.15.4 H.2.16 H.2.16.1 H.2.16.2

Question Text Never? Other (Please explain in the "Additional Information" column)? Are access rights reviewed when a constituent changes roles? Are reviews of privileged systems conducted to ensure unauthorized privileges have not been obtained? Are privileged user access rights reviewed: Weekly? Monthly? Quarterly? Annually? Never? Other (Please explain in the "Additional Information" column)? Are changes to privileged user access rights logged? Are logon banners presented at: Workstations? Production systems? Internet-facing applications? Internet-facing servers? Internal applications? Remote access? Upon logon failure, does the error message describe the cause of the failure (e.g., Invalid password, invalid user ID, etc.)? Upon successful logon, does a message indicate the last time of successful logon? Is multi-factor authentication deployed for "high-risk" environments? Do all users have a unique userID when accessing applications? Is the use of system utilities restricted to authorized users only? Screen locks on an inactive workstation occur at: 15 minutes or less? 16 to 30 minutes? 31 to 60 minutes? 61+ minutes? Session timeout for inactivity occurs at: Five minutes or less? Six to 15 minutes? 16 to 30 minutes? 30 minutes, or greater? Is application development performed? Are developers permitted access to production environments, including read access? Is there a process for emergency access to production systems? Is access to systems and applications based on defined roles and responsibilities or job functions? Are the following roles defined: Developer? Production Support? Administrative Users? Are job role profiles established?

ISO 27002:2005 Relevance N/A N/A 11.2.4.b 11.2.4.d 11.2.4.c N/A N/A N/A N/A N/A N/A 11.2.4.e 11.5.1.b N/A N/A N/A N/A N/A N/A 11.5.1.c 11.5.1.g 11.5.2 11.5.2 11.5.4 11.5.5 N/A N/A N/A N/A 11.5.5 N/A N/A N/A N/A

Review Of User Access Rights Review Of User Access Rights Review Of User Access Rights

COBIT 4.1 Relevance N/A N/A DS5.4 DS5.4 DS5.4 N/A N/A N/A N/A N/A N/A DS5.4 DS5.4, DS5.7 N/A N/A N/A N/A N/A N/A DS5.4, DS5.7 DS5.4, DS5.7 DS5.3 DS5.3 AI6.3, DS5.7 DS5.7 N/A N/A N/A N/A DS5.7 N/A N/A N/A N/A DS5.7 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 N/A N/A N/A N/A N/A DS5.4 N/A

Review Of User Access Rights Secure Log-On Procedures

Secure Log-On Procedures Secure Log-On Procedures User Identification And Authentication User Identification And Authentication Use Of System Utilities Session Time-Out

Session Time-Out

Application and information access control 11.6 Access Control To Program Source Code 12.4.3.c Privilege Management 11.2.2.c

H.2.16.3 H.2.16.4 H.2.16.4.1 H.2.16.4.2 H.2.16.4.3 H.2.16.5 H.2.16.6 H.2.16.7

11.1.1 N/A N/A N/A N/A N/A

Access Control Policy

Is there a process when an individual requires access outside an established role? 11.2.2.b Is there a process to revise and update constituent access during internal moves? N/A Are user accounts not assigned to a designated person (i.e., system, vendor, or service accounts) disallowed for normal operations and monitored for usage? Are passwords required to access systems holding, processing, or transporting Target Data? Is there a password policy for systems holding, processing, or transporting Target Data?

Privilege Management

H.2.17 H.3 H.3.1

N/A 11.2.3 11.2.3 User Password Management User Password Management

N/A DS5.3 DS5.3 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 DS5.3 DS5.4

SIG to Industry Standard Relevance

H.3.1.1

Has it been approved by management?

5.1.1

Information Security Policy Document

H.3.1.2

Has the policy been published?

5.1.1

Information Security Policy Document

H.3.1.3

Has it been communicated to appropriate constituents?

5.1.1

Information Security Policy Document

H.3.1.4 H.3.2 H.3.3

Is there an owner to maintain and review the policy? Are strong passwords required on systems holding, processing, or transporting Target Data? Are password files and application system data stored in different file systems?

5.1.2 11.5.2 11.5.3.h

Review Of The Information Security Policy User Identification And Authentication Password Management System


SIG Question # H.3.4 H.3.4.1 H.3.4.2 H.3.4.3 H.3.4.4 H.3.4.5 H.3.4.6 H.3.4.7 H.3.4.8 H.3.4.9 H.3.5 H.3.6 H.3.7 H.3.8 H.3.8.1 H.3.8.2 H.3.8.3 H.3.8.4 H.3.9 H.3.9.1 H.3.9.2 H.3.9.3 H.3.9.4 H.3.9.5 H.3.9.6 H.3.9.7 H.3.10 H.3.11 H.3.12 H.3.13 H.3.14 H.3.14.1 H.3.14.2 H.3.14.3 H.3.14.4 H.3.14.5 H.3.14.6 H.3.14.7 H.3.14.8 H.3.14.9 H.4 H.4.1

Question Text Are initial passwords communicated to users by: Email? Telephone call? Instant Messaging? User selected? Cell phone text message? Paper document? Verbal? Encrypted communication? Other (Please explain in the "Additional Information" column)? Are new constituents issued random initial passwords? Are users forced to change the password upon first logon? Are temporary passwords unique to an individual? Do temporary passwords expire after: 10 days or less? 10 days to 30 days? Greater than 30 days? Never? How is a user's identity verified prior to resetting a password: Email return? Voice recognition? Secret questions? Administrator call return? Identified physical presence? Management approval? Other (Please explain in the "Additional Information" column)? Is there a policy to prohibit users from sharing passwords? Are users prohibited from keeping paper records of passwords? Are vendor default passwords removed, disabled or changed prior to placing the device or system into production? Is password reset authority restricted to authorized persons and/or an automated password reset tool? Are users required to: Keep passwords confidential? Not keep a record of passwords (paper, software file or handheld device)? Change passwords when there is an indication of possible system or password compromise? Change passwords at regular intervals? Change temporary passwords at first logon? Not include passwords in automated logon processes (e.g., stored in a macro or function key)? Terminate or secure active sessions when finished? Logoff terminals, PC or servers when the session is finished? Lock (using key lock or equivalent control) when systems are unattended? Is remote access permitted into the environment? Is there a remote access policy?

ISO 27002:2005 Relevance N/A 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.b 11.2.3.b 11.2.3.e N/A N/A N/A N/A N/A N/A 11.2.3.c 11.2.3.c 11.2.3.c 11.2.3.c 11.2.3.c 11.2.3.c 11.2.3.c 11.2.3.a 11.2.3.g 11.2.3.h 11.2.3.c N/A 11.3.1.a 11.3.1.b 11.3.1.c 11.3.1.e 11.3.1.f 11.3.1.g 11.3.2.a 11.3.2.b 11.3.2.c User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management

User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management Password Use Password Use Password Use Password Use Password Use Password Use Unattended User Equipment Unattended User Equipment Unattended User Equipment

COBIT 4.1 Relevance N/A DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 N/A N/A N/A N/A N/A N/A DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 N/A PO6.2, DS5.4 PO6.2, DS5.4 PO6.2, DS5.4 PO6.2, DS5.4 PO6.2, DS5.4

PO6.2, DS5.4 PO6.2, DS5.7 PO6.2, DS5.7 PO6.2, DS5.7 AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 PO6.2, DS5.2, DS5.3, DS5.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 N/A N/A PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 N/A PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7

11.7 Mobile Computing And Teleworking 11.7.1 Mobile Computing And Communications

H.4.1.1

Has it been approved by management?

5.1.1

Information Security Policy Document

H.4.1.2

Has the policy been published?

5.1.1

Information Security Policy Document

H.4.1.3

Has it been communicated to appropriate constituents?

5.1.1

Information Security Policy Document

H.4.1.4 H.4.2 H.4.3 H.4.3.1 H.4.3.2 H.4.3.3 H.4.3.4 H.4.4 H.4.4.1 H.4.4.2

Is there an owner to maintain and review the policy? Are two active network connections allowed at the same time and are they routable (e.g., bridged internet connections)? What type of hardware can users use for remote access into the network: Laptop? Desktop? PDA? BlackBerry? Is there a process to ensure that connecting systems have the following: Current patch levels? Anti-virus software?

5.1.2 N/A N/A 11.7.1 11.7.1 11.7.1 11.7.1 N/A 11.7.1 11.7.1

Review Of The Information Security Policy

Mobile Computing And Communications Mobile Computing And Communications Mobile Computing And Communications Mobile Computing And Communications

Mobile Computing And Communications Mobile Computing And Communications


SIG Question # Question Text H.4.4.3 H.4.4.4 H.4.4.5 H.4.4.6 H.4.4.7 H.4.4.8 H.4.4.9 H.4.5 H.4.6 H.5 Current virus signature files? Personal firewall? Supported operating system? Anti-spyware software? Supported software? Supported hardware? Encrypted communications? Is multi-factor authentication required for remote access? Are two active network connections allowed at the same time and are they routable (e.g., bridged internet connections)? Is there a teleworking policy? 11.7.1 N/A N/A 11.7.1 N/A N/A 12.3.1.c 11.7.1 N/A 11.7.2

ISO 27002:2005 Relevance

COBIT 4.1 Relevance PO6.2, DS5.2, DS5.3, DS5.7 N/A N/A PO6.2, DS5.2, DS5.3, DS5.7 N/A N/A PO6, AI2, DS5 PO6.2, DS5.2, DS5.3, DS5.7 N/A PO3.4, PO6.2, DS5.2, DS5.3, DS5.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 N/A PO3.4, PO6.2, DS5.2, DS5.3, DS5.7 PO3.4, PO6.2, DS5.2, DS5.3, DS5.7 PO3.4, PO6.2, DS5.2, DS5.3, DS5.7

Mobile Computing And Communications Mobile Computing And Communications Policy on the use of cryptographic controls Mobile Computing And Communications

Teleworking

H.5.1

Has it been approved by management?

5.1.1

Information Security Policy Document

H.5.1.1

Has the policy been published?

5.1.1

Information Security Policy Document

H.5.1.2

Has it been communicated to appropriate constituents?

5.1.1

Information Security Policy Document

H.5.1.3 H.5.2 H.5.2.1 H.5.2.2 H.5.3

Is there an owner to maintain and review the policy? Does the policy address the following: Equipment security? Protection of data? Is the teleworking policy consistent with the organization's security policy?

5.1.2 N/A 11.7.2 11.7.2 11.7.2

Review Of The Information Security Policy

Teleworking Teleworking Teleworking


SIG Question # Question Text I. Information Systems Acquisition, Development & Maintenance Are business information systems used for processing, storing or transmitting Target Data? Are security requirements documented? Does the use or installation of open source software (e.g., Linux, Apache, etc.) undergo an information security review and approval process? Is application development performed? Are applications independently evaluated or certified by the following: Third-party testing lab? BITS Certification? Internal audit? Information security? CMM? ISO? Other (Please explain in the "Additional Information" column)? Does the application development process explicitly guard against the following: Invalidated input? Broken access control? Broken authentication? Replay attacks? Cross site scripting? Buffer overflow? Injection flaws (e.g., SQL injection)? Improper error handling? Data under-run / overrun? Insecure storage? Application denial of service? Insecure configuration management? Improper application session termination? Is an application's authenticated state maintained for every data transaction for the duration of that session? Does the application provide a means for re-authenticating a user? Do web-facing systems that perform authentication also require session validation for subsequent requests? Are authorization checks present for all tiers or points in a multi-tiered application architecture? Does application error-handling address the following: Incomplete transactions? Hung transactions? Failed operating system calls? Failed application calls? Failed library calls? PIN or password? Transaction ID? Subject ID? Application ID? Transaction specific elements (e.g., to / from account numbers for funds transfer)? In the event of an application audit log failure does the application: Generate an alert? Halt processing? Is there a Software Development Life Cycle (SDLC) process? Is it documented? Does the development lifecycle process include:
Initiation? Planning? Design? Development? Testing? Implementation? Evaluation? Maintenance? Disposal? Peer code review? Information security code review? System testing? Integration (end-to-end) testing? Regression testing? Load testing? Installation testing? Migration testing? Vulnerability testing? 12.5.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

ISO 27002:2005 Relevance

COBIT 4.1 Relevance

I.1 I.1.1 I.1.2 I.2 I.2.1 I.2.1.1 I.2.1.2 I.2.1.3 I.2.1.4 I.2.1.5 I.2.1.6 I.2.1.7 I.2.2 I.2.2.1 I.2.2.2 I.2.2.3 I.2.2.4 I.2.2.5 I.2.2.6 I.2.2.7 I.2.2.8 I.2.2.9 I.2.2.10 I.2.2.11 I.2.2.12 I.2.2.13 I.2.3 I.2.4 I.2.5 I.2.6 I.2.7 I.2.7.1 I.2.7.2 I.2.7.3 I.2.7.4 I.2.7.5 I.2.7.6 I.2.7.7 I.2.7.8 I.2.7.9 I.2.7.10 I.2.8 I.2.8.1 I.2.8.2 I.2.9 I.2.9.1 I.2.9.2 I.2.9.2.1 I.2.9.2.2 I.2.9.2.3 I.2.9.2.4 I.2.9.2.5 I.2.9.2.6 I.2.9.2.7 I.2.9.2.8 I.2.9.2.9 I.2.9.2.10 I.2.9.2.11 I.2.9.2.12 I.2.9.2.13 I.2.9.2.14 I.2.9.2.15 I.2.9.2.16 I.2.9.2.17 I.2.9.2.18

Security Requirements Analysis And Specification Security Requirements Analysis And Specification 12.1.1 Security Requirements Analysis And Specification 12.1.1 Security In Development And Support Processes 12.5 N/A N/A N/A N/A N/A N/A N/A N/A 12.1.1 N/A 12.2.1.a N/A N/A N/A N/A 12.2.2.d 12.2.2.a 12.2.2.c 12.2.1 10.7.3 N/A N/A 12.2.2.g 11.5.6 11.5.6 N/A 10.9.2.b 12.2.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.10.5 N/A N/A On-Line Transactions Control Of Internal Processing

AI1.2, AI2.4, AI3.2 AI1.2, AI2.4, AI3.2 AI1.2, AI2.4, AI3.2 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 N/A N/A N/A N/A N/A N/A N/A N/A N/A AI2.3 N/A N/A N/A N/A AI2.3 AI2.3 AI2.3 AI2.3 PO6.2, DS11.6 N/A N/A AI2.3 DS5.7 DS5.7 N/A AC3, AC4, AC5, AC6 AI2.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A AI2.3, DS5.7 N/A N/A AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI2.6, AI6.2, AI6.3, AI7.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Input Data Validation

Control Of Internal Processing Control Of Internal Processing Control Of Internal Processing Input Data Validation Information Handling Procedures

Control Of Internal Processing Limitation Of Connection Time Limitation Of Connection Time

Fault Logging

Security In Development And Support Processes 12.5 Security In Development And Support Processes 12.5 Change Control Procedures


SIG Question # Question Text I.2.9.2.19 Acceptance testing? I.2.9.2.20 Other (Please explain in the "Additional Information" column)? I.2.10 I.2.11 I.2.12 I.2.13 I.2.14 I.2.15 I.2.15.1 I.2.15.2 I.2.15.3 I.2.15.4 I.2.16 I.2.16.1 I.2.16.2 I.2.16.3 I.2.16.4 I.2.16.5 I.2.16.6 I.2.16.7 I.2.16.8 I.2.16.9 I.2.17 I.2.17.1 I.2.17.2 I.2.17.3 I.2.17.4 I.2.17.5 I.2.18 I.2.18.1 I.2.18.2 I.2.18.3 I.2.18.4 I.2.19 I.2.19.1 I.2.19.2 I.2.19.3 I.2.19.4 I.2.20 I.2.20.1 I.2.20.2 I.2.20.3 I.2.21 I.2.21.1 I.2.21.2 I.2.21.3 I.2.21.4 I.2.22 I.2.22.1 I.2.22.2 I.2.22.3 I.2.22.4 I.2.23 I.2.24 I.2.24.1 I.2.24.2 I.2.24.3 Are there different source code repositories for production and non-production? Do support personnel have access to program source libraries? Is all access to program source libraries logged? Are change control procedures required for all changes to the production environment? Is the sensitivity of an application explicitly identified and documented? Is there a process to ensure that application code is digitally signed for the following: Internally developed applications? Applications developed for external / client use? Internal applications developed by a third party? External / client applications developed by a third party? Do applications log the following: Access? Originator user ID? Event / transaction time? Event / transaction status? Authentication? Event / transaction type? Target Data access? Target Data transformations? Target Data delivery? Are application sessions set to time out: 15 minutes? 16 to 30 minutes? 31 to 60 minutes? 61+ minutes? Never? Is application development performed by: Internal developers onshore? Internal developers offshore? Third party / outsourced developers onshore? Third party / outsourced developers offshore? Is there access control to protect the following: Source code? Binaries? Databases? Test data? Are the following components for version management segregated:
Code? Data? Environment (e.g., production, test, QA, etc.)? Do changes to applications or application code go through the following: Formal documented risk assessment process? Information security review? Information security approval? Application testing? Is Target Data ever used in the test, development, or QA environments? Is authorization required for any time production data is copied to the test environment? Is test data containing Target Data destroyed following the testing phase? Is test data containing Target Data masked or obfuscated during the testing phase? Is copying Target Data to the test environment logged? Are the access control procedures the same for both the test and production environment? Prior to implementation do applications go through the following: Formal documented risk assessment process? Information security review? Information security approval?

ISO 27002:2005 Relevance N/A N/A 12.4.3.a 12.4.3.c 12.4.3.f 12.4.3.g 11.6.2.a 12.3.1.b N/A N/A N/A N/A 10.10.1 10.10.1.e 10.10.1.a 10.10.1.b 10.10.1.b 10.10.1.b 10.10.1.b 10.10.1.e 10.10.1.e 10.10.1.e 11.5.5 N/A N/A N/A N/A N/A N/A N/A N/A 12.5.5 12.5.5 12.4.3 12.4.3 N/A N/A 12.4.2.a N/A 12.4.1.b N/A 12.4.1 12.5.1 12.5.1.c N/A N/A 12.5.1 12.4.2 12.4.2.b 12.4.2.c 12.4.2 12.4.2.d 12.4.2.a 12.5.1 12.5.1.c N/A N/A Access Control To Program Source Code Access Control To Program Source Code Access Control To Program Source Code Access Control To Program Source Code Sensitive System Isolation Policy On The Use Of Cryptographic Controls

COBIT 4.1 Relevance N/A N/A AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 PO6, AI2, DS5 N/A N/A N/A N/A AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 DS5.7 N/A N/A N/A N/A N/A N/A N/A N/A PO8.3, AI2.7, AI5.2, DS2.4, PO8 PO8.3, AI2.7, AI5.2, DS2.4, PO8 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 N/A N/A AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 N/A DS5.7, DS9.1 N/A DS5.7, DS9.1 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 N/A N/A AI2.6, AI6.2, AI6.3, AI7.2 AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 N/A N/A

Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Session Time-Out

Outsourced Software Development Outsourced Software Development Access Control To Program Source Code Access Control To Program Source Code

Protection Of System Test Data Control Of Operational Software Control Of Operational Software Change Control Procedures Change Control Procedures

Change Control Procedures Protection Of System Test Data Protection Of System Test Data Protection Of System Test Data Protection Of System Test Data Protection Of System Test Data Protection Of System Test Data Change Control Procedures Change Control Procedures


SIG Question # Question Text I.2.25 Is there a project management function? I.2.26 I.2.27 I.2.27.1 I.2.27.2 I.2.27.3 I.2.28 I.2.28.1 I.2.28.1.1 I.2.28.1.2 I.2.28.1.3 I.2.28.1.4 I.2.28.1.5 I.2.28.1.6 I.2.28.1.7 I.2.28.1.8 I.2.28.1.9 I.2.28.1.10 I.2.28.1.11 I.2.28.1.12 I.2.28.1.13 I.2.28.1.14 I.2.28.1.15 I.2.29 I.2.30 I.3 I.3.1 I.3.1.1 I.3.1.1.1 I.3.1.1.2 I.3.1.1.3 I.3.1.1.4 I.3.2 I.3.2.1 I.4 I.4.1 I.4.2 I.4.2.1 I.4.2.2 I.4.2.3 I.4.2.4 I.4.3 I.4.3.1 I.4.3.2 I.4.3.3 I.4.3.4 I.4.3.5 I.4.3.6 Is software and infrastructure independently tested prior to implementation? Does quality assurance testing of software and infrastructure prior to implementation include: Issue tracking and resolution? Metrics on software defects and release incidents? Using the metrics to improve the quality of the program? Is there a documented change management / change control process? Does the change management / change control process include the following: Testing prior to deployment? Management approval prior to deployment? Establishment of restart points? Management approval for sign off on changes? Documented rules for the transfer of software from development to production? A review of code changes by information security? Change approvals are authorized by appropriate individuals? A list of individuals authorized to approve changes? A requirement to review all affected systems, applications, etc.? System documentation is updated with the changes made? Version control is maintained for all software? Change requests are logged? Changes only take place during specified and agreed upon times (e.g., green zone)? Changes are reviewed and tested prior to being introduced into production? Checks to ensure modifications and essential changes to software packages are strictly controlled? Are audit logs maintained and reviewed for all program library updates? Are compilers, editors or other development tools present in the production environment? Are systems and applications patched? Is there a documented process to patch systems and applications? Does the process include the following: Testing of patches, service packs, and hot fixes prior to installation? Evaluate and prioritize vulnerabilities? All patching is logged? High risk systems are patched first?

ISO 27002:2005 Relevance N/A 6.1.8 6.1.8 6.1.8 6.1.8 N/A 12.5.1 N/A 12.4.1.c 12.5.1.e 12.4.1.e 12.5.1.e 10.4.2.a 12.4.1.c 12.5.1.a 12.5.1.b 12.5.1.d 12.5.1.g 12.5.1.h 12.5.1.i 12.5.1.k 12.4.1.c 12.5.1 12.4.1.f 10.1.4.c 12.6.1 12.6.1 N/A 12.6.1.g 12.6.1.g 12.6.1.h 12.6.1.j Independent Review Of Information Security Independent Review Of Information Security Independent Review Of Information Security Independent Review Of Information Security

Change Control Procedures Control Of Operational Software Change Control Procedures Control Of Operational Software Change Control Procedures Controls Against Mobile Code Control Of Operational Software Change Control Procedures Change Control Procedures Change Control Procedures Change Control Procedures Change Control Procedures Change Control Procedures Change Control Procedures Control Of Operational Software Change Control Procedures Control Of Operational Software Separation Of Development, Test, And Operational Facilities Control Of Technical Vulnerabilities Control Of Technical Vulnerabilities

COBIT 4.1 Relevance N/A PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 N/A AI2.6, AI6.2, AI6.3, AI7.2 N/A DS5.7, DS9.1 AI2.6, AI6.2, AI6.3, AI7.2 DS5.7, DS9.1 AI2.6, AI6.2, AI6.3, AI7.2 DS5.9 DS5.7, DS9.1 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 DS5.7, DS9.1 AI2.6, AI6.2, AI6.3, AI7.2 DS5.7, DS9.1 PO4.11, AI3.4, AI7.4 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 N/A AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 N/A DS5.5, DS5.7, ME2.5 DS5.4 AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 N/A DS5.4 DS5.4 N/A N/A N/A N/A

Control Of Technical Vulnerabilities Control Of Technical Vulnerabilities Control Of Technical Vulnerabilities Control Of Technical Vulnerabilities Control Of Technical Vulnerabilities Control Of Technical Vulnerabilities

Are third party alert services used to keep up to date with the latest vulnerabilities? 12.6.1.b If so, is this initiated immediately upon receipt of third party alerts? Is a web site supported, hosted or maintained that has access to Target Data? Are regular penetration tests executed against web-based applications? Do any of the following reside on the same physical system: Web server and application server? Application server and database server? Web server and database server? Web server, application server, and database server? Are web applications configured for the following: HTTP GET is used only within the context of a safe interaction? Forms are used to implement unsafe operations with HTTP POST even if the application does not require user input? Is the 'cache-control' setting set to 'no-cache'? Are cookies set with the 'Secure' flag? Are persistent cookies used? Use random session IDs? 12.6.1.c N/A 15.2.2 11.6.1 11.6.2 11.6.2 11.6.2 11.6.2 N/A 11.6.1.b 11.6.1.a N/A N/A N/A N/A

Technical Compliance Checking Information Access Restriction Sensitive System Isolation Sensitive System Isolation Sensitive System Isolation Sensitive System Isolation Information Access Restriction Information Access Restriction


SIG Question # Question Text I.4.4 Are applications using server-side scripting protected from the following vulnerabilities: I.4.4.1 Viewing instructions or code in the server script? I.4.4.2 Modification by web page users? I.4.4.3 User-entered input used for script code injection? I.4.4.4 Access via other non-web-based services? I.4.4.5 Dynamic generation of other server-side scripts? I.4.4.6 Dynamically generating executable content (beyond HTML)? I.4.4.7 Not running as a User ID with least privilege? I.4.4.8 Running with system level privilege? I.4.4.9 Running in a system shell context? I.4.5 Is data input into applications validated for accuracy? I.4.6 I.5 Are validation checks performed on applications to detect any corruption of data? Are vulnerability tests (internal/external) performed on all applications?

ISO 27002:2005 Relevance N/A N/A 12.2.2 12.2.1.a 12.2.2 12.2.2.g 12.2.2.g 12.2.2 12.2.2 12.2.2 12.2.1 12.2.1 15.2.2

COBIT 4.1 Relevance N/A N/A AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 DS5.5, DS5.7, ME2.5 PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 DS5.5, DS5.7, ME2.5 N/A N/A AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 N/A AI2.5, AI6.1, AI6.2, AI6.3, DS9.2 DS5.5, DS5.7, ME2.5

Control Of Internal Processing Input Data Validation Control Of Internal Processing Control Of Internal Processing Control Of Internal Processing Control Of Internal Processing Control Of Internal Processing Control Of Internal Processing Input Data Validation Input Data Validation Technical Compliance Checking

I.5.1

Are results reported?

15.2.1.a

Compliance With Security Policies And Standards

I.5.2 I.5.3 I.5.4 I.5.4.1 I.5.4.1.1 I.5.4.1.2 I.5.4.1.3 I.5.4.1.4 I.5.5 I.5.5.1 I.5.5.2 I.5.5.3 I.5.5.4 I.5.5.5 I.5.5.6 I.5.5.6.1 I.5.5.6.1.1 I.5.5.6.1.2 I.6 I.6.1

Are issues resolved? Has an external company performed a vulnerability assessment of the IT environment within the last 12 months? Are vulnerability assessments required during a merger / acquisition event? Are the vulnerability tests performed: during testing? after implementation? after application changes? regularly scheduled? Are penetration, threat or vulnerability assessment tools used? Is there a process to manage threat and vulnerability assessment tools and the data they collect?

15.2.1.c 15.2.2 N/A N/A 12.6.1.g N/A 12.5.3 15.2.2 15.3.2 15.3.2

Compliance With Security Policies And Standards Technical Compliance Checking

Control Of Technical Vulnerabilities

Is there a process to approve the use of threat and vulnerability assessment tools? 15.3.2 Is there a documented process in place for the use of these tools? N/A Is the use of these tools logged? N/A Are only authorized personnel allowed to use these tools? Do any of these tools capture data? If so, is there a process to: Purge the captured data? Verify the data is purged? Are encryption tools managed and maintained? Is there an encryption policy? 15.3.2 15.3.1.d N/A 15.3.1.d 15.3.1.g N/A 12.3.1

Restrictions On Changes To Software Packages Technical Compliance Checking Protection Of Information Systems Audit Tools AI2.3, AI2.4, DS5.7 Protection Of Information Systems Audit Tools AI2.3, AI2.4, DS5.7 Protection Of Information Systems Audit Tools AI2.3, AI2.4, DS5.7 N/A N/A Protection Of Information Systems Audit Tools AI2.3, AI2.4, DS5.7 Information Systems Audit Controls AI2.3, DS5.5, ME2.5 N/A Information Systems Audit Controls AI2.3, DS5.5, ME2.5 Information Systems Audit Controls AI2.3, DS5.5, ME2.5 N/A Policy On The Use Of Cryptographic Controls PO6, AI2, DS5

I.6.1.1

Has it been approved by management?

5.1.2

Review Of The Information Security Policy

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 DS5 PO2.3, PO6.2, DS11.1 DS5 N/A DS5 DS5 DS5 DS5 DS5

I.6.1.2

Has the policy been published?

5.1.1

Information Security Policy Document

I.6.1.3

Has it been communicated to appropriate constituents?

5.1.1

Information Security Policy Document

I.6.1.4 I.6.2 I.6.3 I.6.4 I.6.4.1 I.6.4.1.1 I.6.4.1.2 I.6.4.2 I.6.5 I.6.6

Is there an owner to maintain and review the policy? Are encryption keys encrypted when transmitted? Is Target Data encrypted in storage / at rest? Is there a centralized key management system? Is the administration of key management handled by: Internal resources? External third party? Is there a process to review and approve key management systems used by third parties? Are public/private keys used? Is there a key management policy?

5.1.2 12.3.2 10.8.1.g 12.3.2 N/A 12.3.2 12.3.2 12.3.2 12.3.2 12.3.2

Review Of The Information Security Policy Key Management Information Exchange Policies And Procedures Key Management Key Management Key Management Key Management Key Management Key Management

All Rights Reserved Valores Corporativos Softtek S.A. de C.V. 2011. Confidential.

Page 60 of

SIG to Industry Standard Relevance

SIG Question # Question Text

ISO 27002:2005 Relevance

COBIT 4.1 Relevance PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 N/A N/A PO4.11, DS5.4 DS5 N/A N/A N/A N/A N/A N/A N/A N/A N/A DS5 N/A N/A N/A PO4.11, AI3.4, AI7.4 DS5 DS5 DS5 N/A PO6, AI2, DS5 PO6, AI2, DS5 PO6, AI2, DS5 DS5.3 N/A DS5 N/A N/A N/A N/A N/A N/A N/A DS5 DS5 N/A N/A N/A N/A N/A

Page 61 of

I.6.6.1

Has it been approved by management?

5.1.2

Review Of The Information Security Policy

I.6.6.2

Has the policy been published?

5.1.1

Information Security Policy Document

I.6.6.3

Has it been communicated to appropriate constituents?

5.1.1

Information Security Policy Document

I.6.6.4 I.6.6.4.1 I.6.6.4.1.1 I.6.6.4.1.2 I.6.6.4.1.3 I.6.6.4.1.4 I.6.6.4.1.5 I.6.6.4.1.6 I.6.6.4.1.7 I.6.6.4.1.8 I.6.6.4.1.9 I.6.6.4.1.10 I.6.6.4.1.11 I.6.6.4.1.12 I.6.6.4.1.13 I.6.6.4.1.14 I.6.6.4.1.15 I.6.7 I.6.8 I.6.9 I.6.9.1 I.6.9.2 I.6.9.3 I.6.9.4 I.6.9.5 I.6.9.6 I.6.9.7 I.6.9.8 I.6.9.9 I.6.10 I.6.10.1 I.6.10.2 I.6.10.3 I.6.11 I.6.12 I.6.12.1 I.6.12.2 I.6.12.3 I.6.12.3.1 I.6.12.3.2 I.6.12.3.3 I.6.12.4 I.6.13 I.6.13.1 I.6.13.2 I.6.13.2.1 I.6.13.2.2 I.6.13.2.3 I.6.13.2.4 I.6.13.2.5 I.6.13.2.6 I.6.13.3 I.6.13.3.1 I.6.14 I.6.14.1 I.6.14.1.1 I.6.14.1.2 I.6.14.1.3

Is there an owner to maintain and review the policy? Do key management controls address the following: Key generation? Generating and obtaining public key certificates? Key distribution and activation? Hard copies? Key escrow? Physical controls? Key storage? Key exchange and update? Key compromise? Key revocation? Key recovery? Key archiving? Key destruction? Key management logging? Key loading? Is a key ring solution used? Is there a mechanism to enforce segregation of duties between key management roles and normal operational roles? Where are encryption keys stored: Server hard drive? Server memory? Diskette? CDs / DVD? Smart card? USB drive? Paper? Corporate workstation? Other (Please explain in the "Additional Information" column)? Where are encryption keys generated and managed: Software? Hardware? FIPS 140-compliant device? Can the same key/certificate be shared between production and non-production? Are digital certificates used? Is an external Certificate Authority used? Is an internal Certificate Authority used? Are certificates used for: Authentication? Encryption? Non-repudiation? Are default certificates provided by vendors replaced with proprietary certificates? Are symmetric keys used? Can an individual have access to both parts of a symmetric key? Is the encryption lifetime of symmetric keys a minimum of: One hour? One day? One week? One month? One year? Indefinitely? Are symmetric keys generated in at least two parts? If so, are parts stored on separate physical media? Are asymmetric keys used? Is the encryption lifetime of asymmetric keys a minimum of: One hour? One day? One week?

5.1.2 12.3.2 12.3.2.a 12.3.2.b 12.3.2.c 12.3.2.d 12.3.2.d 12.3.2.d 12.3.2.d 12.3.2.e 12.3.2.g 12.3.2.g 12.3.2.h 12.3.2.i 12.3.2.j 12.3.2.k N/A N/A 10.1.3 12.3.2.d N/A N/A N/A N/A N/A N/A N/A N/A N/A 12.3.2.a N/A N/A N/A 10.1.4.f 12.3.2.b 12.3.2 12.3.2 N/A 12.3.1.B 12.3.1.A 12.3.1.C 11.2.3.h N/A 12.3.2.A N/A N/A N/A N/A N/A N/A N/A 12.3.2.A 12.3.2.A N/A N/A N/A N/A N/A

Review Of The Information Security Policy Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management

Segregation Of Duties Key Management

Key Management

Separation Of Development, Test, And Operational Facilities Key Management Key Management Key Management Policy On The Use Of Cryptographic Controls Policy On The Use Of Cryptographic Controls Policy On The Use Of Cryptographic Controls User Password Management Key Management

Key Management Key Management


SIG Question # I.6.14.1.4 I.6.14.1.5 I.6.14.1.6 I.6.14.2 I.6.14.2.1 I.6.14.2.2 I.6.14.2.3 I.6.14.2.4

Question Text One month? One year? Indefinitely? What is the length of an asymmetric encryption key: 0 - 64? 65 - 128? 129 - 256? Greater than 256?

ISO 27002:2005 Relevance N/A N/A N/A N/A N/A N/A N/A N/A

COBIT 4.1 Relevance N/A N/A N/A N/A N/A N/A N/A N/A


Page 62 of


SIG Question # Question Text J. Incident Event and Communications Management Is there an Incident Management program? Is there a documented incident management policy? Has it been approved by management? Has the policy been published? Has it been communicated to all constituents? Is there a designated individual or group responsible for oversight and administration of the incident management program? Is there an Incident Response Plan (formal or informal)? Does the Incident Response Plan / Program include: A formal reporting procedure for any information security event(s)? An escalation procedure? A point of contact that is known throughout the organization and is always available? A requirement for all constituents to be made aware of their responsibility to report any information security event as quickly as possible? A feedback process to ensure that those reporting information security events are notified of results after the issue has been dealt with and closed? Event reporting forms to support the reporting action, and to list all necessary actions in case of an information security event? The correct behavior to be undertaken in case of an information security event? A formal disciplinary process for dealing with constituents or third party users who commit security breaches? Process for assessing and executing specific client and other third party notification requirements (legal, regulatory, and contractual)? Security weaknesses reporting? Identification of incident? Are there procedures to address the following:
Unauthorized physical access? Information system failure or loss of service? Malware activity (anti-virus, worms, Trojans)? Denial of service? Errors resulting from incomplete or inaccurate business data? Breach or loss of confidentiality? Suspected breach of confidentiality? System exploit? Unauthorized logical access? Unauthorized use of system resources? Analysis? Containment? Remediation? Notification of stakeholders? Tracking? Repair? Recovery?


J.1 J.1.1 J.1.1.1 J.1.1.2 J.1.1.3 J.1.1.4 J.2 J.2.1 J.2.1.1 J.2.1.2 J.2.1.3 J.2.1.4 J.2.1.5 J.2.1.6 J.2.1.7 J.2.1.8 J.2.1.9 J.2.1.10 J.2.1.11 J.2.2 J.2.2.1 J.2.2.2 J.2.2.3 J.2.2.4 J.2.2.5 J.2.2.6 J.2.2.7 J.2.2.8 J.2.2.9 J.2.2.10 J.2.2.11 J.2.2.12 J.2.2.13 J.2.2.14 J.2.2.15 J.2.2.16 J.2.2.17

N/A 13.1.1 13.1.1 13.1.1 13.1.1 13.1.1 13.1.1 N/A 13.1.1 13.1.1 13.1.1 13.1.1 13.1.1.a 13.1.1.b 13.1.1.c 13.1.1.d 13.1.1 13.1.2 N/A N/A 13.1.1 13.2.1.a.1 13.2.1.a.2 13.2.1.a.3 13.2.1.a.4 13.2.1.a.5 13.2.1.a.5 13.2.1.a.6 13.2.1.a.6 13.2.1.a.6 13.2.1.b.1 13.2.1.b.2 13.2.1.b.3 13.2.1.b.4 13.2.1.c 13.2.1.d 13.2.1.d

Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Security Weaknesses

N/A PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 N/A PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.5, DS5.6, DS5.7, DS8.2, DS8.3 N/A N/A PO9.3, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO5.4, AI4.4, DS8.4, DS8.5, DS10.1, DS10.2

Reporting Information Security Events Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Learning From Information Security Incidents Addressing security when dealing with customers Learning From Information Security Incidents Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events

J.2.2.18

Feedback and lessons learned?

13.2.2

J.2.2.19

Unique, specific, applicable data breach notification requirements, including timing of notification (e.g., HIPAA/HITECH, state breach laws, client contracts)? 6.2.2.e

PO6.2, DS5.4 PO5.4, AI4.4, DS8.4, DS8.5, DS10.1, DS10.2 N/A PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 N/A N/A N/A N/A PO9.3, DS5.6, DS8.2 N/A PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 N/A

J.2.3 J.2.4 J.2.4.1 J.2.4.2 J.2.4.3 J.2.4.4 J.2.4.5 J.2.4.6 J.2.4.7 J.2.4.8 J.2.4.9 J.2.4.10 J.2.4.11 J.2.4.12 J.2.5 J.2.5.1 J.2.5.2 J.2.5.3 J.2.5.4

Are the procedures tested at least annually? Are the following considered Information Security events: Loss of service, equipment or facilities? System malfunctions or overloads? Human errors? Non-compliances with policies or guidelines? Breaches of physical security arrangements? Uncontrolled system changes? Malfunctions of software or hardware? Access violations? Copyright infringement? Loss of equipment / media? Physical asset theft? Scan or probe? Is there an Incident / Event Response team with defined roles and responsibilities? Does this Response Team receive any incident-response related training or qualifications? Is this Response Team available 24x7x365? Is there a Response Team contact list or calling tree maintained? Does this Response Team have Legal and Media relations personnel assigned?

13.2.2 N/A 13.1.1.A 13.1.1.B 13.1.1.C 13.1.1.D 13.1.1.E 13.1.1.F 13.1.1.G 13.1.1.H N/A N/A N/A N/A 13.1.1 N/A 13.1.1 13.1.1 N/A

Reporting Information Security Events

Reporting Information Security Events Reporting Information Security Events


Page 63 of


SIG Question # Question Text J.2.6 Is documentation maintained on incidents / events (issues, notifications, outcomes, and remediation)? J.2.7 Are there documented procedures to collect and maintain a chain of custody for evidence during incident investigations?

ISO 27002:2005 Relevance 13.2.3 7.2.2 Collection Of Evidence Information labeling and handling

COBIT 4.1 Relevance AI2.3, DS5.6, DS5.7, DS8.2, DS8.3, DS8.4 N/A


Page 64 of


SIG Question # Question Text K. Business Continuity and Disaster Recovery K.1 K.1.1 Is there a Business Continuity/Disaster Recovery (BC/DR) program? Is there a documented policy for business continuity and disaster recovery? 14.1.4 N/A


Business Continuity Planning Framework

DS4.1, DS8.1, DS8.3 N/A PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO9.1, PO9.2, PO9.4, DS4.1, DS4.3 PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO9.1, PO9.2, PO9.4, DS4.1, DS4.3 PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 N/A N/A

K.1.2 K.1.2.1

Is there a Business Continuity plan? Has the Business Continuity plan been approved by management? Is there a designated individual or group responsible for oversight and administration of the business continuity plan?

5.1.1.d.3 14.1.2

Information security policy document Business Continuity And Risk Assessment Including Information Security In The Business Continuity Management Process

K.1.2.2

14.1.1.j

K.1.3 K.1.3.1

Is there a Disaster Recovery plan? Has the Disaster Recovery plan been approved by management? Is there a designated individual or group responsible for oversight and administration of the disaster recovery plan? Has an internal group evaluated the BC/DR Program within the past 12 months? Has an independent external third party evaluated the BC/DR Program within the past 12 months? Are there any business disruptions your organization anticipates would cause an exception to your current planned recovery strategies (e.g., "large scale regional flooding, large scale regional telecommunications failure affecting the internet", etc.)? Does the BC/DR plan include:

5.1.1.d.3 14.1.2

Information security policy document Business Continuity And Risk Assessment Including Information Security In The Business Continuity Management Process

K.1.3.2 K.1.4 K.1.5

14.1.1.j N/A N/A

K.1.6 K.1.7 K.1.7.1 K.1.7.2 K.1.7.3 K.1.7.4 K.1.7.5

14.1.2 N/A

Business Continuity And Risk Assessment Business Continuity Planning Framework Business Continuity Planning Framework Business Continuity Planning Framework Business Continuity Planning Framework

PO9.1, PO9.2, PO9.4, DS4.1, DS4.3 N/A DS4.1, DS8.1, DS8.3 DS4.1, DS8.1, DS8.3 DS4.1, DS8.1, DS8.3 DS4.1, DS8.1, DS8.3 N/A

Conditions for activating the plan? A maintenance schedule that specifies how and when the plan is to be revised and tested? Awareness and education activities? Roles and responsibilities describing who is responsible for executing all aspects of the plan? Change management to ensure changes are replicated to contingency environments? Identification of applications, equipment, facilities, personnel, supplies and vital records necessary for recovery? 14.1.4.a 14.1.4.f 14.1.4.g 14.1.4.h N/A

K.1.7.6

14.1.1.b

Including Information Security In The Business Continuity Management Process Including Information Security In The Business Continuity Management Process Business Continuity Planning Framework Developing And Implementing Continuity Plans Including Information Security

PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 DS4.1, DS8.1, DS8.3

K.1.7.7 K.1.7.8

Updates from the inventory of IT and telecom assets? Designated personnel and trained alternates with the capability, responsibility and authority to invoke the plan? Alternate and diverse means of communications if the event includes general power outages, land line and cell phone outages or overloads, etc.? Recovery site capacity? A documented process for media interaction during an event? Resumption procedures which describe the actions to be taken to return to normal business operations? Procedures for disaster declaration? Notification and escalation to clients?

14.1.1.b 14.1.4.h

K.1.7.9 K.1.7.10 K.1.7.11 K.1.7.12 K.1.7.13 K.1.7.14

14.1.3.c N/A N/A 14.1.4.e N/A N/A

DS4.2, DS4.8 N/A N/A DS4.1, DS8.1, DS8.3 N/A N/A

Business Continuity Planning Framework

K.1.7.15 K.1.7.15.1 K.1.7.15.2 K.1.7.15.2.1 K.1.7.15.2.2 K.1.7.15.2.3 K.1.7.15.2.4

Dependencies upon critical service provider(s)? Contact information for key personnel (and alternates) from critical service providers updated at least annually? Does that contact information include the following: Cell phone numbers? Office phone numbers? Off-hours phone numbers? Primary and where available, alternate email addresses? Notification and escalation to critical service provider(s)? Communications with the critical service provider(s) in the event of a disruption at any of their facilities? A process to ensure that the business continuity capabilities of critical service provider(s) are adequate to support the BC/DR plans either through contract requirements, SAS 70 reviews or both? A requirement for all critical service provider(s) to provide notification when their BCP is modified? Is a review of the plan conducted at least annually?

14.1.3.c 14.1.4.h N/A N/A N/A N/A N/A 14.1.4.b

Developing And Implementing Continuity Plans Including Information Security Business Continuity Planning Framework

DS4.2, DS4.8 DS4.1, DS8.1, DS8.3 N/A N/A N/A N/A N/A DS4.1, DS8.1, DS8.3

K.1.7.15.3

Business Continuity Planning Framework Developing And Implementing Continuity Plans Including Information Security Developing And Implementing Continuity Plans Including Information Security Developing And Implementing Continuity Plans Including Information Security

K.1.7.15.4

14.1.3.c

DS4.2, DS4.8

K.1.7.15.5

14.1.3.c

DS4.2, DS4.8

K.1.7.15.6 K.1.8

14.1.3 N/A

DS4.2, DS4.8 N/A


Page 65 of

SIG Question # Question Text K.1.8.1 Does the review consider the following changes:

ISO 27002:2005 Relevance N/A Testing, Maintaining And Re-Assessing Business Continuity Plans Testing, Maintaining And Re-Assessing Business Continuity Plans Testing, Maintaining And Re-Assessing Business Continuity Plans

COBIT 4.1 Relevance N/A PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A N/A N/A PO9.1, PO9.2, PO9.4, DS4.1, DS4.3

K.1.8.1.1

Critical functions?

14.1.5.E

K.1.8.1.2

Organizational structure?

14.1.5.G

K.1.8.1.3 K.1.8.1.4 K.1.8.1.5 K.1.8.1.6 K.1.9

Personnel? Physical environment? Regulatory requirements? Technology? Is the capacity at the recovery location reviewed on a regular basis to ensure that adequate capacity is available in the event of a disaster?

14.1.5.A N/A N/A N/A 14.1.2

Business Continuity And Risk Assessment Developing And Implementing Continuity Plans Including Information Security

K.1.10 K.1.11 K.1.12 K.1.13 K.1.14 K.1.14.1

Do you maintain copies of BC/DR plans at secure off-site locations? Are clients notified when a BC and/or DR test is performed? Are provisions made for the continuous replenishment of generator fuel from multiple vendors? Are clients provided contact information for use in emergencies? Is there a plan for a pandemic or mass absentee situation? Is the plan subject to review at least annually? Is there an individual or committee responsible for oversight of the pandemic readiness program? Are business functions prioritized to determine what services would continue during a pandemic? Does the plan include monitoring of pandemic situations elsewhere in the world? Does periodic testing include pandemic testing? Are critical service providers' pandemic plans verified to be in place? Does the Business Impact Analysis cover a pandemic situation? Does the plan include the following: Trigger point(s) for activating the plan based on the stage of the pandemic? Implementation of travel and visitor restrictions? Increased cleaning and disinfecting protocols? Pandemic-specific HR policies and procedures? Specific "Social Distancing" criteria / techniques, i.e., working from home? Personal protective equipment for constituents (e.g., face masks)? Special food handling procedures in cafeterias? Constituents' use of hand sanitizer? Seasonal flu vaccinations for constituents? Is a Business Impact Analysis conducted at least annually? Does the Business Impact Analysis address the following:
Business Process Criticality (high, medium, low or numerical rating) that distinguishes the relative importance of each process? Recovery Time Objective? Recovery Point Objective? Maximum allowable downtime? Costs associated with downtime? Impact to clients? Is a periodic review conducted on the BC program with management to consider the adequacy of resources (people, technology, facilities, and funding) to support the BC/DR program? Is there a virtual or physical command center where management can meet, organize, and conduct emergency operations in a secure setting? Is there a "backup command center" if the primary command center is not available?

14.1.3 N/A N/A N/A 14.1.2 N/A

DS4.2, DS4.8 N/A N/A N/A PO9.1, PO9.2, PO9.4, DS4.1, DS4.3 N/A PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 N/A N/A N/A N/A PO9.1, PO9.2, PO9.4, DS4.1, DS4.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A PO9.1, PO9.2, PO9.4, DS4.1, DS4.3 N/A PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 N/A N/A N/A N/A N/A

Business Continuity And Risk Assessment Including Information Security In The Business Continuity Management Process

K.1.14.2 K.1.14.3 K.1.14.4 K.1.14.5 K.1.14.6 K.1.14.7 K.1.14.8 K.1.14.8.1 K.1.14.8.2 K.1.14.8.3 K.1.14.8.4 K.1.14.8.5 K.1.14.8.6 K.1.14.8.7 K.1.14.8.8 K.1.14.8.9 K.1.15 K.1.15.1

14.1.1.j N/A N/A N/A N/A 14.1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 14.1.2 N/A

Business Continuity And Risk Assessment

Business Continuity And Risk Assessment Including Information Security In The Business Continuity Management Process

K.1.15.1.1 K.1.15.1.2 K.1.15.1.3 K.1.15.1.4 K.1.15.1.5 K.1.15.1.6

14.1.1.a N/A N/A N/A N/A N/A

K.1.16 K.1.17 K.1.17.1

N/A N/A N/A Testing, Maintaining And Re-Assessing Business Continuity Plans

N/A N/A N/A PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A N/A PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

K.1.18 K.1.18.1 K.1.18.1.1

Is there an annual schedule of required tests? Does the testing program include the following: Test objectives for a technology outage, loss of facility or personnel? Identification of all parties involved, including contractors and critical service provider(s)?

14.1.5 N/A N/A

K.1.18.1.2

14.1.5

Testing, Maintaining And Re-Assessing Business Continuity Plans Testing, Maintaining And Re-Assessing Business Continuity Plans Testing, Maintaining And Re-Assessing Business Continuity Plans

K.1.18.1.3

Recovery site tests?

14.1.5.d

K.1.18.1.4

Assessment of the ability to retrieve vital records?

14.1.5.c


Page 66 of


ISO 27002:2005 Relevance Testing, Maintaining And Re-Assessing Business Continuity Plans

COBIT 4.1 Relevance PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A N/A N/A PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A N/A PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A

K.1.18.1.5 K.1.18.2 K.1.18.2.1 K.1.18.2.2

Evaluation of testing results and remediation of deficiencies? Are the following performed during testing: Evacuation drills? Notification tests?

14.1.5 N/A N/A N/A

K.1.18.2.3 K.1.18.2.4 K.1.18.2.5

Tabletop exercises? Application recovery tests? Remote access tests?

14.1.5.a N/A N/A

Testing, Maintaining And Re-Assessing Business Continuity Plans

K.1.18.2.6

"Full scale" exercises?

14.1.5.f

Testing, Maintaining And Re-Assessing Business Continuity Plans Testing, Maintaining And Re-Assessing Business Continuity Plans Testing, Maintaining And Re-Assessing Business Continuity Plans Testing, Maintaining And Re-Assessing Business Continuity Plans Testing, Maintaining And Re-Assessing Business Continuity Plans

K.1.18.2.7

Business relocation tests?

14.1.5.e

K.1.18.2.8

Data Center Failover test?

14.1.5.e

K.1.18.2.9

Critical service provider(s)?

14.1.5.e

K.1.18.3 K.1.18.4

Are critical service provider(s) included in testing? Are clients involved in testing?

14.1.5.e N/A


Page 67 of


SIG Question # Question Text KA. Business Continuity and Disaster Recovery Product, Service or Application Does the product or service in question have an assured business continuity capability? 14.1.4 Is work from clients prioritized for support? N/A


KA.1 KA.1.1

Business Continuity Planning Framework Including information security in the business continuity management process Including information security in the business continuity management process

DS4.1, DS8.1, DS8.3 N/A PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 N/A N/A N/A N/A N/A N/A

KA.1.2

Is there a contingency plan if the primary recovery location is not available? Would any of the following events of a metropolitan or regional impact make the primary and alternate facilities simultaneously unusable? Transportation blockages? Weather (hurricane, tornado, typhoon, snow)? Chemical contamination? Biological hazards? Power vulnerabilities? Other (Please explain in the "Additional Information" column)? Does the recovery strategy assure the continued maintenance of the service level agreements? Is there a Recovery Time Objective (RTO) for this product, service or application? What is the RTO for the product, service or application provided?

14.1.1

KA.1.3 KA.1.3.1 KA.1.3.2 KA.1.3.3 KA.1.3.4 KA.1.3.5 KA.1.3.6

14.1.1.c N/A N/A N/A N/A N/A N/A

KA.1.4 KA.1.4.1 KA.1.4.1.1 KA.1.4.2 KA.1.4.2.1 KA.1.5

14.1.3 N/A N/A

Developing and implementing continuity plans including information security DS4.2, DS4.8 N/A N/A N/A N/A Business continuity planning framework DS4.1, DS8.1, DS8.3 Testing, maintaining and re-assessing business continuity plans Testing, maintaining and re-assessing business continuity plans PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A N/A Business continuity planning framework DS4.1, DS8.1, DS8.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Page 68 of

Is there a Recovery Point Objective (RPO) for this product, service or application? N/A What is the RPO for the product, service or application provided? N/A Are agreements in place with suppliers to provide additional equipment in the event of a disaster? 14.1.4.i

KA.1.6

Are BC/DR tests conducted at least annually?

14.1.5

KA.1.6.1 KA.1.6.2 KA.1.7 KA.1.8 KA.1.9 KA.1.9.1 KA.1.9.1.1 KA.1.9.1.2 KA.1.9.1.3 KA.1.9.1.4 KA.1.9.1.5 KA.1.10 KA.1.10.1 KA.1.10.2 KA.1.10.2.1 KA.1.10.2.2 KA.1.10.2.3 KA.1.10.3 KA.1.10.4 KA.1.10.5 KA.1.10.6 KA.1.10.7 KA.1.10.8 KA.1.10.9 KA.1.10.10 KA.1.10.10.1 KA.1.10.10.2 KA.1.11 KA.1.11.1 KA.1.11.1.1 KA.1.11.1.2 KA.1.11.2 KA.1.11.3 KA.1.11.4 KA.1.12

Are customers allowed to participate in BC/DR tests? Has anything been discovered as a result of testing that would impair your organization's ability to recover? Is a split production model in place where critical business functions are performed at geographically diverse locations in an active/active mode? Does the Business Continuity and/or Disaster Recovery plan address Customer notification when incidents occur? Do you provide your clients with detailed contact information for use in emergencies? Is the contact information updated/communicated: Weekly? Monthly? Quarterly? Semi-annually? Annually? Is an alternate data center used? Is the alternate data center a third party? Are recovery services: Shared? Dedicated? Both? What is the distance between the primary site and the alternate site? Does the alternate site(s) use a different power grid from the primary site? Does the alternate site(s) use a different telecommunications grid from the primary site? Are communications links with the alternate site(s) maintained and tested as part of the ongoing disaster recovery testing? Is the processing capacity of the alternate site capable of accepting full production? Are all systems at the primary site fully redundant at the alternate site(s)? Has all processing ever been transferred to the alternate site(s)? Does the alternate site contain and utilize the following: UPS? Generator? Is an alternate office location(s) used? Does the alternate office location(s) contain and utilize the following: UPS? Generator? Does the alternate office location(s) use a different power grid from the primary site? Does the alternate office location(s) use a different telecommunications grid from the primary site? Are communications links with alternate office location(s) maintained and tested as part of the ongoing disaster recovery testing? Are there provisions in place to recover work in progress at the time of an interruption?

14.1.5.f N/A N/A 14.1.4.b N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A


SIG Question # Question Text KA.1.13 KA.1.13.1 KA.1.13.1.1 KA.1.13.2 KA.1.13.3 KA.1.13.4 Are data and systems backups: Stored offsite? Is the offsite storage provided by a third party? Captured and taken offsite frequently enough to support the required recovery point objective (RPO)? Routinely verified to be sound for recovery purposes? Documented in procedures for ready access in an emergency? Are explicit instructions in the plan for the notification of all critical vendors, including all required account information (e.g., contract numbers, authorized representatives, etc.)? Are there explicit instructions in the plan for the notification and activation of the people responsible for recovery media and facilities? 10.5.1 N/A N/A N/A 10.5.1.f N/A

ISO 27002:2005 Relevance Information Back-Up

COBIT 4.1 Relevance DS4.9, DS11.2, DS11.5, DS11.6 N/A N/A N/A DS4.9, DS11.2, DS11.5, DS11.6 N/A PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A

Information Back-Up

KA.1.14 KA.1.15

14.1.5.e N/A

Testing, maintaining and re-assessing business continuity plans


Page 69 of


SIG Question # Question Text L. Compliance Are there regulatory bodies that supervise the company (Please list the regulatory bodies in the "Additional Information" column)? Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues? Are there requirements to comply with any legal, regulatory or industry requirements, etc. (Please list them in the "Additional Information" column)? Are audits performed to ensure compliance with any legal, regulatory or industry requirements? Is the CobiT process used to manage the controls on a life cycle basis? Are procedures implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material where intellectual property rights may be applied and on the use of proprietary software products? Do the procedures address the following: Software is acquired only through known and reputable sources, to ensure that copyright is not violated? Evidence of ownership of licenses, master disks, manuals, etc. is maintained? Controls are implemented to ensure that any maximum number of users permitted is not exceeded? Checks are carried out to verify that only authorized software and licensed products are installed? Are important records protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements? Is there a records retention policy? Does the records retention policy contain:
A retention schedule identifying records and the period of time for which they should be retained? An inventory of sources of key information? Controls implemented to protect records and information from loss, destruction, and falsification? Are encryption tools managed and maintained? Are cryptographic controls used in compliance with all relevant agreements, laws, and regulations? Is there a cryptographic compliance process or program? Does the cryptographic compliance process or program consider: Restrictions on import and/or export of computer hardware and software for performing cryptographic functions? Restrictions on import and/or export of computer hardware and software which is designed to have cryptographic functions added? Restrictions on the usage of encryption? Mandatory or discretionary methods of access by the countries' authorities to information encrypted by hardware or software to provide confidentiality of content? Does management regularly review the compliance of information processing within their area of responsibility with the appropriate security policies, standards, and any other security requirements? Is a SAS 70 Type II conducted at least annually?

ISO 27002:2005 Relevance

COBIT 4.1 Relevance

B.1

16.1.1

!dentification (f Applica0le Begislation

P('.95 +?-.1 P('.'5 P('.65 P('.,5 P('.95 P('.105 P(,.65 DS6.15 DS6.25 DS6.P('.95 +?-.1 12A 12A

B.1.1 B.2 B.2.1 B.-

,.1.2 16.1.1 12A 12A

!nfor%ation sec#rit$ co@ordination !dentification (f Applica0le Begislation

B.' B.'.1 B.'.1.1 B.'.1.2 B.'.1.B.'.1.'

16.1.2 12A 16.1.2.0 16.1.2.e 16.1.2.f 16.1.2.g

!ntellect#al Propert$ Rights 3!pr4

P('.9 12A P('.9 P('.9 P('.9 P('.9

!ntellect#al Propert$ Rights 3!pr4 !ntellect#al Propert$ Rights 3!pr4 !ntellect#al Propert$ Rights 3!pr4 !ntellect#al Propert$ Rights 3!pr4

B.'.1.6 B.6 B.6.1 B.6.1.1 B.6.1.2 B.6.1.B., B.,.1 B.,.2 B.,.B.,.-.1 B.,.-.2 B.,.-.-

16.1.16.1.12A 16.1.-.0 16.1.-.c 16.1.-.d 12A 16.1., 16.1., 12A 16.1.,.a 16.1.,.0 16.1.,.c

Protection (f (rganiEational Records Protection (f (rganiEational Records

P('.95 DS11.2 P('.95 DS11.2 12A P('.95 DS11.2 P('.95 DS11.2 P('.95 DS11.2 12A P('.95 DS6.9 P('.95 DS6.9 12A P('.95 DS6.9 P('.95 DS6.9 P('.95 DS6.9

Protection (f (rganiEational Records Protection (f (rganiEational Records Protection (f (rganiEational Records

Reg#lation (f Cr$ptographic Controls Reg#lation (f Cr$ptographic Controls

Reg#lation (f Cr$ptographic Controls Reg#lation (f Cr$ptographic Controls Reg#lation (f Cr$ptographic Controls

B.,.-.'

16.1.,.d

Reg#lation (f Cr$ptographic Controls

P('.95 DS6.9 P('.95 P(,.25 +?2.15 +?2.25 +?2.-5 +?2.'5 +?2.65 +?2.,5 +?2. 12A P('.95 P(,.25 +?2.15 +?2.25 +?2.-5 +?2.'5 +?2.65 +?2.,5 +?2. 12A 12A 12A 12A 12A 12A 12A P('.95 P(,.25 +?2.15 +?2.25 +?2.-5 +?2.'5 +?2.65 +?2.,5 +?2. 12A 12A 12A 12A 12A 12A 12A P('.95 P(,.25 +?2.15 +?2.25 +?2.-5 +?2.'5 +?2.65 +?2.,5 +?2. S!" to !nd#str$ Standard Relevance

B. B. .1

16.2.1 12A

Co%pliance >ith Sec#rit$ Policies And Standards

B. B. B. B. B. B. B. B.

.2 ..-.1 .-.2 .-..-.' .-.6 .-.,

/as an$ other t$pe of assess%ent or a#dit 0een perfor%ed& Do the a#dits or assess%ents incl#de the follo*ing. Privac$& !nfor%ation Sec#rit$& Disaster Recover$& (perations& Technolog$& (ther 3Please e:plain in the AAdditional !nfor%ationA col#%n4&

16.2.1 12A 12A 12A 12A 12A 12A 12A

Co%pliance >ith Sec#rit$ Policies And Standards

B. .-. B.9 B.9.1 B.9.2 B.9.2.1 B.9.2.2 B.9.2.B.9.2.'

Are there re%ediation plans for identified e:ceptions& Are there re=#ire%ents to co%pl$ *ith an$ S?C reg#lations& !s there a process to capt#re clear te:t %essages sent 0$ constit#ents *ho are s#0<ect to S?C reg#lations& !f so5 are the follo*ing addressed. ?%ail& !nstant +essaging& Paging& >e0%ail&

16.2.1 12A 12A 12A 12A 12A 12A 12A

Co%pliance >ith Sec#rit$ Policies And Standards

B.)

/as a revie* of sec#rit$ policies5 standards5 proced#res5 and2or g#idelines 0een perfor%ed *ithin the last 12 %onths&

16.2.1

Co%pliance >ith Sec#rit$ Policies And Standards


SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
L.9.1 | By whom: | N/A | N/A
L.9.1.1 | Internal audit? | N/A | N/A
L.9.1.2 | External audit? | N/A | N/A
L.9.1.3 | Compliance group? | N/A | N/A
L.9.2 | Did the scope of the review include: | N/A | N/A
L.9.2.1 | Information security? | N/A | N/A
L.9.2.2 | Business continuity? | N/A | N/A
L.9.2.3 | Disaster recovery? | N/A | N/A
L.9.2.4 | Physical security? | N/A | N/A
L.9.2.5 | Information systems? | N/A | N/A
L.9.2.6 | Human resources? | N/A | N/A
L.9.2.7 | Software development? | N/A | N/A
L.9.2.8 | Line of business operational procedures and standards? | N/A | N/A
L.9.2.9 | Information technology operational procedures and standards? | N/A | N/A
L.9.2.10 | Operational stability & availability of information (or information systems)? | N/A | N/A
L.10 | Are information systems regularly checked for compliance with security implementation standards? | 15.2.2 Technical compliance checking | DS5.5, DS5.7, ME2.5
L.10.1 | Has a network penetration test been conducted within the last 12 months? | 15.2.2 Technical compliance checking | DS5.5, DS5.7, ME2.5
L.11 | Is there an independent audit function within the organization? | 15.3.1 Information systems audit controls | AI2.3, DS5.5, ME2.5
L.11.1 | Are the constituents carrying out the audits independent of the activities audited? | 15.3.1.i Information systems audit controls | AI2.3, DS5.5, ME2.5
L.11.2 | Are information systems audit tools (e.g., software or data files) protected and separated from development and operational systems, and not held in tape libraries or user areas? | 15.3.2 Protection of information systems audit tools | AI2.3, AI2.4, DS5.7


P. Privacy

SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
MANAGEMENT AND ORGANIZATION
P.1 | Are there documented Privacy Policies for Target Privacy Data for each Data Subject Category handled? | N/A | N/A
P.1.1 | Are there documented Privacy Notices for Target Privacy Data for each Data Subject Category handled? | 15.1.4 Data protection and privacy of personal information | N/A
P.1.2 | Are there documented internal privacy procedures for the privacy program (including for Privacy Notices)? | N/A | N/A
P.2 | Is there an individual in the organization who is responsible for privacy? | N/A | N/A
P.2.1 | Has the organization's Privacy Policy been reviewed by an attorney qualified to practice in that jurisdiction or by external legal counsel? | N/A | N/A
P.3 | For all Third Party contracts, is standard language included for handling Target Privacy Data to ensure compliance with the organization's Privacy Policies, Privacy Notices, practices and Privacy Applicable Law? | N/A | N/A
P.3.1 | Are the following requirements included in all contracts with Third Parties that collect, store, access, use, share, transfer, protect, retain and retire Target Privacy Data: | N/A | N/A
P.3.1.1 | All parties to protect all Target Privacy Data and Protected Target Privacy Data? | N/A | N/A
P.3.1.2 | All parties to understand the flow of Target Privacy Data? | N/A | N/A
P.3.1.3 | All parties to process Target Privacy Data in accordance with the organization's documented instructions? | N/A | N/A
P.3.1.4 | All parties to collect or source only the minimum Target Privacy Data necessary? | N/A | N/A
P.3.1.5 | All parties to collect or source information by legal means? | N/A | N/A
P.3.1.6 | All parties to implement policies, procedures and safeguards consistent with the organization's privacy requirements for the collection, storage, use, access, sharing, transfer, retention and disposal of Target Privacy Data? | N/A | N/A
P.3.1.7 | All parties to notify the other organization of any potential breach affecting Target Privacy Data? | N/A | N/A
P.3.1.8 | All parties to notify the other of a Data Subject requesting access, correction, deletion, questioning or complaint? | N/A | N/A
P.3.1.9 | All parties to comply with Privacy Applicable Law, including countries with protective privacy laws that transcend the borders of their country or region (e.g., EU/EEA, Canadian, AR, AU, NZ, HK, JP and other onward transfer requirements for privacy of Target Privacy Data, such as APEC or various seal programs)? | N/A | N/A
P.3.1.10 | All parties to retain or delete Target Privacy Data at documented, designated points in time? | N/A | N/A
P.3.1.11 | All parties to retain Target Privacy Data within certain country/region boundaries, in accordance with the organization's documented instructions? | N/A | N/A
P.3.1.12 | All parties to protect the organization's employee Target Privacy Data? | N/A | N/A
P.3.1.13 | Contractually pass on "at least as stringent" privacy obligations to Third Parties? | N/A | N/A
P.3.1.14 | Prohibition on the sale of Target Privacy Data? | N/A | N/A
P.3.1.15 | All parties to defend and indemnify the organization for any losses that may arise from any disclosures or misuse of the Target Privacy Data due to the negligence or default of any Third Party sub-contractor? | N/A | N/A
P.4 | Is there a change management program in place for the organization's privacy program? | N/A | N/A
P.4.1 | Are the following updated when there is a change to Privacy Applicable Law, policy or business requirements: | N/A | N/A
P.4.1.1 | Documented Privacy Policies? | N/A | N/A
P.4.1.2 | Documented Privacy Notices? | N/A | N/A
P.4.1.3 | Procedures? | N/A | N/A
P.4.1.4 | Awareness training? | N/A | N/A
P.4.1.5 | Contracts with Third Parties? | N/A | N/A
REGULATIONS AND DATA FLOWS
P.5 | Have the required regulatory registration and permit processes for each Data Subject for each treatment strategy or use of Target Privacy Data been completed in accordance with Privacy Applicable Law, such as HR, Sales, Service, etc.? | N/A | N/A
P.6 | Where required, has the organization completed the works council and labor union review and/or approval of the relevant principles, Privacy Policies and Privacy Notices? | N/A | N/A
P.7 | Is the organization a Data Processor of Target Privacy Data from Data Subjects in the EU? | N/A | N/A
P.8 | Has the Target Privacy Data for each Data Subject Category handled been classified and documented for security purposes? | N/A | N/A
P.8.1 | Are documented security classifications for Target Privacy Data verified to meet all Privacy Applicable Laws of each country, including any cross border transfer requirements? | N/A | N/A
P.8.2 | Are there policies and procedures for handling Target Privacy Data outside of the country in which it was collected? | N/A | N/A
P.8.3 | Do the policies and procedures include appropriate safeguards to ensure compliance with Privacy Applicable Law, including cross border transfers of Target Privacy Data? | N/A | N/A


SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
P.9 | Is there a documented Data Flow of Target Privacy Data for each Data Subject Category for each jurisdiction? | N/A | N/A
P.9.1 | Does the Data Flow include the following attributes: | N/A | N/A
P.9.1.1 | Protected Target Privacy Data? | N/A | N/A
P.9.1.2 | Sources of Target Privacy Data? | N/A | N/A
P.9.1.3 | Data ownership? | N/A | N/A
P.9.1.4 | Data Controllership? | N/A | N/A
P.9.1.5 | Media types used for storage, access, processing, transport, retention, reporting, archiving and destruction? | N/A | N/A
P.9.1.6 | Storage location? | N/A | N/A
P.9.1.7 | Retention criteria? | N/A | N/A
P.9.1.8 | Destruction criteria? | N/A | N/A
P.9.1.9 | Overall purpose for collection and use? | N/A | N/A
P.9.1.10 | Who (role) uses the Target Privacy Data for what purposes? | N/A | N/A
P.9.1.11 | Who (role) receives the Target Privacy Data within the organization? | N/A | N/A
P.9.1.12 | Who (role) receives the Target Privacy Data outside the organization? | N/A | N/A
P.9.1.13 | What Target Privacy Data is transferred (including on media, in processing or on display) across borders (state or international)? | N/A | N/A
NOTICE
P.10 | Does the organization control/own the delivery of Privacy Notices to each Data Subject? | N/A | N/A
P.10.1 | Are there documented procedures for employees and Third Parties for delivery of Privacy Notices to Data Subjects as required by policy or Privacy Applicable Law? | N/A | N/A
P.10.2 | Do Privacy Notices permit or restrict the use or disclosure of Target Privacy Data to Third Parties for permitted purposes to provide the end services to the Data Subjects? | N/A | N/A
P.10.3 | Do the Privacy Notices contain the following key explanation sections, where required by Privacy or Security Applicable Law: | N/A | N/A
P.10.3.1 | Collection and use section? | N/A | N/A
P.10.3.2 | Protected Target Privacy Data section? | N/A | N/A
P.10.3.3 | Transfer and share section? | N/A | N/A
P.10.3.4 | Commitment to adequacy for cross border transfers (if applicable)? | N/A | N/A
P.10.3.5 | Security section? | N/A | N/A
P.10.3.6 | Access and correction section? | N/A | N/A
P.10.3.7 | Contact section? | N/A | N/A
P.10.3.8 | Do Privacy Notices give details of transfers to: | N/A | N/A
P.10.3.9 | Affiliates? | N/A | N/A
P.10.3.10 | Categories of Third Parties? | N/A | N/A
P.10.4 | Are there any transfer restrictions in the Privacy Notices that prevent flow to or from a jurisdiction? | N/A | N/A
P.10.5 | Are Privacy Notices delivered to Data Subjects prior to the disclosure of their Target Privacy Data to you? | N/A | N/A
P.10.6 | Are the Privacy Notices otherwise complied with? | N/A | N/A
CONSENTS
P.11 | For the Privacy Notices that your organization controls/owns, do they contain Notice Consent Language? | N/A | N/A
P.11.1 | Are there documented procedures for the organization's employees and Third Parties to ensure that Notice Consent Language is followed, as required by policy, practice or Privacy Applicable Law? | N/A | N/A
P.11.2 | Is there a process to allow a Data Subject to remove a consent from Notice Consent Language, if required by Privacy Applicable Law? | N/A | N/A
P.11.3 | Does the Notice Consent Language cover the collection, use and cross-border transfer of Target Privacy Data, in accordance with Privacy Applicable Laws? | N/A | N/A
P.11.4 | Are there any restrictions to consider? | N/A | N/A
PERMISSIONS
P.12 | Does the organization control/own and deliver Permissions to Data Subjects and also respect those Permissions? | N/A | N/A
P.12.1 | Are there documented procedures for the organization's employees and Third Parties to ensure that Permissions are delivered to Data Subjects and respected as required by policy, practice or Privacy Applicable Law? | N/A | N/A
DELIVER NOTICES, NOTICE CONSENT LANGUAGE OR PERMISSIONS ON BEHALF OF CLIENTS
P.13 | Does the organization deliver clients' Privacy Notices, Notice Consent Language, or Permissions to Data Subjects (i.e., the organization does not own/control the Privacy Notices, Notice Consent Language or Permissions)? | N/A | N/A
P.13.1 | Does the organization deliver Privacy Notices to Data Subjects on behalf of its clients (i.e., the organization does not own/control the Privacy Notice)? | N/A | N/A
P.13.1.1 | Are there documented procedures for the organization's employees and Third Parties to ensure that Privacy Notices are delivered to Data Subjects as required by your clients, in accordance with policy, practice or Privacy Applicable Law? | N/A | N/A
P.13.1.2 | Are Privacy Notices delivered to Data Subjects prior to the disclosure of their Target Privacy Data to you, as required by the clients? | N/A | N/A
P.13.2 | Is the client's Notice Consent Language delivered to Data Subjects (i.e., the organization does not own/control the Notice Consent Language)? | N/A | N/A
P.13.2.1 | Does the organization follow its client's procedures for delivering notices within the organization and pass those procedures on to Third Parties? | N/A | N/A


SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
P.13.3 | Are the client's Permissions delivered to Data Subjects and also respected (i.e., the organization does not own/control the Permissions)? | N/A | N/A
P.13.3.1 | Does the organization follow its client's procedures for delivering and respecting Permissions within the organization and pass those procedures on to Third Parties? | N/A | N/A
TARGET PRIVACY DATA COLLECTION, STORAGE, USE, SHARING, TRANSFER, PROTECTION, RETENTION AND RETIREMENT
P.14 | Does the organization or any of its Third Parties process Target Privacy Data in countries that require processing and protection for Target Privacy Data beyond their borders in accordance with Privacy Applicable Law? These countries include countries such as the EU/EEA, Argentina, Australia, Canada, Japan, Hong Kong and New Zealand. | N/A | N/A
P.14.1 | Does the organization or any of its Third Parties transfer (including access to, viewing of) Target Privacy Data outside these countries? | N/A | N/A
P.15 | Does the organization or any of its Third Parties process Target Privacy Data for countries that restrict certain Target Privacy Data from leaving the country (examples, not an all-inclusive list: the national ID number in Korea; personal information in general in Tunisia, as there is no data protection authority to process a request in accordance with Privacy Applicable Law; certain military personal information; certain personal information from Russia)? | N/A | N/A
COLLECTION, USE AND STORE
P.16 | Are there documented policies or procedures to ensure Target Privacy Data is only collected, stored and used for the purposes for which it was collected? | N/A | N/A
P.16.1 | Are there documented policies or procedures to ensure access to Target Privacy Data by employees and Third Party Service Providers is provided on a need-to-know basis and that Target Privacy Data is only used for the purpose for which it was collected? | N/A | N/A
P.16.2 | Are there documented procedures that require background, criminal, health or various types of screening of individuals who have access to Target Privacy Data (including credit, drug, medical or psychological tests), where permitted by local law? | N/A | N/A
P.16.3 | Are there documented procedures to ensure that all Data Subject screening and testing complies with Privacy Applicable Law and that any resulting Target Privacy Data is protected to a higher standard or is not received or stored? | N/A | N/A
P.16.4 | Are there written procedures to require employees and Third Parties to take special care and protect Protected Target Privacy Data? | N/A | N/A
P.16.5 | Are there written procedures to address compliance with Privacy Applicable Law concerning the retention of Target Privacy Data? | N/A | N/A
P.16.6 | Are there written procedures that address privacy related matters for the secure deletion of Target Privacy Data? | N/A | N/A
P.16.7 | Are there any issues resulting from compliance with Privacy Applicable Law or policy that are in conflict from a retention and deletion perspective, e.g., a pending request for discovery of documents in litigation vs. a document deletion regulation for Target Privacy Data? | N/A | N/A
ACCESS, CORRECTION, DELETION, COMPLAINTS AND QUESTIONS
P.17 | Are there written procedures to process Data Subjects' questions, complaints and requests to access, correct and delete their Target Privacy Data, if required? | N/A | N/A
P.17.1 | Are there written procedures to process data protection authorities'/regulators' complaints, if required? | N/A | N/A
P.18 | Are the number of questions, complaints, requests for access, correction and deletion, and their resolution from Data Subjects and data protection authorities/regulators tracked, if required? | N/A | N/A
P.18.1 | Is this information analyzed on at least an annual basis and the results used to establish a remediation plan to improve procedures? | N/A | N/A
P.18.2 | Have all questions, complaints and requests been addressed? | N/A | N/A
SHARE AND TRANSFER
P.19 | Are there documented procedures for employees and Third Party Service Providers that instruct them about sharing and cross border transfer of Target Privacy Data in accordance with Privacy Applicable Law, Privacy Policy, Privacy Notice and practice? | N/A | N/A
P.19.1 | Does the organization's Privacy Policy allow the sharing of Target Privacy Data with affiliated entities' Service Providers? | N/A | N/A
P.19.2 | Does the organization's Privacy Policy allow the sharing of Target Privacy Data with un-affiliated Third Parties for use? | N/A | N/A
SECURITY
P.20 | Are there appropriate administrative, physical and technical safeguards to protect Target Privacy Data in accordance with all Privacy Applicable Law, industry standards and policy to ensure appropriate handling throughout its lifecycle, including collecting, using, accessing, sharing, storing, transmitting, transferring, disposing of and destroying Target Privacy Data? | N/A | N/A
P.20.1 | Does the organization's information security program include formal procedures for identity and access management controls? | N/A | N/A
PRIVACY EVENT
P.21 | Are there documented procedures to notify Data Subjects whose Target Privacy Data has been breached, as required by policy, practice or Privacy Applicable Law? | N/A | N/A
QUALITY AND ACCURACY


SIG Question # | Question Text | ISO 27002:2005 Relevance | COBIT 4.1 Relevance
P.22 | Are there documented procedures to maintain the accuracy and currency of Target Privacy Data? | N/A | N/A
MONITOR AND ENFORCE
P.23 | Are there internal review procedures for compliance with Privacy Applicable Law, policy and practice, or Third Party review procedures for compliance with Privacy Applicable Law, policy and practice prior to establishing a business relationship? | N/A | N/A
P.23.1 | Are the organization's Privacy Policy and procedures reviewed at least annually to ensure compliance with Privacy Applicable Law and policy? | N/A | N/A
P.23.2 | Are the Third Parties (that will access Target Privacy Data) reviewed for compliance with Privacy Applicable Law and policy prior to establishing a business relationship? | N/A | N/A
P.23.3 | Are the Third Parties (that will have access to Target Privacy Data) reviewed regularly for compliance with Privacy Applicable Law and policy? | N/A | N/A
P.23.4 | Is there internal monitoring for compliance with Privacy Policies and procedures? | N/A | N/A
P.23.5 | Does the organization have a documented procedure that is risk-based and used when examining the control environments of your Third Parties? | N/A | N/A
P.23.6 | Are audits performed of the security program (i.e., compliance with established policies and procedures addressing data safeguards) to ensure Target Privacy Data is being protected? | N/A | N/A
P.23.7 | Are there documented actions for the organization's employees and its Third Parties that can be taken when Privacy Policies, procedures or other requirements have been violated? | N/A | N/A
P.23.8 | Have they been enforced? | N/A | N/A
P.24 | In the past 12 months have there been any regulatory or legal findings that are publicly available regarding privacy or data security related to your organization? | N/A | N/A
P.25 | Are the organization's employees and its Third Parties instructed to immediately notify the appropriate individual in the organization if or when Target Privacy Data (either encrypted or unencrypted) is, has been or is reasonably likely to have been lost, accessed by, used by or disclosed to unauthorized Third Parties? | N/A | N/A
TRAINING
P.26 | Is there formal privacy training for employees and Third Party Service Providers who may access and use Target Privacy Data? | N/A | N/A
P.26.1 | Does the training cover: | N/A | N/A
P.26.1.1 | Employee and Third Party equipment monitoring policies? | N/A | N/A
P.26.1.2 | Information classification? | N/A | N/A
P.26.1.3 | Flow guidelines? | N/A | N/A
P.26.1.4 | Personal use of Internet and corporate assets guidelines? | N/A | N/A
P.26.1.5 | Management of Target Privacy Data and organization proprietary information, including collection, storage, use, sharing, transfer, retention, protection and deletion? | N/A | N/A
P.26.1.6 | The data protection commitment made to each Data Subject, directing those as required to the supporting policies and procedures? | N/A | N/A
P.26.1.7 | Personal use of e-mail guidelines? | N/A | N/A
P.26.1.8 | Legal, regulatory and contractual responsibilities? | N/A | N/A
P.26.1.9 | Penalties for violations of Privacy Applicable Law or contractual obligations? | N/A | N/A
P.26.2 | At the completion of the training, are constituents required to complete and pass a test? | N/A | N/A
P.26.3 | Is there a process to identify content for the development of employee and Third Party privacy awareness training? | N/A | N/A
P.26.4 | Is on-boarding privacy training provided for all employees and Third Parties? | N/A | N/A
P.26.5 | Is privacy training provided annually for all employees and Third Parties? | N/A | N/A
P.26.6 | Are records maintained of privacy training, participation and testing? | N/A | N/A


ISO/IEC 27002 Classification | ISO Text | Key ISO/IEC 27002 Area | CobiT 4.1 Control Objectives | CobiT IT Processes
4.1 | Assessing security risks | 4.0 Risk assessment and treatment | PO9.4 Risk assessment | PO9 Manage IT risks
4.2 | Treating security risks | 4.0 Risk assessment and treatment | PO9.4 Risk assessment | PO9 Manage IT risks
5.1 | Information security policy | 5.0 Security policy | |
5.1.1 | Information security policy document | 5.0 Security policy | PO6.1 IT policy and control environment; PO6.2 Enterprise IT risk and control framework; PO6.3 IT policies management; PO6.5 Communication of IT objectives and direction; DS5.2 IT security plan; DS5.3 Identity management; ME2.1 Monitoring of internal control framework | PO6 Communicate management aims and direction; DS5 Ensure systems security; ME2 Monitor and evaluate internal control
5.1.2 | Review of the information security policy | 5.0 Security policy | PO3.1 Technological direction planning; PO5.3 IT budgeting; PO5.4 Cost management; PO6.3 IT policies management; PO9.4 Risk assessment; DS5.2 IT security plan; DS5.3 Identity management; ME2.2 Supervisory review; ME2.5 Assurance of internal control; ME2.7 Remedial actions; ME4.7 Independent assurance | PO3 Determine technological direction; PO5 Manage the IT investment; PO6 Communicate management aims and direction; PO9 Assess and manage IT risks; DS5 Ensure systems security; ME2 Monitor and evaluate internal control; ME4 Provide IT governance
6.1 | Internal organisation | 6.0 Organisation of information security | |
6.1.1 | Management commitment to information security | 6.0 Organisation of information security | PO3.3 Monitor future trends and regulations; PO3.5 IT architecture board; PO4.3 IT steering committee; PO4.4 Organisational placement of the IT function; PO4.5 IT organisational structure; PO4.8 Responsibility for risk, security and compliance; PO6.3 IT policies management; PO6.4 Policy, standard and procedures rollout; PO6.5 Communication of IT objectives and direction; DS5.1 Management of IT security | PO3 Determine technological direction; PO4 Define the IT processes, organisation and relationships; PO6 Communicate management aims and direction; DS5 Ensure systems security
6.1.2 | Information security co-ordination | 6.0 Organisation of information security | PO4.4 Organisational placement of the IT function; PO4.5 IT organisational structure; PO4.6 Establishment of roles and responsibilities; PO4.8 Responsibility for risk, security and compliance; PO4.10 Supervision; PO6.5 Communication of IT objectives and direction; DS5.1 Management of IT security; DS5.2 IT security plan; DS5.3 Identity management | PO4 Define the IT processes, organisation and relationships; PO6 Communicate management aims and direction; DS5 Ensure systems security
6.1.3 | Allocation of information security responsibilities | 6.0 Organisation of information security | PO4.4 Organisational placement of the IT function; PO4.6 Establishment of roles and responsibilities; PO4.8 Responsibility for risk, security and compliance; PO4.9 Data and system ownership; PO4.10 Supervision | PO4 Define the IT processes, organisation and relationships


COBIT to SIG Relevance

ISO/IEC 27002 Classification | ISO Text | Key ISO/IEC 27002 Area | CobiT 4.1 Control Objectives | CobiT IT Processes
6.1.4 | Authorisation process for information processing facilities | 6.0 Organisation of information security | PO4.3 IT steering committee; PO4.4 Organisational placement of the IT function; PO4.9 Data and system ownership; AI1.4 Requirements and feasibility decision and approval; AI2.4 Application security and availability; AI7.6 Testing of changes; DS5.7 Protection of security technology | PO4 Define the IT processes, organisation and relationships; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI7 Install and accredit solutions and changes; DS5 Ensure systems security
6.1.5 | Confidentiality agreements | 6.0 Organisation of information security | PO4.6 Establishment of roles and responsibilities; PO4.14 Contracted staff policies and procedures; PO8.3 Development and acquisition standards; AI5.1 Procurement control; AI5.2 Supplier contract management; DS5.2 IT security plan; DS5.3 Identity management; DS5.4 User account management | PO4 Define the IT processes, organisation and relationships; PO8 Manage quality; AI5 Procure IT resources; DS5 Ensure systems security
6.1.6 | Contact with authorities | 6.0 Organisation of information security | PO4.15 Relationships; DS4.1 IT continuity framework; DS4.2 IT continuity plans; ME3.1 Identification of external legal, regulatory, and contractual compliance requirements; ME3.3 Evaluation of compliance with external requirements; ME3.4 Positive assurance of compliance | PO4 Define the IT processes, organisation and relationships; DS4 Ensure continuous service; ME3 Ensure compliance with external requirements
6.1.7 | Contact with special interest groups | 6.0 Organisation of information security | PO4.15 Relationships; DS4.1 IT continuity framework; DS4.2 IT continuity plans | PO4 Define the IT processes, organisation and relationships; DS4 Ensure continuous service
6.1.8 | Independent review of information security | 6.0 Organisation of information security | PO6.4 Policy, standard and procedures rollout; DS5.5 Security testing, surveillance and monitoring; ME2.2 Supervisory review; ME2.5 Assurance of internal control; ME4.7 Independent assurance | PO6 Communicate management aims and direction; DS5 Ensure systems security; ME2 Monitor and evaluate internal control; ME4 Provide IT governance
6.2 | External parties | 6.0 Organisation of information security | |
6.2.1 | Identification of risks related to external parties | 6.0 Organisation of information security | PO4.14 Contracted staff policies and procedures; DS2.1 Identification of all supplier relationships; DS2.3 Supplier risk management; DS5.4 User account management; DS5.9 Malicious software prevention, detection and correction; DS5.11 Exchange of sensitive data; DS12.3 Physical access | PO4 Define the IT processes, organisation and relationships; DS2 Manage third-party services; DS5 Ensure systems security; DS12 Manage the physical environment
6.2.2 | Addressing security when dealing with customers | 6.0 Organisation of information security | PO6.2 Enterprise IT risk and control framework; DS5.4 User account management | PO6 Communicate management aims and direction; DS5 Ensure systems security
6.2.3 | Addressing security in third-party agreements | 6.0 Organisation of information security | PO4.14 Contracted staff policies and procedures; PO6.4 Policy, standard and procedures rollout; PO8.3 Development and acquisition standards; AI5.2 Supplier contract management; DS2.2 Supplier relationship management; DS2.3 Supplier risk management; DS2.4 Supplier performance monitoring; DS5.1 Management of IT security; ME2.6 Internal control at third parties | PO4 Define the IT processes, organisation and relationships; PO6 Communicate management aims and direction; PO8 Manage quality; AI5 Procure IT resources; DS2 Manage third-party services; DS5 Ensure systems security; ME2 Monitor and evaluate internal control
7.1 | Responsibility for assets | 7.0 Asset management | |
7.1.1 | Inventory of assets | 7.0 Asset management | PO2.2 Enterprise data dictionary and data syntax rules; DS9.2 Identification and maintenance of configuration items; DS9.3 Configuration integrity review | PO2 Define the information architecture; DS9 Manage the configuration
7.1.2 | Ownership of assets | 7.0 Asset management | PO4.9 Data and system ownership; DS9.2 Identification and maintenance of configuration items | PO4 Define the IT processes, organisation and relationships; DS9 Manage the configuration
7.1.3 | Acceptable use of assets | 7.0 Asset management | PO4.10 Supervision; PO6.2 Enterprise IT risk and control framework | PO4 Define the IT processes, organisation and relationships; PO6 Communicate management aims and direction
7.2 | Information classification | 7.0 Asset management | |
7.2.1 | Classification guidelines | 7.0 Asset management | PO2.3 Data classification scheme; AI2.4 Application security and availability | PO2 Define the information architecture; AI2 Acquire and maintain application software
7.2.2 | Information labelling and handling | 7.0 Asset management | DS9.1 Configuration repository and baseline | DS9 Manage the configuration
8.1 | Prior to employment | 8.0 Human resource security | |
8.1.1 | Roles and responsibilities | 8.0 Human resource security | PO4.6 Establishment of roles and responsibilities; PO4.8 Responsibility for risk, security and compliance; PO6.3 IT policies management; PO7.1 Personnel recruitment and retention; PO7.2 Personnel competencies; PO7.3 Staffing of roles; DS5.4 User account management | PO4 Define the IT processes, organisation and relationships; PO6 Communicate management aims and direction; PO7 Manage IT human resources; DS5 Ensure systems security
8.1.2 | Screening | 8.0 Human resource security | PO4.6 Establishment of roles and responsibilities; PO7.1 Personnel recruitment and retention; PO7.6 Personnel clearance procedures; DS2.3 Supplier risk management | PO4 Define the IT processes, organisation and relationships; PO7 Manage IT human resources; DS2 Manage third-party services
(continued on the next page) | | | Establishment of roles and responsibilities; Personnel recruitment and retention; Staffing of roles; Supplier risk management | PO4 Define the IT processes, organisation and relationships; PO7 Manage IT human resources; DS2 Manage third-party services

9.1.-

Ter%s and conditions of e%plo$%ent

P('., P( .1 P( .DS2.-

P(' P( DS2

9.2

D#ring e%plo$%ent Responsi0ilit$ for risk5 sec#rit$ and co%pliance S#pervision Define the !T processes5 organisation and relationships +anage !T h#%an reso#rces Page ,9 of C(7!T to S!" Relevance

9.2.1

+anage%ent responsi0ilities

P('.9 P('.10

P(' P(

Todos los Derechos Reservados Valores Corporativos Softtek S.A. de C.V. 2011. Confidencial.

!S(2!?C 2 002 Classifi@cations

!S( Te:t

Te$ !S(2!?C 2 002 Areas Te$ !S( Area

Co0iT '.1 Control (0<ectives Co0iT '.1 Te:t P( '.11 Segregation of d#ties P( .Staffing of roles ?sta0lish%ent of roles and responsi0ilities

Co0iT !T Processes Co0iT Process Te:t

9.2.2

!nfor%ation sec#rit$ a*areness5 ed#cation5 and training

P('.,

P('

Define the !T processes5 organisation and relationships Co%%#nicate %anage%ent ai%s and direction +anage !T h#%an reso#rces !dentif$ a#to%ated sol#tions !nstall and accredit sol#tions and change ?ns#re s$ste%s sec#rit$

P(,.2 P(,.' P( .2 P( .' P( .

?nterprise !T risk and control fra%e*ork P(, Polic$5 standard and proced#res rollo#t P( Personnel co%petencies Personnel training ?%plo$ee <o0 perfor%ance eval#ation Definition and %aintenance of 0#siness f#nctional and technical re=#ire%ents Training +anage%ent of !T sec#rit$ !T sec#rit$ plan !dentit$ %anage%ent !dentification of ed#cation and training needs Deliver$ of training and ed#cation Responsi0ilit$ for risk5 sec#rit$ and co%pliance Po0 change and ter%ination Sec#rit$ incident definition A!1 A! DS6

A!1.1 A! .1 DS6.1 DS6.2 DS6.DS .1 DS .2 /#%an reso#rce sec#rit$

DS

?d#cate and train #sers

9.2.-

Disciplinar$ process

9.0

P('.9 P( .9 DS6.,

P(' P( DS6

Define the !T processes5 organisation and relationships +anage !T h#%an reso#rces ?ns#re s$ste%s sec#rit$

9.9.-.1

Ter%ination or change of e%plo$%ent Ter%ination responsi0ilities P( .9 DS6.' Po0 change and ter%ination Cser acco#nt %anage%ent P( DS6 +anage !T h#%an reso#rces ?ns#re s$ste%s sec#rit$ Co%%#nicate %anage%ent ai%s and direction +anage !T h#%an reso#rces +anage !T h#%an reso#rces ?ns#re s$ste%s sec#rit$

9.-.2

Ret#rn of assets

P(,.2 P( .9

?nterprise !T risk and control fra%e*ork P(, Po0 change and ter%ination Po0 change and ter%ination Cser acco#nt %anage%ent P( P( DS6

9.-.-

Re%oval of access rights Ph$sical and environ%ental sec#rit$

P( .9 DS6.'

).1 ).1.1

Sec#re areas Ph$sical sec#rit$ peri%eter

).0

DS12.1 DS12.2 DS12.2 DS12.DS12.1 DS12.2 DS12.'

Site selection and la$o#t Ph$sical sec#rit$ %eas#res Ph$sical sec#rit$ %eas#res Ph$sical access Site selection and la$o#t Ph$sical sec#rit$ %eas#res Protection against environ%ental factors

DS12

+anage the ph$sical environ%ent +anage the ph$sical environ%ent +anage the ph$sical environ%ent

).1.2

Ph$sical entr$ controls

DS12

).1.-

Sec#rit$ offices5 roo%s and facilities Protecting against e:ternal and environ%ental threats

DS12

).1.'

).1.6

>orking in sec#re areas

P('.1'

Contracted staff policies and proced#res P(' ?nterprise !T risk and control fra%e*ork P(, !nfrastr#ct#re %aintenance Ph$sical access Protection of sec#rit$ technolog$ Site selection and la$o#t Ph$sical access Protection of sec#rit$ technolog$ Protection against environ%ental factors Protection against environ%ental factors A!DS12 DS6 DS12

Define the !T processes5 organisation and relationships Co%%#nicate %anage%ent ai%s and direction Ac=#ire and %aintain technolog$ infrastr#ct#re +anage the ph$sical environ%ent ?ns#re s$ste%s sec#rit$ +anage the ph$sical environ%ent

P(,.2 A!-.DS12.).1., P#0lic access5 deliver$ and loading areas DS6. DS12.1 DS12.).2 ).2.1 ?=#ip%ent sec#rit$ ).0 ?=#ip%ent sitting and protection DS6. DS12.' ).2.2 S#pporting #tilities DS12.'

DS6 DS12 DS12

?ns#re s$ste%s sec#rit$ +anage the ph$sical environ%ent +anage the ph$sical environ%ent Page ,) of C(7!T to S!" Relevance

Todos los Derechos Reservados Valores Corporativos Softtek S.A. de C.V. 2011. Confidencial.

!S(2!?C 2 002 Classifi@cations

!S( Te:t

Te$ !S(2!?C 2 002 Areas Te$ !S( Area

).2.-

Ca0ling sec#rit$

Co0iT '.1 Control (0<ectives Co0iT '.1 Te:t Ph$sical facilities DS12.6 %anage%ent Protection of sec#rit$ DS6. technolog$ Protection against DS12.' environ%ental factors A!-.DS12.6 DS1-.6 !nfrastr#ct#re %aintenance Ph$sical facilities %anage%ent Preventive %aintenance for hard*are

Co0iT !T Processes Co0iT Process Te:t

DS6 DS12 A!DS12 DS1-

).2.'

?=#ip%ent %aintenance

?ns#re s$ste%s sec#rit$ +anage the ph$sical environ%ent Ac=#ire and %aintain technolog$ infrastr#ct#re +anage the ph$sical environ%ent +anage operations Define the !T processes5 organisation and relationships +anage the ph$sical environ%ent +anage data Co%%#nicate %anage%ent ai%s and direction +anage the ph$sical environ%ent

).2.6

Sec#rit$ of e=#ip%ent off pre%ises

P('.) DS12.2 DS12.DS11.'

Data and s$ste% o*nership Ph$sical sec#rit$ %eas#res Ph$sical access Disposal

P(' DS12 DS11

).2.,

Sec#re disposal or re#se of e=#ip%ent

).2.

Re%oval of propert$

P(,.2 DS12.2 Co%%#nications and operations %anage%ent

?nterprise !T risk and control fra%e*ork P(, Ph$sical sec#rit$ %eas#res DS12

10.1

(perational proced#res and responsi0ilities 10.0

10.1.1

Doc#%ented operating proced#res

A!1.1 A!'.' DS1-.1

10.1.2

Change %anage%ent

A!,.1

Definition and %aintenance of 0#siness f#nctional and technical re=#ire%ents Tno*ledge transfer to operations and s#pport staff (perations5 proced#res and instr#ctions Change standards and proced#res !%pact assess%ent5 prioritisation and a#thorisation ?%ergenc$ changes Change stat#s tracking and reporting Change clos#re and doc#%entation

A!1 A!' DS1A!,

!dentif$ a#to%ated sol#tions ?na0le operation and #se +anage operations +anage changes

A!,.2 A!,.A!,.' A!,.6

10.1.-

Segregation of d#ties

P('.11 DS6.'

Segregation of d#ties Cser acco#nt %anage%ent

P(' DS6

Define the !T processes5 organisation and relationships ?ns#re s$ste%s sec#rit$ Define the !T processes5 organisation and relationships Ac=#ire and %aintain technolog$ infrastr#ct#re !nstall and accredit sol#tions and changes

10.1.'

Separation of develop%ent5 test and operational facilities

P('.11 A!-.' A! .'

Segregation of d#ties 8easi0ilit$ test environ%ent Test environ%ent

P(' A!A!

10.2

Third@part$ service deliver$ %anage%ent Co%%#nications and operations %anage%ent Service level %anage%ent fra%e*ork Definition of services Service level agree%ents S#pplier perfor%ance %onitoring +onitoring and reporting of service level achieve%ents S#pplier perfor%ance %onitoring Define and %anage service levels +anage third@part$ services

10.2.1

Service deliver$

10.0

DS1.1 DS1.2 DS1.DS2.'

DS1 DS2

10.2.2

+onitoring and revie* of third@part$ services

DS1.6 DS2.' +?2.,

DS1 DS2

Define and %anage service levels +anage third@part$ services +onitor and eval#ate internal control Define and %anage service levels +anage third@part$ services

10.2.-

+anaging changes to third@part$ services

DS1.6 DS2.2 DS2.-

!nternal control at third parties +?2 +onitoring and reporting of service level achieve%ents DS1 S#pplier relationship %anage%ent DS2 S#pplier risk %anage%ent Perfor%ance and capacit$ planning C#rrent perfor%ance and capacit$

10.10.-.1

S$ste%s planning and acceptance Capacit$ %anage%ent DS-.1 DS-.2 DS+anage perfor%ance and capacit$

Todos los Derechos Reservados Valores Corporativos Softtek S.A. de C.V. 2011. Confidencial.

Page 0 of

C(7!T to S!" Relevance

!S(2!?C 2 002 Classifi@cations

!S( Te:t

Te$ !S(2!?C 2 002 Areas Te$ !S( Area

Co0iT '.1 Control (0<ectives Co0iT '.1 Te:t 8#t#re perfor%ance and DS-.capacit$ P(-.' Technolog$ standards Definition and %aintenance of 0#siness f#nctional and technical re=#ire%ents Re=#ire%ents and feasi0ilit$ decision and approval Application sec#rit$ and availa0ilit$ Soft*are =#alit$ ass#rance Tno*ledge transfer to operations and s#pport staff 8inal acceptance test

Co0iT !T Processes Co0iT Process Te:t

10.-.2

S$ste%s acceptance

P(-

Deter%ine technological direction

A!1.1 A!1.' A!2.' A!2.9 A!'.' A! . 10.' Protection against %alicio#s and %o0ile code Co%%#nications and operations %anage%ent

A!1 A!2 A!' A!

!dentif$ a#to%ated sol#tions Ac=#ire and %aintain application soft*are ?na0le operation and #se !nstall and accredit sol#tions and changes

10.'.1

Controls against %alicio#s code

10.0

DS6.)

+alicio#s soft*are prevention detection and correction DS6 DS6 +alicio#s soft*are prevention detection and correction (ffsite 0ack#p storage Storage and retention arrange%ents 7ack#p and restoration Sec#rit$ re=#ire%ents for data %anage%ent DS' DS11

?ns#re s$ste%s sec#rit$ ?ns#re s$ste%s sec#rit$

10.'.2 10.6 10.6.1

Controls against %o0ile code 7ack#p !nfor%ation 0ack#p

DS6.) DS'.) DS11.2 DS11.6 DS11.,

?ns#re contin#o#s service +anage data

10.,

1et*ork sec#rit$ %anage%ent Define the !T processes5 organisation and relationships

10.,.1

1et*ork controls

P('.1

Segregation of d#ties +alicio#s soft*are5 prevention detection and correction ?:change of sensitive data Protection of sec#rit$ technolog$ +alicio#s soft*are prevention5 detection and correction ?:change of sensitive data

P('

DS6.) DS6.11 10.,.2 Sec#rit$ of net*ork services DS6.

DS6

?ns#re s$ste%s sec#rit$

DS6

?ns#re s$ste%s sec#rit$

DS6.) DS6.11 Co%%#nications and operations %anage%ent P(2.DS11.2 DS11.DS11.' 10. .2 Disposal of %edia DS11.DS11.'

10. 10. .1

+edia handling +anage%ent of re%ova0le %edia

10.0

Data classification sche%e Storage and retention arrange%ents +edia li0rar$ %anage%ent s$ste% Disposal +edia li0rar$ %anage%ent s$ste% Disposal ?nterprise !T risk and control fra%e*ork Sec#rit$ re=#ire%ents for data %anage%ent Tno*ledge of transfer to operations and s#pport staff Protection of sec#rit$ technolog$

P(2 DS11

Define the infor%ation architect#re +anage data

DS11

+anage data

10. .-

!nfor%ation handling proced#res

P(,.2 DS11.,

P(, DS11 A!' DS6

Co%%#nicate %anage%ent ai%s and direction +anage data ?na0le operation and #se ?ns#re s$ste%s sec#rit$

10. .'

Sec#rit$ of s$ste% doc#%entation

A!'.' DS6.

DS).2 DS).DS1-.1 10.9 ?:change of infor%ation !nfor%ation e:change policies and proced#res Co%%#nications and operations %anage%ent

!dentification and %aintenance of config#ration ite%s DS) Config#ration integrit$ revie* DS1(perations5 proced#res and instr#ctions

+anage the config#ration +anage operations

10.9.1

10.0

P(2.-

Data classification sche%e

P(2

Define the infor%ation architect#re

Todos los Derechos Reservados Valores Corporativos Softtek S.A. de C.V. 2011. Confidencial.

Page 1 of

C(7!T to S!" Relevance

!S(2!?C 2 002 Classifi@cations

!S( Te:t

Te$ !S(2!?C 2 002 Areas Te$ !S( Area

Co0iT '.1 Control (0<ectives Co0iT '.1 Te:t

Co0iT !T Processes Co0iT Process Te:t Co%%#nicate %anage%ent ai%s and direction +anage data Define the infor%ation architect#re Deter%ine technological direction Proc#re !T reso#rces +anage third@part$ services +anage data ?ns#re s$ste%s sec#rit$ +anage data +anage data

P(,.2 DS11.1 10.9.2 ?:change agree%ents P(2.P(-.' A!6.2 DS2.10.9.10.9.' Ph$sical %edia in transit ?lectronic %essaging DS11., DS6.9 DS11., 10.9.6 10.) 10.).1 7#siness infor%ation s$ste%s ?lectronic co%%erce services ?lectronic Co%%erce DS11.,

?nterprise !T risk and control P(, fra%e*ork 7#siness re=#ire%ents for data %anage%ent DS11 Data classification sche%e Technolog$ standards S#pplier contract %anage%ent S#pplier risk %anage%ent Sec#rit$ re=#ire%ents for data %anage%ent Cr$ptographic ke$ %anage%ent Sec#rit$ re=#ire%ents for data %anage%ent Sec#rit$ re=#ire%ents for data %anage%ent P(2 P(A!6 DS2 DS11 DS6 DS11 DS11

AC' AC, DS6.11

10.).2

(nline transactions

ACAC' AC6 AC,

10.).-

P#0licl$ availa0le infor%ation

P(,.2 P(,

Processing integrit$ and validit$ AC Transaction a#thentication and integrit$ DS6 ?:change of sensitive data Acc#rac$5 co%pleteness and a#thenticit$ checks AC Processing integrit$ and validit$ (#tp#t revie* reconciliation and error handling Transaction a#thentication and integrit$ ?nterprise !T risk and control fra%e*ork Co%%#nicate %anage%ent ai%s and direction Application control and a#dita0ilit$ Protection of sec#rit$ technolog$ Sec#rit$ testing5 s#rveillance and %onitoring Definition and collection of %onitoring data S#pervisor$ revie*

Application Controls ?ns#re s$ste%s sec#rit$

Application Controls

10.10 10.10.1

+onitoring A#dit logging A!2.DS6. A!2 DS6 DS6 +?1 +?2 Ac=#ire and %aintain application soft*are ?ns#re s$ste%s sec#rit$ ?ns#re s$ste%s sec#rit$ +onitor and eval#ate !T perfor%ance +onitor and eval#ate internal control Provide !T governance

10.10.2

+onitoring s$ste%s #se

DS 6.6 +?1.2 +?2.2 +?2.6 +?'.

10.10.-

Protection of log infor%ation

DS6.6 DS6. Co%%#nications and operations %anage%ent

Ass#rance of internal control +?' !ndependent ass#rance Sec#rit$ testing5 s#rveillance and %onitoring DS6 Protection of sec#rit$ technolog$ Sec#rit$ testing5 s#rveillance and %onitoring DS6 Protection of sec#rit$ technolog$ +?2 S#pervisor$ revie* Ass#rance of internal control Application control and a#dita0ilit$ Protection of sec#rit$ technolog$ Protection of sec#rit$ technolog$

?ns#re s$ste%s sec#rit$

10.10.'

Ad%inistrator and operator logs

10.0

DS6.6 DS6. +?2.2 +?2.6

?ns#re s$ste%s sec#rit$ +onitor and eval#ate internal control

10.10.6

8a#lt logging

A!2.DS6.

A!2 DS6 DS6

Ac=#ire and %aintain application soft*are ?ns#re s$ste%s sec#rit$ ?ns#re s$ste%s sec#rit$

10.10., 11.1 11.1.1

Clock s$nchronisation 7#siness re=#ire%ents for access control Access control polic$ 11.0 Access control

DS6.

P(2.2

?nterprise data dictionar$ and data s$nta: r#les

P(2

Define the infor%ation architect#re Co%%#nicate %anage%ent ai%s and direction ?ns#re s$ste%s sec#rit$

P(2.P(,.2 DS6.2 Todos los Derechos Reservados Valores Corporativos Softtek S.A. de C.V. 2011. Confidencial.

Data classification sche%e P(, ?nterprise !T risk and control fra%e*ork DS6 !T sec#rit$ plan

Page 2 of

C(7!T to S!" Relevance

!S(2!?C 2 002 Classifi@cations

!S( Te:t

Te$ !S(2!?C 2 002 Areas Te$ !S( Area

Co0iT '.1 Control (0<ectives Co0iT '.1 Te:t DS6.!dentit$ %anage%ent DS6.' Cser acco#nt %anage%ent DS6.' DS6.' DS6.DS6.' Cser acco#nt %anage%ent Cser acco#nt %anage%ent !dentit$ %anage%ent Cser acco#nt %anage%ent

Co0iT !T Processes Co0iT Process Te:t

11.2 11.2.1 11.2.2 11.2.11.2.' 11.-

Cser access %anage%ent Cser registration Privilege %anage%ent Cser pass*ord %anage%ent Revie* of #ser access rights Cser responsi0ilities

DS6 DS6 DS6 DS6

?ns#re s$ste%s sec#rit$ ?ns#re s$ste%s sec#rit$ ?ns#re s$ste%s sec#rit$ ?ns#re s$ste%s sec#rit$

11.-.1

Pass*ord #se

P(,.2 DS6.'

?nterprise !T risk and control fra%e*ork P(, Cser acco#nt %anage%ent DS6 ?nterprise !T risk and control fra%e*ork P(, Protection of sec#rit$ technolog$ DS6 ?nterprise !T risk and control fra%e*ork P(, Protection of sec#rit$ technolog$ DS6 +alicio#s soft*are prevention detection and correction DS6 +alicio#s soft*are prevention5 detection and correction ?:change of sensitive data +alicio#s soft*are prevention5 detection and correction ?:change of sensitive data Protection of sec#rit$ technolog$ +alicio#s soft*are prevention5 detection and correction ?:change of sensitive data

Co%%#nicate %anage%ent ai%s and direction ?ns#re s$ste%s sec#rit$ Co%%#nicate %anage%ent ai%s and direction ?ns#re s$ste%s sec#rit$ Co%%#nicate %anage%ent ai%s and direction ?ns#re s$ste%s sec#rit$

11.-.2

Cnattended #ser e=#ip%ent

P(,.2 DS6.

11.-.-

Clear@desk and clearscreen polic$

P(,.2 DS6.

11.'

1et*ork access control

11.0

Access control

DS6.)

?ns#re s$ste%s sec#rit$

11.'.1

Polic$ on #se of net*ork services

DS6.) DS6.11

DS6

?ns#re s$ste%s sec#rit$

11.'.2

Cser a#thentication for e:ternal connections

DS6.) DS6.11 DS6.

DS6

?ns#re s$ste%s sec#rit$

11.'.-

?=#ip%ent identification in net*orks

DS6

?ns#re s$ste%s sec#rit$

DS6.) DS6.11

DS)

+anage the config#ration

DS).2 11.'.' Re%ote diagnostic and config#ration port protection DS6.

!dentification and %aintenance of config#ration ite%s Protection of sec#rit$ technolog$ DS6 +alicio#s soft*are prevention5 detection and correction ?:change of sensitive data +alicio#s soft*are prevention5 detection and correction ?:change of sensitive data +alicio#s soft*are prevention5 detection and correction ?:change of sensitive data +alicio#s soft*are prevention5 detection and correction ?:change of sensitive data Cser acco#nt %anage%ent Protection of sec#rit$ technolog$ !dentit$ %anage%ent Cser acco#nt %anage%ent ?%ergenc$ changes Protection of sec#rit$ technolog$ Protection of sec#rit$ technolog$ Protection of sec#rit$ technolog$

?ns#re s$ste%s sec#rit$

DS6.) DS6.11

11.'.6

Segregation in net*orks

DS6.) DS6.11

DS6

?ns#re s$ste%s sec#rit$

11.'.,

1et*ork connection control

DS6.) DS6.11

DS6

?ns#re s$ste%s sec#rit$

11.'. 11.6 11.6.1

1et*ork ro#ting control (perating s$ste% access control Sec#re logon proced#res

DS6.) DS6.11 DS6.' DS6. DS6.DS6.' A!,.DS6.

DS6

?ns#re s$ste%s sec#rit$

DS6

?ns#re s$ste%s sec#rit$

11.6.2 11.6.11.6.'

Cser identification and a#thentication Pass*ord %anage%ent s$ste% Cse of s$ste% #tilities

11.0

Access control

DS6 DS6 A!, DS6 DS6 DS6

?ns#re s$ste%s sec#rit$ ?ns#re s$ste%s sec#rit$ +anage changes ?ns#re s$ste%s sec#rit$ ?ns#re s$ste%s sec#rit$ ?ns#re s$ste%s sec#rit$

11.6.6 11.6., 11., 11.,.1 11.,.2

Session ti%e@o#t Bi%itation of connection ti%e Application and infor%ation access control !nfor%ation access registration Sensitive s$ste% isolation

DS6. DS6.

DS6.' A!1.2 A!2.'

Cser acco#nt %anage%ent Risk anal$sis report Application sec#rit$ and availa0ilit$

DS6 A!1 A!2

?ns#re s$ste%s sec#rit$ !dentif$ a#to%ated sol#tions Ac=#ire and %aintain application soft*are

Todos los Derechos Reservados Valores Corporativos Softtek S.A. de C.V. 2011. Confidencial.

Page - of

C(7!T to S!" Relevance

!S(2!?C 2 002 Classifi@cations

!S( Te:t

Te$ !S(2!?C 2 002 Areas Te$ !S( Area

Co0iT '.1 Control (0<ectives Co0iT '.1 Te:t Protection of sec#rit$ DS6. technolog$ DS6.10 1et*ork sec#rit$ DS6.11 ?:change of sensitive data

Co0iT !T Processes Co0iT Process Te:t DS6 ?ns#re s$ste%s sec#rit$

11.

+o0ile co%p#ting and tele*orking ?nterprise !T risk and control fra%e*ork P(, !T sec#rit$ plan DS6 !dentit$ %anage%ent Protection of sec#rit$ technolog$ Technolog$ standards P(Co%%#nicate %anage%ent ai%s and direction ?ns#re s$ste%s sec#rit$

11. .1

+o0ile co%p#ting and co%%#nication

P(,.2 DS6.2 DS6.DS6.

11. .2

Tele*orking

P(-.'

Deter%ine technological direction Co%%#nicate %anage%ent ai%s and direction ?ns#re s$ste%s sec#rit$

P(,.2 DS6.2 DS6.DS6. !nfor%ation s$ste%s ac=#isition5 develop%ent and %aintenance A!1.2 A!2.' A!-.2 12.2 12.2.1 12.2.2 12.2.Correct processing in applications !np#t data validation Control of internal processing +essage integrit$ A!2.A!2.A!2.A!2.' DS6.9 12.2.' 12.(#tp#t data validation Cr$ptographic controls A!2.-

?nterprise !T risk and control fra%e*ork P(, !T sec#rit$ plan DS6 !dentit$ %anage%ent Protection of sec#rit$ technolog$

12.1 12.1.1

Sec#rit$ re=#ire%ents of infor%ation s$ste%s Sec#rit$ re=#ire%ents anal$sis and specification

12.0

Risk anal$sis report Application sec#rit$ and availa0ilit$ !nfrastr#ct#re reso#rce protection and availa0ilit$ Application control and a#dita0ilit$ Application control and a#dita0ilit$ Application control and a#dita0ilit$ Application sec#rit$ and availa0ilit$ Cr$ptographic ke$ %anage%ent Application control and a#dita0ilit$

A!1 A!2 A!-

!dentif$ a#to%ated sol#tions Ac=#ire and %aintain application soft*are Ac=#ire and %aintain technolog$ infrastr#ct#re Ac=#ire and %aintain application soft*are Ac=#ire and %aintain application soft*are Ac=#ire and %aintain application soft*are ?ns#re s$ste%s sec#rit$

A!2 A!2 A!2 DS6

A!2

Ac=#ire and %aintain application soft*are

12.-.1

Polic$ on #se of cr$ptographic controls

P(,.2 A!2.' DS6.9

12.-.2 12.' 12.'.1

Te$ %anage%ent Sec#rit$ of s$ste% files Control of operational soft*are

DS6.9

?nterprise !T risk and control fra%e*ork Application sec#rit$ and availa0ilit$ Cr$ptographic ke$ %anage%ent Cr$ptographic ke$ %anage%ent Protection of sec#rit$ technolog$ Config#ration repositor$ and 0aseline !nfrastr#ct#re %aintenance S#pplier perfor%ance %onitoring Config#ration repositor$ and 0aseline

P(, A!2 DS6 DS6

Co%%#nicate %anage%ent ai%s and direction Ac=#ire and %aintain application soft*are ?ns#re s$ste%s sec#rit$ ?ns#re s$ste%s sec#rit$

DS6. DS).1

DS6 DS) A!DS2 DS)

?ns#re s$ste%s sec#rit$ +anage the config#ration Ac=#ire and %aintain technolog$ infrastr#ct#re +anage third@part$ services +anage the config#ration

12.'.2

Protection of s$ste% test data

A!-.DS2.' DS).1

DS).2 DS11., 12.'.Access control to progra% data A!2.' A! .' A! ., DS11.DS11.,

!dentification and %aintenance of config#ration ite%s DS11 Sec#rit$ re=#ire%ents for data %anage%ent Application sec#rit$ and availa0ilit$ A!2 Test environ%ent Testing of changes +edia li0rar$ %anage%ent s$ste% Sec#rit$ re=#ire%ents for data %anage%ent A! DS11

+anage data

Ac=#ire and %aintain application soft*are !nstall and accredit sol#tions and change +anage data

Todos los Derechos Reservados Valores Corporativos Softtek S.A. de C.V. 2011. Confidencial.

Page ' of

C(7!T to S!" Relevance

!S(2!?C 2 002 Classifi@cations

!S( Te:t

Te$ !S(2!?C 2 002 Areas Te$ !S( Area !nfor%ation s$ste%s ac=#isition5 develop%ent and %aintenance

Co0iT '.1 Control (0<ectives Co0iT '.1 Te:t

Co0iT !T Processes Co0iT Process Te:t

12.6 12.6.1

Sec#rit$ develop%ent and s#pport processes Change control proced#res

12.0

A!2.,

+a<or #pgrades to e:isting s$ste%s !%pact assess%ent5 prioritisation and a#thorisation ?%ergenc$ changes Test plan Application sec#rit$ and availa0ilit$ !nfrastr#ct#re %aintenance Test plan Test environ%ent Testing of changes 8inal acceptance test Config#ration integrit$ revie*

A!2

Ac=#ire and %aintain application soft*are

A!,.2 A!,.A! .2 12.6.2 Technical revie* of applications after operating s$ste% changes A!2.' A!-.A! A! A! A! .2 .' ., .

A!, A!

+anage changes !nstall and accredit sol#tions and change Ac=#ire and %aintain application soft*are Ac=#ire and %aintain technolog$ infrastr#ct#re !nstall and accredit sol#tions and changes +anage the config#ration

A!2 A!A! DS)

DS).!nfor%ation s$ste%s ac=#isition5 develop%ent and %aintenance

12.6.-

Restrictions on changes to soft*are packages

12.0

A!2.6 A!,.1

Config#ration and i%ple%entation of ac=#ired application soft*are Change standards and proced#res !%pact assess%ent5 prioritisation and a#thorisation ?%ergenc$ changes

A!2 A!,

Ac=#ire and %aintain application soft*are +anage changes

A!,.2 A!,.-

DS)

+anage the config#ration

DS).2 12.6.' !nfor%ation leakage A!2.' A! . 12.6.6 (#tso#rced soft*are develop%ent P(9.A!2. A!6.2 DS2.' P(9 12., 12.,.1 Technical v#lnera0ilit$ %anage%ent Control of technical v#lnera0ilities A!-.-

!dentification and %aintenance of config#ration ite%s Application sec#rit$ and availa0ilit$ A!2 8inal acceptance test Develop%ent and ac=#isition standards Develop%ent of application soft*are S#pplier contract %anage%ent S#pplier perfor%ance %onitoring +anage =#alit$ A! A!2 A!6 DS2

Ac=#ire and %aintain application soft*are !nstall and accredit sol#tions and changes Ac=#ire and %aintain application soft*are Proc#re !T reso#rces +anage third@part$ services

!nfrastr#ct#re %aintenance

A!-

Ac=#ire and %aintain technolog$ infrastr#ct#re

A!,.2 A!,.DS6.6 DS6.

!%pact assess%ent5 prioritisation and a#thorisation A!, ?%ergenc$ changes DS6 Sec#rit$ testing5 s#rveillance and %onitoring DS) Protection of sec#rit$ technolog$ !dentification and %aintenance of config#ration ite%s

+anage changes ?ns#re s$ste%s sec#rit$ +anage the config#ration

DS).2 !nfor%ation sec#rit$ incident %anage%ent P().DS6., DS9.2 !nfor%ation sec#rit$ incident %anage%ent P().DS6.6 DS6.,

1-.1 1-.1.1

Reporting !S events and *eaknesses Reporting !S events

1-.0

?vent identification Sec#rit$ incident definition Registration of c#sto%er =#eries

P() DS6 DS9

Assess and %anage !T risks ?ns#re s$ste%s sec#rit$ +anage service desk and incidents

1-.1.2

Reporting !S *eaknesses

1-.0

?vent identification P() Sec#rit$ testing5 s#rveillance and %onitoring DS6 Sec#rit$ incident definition DS9

Assess and %anage !T risks ?ns#re s$ste%s sec#rit$ +anage service desk and incidents

Todos los Derechos Reservados Valores Corporativos Softtek S.A. de C.V. 2011. Confidencial.

Page 6 of

C(7!T to S!" Relevance

!S(2!?C 2 002 Classifi@cations

!S( Te:t

Te$ !S(2!?C 2 002 Areas Te$ !S( Area

Co0iT '.1 Control (0<ectives Co0iT '.1 Te:t Protection of sec#rit$ DS6. technolog$ Registration of c#sto%er DS9.2 =#eries DS9.!ncident escalation

Co0iT !T Processes Co0iT Process Te:t

1-.2

+anage%ent of !S incidents and i%prove%ents !T polic$ and control environ%ent Sec#rit$ incident definition Registration of c#sto%er =#eries Cost %anage%ent Tno*ledge transfer to operations and s#pport staff !ncident clos#re Reporting and trend anal$sis !dentification and classification of pro0le%s Pro0le% tracking and resol#tion Application control and a#dita0ilit$ Sec#rit$ incident definition Protection of sec#rit$ technolog$ Registration of c#sto%er =#eries !ncident escalation !ncident clos#re Co%%#nicate %anage%ent ai%s and direction ?ns#re s$ste%s sec#rit$ +anage service desk and incidents +anage the !T invest%ent ?na0le operation and #se +anage service desk and incidents +anage pro0le%s

1-.2.1

Responsi0ilities and proced#res

P(,.1 DS6., DS9.2 P(6.' A!'.' DS9.' DS9.6 DS10.1 DS10.2

P(, DS6 DS9 P(6 A!' DS9 DS10

1-.2.2

Bearning fro% !S incidents

1-.2.-

Collection of evidence

A!2.DS6., DS6. DS9.2 DS9.DS9.'

A!2 DS6 DS9

Ac=#ire and %aintain application soft*are ?ns#re s$ste%s sec#rit$ +anage service desk and incidents

1'.1 1'.0 1'.1.1

!ncl#ding !S in the 7CP process 7#siness contin#it$ %anage%ent !S in the 7CP %anage%ent process P(-.1 P().1 P().2 DS'.1 DS'.DS'.9 DS9.Technological direction planning !T risk %anage%ent fra%e*ork ?sta0lish%ent of risk conte:t !T contin#it$ fra%e*ork Critical !T reso#rces !T services recover$ and res#%ption !ncident escalation !T risk %anage%ent fra%e*ork ?sta0lish%ent of risk conte:t Risk assess%ent !T contin#it$ fra%e*ork Critical !T reso#rces !T contin#it$ plans !T services recover and res#%ption !T contin#it$ fra%e*ork Service desk !ncident escalation Technological direction planning +aintenance of the !T contin#it$ plan Testing of the !T contin#it$ plan !T contin#it$ plan training Distri0#tion of the !T contin#it$ plan Post@res#%ption revie* P(P() DS' DS9 Deter%ine technological direction Assess and %anage !T risks ?ns#re contin#o#s service +anage service desk and incidents

1'.1.2

7#siness contin#it$ and risk assess%ent

P().1 P().2 P().' DS'.1 DS'.-

P() DS'

Assess and %anage !T risks ?ns#re contin#o#s service

1'.1.-

Developing and i%ple%enting contin#it$ plans incl#ding !S

DS'.2 DS'.9 DS'.1 DS9.1 DS9.-

DS'

?ns#re contin#o#s service

1'.1.'

7CP fra%e*ork

DS' DS9

?ns#re contin#o#s service +anage service desk and incidents Deter%ine technological direction ?ns#re contin#o#s service

1'.1.6

Testing5 %aintaining and reassessing 7CP

P(-.1 DS'.' DS'.6 DS'., DS'. DS'.10 7#siness contin#it$ %anage%ent Co%pliance

P(DS'

1'.1.6 16.1

Testing5 %aintaining and re@assessing 7CP 1'.0 Co%pliance *ith legal re=#ire%ents 16.0

16.1.1

!dentification of applica0le legislation

P('.9

Responsi0ilit$ for risk5 sec#rit$ and co%pliance

P('

Define the !T processes5 organisation and relationships

Todos los Derechos Reservados Valores Corporativos Softtek S.A. de C.V. 2011. Confidencial.

Page , of

C(7!T to S!" Relevance

!S(2!?C 2 002 Classifi@cations

!S( Te:t

Te$ !S(2!?C 2 002 Areas Te$ !S( Area

Co0iT '.1 Control (0<ectives Co0iT '.1 Te:t !dentification of e:ternal legal5 reg#lator$5 and contract#al co%pliance re=#ire%ents Responsi0ilit$ for risk5 sec#rit$ and co%pliance Responsi0ilit$ for risk5 sec#rit$ and co%pliance Storage and retention arrange%ents ?sta0lish%ent of roles and responsi0ilities Responsi0ilit$ for risk5 sec#rit$ and co%pliance S#pplier relationship %anage%ent !dentification of e:ternal legal5 reg#lator$ and contract#al co%pliance re=#ire%ents ?val#ation of co%pliance *ith e:ternal re=#ire%ents Positive ass#rance of co%pliance

Co0iT !T Processes Co0iT Process Te:t

+?-.1

+?-

?ns#re co%pliance *ith e:ternal re=#ire%ents Define the !T processes5 organisation and relationships Define the !T processes5 organisation and relationships +anage data Define the !T processes5 organisation and relationships +anage third@part$ services ?ns#re co%pliance *ith e:ternal re=#ire%ents

16.1.2

!ntellect#al propert$ rights 3!PR4

P('.9

P('

16.1.-

Protection of organisational records

P('.9 DS11.2

P(' DS11

16.1.'

Data protection and privac$ of personal infor%ation

P('., P('.9 DS2.2

P(' DS2 +?-

+?-.1 +?-.+?-.' Prevention of %is#se of infor%ation processing facilities

16.1.6

16.0

Co%pliance

P('.1'

Contracted staff policies and proced#res P(' ?nterprise !T risk and control fra%e*ork P(, !dentification and %aintenance of config#ration ite%s DS) Config#ration integrit$ revie* Responsi0ilit$ for risk5 sec#rit$ and co%pliance Cr$ptographic ke$ %anage%ent

Define the !T processes5 organisation and relationships Co%%#nicate %anage%ent ai%s and direction

P(,.2

DS).2 DS).-

+anage the config#ration

16.1.,

Reg#lation of cr$ptographic controls

P('.9 DS6.9

P(' DS6

Define the !T processes5 organisation and relationships ?ns#re s$ste%s sec#rit$

16.2

Co%pliance *ith sec#rit$ policies and standards and technical co%pliance Co%pliance *ith sec#rit$ policies and standards Responsi0ilit$ for risk5 sec#rit$ and co%pliance Define the !T processes5 organisation and relationships Co%%#nicate %anage%ent ai%s and direction +onitor and eval#ate internal control

16.2.1

P('.9

P('

P(,.2 +?2.1 +?2.2 +?2.+?2.' +?2.6 +?2., +?2. 16.2.2 Technical co%pliance checking DS6.6 DS6. +?2.6 16.16.-.1 !nfor%ation s$ste%s a#dit considerations !S a#dit controls A!2.DS6.6 +?2.6 16.-.2 Protection of !S a#dit tools 16.0 Co%pliance A!2.A!2.' DS6.

?nterprise !T risk and control fra%e*ork P(, +onitoring of internal control fra%e*ork +?2 S#pervisor$ revie* Control e:ceptions Control selfassess%ent Ass#rance of internal control !nternal control at third parties Re%edial actions Sec#rit$ testing5 s#rveillance and %onitoring DS6 Protection of sec#rit$ technolog$ +?2 Ass#rance of internal control Application control and a#dita0ilit$ A!2 Sec#rit$ testing5 s#rveillance and %onitoring DS6 Ass#rance of internal control Application control and a#dita0ilit$ Application sec#rit$ and availa0ilit$ Protection of sec#rit$ technolog$ +?2 A!2 DS6

?ns#re s$ste%s sec#rit$ +onitor and eval#ate internal control

Ac=#ire and %aintain application soft*are ?ns#re s$ste%s sec#rit$ +onitor and eval#ate internal control Ac=#ire and %aintain application soft*are ?ns#re s$ste%s sec#rit$

Todos los Derechos Reservados Valores Corporativos Softtek S.A. de C.V. 2011. Confidencial.

Page

of

C(7!T to S!" Relevance
