ISO27001 Audit Checklist

Paladion Networks

ABOUT THIS DOCUMENT
This document contains the questions to be asked in a process audit. The controls
selected here are primarily from ISO27001 and Internal best practices.

VERSION CONTROL

Version   Author             Approved By
1.0       Shaheem Motlekar   Vinod Vasudevan
2.0       Abhishek Kumar     Firosh Ummer

Confidentiality Agreement: This document is to be used for internal
purpose of Paladion Networks only.

ISO27001 AUDIT QUESTIONNAIRE

Columns: # / Questions / Significance / Evidence
4 Information Security Management System

4.1 General Requirements
The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization’s overall business activities and the risks they face. For the purposes of this International Standard the process used is based on the PDCA model.
Questions:
1) Has the organization established and implemented, and is it operating, monitoring, reviewing, maintaining and improving, a documented ISMS within the context of the organization’s overall business activities and the risks it faces?
Significance: High

4.2 Establishing and managing the ISMS

4.2.1 Establish the ISMS

4.2.1 a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets, technology, and including details of and justification for any exclusions from the scope.
Questions:
1) Are the scope and boundaries of the ISMS defined and documented?
2) Does the scope take into consideration the characteristics of the business, the organization, its location, assets, technology, and include details of and justification for any exclusion from the scope?
Significance: High
Evidence: Scope document

4.2.1 b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that:
1) includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;
2) takes into account business and legal or regulatory requirements, and contractual security obligations;
3) aligns with the organization’s strategic risk management context in which the establishment and maintenance of the ISMS will take place;
4) establishes criteria against which risk will be evaluated; and
5) has been approved by management.
Questions:
1) Is the ISMS policy documented and approved by the management?
2) Does the ISMS policy include the following:
- a framework for setting objectives and an overall sense of direction and principles for action with regard to information security
- business and legal or regulatory requirements, and contractual security obligations
- the organization’s strategic risk management context in which the establishment and maintenance of the ISMS will take place
- criteria against which risk will be evaluated
Significance: High
Evidence: ISMS policy document

4.2.1 c) Define the risk assessment approach of the organization.
1) Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements.
2) Develop criteria for accepting risks and identify the acceptable levels of risk.
The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.
Questions:
1) Is the risk assessment approach of the organization defined and documented?
2) Are the criteria for accepting risks and identifying the acceptable levels of risk documented?
Significance: High
Evidence: Risk assessment methodology document

4.2.1 d) Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
Questions:
1) Is a risk assessment conducted to identify the risks for the scope of the ISMS?
2) Are all the assets within the scope of the ISMS identified along with their owners?
3) Are threats and vulnerabilities for all the assets identified?
4) Is the impact that losses of confidentiality, integrity and availability may have on the assets identified?
Significance: High
Evidence: Risk assessment report

4.2.1 e) Analyse and evaluate the risks.
1) Assess the business impact upon the organization that might result from a security failure, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.
2) Assess the realistic likelihood of such a security failure occurring in the light of prevailing threats and vulnerabilities, and impacts associated with these assets, and the controls currently implemented.
3) Estimate the levels of risks.
4) Determine whether the risk is acceptable or requires treatment using the risk acceptance criteria established in 4.2.1c)2).
Questions:
1) Is the business impact upon the organization that might result from a security failure assessed?
2) Is the realistic likelihood of a security failure occurring in the light of prevailing threats and vulnerabilities and the controls currently implemented assessed?
3) For all risks, is it decided whether the risk is acceptable or requires treatment?
Significance: High
Evidence: Risk assessment report

4.2.1 f) Identify and evaluate options for the treatment of risks.
Possible actions include:
1) applying appropriate controls;
2) knowingly and objectively accepting risks, providing they clearly satisfy the organization’s policies and the criteria for risk acceptance (see 4.2.1c)2));
3) avoiding risks; and
4) transferring the associated business risks to other parties, e.g. insurers, suppliers.
Questions:
1) Are options for the treatment of risks identified and evaluated?
2) Are there risks which are accepted, avoided or transferred? Is this done while satisfying the organization’s policies and the criteria for risk acceptance?
Evidence: Risk treatment plan

4.2.1 g) Select control objectives and controls for the treatment of risks.
Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for accepting risks (see 4.2.1c)) as well as legal, regulatory and contractual requirements.
The control objectives and controls from Annex A shall be selected as part of this process as suitable to cover these requirements. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may also be selected.
Questions:
1) Are control objectives and controls for the treatment of risks identified and implemented?
2) Is any control implemented which is not suggested by the ISO 27001 standard Annex A?
Evidence: Statement of applicability

4.2.1 h) Obtain management approval of the proposed residual risks.
Questions:
1) Is management approval of the proposed residual risks obtained?
Evidence: Management approval for residual risks

4.2.1 i) Obtain management authorization to implement and operate the ISMS.
Questions:
1) Is management authorization to implement and operate the ISMS obtained?
Evidence: Management approval for implementing & operating ISMS

4.2.1 j) Prepare a Statement of Applicability.
A Statement of Applicability shall be prepared that includes the following:
1) the control objectives and controls selected in 4.2.1g) and the reasons for their selection;
2) the control objectives and controls currently implemented (see 4.2.1e)2)); and
3) the exclusion of any control objectives and controls in Annex A and the justification for their exclusion.
Questions:
1) Is the Statement of Applicability documented?
2) Are the reasons for selection and exclusion of control objectives and controls included in the Statement of Applicability?
Significance: High
Evidence: Statement of Applicability

4.2.2 Implement and operate the ISMS

4.2.2 a) Formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks (see 5).
Questions:
1) Is a risk treatment plan formulated that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks?
Significance: High
Evidence: Risk treatment plan

4.2.2 b) Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities.
Questions:
1) Is the risk treatment plan implemented?
2) Are funds allocated for risk treatment activities?
3) Are roles and responsibilities defined for risk treatment activities?

4.2.2 c) Implement controls selected in 4.2.1g) to meet the control objectives.
Questions:
1) Are all controls identified during the risk treatment phase implemented?
Significance: High

4.2.2 d) Define how to measure the effectiveness of the selected controls or groups of controls and specify how these measurements are to be used to assess control effectiveness to produce comparable and reproducible results (see 4.2.3c)).
Questions:
1) Is the effectiveness of the selected controls or groups of controls measured?
Significance: High
Evidence: Metrics & effectiveness measurement methodology; Effectiveness measurement report

4.2.2 e) Implement training and awareness programmes (see 5.2.2).
Questions:
1) Are training and awareness programmes implemented?
Significance: High
Evidence: Training plan; Training material; Training records

4.2.2 f) Manage operations of the ISMS.
Questions:
1) Are all the operations within the ISMS managed?
Significance: High

4.2.2 g) Manage resources for the ISMS (see 5.2).
Questions:
1) Are all the resources required for the functioning of the ISMS managed?
Significance: High

4.2.2 h) Implement procedures and other controls capable of enabling prompt detection of and response to security incidents (see 4.2.3).
Questions:
1) Are procedures and other controls capable of enabling prompt detection of and response to security incidents implemented?
Significance: High
Evidence: Incident management policy & procedures; Incident management records

4.2.3 Monitor and review the ISMS

4.2.3 a) Execute monitoring and review procedures and other controls to:
1) promptly detect errors in the results of processing;
2) promptly identify attempted and successful security breaches and incidents;
3) enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected;
4) help detect security events and thereby prevent security incidents by the use of indicators; and
5) determine whether the actions taken to resolve a breach of security were effective.
Questions:
1) Are monitoring and review procedures implemented to:
- promptly detect errors in the results of processing
- promptly identify attempted and successful security breaches and incidents
- enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected
- help detect security events and thereby prevent security incidents by the use of indicators
- determine whether the actions taken to resolve a breach of security were effective
Significance: High
Evidence: Monitoring policy & procedures; Monitoring records

4.2.3 b) Undertake regular reviews of the effectiveness of the ISMS (including meeting ISMS policy and objectives, and review of security controls) taking into account results of security audits, incidents, effectiveness measurements, suggestions and feedback from all interested parties.
Questions:
1) Is the effectiveness of the ISMS regularly reviewed taking into account results of security audits, incidents, effectiveness measurements, suggestions and feedback from all interested parties?
Significance: High
Evidence: Minutes of meetings

4.2.3 c) Measure the effectiveness of controls to verify that security requirements have been met.
Questions:
1) Is control effectiveness measured to ensure that security requirements have been met?
Significance: High
Evidence: Metrics/Effectiveness measurement report

4.2.3 d) Review risk assessments at planned intervals and review the level of residual risk and identified acceptable risk, taking into account changes to:
1) the organization;
2) technology;
3) business objectives and processes;
4) identified threats;
5) effectiveness of the implemented controls; and
6) external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in social climate.
Questions:
1) Are risk assessments reviewed at planned intervals, including the level of residual risk and identified acceptable risk?
Significance: High
Evidence: Risk assessment report

4.2.3 e) Conduct internal ISMS audits at planned intervals.
Questions:
1) Are internal ISMS audits conducted at planned intervals?
Significance: High
Evidence: ISMS audit report

4.2.3 f) Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified (see 7.1).
Questions:
1) Is a management review of the ISMS carried out on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified?
Significance: High
Evidence: Review report; Minutes of meetings

4.2.3 g) Update security plans to take into account the findings of monitoring and reviewing activities.
Questions:
1) Are security plans updated taking into account the findings of monitoring and reviewing activities?
Significance: High

4.2.3 h) Record actions and events that could have an impact on the effectiveness or performance of the ISMS (see 4.3.3).
Questions:
1) Are actions and events that could have an impact on the effectiveness or performance of the ISMS recorded?
Significance: High

4.2.4 Maintain and improve the ISMS

4.2.4 a) Implement the identified improvements in the ISMS.
Questions:
1) Are identified improvements in the ISMS implemented?
Significance: High

4.2.4 b) Take appropriate corrective and preventive actions in accordance with 8.2 and 8.3. Apply the lessons learnt from the security experiences of other organizations and those of the organization itself.
Questions:
1) Are appropriate corrective and preventive actions implemented in response to security events?
Significance: High
Evidence: Incident management records

4.2.4 c) Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, as relevant, agree on how to proceed.
Questions:
1) Are the actions and improvements communicated to all interested parties?
Significance: High

4.2.4 d) Ensure that the improvements achieve their intended objectives.
Questions:
1) Do improvements achieve their intended objectives? How is this assessed?
Significance: High

4.3 Documentation requirements

4.3.1 General
Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.
It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.
The ISMS documentation shall include:
a) documented statements of the ISMS policy (see 4.2.1b)) and objectives;
b) the scope of the ISMS (see 4.2.1a));
c) procedures and controls in support of the ISMS;
d) a description of the risk assessment methodology (see 4.2.1c));
e) the risk assessment report (see 4.2.1c) to 4.2.1g));
f) the risk treatment plan (see 4.2.2b));
g) documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and describe how to measure the effectiveness of controls (see 4.2.3c));
h) records required by this International Standard (see 4.3.3); and
i) the Statement of Applicability.
Questions:
1) Is it possible to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives?
2) Are the following documented and approved?
- Records of management decisions
- ISMS policy
- Scope of the ISMS
- Procedures and controls in support of the ISMS
- Risk assessment methodology
- Risk assessment report
- Risk treatment plan
- How to measure the effectiveness of controls
- Statement of Applicability
Significance: High
Evidence: Records of management decisions; ISMS policy; Scope of the ISMS; Procedures and controls in support of the ISMS; Risk assessment methodology; Risk assessment report; Risk treatment plan; How to measure the effectiveness of controls; Statement of Applicability

4.3.2 Control of documents
Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions needed to:
a) approve documents for adequacy prior to issue;
b) review and update documents as necessary and re-approve documents;
c) ensure that changes and the current revision status of documents are identified;
d) ensure that relevant versions of applicable documents are available at points of use;
e) ensure that documents remain legible and readily identifiable;
f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification;
g) ensure that documents of external origin are identified;
h) ensure that the distribution of documents is controlled;
i) prevent the unintended use of obsolete documents; and
j) apply suitable identification to them if they are retained for any purpose.
Questions:
1) Are documents required by the ISMS adequately protected and controlled?
2) Is a documented procedure available that defines the management actions needed to:
- approve documents for adequacy prior to issue
- review and update documents as necessary and re-approve documents
- ensure that changes and the current revision status of documents are identified
- ensure that relevant versions of applicable documents are available at points of use
- ensure that documents remain legible and readily identifiable
- ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification
- ensure that documents of external origin are identified
- ensure that the distribution of documents is controlled
- prevent the unintended use of obsolete documents and apply suitable identification to them if they are retained for any purpose
Significance: High
Evidence: Document and record control procedure

4.3.3 Control of records
Records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS. They shall be protected and controlled. The ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented.
Records shall be kept of the performance of the process as outlined in 4.2 and of all occurrences of significant security incidents related to the ISMS.
Questions:
1) Are records established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS? How are records protected and controlled?
2) Are the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records documented and implemented?
3) Are records maintained to meet relevant legal or regulatory requirements and contractual obligations?
Significance: High
Evidence: Document and record control procedure; Records as required by ISO 27001

5 Management responsibility

b) ensuring that ISMS objectives and plans are established. and h) conducting management reviews of the ISMS (see 7). implement. review. monitor. f) deciding the criteria for accepting risks and for acceptable risk levels.2. monitoring. implement. d) communicating to the organization the importance of meeting information security objectives and conforming to the information security policy. its responsibilities under the law and the need for continual improvement . c) establishing roles and responsibilities for information security. operate.establishing roles and responsibilities for information security . maintenance and improvement of the ISMS by: a) establishing an ISMS policy.1 Management commitment Management shall provide evidence of its commitment to the establishment. objectives and plans . 15 . g) ensuring that internal ISMS audits are conducted (see 6). maintenance and improvement of the ISMS? 2) Are following actions carried out by the management. operation. 1) Is management committed to the establishment. monitoring.providing sufficient resources to establish.1). implementation. operation. review. review.communicating to the organization the importance of meeting information security objectives and conforming to the information security policy.# Questions Significance Evidence 5.establishing an ISMS policy. maintain and improve the ISMS (see 5. operate. its responsibilities under the law and the need for continual improvement. . Confidentiality Agreement: This document is to be used for internal purpose of Paladion Networks only. High e) providing sufficient resources to establish. implementation.

implement. operate. . e) carry out reviews when necessary. review.2. implement.deciding the criteria for accepting risks and for acceptable risk levels . and to react appropriately to the results of these reviews.1 Provision of resources The organization shall determine and provide the resources needed to: a) establish. monitor. c) identify and address legal and regulatory requirements and contractual security obligations. b) ensure that information security procedures support the business requirements. maintain and improve an ISMS .ensuring that internal ISMS audits are conducted .# Questions Significance Evidence monitor.2 Resource management 5.establish. maintain and improve the ISMS .ensure that information security procedures support the business requirements . and f) where required. 16 . operate. review.conducting management reviews of the ISMS 5. 1) Does the organization determine and provide the resources needed to. review. High d) maintain adequate security by correct application of all implemented controls.identify and address legal and regulatory requirements and Confidentiality Agreement: This document is to be used for internal purpose of Paladion Networks only. improve the effectiveness of the ISMS. monitor. maintain and improve an ISMS.

experience and Confidentiality Agreement: This document is to be used for internal purpose of Paladion Networks only. b) providing training or taking other actions (e. awareness and competence The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by: a) determining the necessary competencies for personnel performing work effecting the ISMS. 1) Are the necessary competencies for personnel performing work affecting the ISMS identified? 2) Is training provided to personnel? 3) Is the effectiveness of training provided evaluated? 4) Are records of education.2 Training.2.g.3). and Training plan High Training material Training records/ feedback d) maintaining records of education. experience and qualifications (see 4.maintain adequate security by correct application of all implemented controls . skills. employing competent personnel) to satisfy these needs. The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives. skills. training. 17 . and to react appropriately to the results of these reviews .3.# Questions Significance Evidence contractual security obligations .carry out reviews when necessary. training. c) evaluating the effectiveness of the actions taken. improve the effectiveness of the ISMS 5.where required.

3. and for reporting results and maintaining records (see 4. as well as the results of previous audits.conform to the requirements of this International Standard and relevant legislation or regulations Confidentiality Agreement: This document is to be used for internal purpose of Paladion Networks only. controls. 1) Are internal ISMS audits conducted at planned intervals? Does the audit verify that ISMS. The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. c) are effectively implemented and maintained. processes and procedures of its ISMS: a) conform to the requirements of this International Standard and relevant legislation or regulations. frequency and methods shall be defined.# Questions Significance Evidence qualifications maintained? 6 Internal ISMS audits The organization shall conduct internal ISMS audits at planned intervals to determine whether the control objectives. . taking into consideration the status and importance of the processes and areas to be audited. The audit criteria. 18 . scope. An audit program shall be planned. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8).3) shall be defined in a documented procedure. Auditors shall not audit their own work. Audit report High Audit plan Audit methodology Non compliance closure report The responsibilities and requirements for planning and conducting audits. b) conform to the identified information security requirements. and d) perform as expected. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process.

The results of the reviews shall be clearly documented and records shall be maintained (see 4.2 Review input High Review records/ Minutes of meetings High Review records/ Minutes of meetings The input to a management review shall include: a) results of ISMS audits and reviews.3). 19 . adequacy and effectiveness? 2) Are the results of the reviews clearly documented and records maintained? 7. Confidentiality Agreement: This document is to be used for internal purpose of Paladion Networks only. 1) Does the management review the organization’s ISMS at planned intervals (at least once a year) to ensure its continuing suitability. and for reporting results and maintaining records defined in a documented procedure? 3) Are follow-up activities conducted that include the verification of the actions taken and the reporting of verification results? 7 Management review of the ISMS 7. including the information security policy and information security objectives. adequacy and effectiveness. scope.perform as expected 2) Are the audit criteria.are effectively implemented and maintained .3.# Questions Significance Evidence .1 General Management shall review the organization’s ISMS at planned intervals (at least once a year) to ensure its continuing suitability. frequency and methods defined? Are the responsibilities and requirements for planning and conducting audits. This review shall include assessing opportunities for improvement and the need for changes to the ISMS.conform to the identified information security requirements .

which could be used in the organization to improve the ISMS performance and effectiveness. Does the input to the management review include the following? .vulnerabilities or threats not adequately addressed in the previous risk assessment . 20 .results of ISMS audits and reviews .follow-up actions from previous management reviews . e) vulnerabilities or threats not adequately addressed in the previous risk assessment. products or procedures.any changes that could affect the ISMS . d) status of preventive and corrective actions.results from effectiveness measurements . products or procedures.feedback from interested parties . which could be used in the organization to improve the ISMS performance and effectiveness. h) any changes that could affect the ISMS.techniques.3 Review output High Review records/ Minutes of meetings The output from the management review shall include any decisions and actions related to the following. and i) recommendations for improvement.# Questions Significance Evidence b) feedback from interested parties. a) Improvement of the effectiveness of the ISMS. f) results from effectiveness measurements. c) techniques. g) follow-up actions from previous management reviews.recommendations for improvement 7. Confidentiality Agreement: This document is to be used for internal purpose of Paladion Networks only.status of preventive and corrective actions . 1) .

d) Resource needs. to respond to internal or external events that may impact on the ISMS. 4) regulatory or legal requirements.Update of the risk assessment and risk treatment plan .regulatory or legal requirements --.contractual obligations Confidentiality Agreement: This document is to be used for internal purpose of Paladion Networks only. 2) security requirements.# Questions Significance Evidence b) Update of the risk assessment and risk treatment plan. e) Improvement to how the effectiveness of controls is being measured. as necessary.Improvement of the effectiveness of the ISMS . 5) contractual obligations. to respond to internal or external events that may impact on the ISMS. as necessary. including changes to: --. including changes to: 1) business requirements. c) Modification of procedures and controls that effect information security. 21 . and 6) levels of risk and/or risk acceptance criteria. 3) business processes effecting the existing business requirements.security requirements --.business processes effecting the existing business requirements --.business requirements --.Modification of procedures and controls that effect information security. 1) Does the output from the management review include decisions and actions related to the following? .

and Confidentiality Agreement: This document is to be used for internal purpose of Paladion Networks only. 1) High Does the organization continually improve the effectiveness of the ISMS through the use of the information security policy. d) determining and implementing the corrective action needed.3. information security objectives.1 Continual improvement The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy. audit results.Improvement to how the effectiveness of controls is being measured 8 ISMS improvement 8. corrective and preventive actions and management review (see 7). b) determining the causes of nonconformities.Resource needs .# Questions Significance Evidence --. The documented procedure for corrective action shall define requirements for: High Non compliance closure report Incident management records Corrective action procedure a) identifying nonconformities. c) evaluating the need for actions to ensure that nonconformities do not recur. corrective and preventive actions and management review? 8. information security objectives.2 Corrective action The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence. e) recording results of action taken (see 4. audit results. analysis of monitored events.levels of risk and/or risk acceptance criteria . 22 . analysis of monitored events.3).

f) reviewing of corrective action taken.

1) Does the organization take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence? Is the corrective action procedure documented?
2) Does it define requirements for the following?
   - identifying nonconformities
   - determining the causes of nonconformities
   - evaluating the need for actions to ensure that nonconformities do not recur
   - determining and implementing the corrective action needed
   - recording results of action taken
   - reviewing of corrective action taken

8.3 Preventive action
Significance: High
Evidence: Non compliance closure report; Incident management records; Preventive action procedure
The organization shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems. The documented procedure for preventive action shall define requirements for:
a) identifying potential nonconformities and their causes;
b) evaluating the need for action to prevent occurrence of nonconformities;
c) determining and implementing preventive action needed;
d) recording results of action taken (see 4.3.3); and
e) reviewing of preventive action taken.
The organization shall identify changed risks and identify preventive action requirements focusing attention on significantly changed risks. The priority of preventive actions shall be determined based on the results of the risk assessment.

1) Does the organization determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence? Is the preventive action procedure documented?
2) Does it define requirements for the following?
   - identifying potential nonconformities and their causes
   - evaluating the need for action to prevent occurrence of nonconformities
   - determining and implementing preventive action needed
   - recording results of action taken
   - reviewing of preventive action taken

A.5 Security policy
A.5.1 Information security policy

A.5.1.1 Information security policy document
Significance: High
Evidence: Security Policy; Documents referenced in the Policy
1) Is there a written policy document which is approved by the management?
2) Is the policy document available to all employees responsible for information security?
3) Does the policy contain a definition of information security, its overall objectives and scope, and its importance as an enabling mechanism for information sharing?
4) Does the policy contain a statement of management intention supporting the goals and principles of information security?
5) Does the policy contain a definition of general management responsibilities and specific Company responsibilities for all aspects of information security?
6) Does the policy contain an explanation of security policies, principles, standards and compliance requirements, including the following?
   - compliance with legislative, regulatory, and contractual requirements
   - security education, training, and awareness requirements
   - business continuity management
   - consequences of information security policy violations
7) Does the policy contain an explanation of the process for reporting of suspected security incidents?
8) Does the policy contain references to documentation which may support the policy?
9) How is the policy communicated to the users?

A.5.1.2 Review of the information security policy
Significance: Medium
Evidence: Last review date; Records of management review
1) Does the policy have a clear owner?
2) Is there a defined review process, including responsibilities and schedule for review?
3) Does the review embrace the effectiveness of the policy, changes to the organizational environment, business circumstances, legal conditions and technical environment?
4) Are the policy documents updated according to the defined schedule?
5) Is the revised policy approved by management?

A.6 Organization of information security
A.6.1 Internal organization
To manage information security within the organization.

A.6.1.1 Management commitment to information security
Significance: High
Evidence: Organization Chart; Documented information security roles and responsibilities; Minutes of the meeting of the Information Security Forum
1) Does a high level information security steering forum exist, to give management direction and support?
2) Are information security responsibilities explicitly assigned and acknowledged?
3) Are the following addressed by the information security steering forum?
   - Formulation, review and approval of the information security policy
   - Review of the effectiveness of the implementation of the information security policy
   - Identification of information security goals
   - Provisioning of resources required for information security

   - Review of security incidents
   - Approval of security initiatives
   - Approving assignment of specific roles and responsibilities for information security across the organization
   - Initiating plans and programs to maintain information security awareness
   - Ensuring that the implementation of information security controls is coordinated across the organization

A.6.1.2 Information security coordination
Significance: Medium
Evidence: Organization Chart; Minutes of meetings of the cross-functional committee; Information Security Policy; Asset inventory; Documented information security roles and responsibilities
1) Does a cross-functional committee exist to co-ordinate information security activities?
2) Are the following items addressed by the cross-functional committee?
   - Non compliances
   - Risk assessment and information classification and other procedures
   - Coordination and implementation of security controls
   - Security education, training and awareness

A.6.1.3 Allocation of information security responsibilities
Significance: High
1) Is ownership of information systems clearly defined and is security recognized as the responsibility of the "owner"?
2) Is responsibility for the protection of individual assets and the carrying out of security processes explicitly defined? Are asset owners aware of their responsibility towards the assets?

A.6.1.4 Authorization process for information processing facilities
Significance: High
Evidence: Documented authorization procedure; Evidence of authorization request and approval
1) Is there a well defined authorization process for the acquisition and use of any new information processing facility?
2) Is a feasibility study conducted to support the purpose and use of any new information processing facilities?
3) Are the following authorizations considered?
   - User management approval
   - Technical approval for hardware and software
   - Use of privately owned information processing facilities, e.g. laptops, home-computers or hand-held devices
4) Are specialist information security advisors (internal or external) consulted to ensure consistent and appropriate security decision making?

A.6.1.5 Confidentiality Agreements
Significance: High
Evidence: Sample agreements signed with employees and service providers
1) Are confidentiality agreements signed with employees and service providers?
2) Do confidentiality agreements address the following requirements?

   - a definition of the information to be protected
   - expected duration of an agreement
   - required actions when an agreement is terminated
   - responsibilities and actions of signatories to avoid unauthorized information disclosure
   - ownership of information, trade secrets and intellectual property
   - the permitted use of confidential information
   - the right to audit and monitor activities
   - expected actions to be taken in case of a breach of this agreement

A.6.1.6 Contact with authorities
Significance: Medium
Evidence: Procedure for contact with authorities; Sample report
1) Are there procedures in place that specify when and by whom authorities (e.g. law enforcement, fire department, supervisory authorities) should be contacted, and how identified information security incidents should be reported?

A.6.1.7 Contact with special interest groups
Significance: Medium
Evidence: Information received from special interest groups
1) Are contacts with special interest groups or other specialist security forums and professional associations maintained?
2) How is information received from special interest groups and acted upon?

A.6.1.8 Independent review of information security
Significance: High
Evidence: Audit report
1) Is the organization's approach to managing information security and its implementation reviewed by an independent party periodically?

A.6.2 External parties

A.6.2.1 Identification of risks from third party access
Significance: High
Evidence: Risk assessment report
1) Is a risk assessment carried out before providing external party access (logical and physical) to information processing facilities?
2) Does the risk assessment take into consideration the following aspects?
   - type of access
   - value and sensitivity of the information involved
   - controls necessary to protect information during storage, processing, communication, including authentication and authorization controls
   - terms and conditions for information security incidents
   - legal and regulatory requirements
3) Is access provided only after controls identified in the risk assessment have been implemented?
4) Is a contract and NDA signed with the external party before providing access? Are all security requirements mentioned in the contract/agreement?
5) Is access provided after approval from the concerned authorities? Is the application owner consulted prior to granting access?
6) Are access privileges provided on a need to know and need to do basis? Is there a check on the privileges granted to third party users?

7) Are third party personnel made aware of the organization's acceptable usage policy?

A.6.2.2 Addressing security when dealing with customers
Significance: Medium
1) Are all identified security requirements addressed before giving customers access to the organization's information or assets?
2) Are the following considered before giving customers access to the organization's information or assets?
   - asset protection
   - description of the product or service to be provided
   - access control policy
   - arrangements for reporting, notification, and investigation of information inaccuracies (e.g. of personal details) and information security incidents
   - the target level of service and unacceptable levels of service
   - the right to monitor, and revoke, any activity related to the organization's assets
   - the respective liabilities of the organization and the customer
   - responsibilities with respect to legal matters
   - intellectual property rights (IPRs) and copyright assignment

A.6.2.3 Addressing security in third party agreements
Significance: High
Evidence: Contract/Agreement/NDA Copy
1) Do the contracts with third parties include the following:
   - General policy on security
   - Asset protection
   - Service to be made available
   - Unacceptable levels of service
   - User training
   - Protection against malicious software
   - Right to audit contractual responsibilities
   - Defined change management
   - Physical protection controls and mechanisms
   - Legal responsibilities
   - Escalation process
   - Monitoring and reporting of performance
   - Liabilities
   - Security incident handling

A.7 Asset Management
A.7.1 Responsibility for assets

A.7.1.1 Inventory of assets
Significance: High
Evidence: Asset Inventory
1) Is an inventory of all information assets maintained?
2) Is the following information recorded in the inventory?
   - Asset type
   - location
   - owner
   - classification
   - business value
   - license information
   - backup information
   - Access methods

A.7.1.2 Ownership of assets
Significance: High
Evidence: Asset inventory

1) Are all information and assets associated with information processing facilities owned by a designated part of the organization?
2) Are owners responsible for the overall security of the assets?

A.7.1.3 Acceptable use of assets
Significance: Medium
Evidence: Acceptable usage policy; Information classification guideline; Asset register
1) Are rules for the acceptable use of information and assets associated with information processing facilities identified, documented, and implemented?
2) Are all employees, contractors and third party users required to follow the rules for the acceptable use of information and assets associated with information processing facilities?

A.7.2 Information Classification

A.7.2.1 Classification guidelines
Significance: High
1) Are information assets classified considering their business value, legal requirements, sensitivity, and criticality to the organization?
2) Who defines the classification of an information asset? Is information classification reviewed periodically?

A.7.2.2 Information labeling and handling
Significance: Medium
Evidence: Information labeling and handling procedure; Labels on existing assets
1) Is there a well defined procedure for information labeling and handling in accordance with the organization's classification scheme?
2) Are the following labeled with the appropriate classification(s)?
   - Printed Reports
   - Screen Displays
   - Magnetic Media
   - Electronic Messages
   - File Transfers
3) Is classified information labeled?
4) Are secure processing, storage, transmission, declassification, and destruction covered by appropriate information handling procedures? Is chain of custody and logging of any security relevant event also maintained?

A.8 Human resources security
A.8.1 Prior to employment

A.8.1.1 Roles and responsibilities
Significance: High
Evidence: Employee contract or equivalent document
1) Do all job descriptions define relevant security responsibilities?
2) Are security responsibilities documented?
3) Are security responsibilities communicated to job candidates during the pre-employment process?

A.8.1.2 Screening
Significance: High
Evidence: Documented recruitment procedure/guidelines; Records of verification for a sample set of recruitment
1) Are applications for employment screened if the job involves access to information processing facilities?
2) Are at least two satisfactory character references, one business and one personal, taken up before making a job offer?
3) Is a check for completeness and accuracy of the applicant's curriculum vitae carried out?
4) Are the following checks carried out on applications for employment involving access to Company IT facilities handling sensitive information?
   - Academic qualification
   - Independent identification check, e.g. passport or similar document
   - Credit check
   - Background check
   - Check for criminal record
5) Is a similar screening process carried out for contractors and temporary staff (either directly or through a mandate in the contract with the supplying agency)?
6) Do verification checks take into account all relevant privacy, protection of personal data and/or employment based legislation?

A.8.1.3 Terms and conditions of employment
Significance: High
Evidence: Employee contract or equivalent document
1) Are the employee's responsibilities for information security stated in the terms and conditions of employment?
2) Are the employee's legal responsibilities and rights included in the terms and conditions of employment?
3) Do the terms and conditions of employment state that all employees, contractors and third party users should sign a confidentiality agreement or NDA prior to access to information processing facilities?
4) Do the terms and conditions of employment include the responsibilities of the organization for the handling of personal information, including the personal information created as a result of, or in the course of, employment with the organization?
5) Do they include the responsibilities that are extended outside the organization's premises and outside normal working hours, e.g. home-working?
6) Do they include the actions to be taken if the employee, contractor or third party user disregards the organization's security requirements?

A.8.2 During employment

A.8.2.1 Management responsibilities
Significance: Medium
Evidence: Training plan and schedule; Training material
1) Does the management responsibility include ensuring that employees, contractors and third party users:
   - are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information
   - are provided with guidelines to state security expectations of their role within the organization

   - conform to the terms and conditions of employment
   - continue to have the appropriate skills and qualifications
2) Are all users given adequate security education and technical training?
3) Does the education and training include Company policies and procedures as well as the correct use of IT facilities, before access to IT services is granted?
4) Is security training repeated at regular intervals for all staff?

A.8.2.2 Information security awareness, education, and training
Significance: Medium
Evidence: Training plan and schedule; Training material
1) To be done
2) Are employees specifically made aware of "social engineering" risks?
3) Does security training and awareness include a testing component?
4) Are resources available for employees on information-security training (e.g. website for security and security issues, brochures, etc.)?
5) For job functions designated in the escalation line for incident response, are staff fully aware of their responsibilities and involved in testing those plans?
6) For job functions designated in the escalation line for disaster recovery plans, are staff fully aware of their responsibilities and involved in testing those plans?
7) How is the effectiveness of the training tested?

A.8.2.3 Disciplinary process
Significance: Medium
Evidence: Disciplinary procedure
1) Is there a formal disciplinary process for dealing with employees who have allegedly violated Company security policies and procedures?

A.8.3 Termination or change of employment

A.8.3.1 Termination responsibilities
Significance: High
Evidence: Employment termination procedure
1) Are the responsibilities for performing employment termination or change of employment clearly defined and assigned?
2) Do the Terms and Conditions of employment and the Confidentiality Agreement incorporate the termination responsibilities, including the ongoing security/legal responsibilities for a specific defined period of time?

A.8.3.2 Return of assets
Significance: High
Evidence: Sample employee termination forms
1) Is there a process defined for exiting employees, contractors and third party users to return all of the organization's assets in their possession upon termination of their employment/contract?

A.8.3.3 Removal of access rights
Significance: High
Evidence: Sample employee termination forms
1) What are the procedures for removal of access rights (physical and logical access, keys, identification cards etc.) of employees leaving the organization? Are these procedures documented?

A.9 Physical and Environmental Security
A.9.1 Secure areas

A.9.1.1 Physical Security Perimeter
Significance: High
Evidence: Physical Security policy; Manned reception; Perimeter wall/fence etc.
1) Is the security perimeter for IT facilities supporting critical or sensitive business activities clearly defined?
2) Is the security perimeter physically sound?
3) Is there a manned reception area or equivalent to control physical access?
4) Are all fire doors on a security perimeter alarmed?

A.9.1.2 Physical Entry Controls
Significance: High
Evidence: Visitor register; Access card; Access request forms
1) Is the date and time of entry and departure recorded for all visitors?
2) Are visitors briefed on the security requirements and on emergency procedures?
3) Are authentication controls (card and PIN) used to authorize all access to information processing facilities? Is access logged?
4) Are all personnel required to wear some visible identification?
5) Is the identification card for contractors, visitors or temporary employees physically different from that of regular employees?
6) Are access rights to secure areas regularly reviewed and updated?
7) Do access requests require written approval of the site owner?

A.9.1.3 Securing offices, rooms and facilities
Significance: Medium
Evidence: Applicable health and safety regulations and standards; Physical Security policy
1) Are relevant health and safety regulations and standards considered for offices, rooms and facilities?
2) Do secure areas give minimum indication of their purpose?
3) Are the secure areas locked when unattended?
4) Are the locations of the sensitive information processing facilities readily accessible to the public?
5) Is there an alerting mechanism if there is a deviation in the operating environment?
6) Is there a fallback procedure when physical access control is down or has failed? Are the security personnel aware of the procedure?
7) Is an alarm system installed to warn against unauthorized access or prolonged open status of access doors?

A.9.1.4 Protecting against external and environmental threats
Significance: High
Evidence: Fire fighting equipment; Location and storage arrangement of backup media; Fireproofing arrangements; Air conditioning equipment

1) Are hazardous or combustible materials stored securely or at a safe distance from the secure area?
2) Are fallback equipment and back-up media located at a safe distance so as to avoid damage from a disaster at the main site?
3) Is environmental protection equipment (fire suppression, fireproofing, heat/air conditioning, water flooding, power supply) installed, tested and monitored?
4) Is physical protection against damage from flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster designed and applied?

A.9.1.5 Working in Secure Areas
Significance: Medium
Evidence: Location of building; CCTV records; Visitor register; Access cards; Manned security
1) Are personnel aware of the existence of, or activities within, a secure area on a need to know basis?
2) Is working in secure areas supervised?
3) Are vacant secure areas physically locked and checked periodically?
4) Is access to secure areas or information processing facilities for third party personnel authorized and monitored?
5) Is any recording equipment (e.g. photographic) allowed within a secure area?
6) Have executives and administrative personnel been trained in fire fighting techniques?
7) Are periodic fire drills practiced? What is the frequency?

A.9.1.6 Public access, delivery and loading areas
Significance: Medium
Evidence: Material movement register; Materials Forms
1) Is access to a holding area from outside the building restricted to identified and authorized personnel?
2) Is the holding area separated from the other parts of the building?
3) Are the materials inspected for potential hazards before being used?
4) Are incoming materials registered in accordance with asset management procedures?

A.9.2 Control objective: Equipment security

A.9.2.1 Equipment Siting and Protection
Significance: Medium
1) Is the equipment sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access?

A.9.2.2 Supporting utilities
Significance: High
Evidence: Power supply sources; UPS / Generator
1) Are there multiple feeds to avoid a single point of failure in the power supply?
2) Is there a UPS in place to support orderly close down or continuous running of critical equipment?
3) Is there a back-up generator in place and tested?
4) Are emergency power switches located near emergency exits in the equipment room to facilitate rapid power down?
5) Are power switches of servers and other critical information processing facilities adequately protected?
6) Is there a procedure for monitoring the health of the power sources?

A.9.2.3 Cabling Security
Significance: Medium
1) Are power and telecommunications lines placed underground or adequately protected?
2) Are network cables protected from unauthorized interception or damage?
3) Are power cables segregated from the communications cables?

A.9.2.4 Equipment Maintenance
Significance: Medium
Evidence: Equipment maintenance instructions and schedule; Equipment maintenance records
1) Is the maintenance of equipment done in accordance with the supplier's recommended service intervals and specifications?
2) Is the maintenance of equipment done by authorized personnel only?
3) Are records kept of all suspected or actual faults and all maintenance?

A.9.2.5 Security of equipment off-premises
Significance: Medium
1) Is the use of any equipment outside the organization's premises authorized by the management?
2) Is equipment and media left unattended in public places?
3) Are the manufacturer's instructions for protecting equipment observed?
4) Are there any controls defined by a risk assessment for using the equipment off-premises?
5) Is there adequate insurance cover?
6) Can maintenance of equipment be performed remotely?

A.9.2.6 Secure Disposal or re-use of Equipment
Significance: High
Evidence: Asset disposal procedure
1) Is sensitive data and licensed software totally erased from equipment prior to disposal?

A.9.2.7 Removal of Property
Significance: Medium
1) Can the organization's property be removed without formal authorization?
2) Are spot checks undertaken to detect unauthorized removal of property?

A.10 Communications and Operations Management
A.10.1 Operational procedures and responsibilities

A.10.1.1 Documented Operating Procedures
Significance: Medium
Evidence: Documented operating procedures
1) Are there documented procedures for the operation of all computer systems?
2) Do the procedures contain instructions for the execution of each job, like handling of information, scheduling requirements, error handling instructions, support contacts, system restart and recovery procedures and special output handling instructions?

A.10.1.2 Change management
Significance: High
Evidence: Change Control Policy; Change Control Form
1) Is the change control procedure documented?
2) Are significant changes identified and recorded?
3) Is there a change control committee to approve changes?
4) Does the change control procedure clearly define roles and responsibilities for all individuals associated with changes?
5) Has it been clearly identified which changes go through the change control procedure and which do not? What are the changes that have been omitted? Why?
6) Do users use a change request form when requesting a change?
7) Do asset owners authorize changes requested by users?
8) Can the firewall owner authorize a firewall rule base change? How is it ensured that the requestor and approver are not the same person?
9) Is an impact analysis done before making any changes to the system?
10) After a change, is the relevant documentation updated?
11) Are the details of the change communicated to all relevant persons?

A.10.1.3 Segregation of Duties
Significance: High
Evidence: Documented duties which need to be segregated
1) Has consideration been given to the segregation of certain duties in order to reduce opportunities for unauthorized modification or misuse of data or services?
2) Are activities that require collusion in order to commit fraud segregated?
3) If it is not possible to segregate duties due to small staff, are compensatory controls implemented, e.g. rotation of duties, audit trails?

A.10.1.4 Separation of development, test and operational facilities
Significance: Medium
Evidence: List of development, test and operational systems
1) Are development and testing facilities isolated from operational systems?
2) Are rules for the transfer of software from development to operational status well defined and documented?
3) Are development and operational software run on different processors?
4) Is sensitive data removed before using it in the test environment?
5) Are utilities like compilers and editors disabled on operational systems?

2 Third party service delivery management A.10. tracing of faults and disruptions related to the service delivered reviewed? 5) If the contract is granted for more than one year. failures.1 Service Delivery 1) Are security controls. operational problems.10. service definitions and delivery levels included in the third party service delivery agreement? Is it implemented.2 Monitoring and review of third party services 1) Are the services provided by the vendor monitored and reviewed? 2) Is there an individual in the organization responsible for monitoring and controlling the vendor performance? 3) Are periodic audits carried out on the outsourced vendor? 4) Are third party audit trails and records of security events. operated and maintained by third party? 2) Does outsourcing arrangements include plans for necessary transitions? 3) Does third party maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster? A.10. is there an Confidentiality Agreement: This document is to be used for internal purpose of Paladion Networks only. High Medium  Third party agreements/ Outsourcing contracts/ SLA  SLA reports  Vendor audit reports 47 .2.2.# 6) Questions Significance Evidence Does test environment emulate the operational system environment as closely as possible? A.

10.3 System planning and acceptance A.10.2.1 Capacity Management 1) Are application.3. system and network architectures designed for high availability and operational redundancy? 2) Are capacity requirements monitored to ensure that adequate processing power and storage remain available? Confidentiality Agreement: This document is to be used for internal purpose of Paladion Networks only.# Questions Significance Evidence annual review to ensure that the vendor still meets all necessary criteria? A.10. High  Monitoring procedure  Monitoring reports 48 .3 Monitoring changes to third party services Medium Does changes to third party services take into account the following requirements: a) changes made by organization to implement i) enhancements to current services offered ii) development of any new applications & systems iii) modifications of organization policies 1) iv) new controls to resolve information security incidents b) changes in third party services to implement i) changes & enhancements to networks ii) use of new technologies iii) adoption of new products or new versions iv) new development tools v) changes to physical locations vi) change of vendors A.

A.10.3.2 System Acceptance
Significance: High
Evidence: Requirements specifications; System testing reports
1) Are acceptance criteria established and suitable tests carried out prior to acceptance of new information systems, upgrades and new versions?
2) Are the requirements and acceptance criteria for new systems clearly defined, documented and tested?
3) Are there error recovery and restart procedures and contingency plans?
4) Is there an agreed set of security controls in place?
5) Are there effective manual procedures?
6) Is sufficient training imparted in the operation or use of new systems?
7) Is the effect on the existing systems studied?

A.10.4 Protection against malicious and mobile code

A.10.4.1 Controls against malicious code
Significance: High
Evidence: Anti-Virus Policy; Antivirus architecture
1) Are detection and prevention controls to protect against malicious software, and appropriate user awareness procedures, formally implemented?
2) Is there a formal policy requiring compliance with software licenses and prohibiting the use of unauthorized software?
3) Is there a formal policy to protect against risks associated with obtaining files and software either from or via external networks, and to indicate what protective measures should be taken?
4) Is appropriate anti-virus and anti-spyware software installed and regularly updated?
5) Are formal reviews of the software and data content of systems supporting critical business processes regularly carried out?
6) Are all files and email attachments of uncertain or external origin checked for viruses and trojans before use?
7) Do appropriate management procedures and responsibilities exist for the reporting of, and recovering from, virus attacks?
8) Are appropriate business continuity plans for recovery from virus attack in place?
9) Are remote users and laptop computer users covered under the virus protection program?
10) Is malicious code filtered at the network perimeter?

A.10.4.2 Controls against Mobile code
Significance: Medium
1) Is any mobile code used in the organization? How is the security of mobile code ensured?
2) Are the following controls considered?
   - executing mobile code in a logically isolated environment
   - controlling the resources available to mobile code
   - cryptographic controls to uniquely authenticate mobile code

A.10.5 Backup

A.10.5.1 Information Back-up
Significance: High
Evidence: Backup and Recovery Policy and procedure; Backup and Recovery records and logs; Backup media labeling and storage
1) Are back-up copies of essential business information and software taken regularly?
2) Is the backup and recovery procedure documented?
3) Does the document identify the servers and the data to be backed up, and the frequency of backup?
4) Does backup data contain audit trails and logs?
5) What roles and responsibilities are defined and assigned for backup activities?
6) What permissions are given to backup operators?
7) Are backup events logged in the log repository?
8) How is access to backup media controlled?
9) Is backup media stored both onsite and offsite? If offsite backup is taking place, what is the frequency, and how is the integrity of the offsite backup tapes assured?

10) Is backup media stored in a fireproof environment?
11) Is a media labeling procedure in place, with sufficient information?
12) Is there a procedure for media rotation?
13) What precautions are taken for the disposal of (aged/unused) media? Does the backup policy identify the period for backup data retention? What is the recommended disposal method?
14) What steps are followed in restoring a backup? Are the steps documented and available to the authorized personnel?
15) Are the media and backup restoration tested periodically? (Evidence: request for logs and verify)
16) Is the backup media password protected or encrypted?
17) Are tapes left lying around near tape drives?
18) Is an automated backup tool used (Veritas, IBM Tivoli etc.)?
19) What are the tracking mechanisms for backup failure and success? Does the document give guidelines on the actions to be taken by the backup operator?
20) Can a backup operator delete backup logs? Where are the backup logs getting logged? What permissions are assigned to the backup operator on the machine?

A.10.6 Network security management

A.10.6.1 Network controls
Significance: High
Evidence: Network policy; Network Layout Diagram
1) Have network managers implemented controls to ensure the security of data in networks and the protection of connected services from unauthorized access?
2) Are the responsibilities and procedures for the management of remote equipment, including user equipment, established?
3) Are special controls established to safeguard the confidentiality and integrity of data passing over public networks?
4) Is regular, periodic vulnerability and penetration testing carried out in accordance with the risk of each security/control domain and perimeter?
5) Is appropriate logging enabled, and are logs reviewed?

A.10.6.2 Security of Network Services
Significance: High
Evidence: Network security features; Network monitoring reports
1) Are security features, service levels and management requirements of all network services identified and included in all network services agreements?
2) Is the ability of the network service provider to manage agreed services in a secure way determined and regularly monitored?

A.10.7 Media Handling

A.10.7.1 Management of removable computer media
Significance: Medium
Evidence: Media handling guidelines; Media Asset inventory
1) Do appropriate procedures and controls exist to protect computer media?
2) Are the contents of media that are no longer needed in the organization erased?
3) Is authorization required for all media to be removed from the organization?
4) Is a record of all authorized removals maintained?
5) Are media stored in a safe and secure environment?
6) Is an inventory maintained of all removable media?

A.10.7.2 Disposal of Media
Significance: Medium
Evidence: Media disposal guidelines; Media disposal records
1) Are formal procedures established for the secure disposal of media?
2) Is the disposal of sensitive items logged to maintain an audit trail?
3) How are different types of media (paper, disk, tapes etc.) destroyed?

A.10.7.3 Information Handling Procedures
Significance: High
Evidence: Information handling procedure
1) Are procedures for the handling and storage of information established to prevent its unauthorized disclosure or misuse?
2) Is a formal record of the authorized recipients of data maintained?
3) Are procedures in place to ensure that input data is complete, that processing is properly completed and that output validation is applied?
4) Is the distribution of data kept to a minimum?
5) Are distribution lists and lists of authorized recipients reviewed at regular intervals?
6) Are all media labeled to indicate their classification level?
7) Are access restrictions in place for all media?

A.10.7.4 Security of System Documentation
Significance: Medium
1) Is the system documentation stored securely?
2) Is the access list for system documentation kept to a minimum and authorized by the application owner?
3) If the system documentation is held on a public network or supplied via a public network, is it appropriately protected?

A.10.8 Exchanges of information

A.10.8.1 Information exchange policies and procedures
Significance: Medium
Evidence: Information exchange policies and procedures
1) Are policies, procedures and controls in place to protect the exchange of information through the use of all types of communication facilities?
2) What controls are in place to protect exchanged information from interception, copying, modification, mis-routing and destruction?
3) What retention and disposal guidelines are followed for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations?

A.10.8.2 Exchange agreements
Significance: Medium
Evidence: Information exchange agreements
1) Are there agreements for the exchange of information and software between the organization and external parties?
2) Do exchange agreements incorporate the following:
   - procedures for notifying sender, transmission, dispatch and receipt
   - escrow agreement
   - responsibilities and liabilities in the event of information security incidents, such as loss of data
   - technical standards for packaging and transmission
   - agreed labeling system for sensitive or critical information
   - courier identification standards
   - procedures to ensure traceability and non-repudiation
   - ownership and responsibilities for data protection, copyright, software license compliance
   - any special controls that may be required to protect sensitive items, such as cryptographic keys

A.10.8.3 Physical media in transit
Significance: Medium
Evidence: Media movement/tracking register; Media packaging
1) Is a list of authorized couriers agreed with the management, and is there a procedure to check the identification of couriers?
2) How is information protected against unauthorized access, misuse or corruption during transportation beyond the organization's physical boundaries?
3) Is the packaging sufficient to protect the contents from any physical damage?

A.10.8.4 Electronic messaging
Significance: High
Evidence: Risk assessment/audit report for electronic messaging systems
1) Are the risks associated with the use of electronic messaging assessed?
2) How are the following security considerations for electronic messaging addressed?
   - protecting messages from unauthorized access, modification or denial of service
   - ensuring correct addressing and transportation of the message
   - general reliability and availability of the service
   - legal considerations, for example requirements for electronic signatures
   - obtaining approval prior to using external public services such as instant messaging or file sharing
   - stronger levels of authentication controlling access from publicly accessible networks

A.10.8.5 Business information systems
Significance: Medium
1) Are policies and procedures developed and implemented to protect information associated with the interconnection of business information systems?

A.10.9 Electronic commerce services

A.10.9.1 Electronic commerce
Significance: High
1) Are there controls in place to protect information involved in electronic commerce passing over public networks from fraudulent activity, contract dispute, and unauthorized disclosure and modification?

A.10.9.2 On-Line transactions
Significance: High
Evidence: Risk assessment/audit report for systems providing online transactions
1) Are the risks involved in on-line transactions assessed?
2) Do the security requirements for on-line transactions involve the following:
   - use of electronic signatures by each of the parties involved in the transaction
   - validation and verification of user credentials
   - confidentiality and privacy
   - encryption
   - use of secure protocols
   - storage of transaction details outside of any publicly accessible environment

A.10.9.3 Publicly Available information
Significance: Medium
1) Is there a formal authorization process before information is made publicly available?
2) How is the information made available on a publicly available system protected from unauthorized modification?
3) Is the information obtained in compliance with data protection legislation?
4) Is sensitive information protected during collection, processing and storage?
5) Is access to the publishing system protected such that it does not give access to the network to which the system is connected?

A.10.10 Monitoring

A.10.10.1 Audit logging
Significance: High
Evidence: Sample audit logs; Audit settings in servers, network devices and applications
1) Are audit trails of exceptions and security-relevant events recorded and kept for an agreed period to assist with access control monitoring and possible future investigations?
2) Do audit logs include the following data?
   - user IDs
   - dates, times and details of key events, e.g. log-on and log-off
   - terminal identity or location if possible
   - records of successful and rejected system access attempts
   - records of successful and rejected data and other resource access attempts
   - changes to system configuration
   - use of privileges
   - use of system utilities and applications
   - files accessed and the kind of access
   - network addresses and protocols
   - alarms raised by the access control system
   - activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems

A.10.10.2 Monitoring system use
Significance: High
Evidence: Monitoring Policy and procedure; Monitoring records
1) Are procedures established for monitoring use of information processing facilities?
2) Are the results of the monitoring activities reviewed regularly?
3) Are the following activities monitored?
   - authorized access
   - all privileged operations
   - unauthorized access attempts
   - system alerts or failures
   - changes to, or attempts to change, system security settings and controls

A.10.10.3 Protection of log information
Significance: High
Evidence: Log storage facilities
1) How are logging facilities and log information protected against tampering and unauthorized access?
2) Are there mechanisms to detect and prevent:
   - alterations to the message types that are recorded
   - log files being edited or deleted
   - the storage capacity of the log file media being exceeded

A.10.10.4 Administrator and operator logs
Significance: High
Evidence: Sample audit logs; Audit settings in servers, network devices and applications; Monitoring Policy and procedure; Monitoring records
1) Are the activities carried out by system administrators and system operators logged?
2) Are system administrator and operator logs reviewed on a regular basis?
3) Do the logs include the following information?
   - the time at which an event (success or failure) occurred
   - information about the event
   - which account and which administrator or operator was involved
   - which processes were involved

A.10.10.5 Fault logging
Significance: Medium
Evidence: Sample fault logs; Fault log settings in servers, network devices and applications
1) Are faults reported by users or by system programs regarding problems with information processing or communication systems logged?
2) Is there a review of fault logs to ensure that they have been satisfactorily resolved?
3) Is there a review of corrective measures to ensure that the controls have not been compromised and that the action taken is authorized?

A.10.10.6 Clock synchronization
Significance: High
Evidence: Clock settings in servers, network devices
1) Are computer clocks synchronized to ensure the accuracy of time information in audit logs? How are the clocks synchronized?

A.11 Access Control

A.11.1 Business requirement for access control

A.11.1.1 Access Control Policy
Significance: High
Evidence: Access Control Policy
1) Is there a documented access control policy?
2) Are both logical and physical access control aspects considered in the policy?
3) Does the policy take account of the following:
   - security requirements of individual business applications
   - policies for information dissemination and authorization
   - relevant legislation and any contractual obligations regarding protection of access to data or services
   - standard user access profiles for common job roles in the organization
   - segregation of access control roles, e.g. access request, access authorization, access administration
   - requirements for formal authorization of access requests
   - requirements for periodic review of access controls
   - removal of access rights

A.11.2 User access management

A.11.2.1 User Registration
Significance: High
Evidence: User registration/deregistration records; Review of user IDs
1) Is there a formal user registration/deregistration procedure for granting and revoking access to all information systems and services?
2) Are unique IDs assigned to all users?
3) Is a check done to verify that the user has authorization from the system owner for the use of the information system or service?
4) Is a check done to verify that the level of access granted is appropriate to the business purpose?
5) Are the users given a written statement of their access rights?
6) Are the users required to sign statements indicating that they have understood the conditions of access?
7) Is a formal record of all persons registered to use the service maintained?
8) Is there a periodic check for, and removal of, dormant/redundant user IDs and accounts?
9) Is it ensured that dormant/redundant user IDs are not issued to other users?
10) Are the accounts of users who change duties or leave the company removed immediately?
11) Are any temporary/generic/guest/anonymous user IDs in use? If so, how are they shared?
12) Are user addition and deletion monitored and logged?

A.11.2.2 Privilege Management
Significance: High
1) Is the use of special privileges that enable the user to override system or application controls restricted and controlled?
2) Are the privileges associated with each system (e.g. operating system or database) identified, and the categories of staff that are allowed access defined?
3) Are privileges allocated to individuals on a "need to know" basis and on an "event by event" basis?
4) Is there an authorization process for granting privileges, and is a record kept of all privileges allocated?
5) Are system routines developed or promoted to avoid the need to grant privileges to users?
6) Are privileges assigned to a different user identity from those used for normal business use?

A.11.2.3 User Password Management
Significance: High
Evidence: User acknowledgement records for receipt of passwords; Password settings on servers, network devices and applications
1) Is the allocation of user passwords securely controlled through a formal management process?
2) Are users required to sign an undertaking to keep passwords confidential?
3) Is there a secure password policy for the various systems? What is the current password policy?
4) Is the password policy enforced on all systems, applications and firewalls?
5) Are users forced to change their password on first login and whenever the password is reset?
6) Are passwords communicated to users in a secure manner?
7) Do users acknowledge receipt of the password?
8) Are default passwords changed?

A.11.2.4 Review of User Access Rights
Significance: High
Evidence: Review reports for user access rights
1) Are user access rights reviewed at regular intervals? What is the periodicity of review?
2) Are authorizations for privileged access rights reviewed more frequently than others?
3) Are user access rights reviewed and re-allocated when moving from one employment to another within the same organization?
4) Are privilege allocations checked at regular intervals?
5) Are changes to privileged accounts logged for periodic review?

A.11.3 User responsibilities

A.11.3.1 Password use
Significance: High
Evidence: Password security guidelines
1) Are guidelines communicated to users on the secure use of passwords?
2) Do the guidelines include the following?
   - keep passwords confidential
   - avoid keeping a record (e.g. paper, software file or hand-held device) of passwords
   - change passwords at regular intervals
   - change temporary passwords at the first log-on
   - do not share individual user passwords
   - do not use the same password for business and non-business purposes
   - select strong passwords

A.11.3.2 Unattended user equipment
Significance: Medium
Evidence: Unattended user equipment security guideline
1) Are users trained with regard to terminating active sessions, logging off systems and securing PCs or terminals by key lock or an equivalent control?

A.11.3.3 Clear desk and clear screen policy
Significance: Medium
Evidence: Clear desk and clear screen policy
1) Is a clear desk and clear screen policy followed in the organization?
2) Is sensitive information locked away when not required?
3) Are personal computers or printers left logged on when unattended?
4) Are incoming and outgoing mail points and unattended fax, telex and Xerox machines protected?
5) Are printers cleared of sensitive information immediately?
6) Is a screen saver password configured on the desktop? If yes, what is the time limit after which it gets activated?
7) Do users lock the workstation if they know they are not going to be around it for more than 5 minutes?

A.11.4 Network access control

A.11.4.1 Policy on use of Network Services
Significance: High
Evidence: Network policy; Network diagram; Firewall/router configuration
1) Is there a policy concerning the use of networks and network services?
2) Are users only able to gain access to the services that they are authorized to use?
3) Are there authorization procedures for determining who is allowed to access which networks and networked services?
4) Are there management controls and procedures to protect access to network connections and network services?
5) What is the process for requesting and approving modem connections to servers or desktops?
6) Does the organization have an access control device, such as a firewall, which segments critical segments from non-critical ones?
7) Is there a policy concerning the use of networks and network services? Is there a set of services that will be blocked across the firewall, for example RPC ports, NetBIOS ports etc.?

A.11.4.2 User Authentication for External Connections
Significance: High
Evidence: Authentication mechanisms for access to servers, network devices and applications
1) Are all connections by remote users authenticated (e.g. user ID and password, hardware tokens, challenge/response systems)?

A.11.4.3 Equipment identification in networks
Significance: High
1) Where applicable, are connections by remote computer systems authenticated through equipment identification?

A.11.4.4 Remote diagnostic and configuration port protection
Significance: Medium
1) Is physical and logical access to diagnostic and configuration ports controlled? Is there a well defined procedure covering request, approval, monitoring and termination of access?

A.11.4.5 Segregation in Networks
Significance: Medium
Evidence: Network diagram; Firewall and router configuration
1) Where large networks extend beyond organizational and corporate boundaries, are they separated into logical domains protected by a defined perimeter (e.g. firewall) which restricts the connection capabilities of users?
2) Is the criterion for segregation based on the access control policy and access requirements, and does it take into account the relative cost and performance impact?

A.11.4.6 Network Connection Control
Significance: High
Evidence: Network diagram; Firewall and router configuration
1) Are controls implemented to restrict the network connection capability of users (e.g. through gateways that filter traffic by means of pre-defined tables or rules)?

A.11.4.7 Network Routing Control
Significance: High
Evidence: Network diagram; Firewall and router configuration
1) Are routing controls implemented to ensure that computer connections and information flows do not breach the access policy of the business applications?

A.11.5 Operating system access control

A.11.5.1 Secure Log-on Procedures
Significance: High
Evidence: Operating system configuration
1) Does the log-on procedure display the system or application identifiers only after the process is successfully completed?
2) Does the log-on procedure display a general notice warning that the computer can be used only by authorized users?
3) Does the log-on procedure provide helpful messages that would aid an unauthorized user?
4) Does the log-on procedure validate the log-on information only on completion of all input data?
5) Does the log-on procedure limit the number of unsuccessful log-on attempts allowed?
6) Does the log-on procedure limit the maximum and minimum time allowed for the log-on procedure?
7) Does the log-on procedure display the date and time of the previous successful log-on and the details of any unsuccessful log-on attempts?
8) Does the log-on procedure avoid displaying the password being entered, or hide the password characters with symbols?
9) Does the log-on procedure avoid transmitting passwords in clear text over a network?

A.11.5.2 User Identification and Authentication
Significance: High
1) Do all users have a unique identifier for their personal and sole use?

A.11.5.3 Password Management System
Significance: High
Evidence: Password settings in servers, network devices and applications
1) Does the password management system enforce the use of individual passwords to maintain accountability?
2) Does the password management system allow users to select and change their own passwords?
3) Does the password management system enforce a choice of quality passwords?
4) Does the password management system force users to change temporary passwords on first log-on and when the password expires?
5) Does the password management system maintain a record of previous user passwords?
6) Does the password management system avoid displaying passwords on screen when they are being entered?
7) Does the password management system store password files separately from application system data?
8) Does the password management system store and transfer passwords in encrypted form (e.g. using a one-way encryption algorithm)?

A.11.5.4 Use of System Utilities
Significance: Medium
Evidence: Configuration of servers, network devices and applications
1) Are those system utility programs that might be capable of overriding system and application controls restricted and tightly controlled?
2) Are there authentication and authorization procedures for system utilities?
3) Is there a segregation of system utilities from application software?
4) Is the number of authorized users with access to system utilities restricted?
5) Is a log maintained of all use of system utilities?
6) Are all unnecessary software-based utilities and system software removed or disabled?
7) Are authorization levels for system utilities defined and documented?

A.11.5.5 Session Time-out
Significance: High
Evidence: Configuration of servers, network devices and applications
1) Are inactive sessions forced to shut down after a defined period of inactivity? What is the default timeout period?

A.11.5.6 Limitation of Connection Time
Significance: Medium
Evidence: Configuration of servers, network devices and applications
1) Are connection times restricted for high risk applications (e.g. to normal office hours)?

A.11.6 Application and information access control

A.11.6.1 Information Access Restriction
Significance: High
Evidence: Application audit report
1) Are appropriate logical access controls implemented in the application systems?
2) Are menus provided to control access to application system functions?
3) Is there control over the access rights of the users? Is role-based access control implemented?
4) Is it ensured that outputs from application systems handling sensitive information contain only the information that is relevant to the use of the output?
5) Is it ensured that outputs from application systems handling sensitive information are sent only to authorized terminals and locations?

A.11.6.2 Sensitive System Isolation
Significance: Medium
1) Is the sensitivity of an application system explicitly identified and documented by the application owner?
2) Do sensitive systems have a dedicated (isolated) computing environment?
3) If a sensitive application system is to run in a shared environment, are the other application systems with which it will share resources identified and agreed?

A.11.7 Mobile Computing and Teleworking
A.11.7.1 Mobile Computing and communications
Significance: Medium
Evidence: Policy for use of mobile computing facility
1) Is a formal policy in place to ensure that special care is taken when using mobile computing facilities (e.g.: notebooks, palmtops, laptops and mobile phones)?
2) What controls are in place to protect mobile computing systems?

A.11.7.2 Teleworking
Significance: Medium
Evidence: Authorization records for any teleworking facility
a) Is all tele-working (i.e.: working from a remote external fixed location) authorized by management and specifically controlled to ensure a suitable level of protection?
b) What controls are in place to protect teleworking facilities?

A.12 Information systems acquisition, development and maintenance
A.12.1 Security requirements of information systems
A.12.1.1 Security requirements analysis and specification
Significance: High
Evidence: Requirements specification; Acquisition and procurement policy and procedure
1) Do the statements of business requirements for new systems or enhancements to existing systems specify the requirements for security controls?
2) Is there a well-defined acquisition and procurement process in place?
3) Do contracts with the supplier address the identified security requirements?

A.12.2 Correct processing in applications
A.12.2.1 Input Data Validation
Significance: High
Evidence: Application audit report
1) Is data input to application systems subject to sufficient validation control to ensure completeness and accuracy?
2) Are the following included in validation checks?
- Out-of-range values
- Invalid characters
- Missing or incomplete data
- Exceeding data volume limits
- Unauthorized or inconsistent control data
3) Is there a procedure to conduct periodic reviews of the content of key fields or data files?
4) Is there a procedure to inspect hard-copy input documents for any unauthorized changes to input data?
5) Are there procedures for responding to validation errors?
6) Are there procedures for testing the plausibility of the input data?
7) Are the responsibilities of all the personnel involved in the data input process clearly defined?
8) Is there a log of the activities involved in the data input process?

A.12.2.2 Control of Internal Processing
Significance: High
Evidence: Application audit report
1) Is data validated throughout the processing cycle?
2) Are there session or batch controls to reconcile data file balances after transaction updates?
3) Are there balancing controls to check the opening balances against previous closing balances?
4) Is there validation of system-generated data?
5) Is a hash total of records and files maintained?
6) Are there checks to ensure that application programs are run at the correct time?
7) Are there checks to ensure that programs are run in the correct order?
8) Is all vendor-supplied software maintained at a level supported by the supplier, and does any upgrade decision take into account the security of the new release?
9) Are there checks on the integrity of data or software transferred?

A.12.2.3 Message Integrity
Significance: High
Evidence: Application audit report
1) Are controls implemented to ensure authenticity and protection of message integrity in applications?

A.12.2.4 Output Data Validation
Significance: High
Evidence: Application audit report
1) Is data output from application systems validated to ensure that the processing of stored information is correct and appropriate to the circumstances?
2) Are plausibility checks done to test whether the output data is reasonable?
3) Are there reconciliation control counts to ensure that all data is processed?
4) Is there sufficient documentation for a reader or for subsequent processing?
5) Is the responsibility of all personnel involved in the data output process defined?
6) Is there a log of activities in the data output validation process?
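As an added illustration of what an auditor is looking for under A.12.2.1 and A.12.2.2 (this is example code, not part of the Paladion checklist), the following Python block applies the five listed input validation categories to a constructed batch of payment records and checks the batch against its control record (record count, hash total and opening/closing balance). The field names, limits, allowed currencies and character whitelist are assumed policy values.

```python
import re

# Constructed sample batch (not from the checklist): a control record stating
# what the sender claims the batch contains, followed by the data records.
CONTROL = {
    "batch_id": "B-0001",
    "expected_count": 3,
    "expected_hash_total": 475.00,   # declared control total of 'amount'
    "previous_closing_balance": 1000.00,
    "opening_balance": 1000.00,
}
RECORDS = [
    {"account": "ACC-001", "amount": "250.00", "currency": "USD", "memo": "invoice 17"},
    {"account": "ACC-002", "amount": "-25.00", "currency": "USD", "memo": "refund"},
    {"account": "", "amount": "250.00", "currency": "US$", "memo": "rent <script>"},
]

# Assumed policy values; a real deployment takes these from the data specification.
MAX_RECORDS = 1000                       # data volume limit per batch
AMOUNT_RANGE = (-10_000.00, 10_000.00)   # permitted range for 'amount'
ALLOWED_CURRENCIES = {"USD", "EUR"}      # control data the application recognises
ACCOUNT_RE = re.compile(r"^ACC-\d{3}$")
MEMO_RE = re.compile(r"^[A-Za-z0-9 .,'-]*$")   # character whitelist for free text
REQUIRED_FIELDS = ("account", "amount", "currency", "memo")


def validate_record(rec):
    """Apply the A.12.2.1 field-level checks to one record.
    Returns a list of (category, field, detail); empty means the record passed."""
    errors = []
    for name in REQUIRED_FIELDS:                       # missing or incomplete data
        if not rec.get(name):
            errors.append(("missing_or_incomplete", name, "required field is empty"))
    account = rec.get("account", "")
    if account and not ACCOUNT_RE.match(account):      # invalid characters / format
        errors.append(("invalid_characters", "account", "expected ACC-nnn"))
    if not MEMO_RE.match(rec.get("memo", "")):
        errors.append(("invalid_characters", "memo", "characters outside whitelist"))
    if rec.get("currency") not in ALLOWED_CURRENCIES:  # unauthorized control data
        errors.append(("inconsistent_control_data", "currency", "unknown currency code"))
    try:
        amount = float(rec.get("amount", ""))
    except ValueError:
        errors.append(("invalid_characters", "amount", "not a decimal number"))
        return errors
    low, high = AMOUNT_RANGE                           # out-of-range values
    if not low <= amount <= high:
        errors.append(("out_of_range", "amount", f"{amount} outside [{low}, {high}]"))
    return errors


def hash_total(records):
    """A.12.2.2 hash total: sum of 'amount' over the records that parse."""
    total = 0.0
    for rec in records:
        try:
            total += float(rec.get("amount", ""))
        except ValueError:
            pass  # already reported as a record-level error
    return round(total, 2)


def validate_batch(control, records):
    """Run batch-level controls, then record-level checks.
    Returns (accepted, batch_errors, record_errors) with record_errors keyed by index."""
    batch_errors = []
    if len(records) > MAX_RECORDS:                     # exceeding data volume limits
        batch_errors.append(("exceeds_volume_limit", "records",
                             f"{len(records)} > {MAX_RECORDS}"))
    if len(records) != control["expected_count"]:      # inconsistent control data
        batch_errors.append(("inconsistent_control_data", "expected_count",
                             f"declared {control['expected_count']}, got {len(records)}"))
    computed = hash_total(records)
    if computed != round(control["expected_hash_total"], 2):
        batch_errors.append(("inconsistent_control_data", "hash_total",
                             f"declared {control['expected_hash_total']}, computed {computed}"))
    # Balancing control: this batch must open where the previous batch closed.
    if control["opening_balance"] != control["previous_closing_balance"]:
        batch_errors.append(("inconsistent_control_data", "opening_balance",
                             "does not match previous closing balance"))
    record_errors = {i: validate_record(rec) for i, rec in enumerate(records)}
    accepted = not batch_errors and not any(record_errors.values())
    return accepted, batch_errors, record_errors
```

Running `validate_batch(CONTROL, RECORDS)` rejects the sample batch: the control totals reconcile, but the third record fails the missing-field, invalid-character and control-data checks, and each failure is logged by category so the validation log asked for in A.12.2.1 question 8 can be produced.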

A.12.3 Cryptographic controls
A.12.3.1 Policy on the use of Cryptographic Controls
Significance: High
Evidence: Cryptography policy and procedures; List of cryptographic technologies in use
1) Is risk assessment used to determine whether cryptographic control is appropriate?
2) Is a policy in place to cover the use of cryptographic controls for protection of information?
3) Does the policy consider the management's approach towards the use of cryptographic controls?
4) Does the policy cover key management?
5) Are the responsibilities of key management and policy implementation defined?

1) When identifying the level of cryptographic protection, which of the following are taken into account?
- Type and quality of algorithm
- Length of keys
- National and regulatory restrictions
- Export and import controls
2) What are the mechanisms used for preventing clear text traffic flowing through the internet?
3) What are the mechanisms used for preventing clear text traffic flowing through branch offices?
4) What kind of protection is taken against the storage of passwords in clear text?
5) Does the application store the password in clear text?
6) If proprietary encryption algorithms are used, have their strength and integrity been certified by an authorized evaluation agency?
7) Where digital signatures are employed, is appropriate care taken to protect the integrity and confidentiality of the private key?
8) Are the cryptographic keys used for digital signatures different from those used for encryption?
9) Has full consideration been given to legislative issues with respect to the status and use of digital signatures?
10) Has the use of non-repudiation services been considered where it might be necessary to resolve disputes about the occurrence or non-occurrence of an event or action?

12.3.2 Key Management
Significance: High
Evidence: Key management procedure
1) Is there a well-defined key management procedure in place to support the organization's use of cryptographic techniques?
2) Does the key management procedure take care of the following?
- generating keys for different cryptographic systems and different applications
- generating and obtaining public key certificates
- distributing keys to intended users
- storing keys
- changing or updating keys
- dealing with compromised keys
- revoking keys
- recovering keys that are lost or corrupted
- archiving keys
- destroying keys
- logging and auditing of key management related activities

12.4 Security of system files
12.4.1 Control of Operational Software
Significance: High
Evidence: Software development policy and procedure; Software version control system; Escrow arrangements
1) Is strict control maintained over the implementation of software on operational systems?
2) Is the updating of the operational program libraries performed only by the nominated librarian with proper management authorization?
3) What is the process for version management?
4) Is an audit log of all updates to operational program libraries maintained?
5) Are the previous versions of software retained as a contingency measure?
6) Has the organization entered into an escrow agreement with anyone? Does it insist on escrow agreements when it outsources application development to a third party?
7) What controls have been deployed to ensure that code check-in and version changes are carried out by only authorized individuals?
8) Is the access given to suppliers for support purposes subject to management's approval, and is it monitored?
9) Are tools available in the production application environment that would allow data to be altered without the production of an audit trail?
10) Are development code or compilers available on operational systems?

12.4.2 Protection of System Test Data
Significance: High
Evidence: Software development policy and procedure; Approval records for using operational data for testing
1) Is system test data subject to appropriate protection and controls?
2) Are the access control procedures which are applicable to operational application systems applicable to test application systems as well?
3) Is there a separate authorization each time operational information is copied to a test application system?
4) Is the operational information erased from a test application system immediately after the testing is complete?
5) Is the copying and use of operational information logged to provide an audit trail?
6) Is sensitive data masked before testing?

12.4.3 Access Control to Program Source Code
Significance: High
Evidence: Software development policy and procedure; Software version control system
1) Are program source libraries held with operational systems?
2) Is a program librarian nominated for each application?
3) Do IT support staff have restricted access to program source libraries?
4) Are programs under development or maintenance separated from operational program source libraries?
5) Are program listings held in a secure environment?
6) Is an audit log of all accesses to program source libraries maintained?
7) Are old versions of source programs archived together with all supporting software, job control, data definitions and procedures?

12.5 Security in development and support processes
12.5.1 Change Control Procedures
Significance: High
Evidence: Change control policy and procedure; Change control records
1) Are there formal change control procedures governing the implementation of changes to systems?
2) Is there a record maintained of agreed authorization levels?
3) Is there a process to ensure that changes can be submitted by authorized users only?
4) Are security controls reviewed to ensure that they will not be compromised by changes?
5) Is there a process to identify all computer software, information, database entries and hardware that will require amendment?
6) Is there a process to obtain formal approval for detailed proposals before work commences?
7) Is there a process to ensure that authorized users accept the changes before any implementation?
8) Is it ensured that the implementation is carried out with minimum business disruption?
9) Is a record of all software updates maintained?
10) Is an audit trail of all change requests maintained?
11) Is a rollback plan available for the changes?
12) After a change, is the relevant documentation updated?
13) Is there a procedure to handle emergency changes? Are they later authorized and subjected to the change control procedure?
14) Is there a verification of the changes that have taken place?

12.5.2 Technical review of applications after Operating System Changes
Significance: Medium
Evidence: Review reports
1) Is the security impact of operating system changes reviewed to ensure that changes do not have an adverse impact on applications?
2) Does the review check the application control and integrity procedures to ensure that they have not been compromised by operating system changes?
3) Does the annual support plan and budget cover reviews and system testing resulting from operating system changes?
4) Is notification of operating system changes provided in time to allow for reviews to take place before implementation?
5) Are the operating system changes reflected in the business continuity plan?

12.5.3 Restrictions on Changes to Software Packages
Significance: Medium
Evidence: Software development policy and procedure; Change control records
1) Are vendor-supplied packages used (as far as possible) without modification?
2) Is it checked whether the built-in controls or the integrity processes are being compromised while modifying a software package?
3) Is the consent of the vendor taken to modify a package if necessary?
4) Is a risk assessment done prior to changing the package?

12.5.4 Information leakage
Significance: High
Evidence: Application/ source code audit report; Monitoring policy and procedure; Monitoring reports
1) When procuring programs/software, are appropriate steps taken to minimize the risk of inclusion of covert channels and Trojan code?
2) Are programs bought from a reputable source only?
3) Are the following requirements considered for limiting the risk of information leakage:
- Scanning of outbound media and communication for hidden information
- Monitoring resource usage in computer systems
4) Are only evaluated products used?
5) Is all source code inspected before operational use?
6) Is access to and modification of source code controlled?
7) Are staff of proven trust used to work on key systems?
8) Are personnel and system activities regularly monitored?

12.5.5 Outsourced Software Development
Significance: High
Evidence: Software development policy and procedure; Agreements/ Contracts/ NDA/ SLA
1) Are licensing arrangements, code ownership and intellectual property rights taken care of when software development is outsourced?
2) Is a certification of the quality and the accuracy of the work carried out obtained?
3) Is there a right of access for audit of the quality and accuracy of work done?
4) Are there contractual requirements for quality of code?
5) Is there testing before installation to detect malicious or Trojan code?
6) Who owns the intellectual property of the code? Are escrow arrangements in place where required?
7) Have developers been trained in programming techniques that provide for more secure applications?

12.6 Technical Vulnerability Management
12.6.1 Control of technical vulnerabilities
Significance: High
Evidence: Vulnerability assessment reports; Penetration testing reports; Roles and responsibilities for technical vulnerability management
1) Is any vulnerability assessment carried out for the servers, network devices and security devices?
2) What is the periodicity of such vulnerability assessments?
3) Is any patch management system deployed for efficient and timely deployment of patches on the operating systems?
4) Are roles and responsibilities associated with technical vulnerability management defined and established?
5) How is timely information on published vulnerabilities obtained?
6) Is there a well-defined patch management procedure in place?

13 Information security incident management
13.1 Reporting information security events and weaknesses
13.1.1 Reporting information security events
Significance: High
Evidence: Incident management policy and procedures; Incident management records
1) Are there formal procedures for reporting information security incidents?
2) Are all users informed of the formal procedures for reporting the different types of security incident?
3) Is contact information for reporting an incident readily accessible to users/administrators?
4) Is there a feedback process to notify the informant about the results after the incident is dealt with?
5) Does the incident response team prepare a report for each incident reported/occurred?
6) Is there a report of the action taken in rectifying the incident?
7) Is a time frame defined for the incident response team to conduct an investigation?
8) Are incidents reported to senior management?

13.1.2 Reporting security weaknesses
Significance: High
Evidence: Incident management policy and procedures; Incident management records
1) Are there formal procedures defined for reporting security weaknesses?
2) Are all employees, contractors and third party users required and trained to note and report any observed or suspected security weaknesses in systems or services?

13.2 Management of information security incidents and improvements
13.2.1 Responsibilities and procedures
Significance: High
Evidence: Incident management policy and procedures; Incident management records
1) Are the management responsibilities and procedures to ensure a quick, effective, orderly response to information security incidents defined?
2) Does the incident management procedure incorporate the following guidelines:
- procedures for handling different types of security incidents
- analysis and identification of the cause of the incident
- containment
- planning and implementation of corrective action
- collection of audit trails and other evidence
- action to recover from security breaches and correct system failures
- reporting the action to the appropriate authority
3) Are all potential types of security incidents covered by the procedures?
4) Are actions and authority to recover from incidents defined?
5) Are recovery mechanisms tested? Are people familiar with the process?

13.2.2 Learning from information security incidents
Significance: High
Evidence: Incident management policy and procedures; Incident management records
1) How is learning from security incidents incorporated so as to prevent their recurrence?
2) Are there mechanisms in place to quantify and monitor incidents based on types, volumes, costs, etc. so as to learn from them?

13.2.3 Collection of evidence
Significance: High
Evidence: Incident management policy and procedures; Incident management records
1) Are the rules for evidence laid down by the relevant law or court identified, to ensure admissibility of evidence in case of an incident?
2) Is a procedure developed with instructions for collecting and presenting evidence for the purposes of disciplinary action?

14 Business Continuity Management
14.1 Information security aspects of business continuity management
14.1.1 Including information security in the Business Continuity Management Process
Significance: High
Evidence: Business Continuity Policy/Procedure; Risk assessment results
1) Is there a managed process in place for developing and maintaining business continuity across the Company?
2) Does the process include risk analysis of critical business processes?
3)
4) Are responsibilities and emergency arrangements identified and agreed?
5) Is the business continuity strategy consistent with the agreed business objectives and priorities?

14.1.2 Business Continuity and risk assessment
Significance: High
Evidence: Business Continuity Policy/Procedure; Risk assessment results
1) Is a risk assessment carried out for business processes?
2) Is the risk assessment procedure well defined?
3) Does the risk assessment identify events that can cause interruptions to business processes, along with the probability and impact of such interruptions and their consequences for information security?

14.1.3 Developing and implementing continuity plans including information security
Significance: High
Evidence: Business Continuity Policy/Procedure; BCP test plan and results; Training plan and records
1) Have continuity plans been developed to maintain or restore business operations in the required time scales following interruptions to, or failure of, critical business processes?
2) Are all responsibilities and emergency procedures identified and agreed upon?
3) Are the agreed procedures documented?
4) Are the staff trained in the agreed procedures?
5) Are documented procedures tested periodically?

14.1.4 Business Continuity Planning Framework
Significance: High
Evidence: Business Continuity Policy/Procedure
1) Is a single framework maintained to ensure that all plans are consistent and to identify priorities for testing and maintenance?
2) Does each business continuity plan specify the conditions for its activation as well as the individuals responsible for executing each component of the plan?
3) Are emergency procedures with detailed actions identified?
4) Are fallback, temporary and resumption operational procedures identified?
5) Is there a maintenance schedule to specify how and when the plan will be tested?
6) Are the responsibilities of all individuals involved in the plan well documented?
7) Are all assets and resources required to perform the emergency, fallback and resumption procedures identified?
8) Are sufficient awareness, education, and training activities carried out?

14.1.5 Testing, maintaining and re-assessing business continuity plans
Significance: High
Evidence: BCP test plan and results; Training plan and records
1) At what monthly interval is the business continuity plan tested?
2) Are a variety of techniques used to provide assurance that the plan will operate in real life (table-top testing, simulations, technical recovery testing, testing recovery at an alternate site, tests of supplier facilities and services, complete rehearsals)?
3) Does the business continuity process include reviewing and updating the plan to ensure continued effectiveness?
4) Are the business continuity plans reviewed under the following circumstances?
- Changes in personnel, addresses or telephone
- Changes in business strategy
- Changes in location, facilities, resources
- Changes in legislation
- Changes in contractors, suppliers, customers
- Changes in processes
- Acquisition of new equipment
- Upgrading of operational systems
- Changes in risk
5) Are third-party providers involved in the test exercises?

15 Compliance

15.1 Compliance with legal requirements
15.1.1 Identification of Applicable Legislation
Significance: High
Evidence: List of statutory, regulatory and contractual requirements
1) Are all relevant statutory, regulatory and contractual requirements explicitly defined and documented for each information system?
2) Are specific controls and individual responsibilities to meet these requirements defined and documented?

15.1.2 Intellectual Property Rights
Significance: High
Evidence: License keys/ agreements
1) Are there procedures/instructions in place to guide staff on the use of material for which there may be intellectual property rights, including disciplinary action for breach?
2) Are applicable legislative, regulatory, and contractual requirements considered while complying with IPR?
3) Is a software copyright compliance policy published that defines the legal use of software and information products?
4) Are appropriate asset registers maintained?
5) Is proof and evidence of ownership of licenses, master disks, manuals, etc. maintained?
6) Are controls implemented to check that the maximum number of users permitted is not exceeded?
7) Are checks carried out to see that only authorized software and licensed products are installed?

8) Is there a policy for maintaining appropriate license conditions?
9) Is there a policy for disposing of or transferring software to others?
10) Are appropriate audit tools used?
11) Are terms and conditions for software and information obtained from public networks complied with?

15.1.3 Protection of Organizational Records
Significance: High
1) Are important organizational records safeguarded from loss, destruction or falsification, considering the legislative or regulatory environment within which the organization operates?
2) Are records categorized into various types (accounting records, database records, etc.)?
3) Are guidelines issued on the retention, storage, handling and disposal of records and information?
4) Is a retention schedule drawn up identifying the essential record types and the period of time for which they should be retained?
5) Is an inventory of sources of key information maintained?

15.1.4 Data Protection and Privacy of Personal Information
Significance: High
Evidence: Data privacy policy/ procedure
1) Are data protection and privacy requirements in relevant legislation, regulations and contractual clauses identified?
2) How does the organization comply with data protection and privacy requirements?

15.1.5 Prevention of Misuse of Information Processing Facilities
Significance: Medium

1) Are there procedures and controls in place to ensure that the organization's IT facilities are used only for authorized business purposes, and are not subject to misuse?
2) Are all users aware of the precise scope of their permitted access and of the monitoring in place to detect unauthorized use?
3) Does a warning message appear at the log-on process indicating that unauthorized access is not permitted?

15.1.6 Regulation of Cryptographic Controls
Significance: High
1) Are the requirements regarding the use of cryptography in relevant regulations, laws and agreements identified?
2) Is legal advice sought before cryptographic controls are implemented?

15.2 Compliance with security policies and standards and technical compliance
15.2.1 Compliance with Security Policies and Standards
Significance: High
Evidence: Compliance audit reports
1) Are the information systems, service providers, owners, users and management subject to regular review to ensure that they are in compliance with Company security policies and applicable standards?
2) How are non-compliances analyzed, treated, tracked, closed and reviewed?

15.2.2 Technical Compliance Checking
Significance: High
Evidence: Vulnerability assessment reports; Penetration testing reports; Application security testing reports
1) Are information systems regularly checked for compliance with security implementation standards?
2) What are the different kinds of audits that are carried out for technical compliance checking?
3) How are vulnerabilities identified in technical audits tracked and fixed?

15.3 Information system audit considerations
15.3.1 Information System Audit Controls
Significance: Medium
Evidence: Audit plan, schedule, methodology, organization structure
1) Are audits of operational systems planned, agreed and carried out in a controlled manner (minimizing the risk of disruption to the business process)?
2) Are audit requirements agreed with appropriate management?
3) Is the scope of the audit agreed and controlled?
4) Are the checks limited to read-only access to software and data?
5) Are accesses other than read-only erased when the audit is completed?
6) Are IT resources for performing the audit explicitly identified and made available?
7) Are requirements for additional processing identified and agreed?
8) Are all accesses monitored and logged to produce an audit trail?
9) Are all procedures, requirements and responsibilities documented?
10) Are the person(s) carrying out the audit independent of the activities audited?

15.3.2 Protection of information system audit tools
Significance: Medium
1) Are audit tools (software or data files) safeguarded so as to prevent any possible misuse?
2) Are system audit tools held separate from development and operational systems, and not kept in tape libraries or user areas?