Self Assessment MASTER v7.0

Question Question
Primary Security Domain COBIT 4.0 Control Objective ISO 27001/17799 ISO 20000/ITIL Reference Question (Control Objective) Business Staff Question (Control Objective) IT Staff
Number Number
I. Security Policy PO6 Communicate Management Aims and Direction 3.1 Information Security Policy 6.6 Information Security Management 1 Are you and members of your department aware of information 1 Has an information security policy framework been developed including who is
PO4.14 Contracted Staff Policies and Procedures 4.1 Information Security Infrastructure 6.6.1 General (See ISO Mapping for security policies and have you been provided with any type of responsible for development, review, and approval of policies?
additional details) awareness training or ongoing communications?
6.6.6 Controls c)
I. Security Policy PO6 Communicate Management Aims and Direction 3.1 Information Security Policy 6.6 Information Security Management 2 For policies that have been provided, are the supported and 2 Has the policy framework been implemented resulting in creation of information
PO4.14 Contracted Staff Policies and Procedures 4.1 Information Security Infrastructure 6.6.1 General (See ISO Mapping for enforced by your department's leadership? security policies that are supported in the highest levels of the organization?
additional details)
6.6.6 Controls c)
I. Security Policy M1 Monitor the Processes 12.2 Reviews of Security Policy and 6.6 Information Security Management 3 Is there a process in place to review employee compliance with 3 Does internal staff regularly monitor security controls to measure performance
1.1 Collecting Monitoring Data Technical Compliance 6.6.1 General (See ISO Mapping for organizational policies? and adequacy?
1.2 Assessing Performance additional details)
1.3 Assessing Customer Satisfaction 6.6.6 Controls (a,c,e)
1.4 Management Reporting
M2 Assess Control Adequacy
2.1 Internal Control Monitoring
I. Security Policy M1 Monitor the Processes 12.2 Reviews of Security Policy and 6.6 Information Security Management 3.1 If you answered yes to question 3, is effectiveness measured against security
1.1 Collecting Monitoring Data Technical Compliance 6.6.1 General (See ISO Mapping for policy, regulatory/contract compliance?
I. Security Policy M1 Monitor the Processes 12.2 Reviews of Security Policy and 6.6 Information Security Management 4 Has your department or employees ever requested an exception 4 Is there a current process for defining and ongoing review of policy exceptions?
1.1 Collecting Monitoring Data Technical Compliance 6.6.1 General (See ISO Mapping for from policy items?
I. Security Policy M1 Monitor the Processes 12.2 Reviews of Security Policy and 6.6 Information Security Management 4.1 Are you familiar with the University's Risk Acceptance Process? 4.1 Are you familiar with the University's Risk Acceptance Process?
1.1 Collecting Monitoring Data Technical Compliance 6.6.1 General (See ISO Mapping for
I. Security Policy 11.18 Protection of Disposed Sensitive Information, 5.2.2 Information labeling and 6.6 Information Security Management 5 Do policies and procedures exist for the handling of paper copy
11.26 Archiving handling 6.6.1 General (See ISO Mapping for documents?
additional details)
I. Security Policy 11.27 Protection of Sensitive Messages 3 Security Policy 6.6 Information Security Management 6 Are you aware of email and Internet acceptable usage policies?
6.2.1 Information security education 6.6.6 Controls (a,c,e)
and training
II. Organizational Security PO1 Define a Strategic IT Plan 4.1 Information Security Infrastructure 4 Planning and Implementing Service 7 Does your department collaborate with the IT department for 5 Is strategic IT planning performed to determine business requirements that
PO4.11 IT Staffing Management purposes of strategic planning? could have an impact on technologies, staffing, and information security
requirements?
II. Organizational Security 4.2 Organizational Placement of the IT Function 4.1 Information Security Infrastructure 6.6 Information Security Management 8 Are members of your department assigned responsibilities for 6 Has a security organizational structure been created that defines information
4.4 Roles and Responsibilities 6.11 Including Security in 6.6.1 General (See ISO Mapping for information security and if so do they have specific directives for security roles and responsibilities?
4.6 Responsibility for Logical and Physical Security Responsibilities additional details) protecting critical information?
8.1 Operational procedures and 6.6.6 Controls (a,c,d)
responsibilities
II. Organizational Security PO7 Manage Human Resources 6.1 Personnel Security 3.3.2 Professional Development a) 9 Are background and reference checks performed and verified 7 Are background and reference checks performed and verified during the
7.1 Personnel Recruitment and Promotion Recruitment during the recruiting hiring and processes? recruiting and hiring and processes?
7.2 Personnel Qualifications
7.5 Cross-training or Staff Backup
7.6 Personnel Clearance Procedures
Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 1

Question Question
Number Number
II. Organizational Security PO7 Manage Human Resources 6.1 Personnel Security 3.3 Competence, Awareness, and Training 8 Are security skill requirements reviewed and mapped to current security staff
7.1 Personnel Recruitment and Promotion capabilities and evaluated against organizational security requirements?
II. Organizational Security PO7 Manage Human Resources 6.1 Personnel Security 6.6 Information Security Management 9 Are security skills redundant within staff members so that no critical security
7.1 Personnel Recruitment and Promotion 6.6.1 General (See ISO Mapping for functions are dependent on a single employee?
7.2 Personnel Qualifications additional details)
II. Organizational Security DS2 Manage Third-party Services 4.3 Outsourcing 7.3 Supplier Management (See ISO 27001 10 Are there specific criteria that a business partner or vendor must meet for
2.4 Third-party Qualifications 4.3.1 Security requirements in mapping for additional details) security requirements?
2.5 Outsourcing Contracts outsourcing contracts
II. Organizational Security DS2 Manage Third-party Services 4.3 Outsourcing 7.3 Supplier Management 10 Does your department include information security requirements 11 When partnering with a third party or contracting services, is a risk review
2.6 Continuity of Services 4.3.1 Security requirements in 6.6.3 Security Risk Assessment Practices in contracts with third parties that handle or change sensitive data performed to determine risks such as handling sensitive data and sharing
2.7 Security Relationships outsourcing contracts or systems? proprietary information or intellectual property?
4.2, 4.3, 6.1, 6.3, 8.1, 8.7, 10.5
II. Organizational Security DS5 Ensure Systems Security 4.2.2 Security requirements in third 7 Relationship Process 12 Are business associate agreements or similar contracts required for third party
5.13 Counterparty Trust party contracts 7.3 Supplier Management partners that contain expected levels of security? Are those contracts typically
4.3 Outsourcing 7.3.2 Contract Management included and signed for all partner access to systems?
4.3.1 Security requirements in
III. Asset Classification and PO2.3 Data Classification Scheme 5.2 Information
outsourcing Classification
contracts 6.62 Identifying and Classifying Information 11 Do you know which of the data items in your department need 13 Has a data and/or asset classification scheme been developed and
Control PO4.7 Ownership and Custodianship Assets protected? Do you have a way of identifying this data that is implemented and does it map handling requirements to the classification
PO4.8 Data and System Ownership different than the words and vocabulary you use to identify data levels?
that does not need secured?
III. Asset Classification and PO2.3 Data Classification Scheme 5.2 Information Classification 6.62 Identifying and Classifying Information 12 Do you know which computer systems in your department are 14 Has an asset inventory system been implemented that includes asset criticality
Control Assets used to process or store critical or private data? Are you aware of and/or classification ratings?
any mechanism to document any such systems?
III. Asset Classification and PO4.8 Data and System Ownership 3 Security Policy 6.6 Information Security Management 13 Have you worked with members of the IT department to map out 15 Have information flows and systems moves into and out of systems and
Control 7.2.5 Security of equipment off- 6.6.1 General (See ISO Mapping for information flows into and out of the organization? facilities been identified? Is there a policy that defines this flow of data, systems,
premises additional details) and information?
8.7.2 Security of media in transit
9.8.1 Mobile computing
III. Asset Classification and PO8 Ensure Compliance with External Requirements 3 Security Policy 6.6 Information Security Management 13.1 Have you worked with members of the IT department to map out 15.1 Is there a policy that defines acceptable flow of data, systems, and information
Control 8.4 Privacy, Intellectual Property and Data Flow 7.2.5 Security of equipment off- 6.6.1 General (See ISO Mapping for systems movement (such as mobile devices) into and out of the between third parties?
premises additional details) organization?
III. Asset Classification and PO7 Manage Human Resources 7.2.5 Security of equipment off- 6.6 Information Security Management 14 Do you have the ability to track information, mobile or storage
Control 7.8 Job Change and Termination premises 6.6.1 General (See ISO Mapping for devices in the possession of employees and ensure safe return of
PO4.8 Data and System Ownership 8.7.2 Security of media in transit additional details) those items upon employee termination?
III. Asset Classification and DS9 Manage the Configuration 10.4.1 Control of operational software 9.1 Configuration Management 16 Is there a document or system that contains hardware, software, application, or
Control 9.1 Configuration Recording 10.5.2 Technical review of operating 9.1.4 Configuration Status Accounting and operating system configurations for your department?
9.3 Status Accounting system changes Reporting
9.4 Configuration Control 7.2 Equipment Security
9.8 Software Accountability
IX. Access Control DS5 Ensure Systems Security 9.1 BUSINESS REQUIREMENT FOR 6.6 Information Security Management 15 Do you provide IT with access requirements to information, data, 17 Are there defined procedures for granting access levels to staff and third parties
5.3 Security of Online Access to Data ACCESS CONTROL 6.6.7 Documents and Records d) control over and applications in use by your department? based on there job requirement to access the information?
5.4 User Account Management 9.1 Business Requirement for Access access to information, assets, and systems
Control
IX. Access Control DS5 Ensure Systems Security 9.1.1
9.2 Access
User control
Access policy
Management 6.6 Information Security Management 16 Is a new employee or terminated employee process in place to 18 Have employees been identified that add/remove user accounts and is account
5.4 User Account Management 9.2 User
9.2.1 UserAccess Management
registration 6.6.7 Documents and Records d) control over add or remove employees access to key systems and data? creation/removal logged so that information can be audited or reviewed?
5.5 Management Review of User Accounts 9.6 Application
9.2.4 Review ofAccess Control
user access rights access to information, assets, and systems
5.21 Protection of Electronic Value 9.6.1 Information access restriction
IX. Access Control DS5 Ensure Systems Security 9.2.3 User password management 6.6 Information Security Management 17 Are you aware of requirements for the complexity or length of
5.2 Identification, Authentication and Access 6.6.1 General (See ISO Mapping for your password?
5.4 User Account Management additional details)
5.5 Management Review of User Accounts 6.6.7 Documents and Records
5.6 User Control of User Accounts d) control over access to information,
assets, and systems

Question Question
Number Number
IX. Access Control DS5 Ensure Systems Security 9.2.3 User password management 6.6 Information Security Management 18 Do you change you password often?
5.2 Identification, Authentication and Access 6.6.1 General (See ISO Mapping for
5.4 User Account Management additional details)
assets, and systems
IX. Access Control DS5 Ensure Systems Security 5.2.2 Information labeling and 6.6 Information Security Management 19 Do you ever utilize a password or userID that is shared between
5.2 Identification, Authentication and Access handling 6.6.1 General (See ISO Mapping for multiple employees?
5.4 User Account Management 9.2 User Access Management additional details)
IX. Access Control DS5 Ensure Systems Security 5.2.2 Information labeling and 6.6 Information
assets, Security Management
and systems 20 Use accounts that have system administrator rights only in
5.2 Identification, Authentication and Access handling 6.6.1 General (See ISO Mapping for special situations, such as when installing software or configuring
5.4 User Account Management 9.2 User Access Management additional details) your system?
assets, and systems
V. Physical and Environmental DS12 Manage Facilities 7.1 Secure Areas 6.6 Information Security Management 21 Is access controlled, monitored, and recorded to your work areas 19 Are physical security controls implemented for key IT systems such as the data
Security 12.1 Physical Security 7.2 Equipment Security 6.6.1 General (See ISO Mapping for or facilities? center and has a third party assessed those controls for the level of
additional details) effectiveness?
VI. Equipment Security PO6 Communicate Management Aims and Direction 9.8.1 Mobile computing 6.6 Information Security Management 22 Do employees in your department understand requirements to 20 Has a policy been defined and implemented that outlines security for mobile
6.3 Communication of Organization Policies 6.6.1 General (See ISO Mapping for protect mobile devices that contain sensitive or critical data? devices such as laptops and PDA's, and mobile storage such as flash drives?
6.6 Compliance with Policies, Procedures and additional details)
Standards
6.11 Communication of IT Security Awareness
PO8 Ensure Compliance with External Requirements
8.4 Privacy, Intellectual Property and Data Flow
DS7 Educate and Train Users
VII. General Controls PO9 Assess Risks 4.2.1 Identification of risks from third 6.6.3 Security Risk Assessment Practices 23 Has your department worked with the IT or Information Security 21 Have you worked with departments in the organization to assess risks to critical
9.1 Business Risk Assessment party access 6.6.4 Risks to Information Assets department to identify risks to key systems and data for your data or systems and the resulting impact to the business should those risks be
9.3 Risk Identification 12.3 System Audit Considerations department? realized?
DS5 Ensure Systems Security 12.3.1 System audit controls
5.8 Data Classification
VII. General Controls PO9 Assess Risks 4.2.1 Identification of risks from third 6.6.3 Security Risk Assessment Practices 22 Have high risk areas identified through risk assessment activities been
9.5 Risk Action Plan party access 6.6.4 Risks to Information Assets prioritized and a plan to prioritize the remediation of these risks been
AI1 Identify Automated Solutions 12.3 System Audit Considerations developed?
1.9 Cost-effective Security Controls 12.3.1 System audit controls
VII. General Controls AI1 Identify Automated
7.3 Security Solutions
Principles and Awareness Training No direct mapping (See COBIT 6.6 Information Security Management 23 Does automation of businesses processes through IT systems cause additional
1.1 Definition of Information Requirements mapping for additional details) 6.6.1 General (See COBIT Mapping for risk to the security of information and have you worked to the identify
additional details) automated processes that might contain those risks?
VII. General Controls DS11 Manage Data 8.7.3 Electronic commerce security 9.1.3 Configuration Control 24 Are automated or manual processes in place to ensure the 24 Have integrity controls been implemented in systems that process transactions
11.1 Data Preparation Procedures 10.2 Security in Application Systems 10.1.5 Design, Build and Configure Release accuracy, validity, and non-repudiation of transactions in your to verify accuracy, validity, and non-repudiation?
11.2 Source Document Authorization Procedures 10.3 Cryptographic Controls b) ensure the integrity is maintained during department?
11.3 Source Document Data Collection build, installation, packaging, and delivery
11.4 Source Document Error Handling
11.7 Accuracy, Completeness and Authorization Checks
11.8 Data Input Error Handling
11.9 Data Processing Integrity
11.10 Data Processing Validation and Editing
11.11 Data Processing Error Handling
11.14 Output Balancing and Reconciliation
11.15 Output Review and Error Handling
11.27 Protection of Sensitive Messages
11.29 Electronic Transaction Integrity
VII. General Controls M1 Monitor the Processes 12.2 Reviews of Security Policy and 6.6 Information Security Management 25 Is regular security assessment and testing performed that includes things such
1.1 Collecting Monitoring Data Technical Compliance 6.6.1 General (See ISO Mapping for as penetration testing, vulnerability scanning, policy and configuration review?
1.3 Assessing Customer Satisfaction 6.6.3 Security Risk Assessment Practices

Question Question
Number Number
VII. General Controls M3 Obtain Independent Assurance No relevant mapping 6.6 Information Security Management 26 Does your organization provision the services of a trusted advisor to assess
3.3 Independent Effectiveness Evaluation of IT Services 6.6.1 General (See ISO Mapping for information security controls and provide guidance for areas of weakness or
3.4 Independent Effectiveness Evaluation of Third-party additional details) vulnerability?
Service Providers 6.6.6 Controls
3.5 Independent Assurance of Compliance with Laws f) Expert help on risk assessment and control
and Regulatory Requirements and Contractual implementation
Commitments
3.6 Independent Assurance of Compliance with Laws
and Regulatory Requirements by Third-party Service
Providers
3.7 Competence of Independent Assurance Function
VII. General Controls 11.18 Protection of Disposed Sensitive Information 5.2.2 Information labeling and 6.6 Information Security Management 25 Does your organization have a secure disposal process for 27
handling 6.6.1 General (See ISO Mapping for dispose of paper copy documents containing sensitive
additional details) information?
VII. General Controls 11.18 Protection of Disposed Sensitive Information 5.2.2 Information labeling and 6.6 Information Security Management 26 Have you ever had to disclose a loss or leak of sensitive 28
handling 6.6.1 General (See ISO Mapping for information to a student?
additional details)
6.6.5 Security and Availability of Information
a) disclosure of sensitive information to
unauthorized parties
6.6.6 Controls
f) Expert help on risk assessment and
control implementation
VII. General Controls 11.26 Archiving, 11.27 Protection of Sensitive Messages 8.7.4 Security of electronic mail 6.6 Information Security Management 27 Do you know how long your email is retained?
6.6.1 General (See ISO Mapping for
additional details)
VII. General Controls 11.26 Archiving, 11.27 Protection of Sensitive Messages 8.7.4 Security of electronic mail 6.6 Information Security Management 28 Do you archive email and if so, where do you store the archive?
6.6.1 General (See ISO Mapping for
additional details)
VIII. Communications & PO9 Assess Risks 10 Systems Development and 6.6 Information Security Management 29 If you answered yes to question 17, do you prioritize patches and perform
Operations Management AI3-3.6 Acquire and Maintain Technology Infrastructure Maintenance 6.6.1 General (See ISO Mapping for testing to determine suitability to be implemented on production systems?
PO11 Manage Quality 8.1.5 Separation of development and additional details)
operational facilities
VIII. Communications & AI4 Develop and Maintain Procedures 6.2 User Training 3.3 Competence, Awareness, and Training 29 Are information security related procedures integrated into work 30 Are specific work procedures either documented or provided verbally? If so, is
Operations Management 4.2 User Procedures Manual 3.3.1 General procedures and are employees in your department provided any security integrated into the procedures?
4.3 Operations Manual 3.3.2 Professional Development security awareness training?
4.4 Training Materials
7.1 Identification of Training Needs
VIII. Communications & DS5 Ensure Systems Security 8.3 Protection against Malicious 6.6 Information Security Management 30 Do your systems all have antivirus and antispyware software and 31 Do all systems in your department have current anti-virus software installed and
Operations Management 5.19 Malicious Software Prevention, Detection and Software 6.6.1 General (See ISO Mapping for do employees ever disable or remove the software? are definition files updated on a regular basis (preferably every day)?
Correction additional details)
VIII. Communications & DS5 Ensure Systems Security 8.3 Protection against Malicious 6.6 Information Security Management 30.1 If you answered yes to question 30, do employees ever disable or 31.1 If you answered yes to question 32, are definition files updated on a regular
Operations Management 5.19 Malicious Software Prevention, Detection and Software 6.6.1 General (See ISO Mapping for remove the software? basis (preferably every day)?
Correction additional details)
X. Systems Development and AI3 Acquire and Maintain Technology Infrastructure 10.1 Security Requirements of 7.3 Supplier Management 32 Is security an integrated component of the evaluation and selection of
Maintenance 3.1 Assessment of New Hardware and Software Systems Information Technology solutions?
DS8 Assist and Advise Customers 10.1.1 Security requirements analysis
PO11 Manage Quality and specification
11.9 Acquisition and Maintenance Framework for the
Technology Infrastructure
X. Systems Development and PO9 Assess Risks 8.1.2 Operational change control 6.6.3 Security Risk Assessment Practices 33 Is a risk review performed prior to the implementation of new infrastructure
Maintenance 9.1 Business Risk Assessment 10.5.1 Change control procedures (routers, switches, servers, firewalls, etc)?
9.3 Risk Identification 10.1 Security Requirements of
AI3-3.6 Acquire and Maintain Technology Infrastructure Systems
11.9 Acquisition and Maintenance Framework for the 10.1.1 Security requirements analysis
Technology Infrastructure and specification
12.3.1 System audit controls
X. Systems Development and PO9 Assess Risks 10 Systems Development and 6.6 Information Security Management 34 Is there a defined process for monitoring vendors for software patches or
Maintenance AI3-3.6 Acquire and Maintain Technology Infrastructure Maintenance 6.6.1 General (See ISO Mapping for vulnerabilities that impact the infrastructure systems in production?
PO11 Manage Quality additional details)

Question Question
Number Number
X. Systems Development and AI5 Install and Accredit Systems 8.2 System Planning and Acceptance 10 Release Process 35 Are changes to existing systems or new implementations performed in a test
Maintenance 5.7 Testing of Changes 8.1.5 Separation 10.1.2 Release Policy c) authority of release environment separate from production systems?
5.11 Operational Test of development and operational into acceptance test and production
5.12 Promotion to Production facilities environments
X. Systems Development and AI5 Install and Accredit Systems 8.2.2 System acceptance 10 Release Process 32 Does you department review and accept new technology system 36 Is acceptance testing a part of the pre-production testing process and does
Maintenance 5.9 Final Acceptance Test 10.1.2 Release Policy g) verification and functionality and is information security a component of the acceptance include both key IT and Business personnel?
5.13 Evaluation of Meeting User Requirements acceptance of release review and acceptance process?
5.14 Management’s Post-implementation Review
X. Systems Development and AI5 Install and Accredit Systems 8.1.2 Operational change control 10 Release Process 33 Do you review or test any changes to your systems and 37 Is a formal or informal change management function practiced for changes to
Maintenance 5.7 Testing of Changes 10.5 Security in Development and 10.1.2 Release Policy c) authority of release applications prior to the IT department implementing those systems? Does it include changes to configuration including patching and
AI6 Manage Changes Support Processes into acceptance test and production changes? functionality.
6.4 Emergency Changes 10.5.1 Change control procedures environments g) verification and acceptance
10.5.2 Technical review of operating of release
system changes 9.2 Change Management
10.5.3 Restrictions on changes to
software packages
X. Systems Development and AI5 Install and Accredit Systems 8.1.2 Operational change control 9.2 Change Management 38 Is there a log or document that outlines all changes including who reviewed the
Maintenance 5.7 Testing of Changes 10.5 Security in Development and 9.2.4 Change management reporting, changes, testing performed, back out plans, acceptance/denial, and who
AI6 Manage Changes Support Processes analysis, and actions performed the changes?
6.4 Emergency Changes 10.5.1 Change control procedures
10.5.2 Technical review of operating
system changes
10.5.3 Restrictions on changes to
software packages
XI. Business Continuity DS4 Ensure Continuous Service 11 Business Continuity Management 6.3 Service Continuity and Availability 34 Has your department worked with the IT or Information Security 39 Has a business impact analysis been performed with regard to identifying
4.2 IT Continuity Plan Strategy and Philosophy 11.1.2 Business continuity and impact Management department to identify the core systems, applications, and critical or sensitive information?
4.4 Minimizing IT Continuity Requirements analysis 6.3.4 Service Continuity Planning and Testing information in order to determine the impact to the department in
4.10 Critical IT Resources the event of un-availability, loss, theft, or disclosure?
DS10 Manage Problems and Incidents
10.1 Problem Management System
10.2 Problem Escalation
DS12 Manage Facilities
12.6 Uninterruptible Power Supply
XI. Business Continuity DS4 Ensure Continuous Service 11 Business Continuity Management 6.3 Service Continuity and Availability 40 If you answered yes to question 26, have provisions been made to ensure
4.2 IT Continuity Plan Strategy and Philosophy 11.1.3 Writing and implementing Management critical information is available for mission critical business processes in the
4.4 Minimizing IT Continuity Requirements continuity plans 6.3.4 Service Continuity Planning and Testing event of a security incident?
4.10 Critical IT Resources 11.1.4 Business continuity planning
DS10 Manage Problems and Incidents framework
XI. Business Continuity DS4 Ensure Continuous Service 11 Business Continuity Management 6.3 Service Continuity and Availability 35 Does your department have requirements for timeframes to 41 Does your department have the ability to identify and resolve such incidents in a
4.3 IT Continuity Plan Contents 11.1.3 Writing and implementing Management recover each of the core systems, applications, or information timeframe consistent with business operational requirements?
4.9 User Department Alternative Processing Backup continuity plans 6.3.3 Service Continuity Strategy a) maximum that affect the departments operations?
Procedures acceptable period of lost service
XI. Business Continuity DS4 Ensure Continuous Service 11.1 Aspects of Business Continuity 6.3 Service Continuity and Availability 36 Are you aware of procedures or contact listings in the event of a 42 Has your department developed business continuity or disaster recovery plans
4.2 IT Continuity Plan Strategy and Philosophy Management Management disaster involving your facility and IT systems? that include maintaining or restoring basic IT resources during a disaster or
4.10 Critical IT Resources 11.1.3 Writing and implementing 6.3.4 Service Continuity Planning and Testing outage?
DS10 Manage Problems and Incidents continuity plans
XI. Business Continuity DS4 Ensure Continuous Service 11.1 Aspects of Business Continuity 6.3 Service Continuity and Availability 37 Has your department been involved with any testing of disaster 43 Are these plans tested on a recurring basis and updated as required depending
4.3 IT Continuity Plan Contents Management Management plans? on the outcome of tests?
4.9 User Department Alternative Processing Backup 11.1.5 Testing, maintaining and re- 6.3.4 Service Continuity Planning and Testing
Procedures assessing business continuity plans
XI. Business Continuity DS4 Ensure Continuous Service 8.4 Housekeeping 6.3 Service Continuity and Availability 38 Do employees in your department have access to store files on 44 Has the IT staff collaborated with key business users to make sure that
4.6 Testing the IT Continuity Plan 8.4.1 Information back-up Management network folders that are backed up on a daily basis? If so, have business critical information is backed up and available offsite? If so, have
4.12 Offsite Backup Storage 11.1 Aspects of Business Continuity 6.3.4 Service Continuity Planning and Testing you been able to successfully restore data when required? restore operations been tested successfully?
DS11 Manage Data Management
11.23 Backup and Restoration
11.24 Backup Jobs
11.25 Backup Storage

Question Question
Number Number
XII. Compliance PO8 Ensure Compliance with External Requirements 12.1 Compliance With Legal 6.6.5 Security and Availability of Information 39 Are any regulatory requirements relevant to information your 45 Does an employee responsible for information security review requirements for
8.1 External Requirements Review Requirements department creates or stores? Examples of potential legal or regulatory compliance and legal obligations and collaborate with executive
8.2 Practices and Procedures for Complying with regulatory requirements are; PCI Compliance (Visa, MasterCard), leadership and legal counsel to determine which issues are relevant to the
External Requirements HIPAA (Healthcare), GLB (Insurance, Financial), software organization? Examples include PCI Compliance (Visa, MasterCard), HIPAA (Healthcare), GLB
8.3 Safety and Ergonomic Compliance licensing, intellectual property rights, contractual obligations, etc. (Insurance, Financial), software licensing, intellectual property rights, contractual obligations, etc.
8.5 Electronic Commerce
8.6 Compliance With Insurance Contracts
XII. Compliance DS5 Ensure Systems Security 12.1 Compliance with Legal 6.6.6 Controls c) See ISO 27001 mapping for 40 Does your department have the ability to monitor employee 46 Have you deployed processes and/or automated alerts so that policy violations
5.7 Security Surveillance Requirements additional detail behavior with regard to compliance to organizational policies and intrusive behavior can be identified? This includes things such as account
5.11 Incident Handling 12.3 System Audit Considerations and/or identify illegal activities? lockout alerts, intrusion detections systems, virus alerting, intellectual property
9.7 Monitoring System Access and violations, etc.
Use
12.2.1 Compliance with security policy
12.2.2 Technical compliance checking
6.3 Responding to Security Incidents
and Malfunctions
XII. Compliance DS9 Manage the Configuration 5.1.1 Inventory of assets 9.1 Configuration Management 47 Is there a software licensing inventory that provides the ability to effectively
9.5 Unauthorized Software 12.1 Compliance with Legal 9.1.2 Configuration Identification e) licenses review and manage for license compliance and is there an ongoing process to
9.8 Software Accountability Requirements 9.1.4 Configuration Status Accounting and review licenses?
12.1.2 Intellectual property rights Reporting
XII. Compliance DS11 Manage Data 8.6 Media Handling and Security 6.6 Information Security Management 41 Are you aware of legal or organization policy or requirements to 48 Is there a policy and/or standard that defines data retention requirements?
11.5 Source Document Retention 12 Compliance 6.6.1 General (See ISO Mapping for retain data? (note: Examples could include financial, health, or
11.19 Storage Management 12.1.3 Safeguarding of organizational additional details) transaction history / information)
11.20 Retention Periods and Storage Terms records
11.26 Archiving 12.1.4 Data protection and privacy of
personal information

Current Maturity Rating
(Please read FAQ for definitions)
0 - Non Existent
Answer Describe Existing Key Security
Describe Key Weaknesses Describe any Current Projects 1 - Initial / Ad-Hoc
Yes/No/Somewhat/ Controls Supporting This Primary Security Domain
Relative to This Question Relative to This Question 2 - Repeatable but Intuitive
Not Applicable Question
3 - Defined Process
4 - Managed and Measurable
5 - Optimized I. Security Policy
Not
Applicable 1
I. Security Policy
I. Security Policy
I. Security Policy
I. Security Policy
I. Security Policy
I. Security Policy
I. Security Policy
II. Organizational Security

0 - Non Existent
3 - Defined Process
5 - Optimized II. Organizational Security
III. Asset Classification and

Control

Control

Control

Control

Control

Control
IX. Access Control
IX. Access Control
IX. Access Control

0 - Non Existent
3 - Defined Process
5 - Optimized IX. Access Control
IX. Access Control
IX. Access Control
V. Physical and Environmental

Security
VI. Equipment Security
VII. General Controls

0 - Non Existent
3 - Defined Process
5 - Optimized VII. General Controls
VIII. Communications &

Operations Management



X. Systems Development and

Maintenance

Maintenance

Maintenance

0 - Non Existent
3 - Defined Process
5 - Optimized X. Systems Development and
Maintenance

Maintenance

Maintenance

Maintenance
XI. Business Continuity

0 - Non Existent
3 - Defined Process
5 - Optimized XII. Compliance
XII. Compliance
XII. Compliance
XII. Compliance

Security Control Maturity Rating
Information Security Domains
0 - Non Existent 1 - Initial / Ad-Hoc 2 - Repeatable but Intuitive 3 - Defined Process 4 - Managed and Measurable 5 - Optimized
I. Security Policy
III. Asset Classification and Control
IV. Personnel Security
V. Physical and Environmental Security
VI. Equipment Security
VIII. Communications & Operations Management
IX. Access Control
X. Systems Development and Maintenance
XII. Compliance
0 - Non-existent Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes;
1 - Initial instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or
communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and,
2 - Repeatable therefore, errors are likely.
Procedures have been standardized and documented, and communicated through training. It is, however, left to the individual to follow these processes,
3 - Defined and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are
4 - Managed under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is
5 - Optimized used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt
.
PO1 Define a Strategic IT Plan
1.1 IT as Part of the Organization’s Long and Short Range Plan
1.2 IT Long-range Plan
1.3 IT Long-range Planning—Approach and Structure
1.4 IT Long-range Plan Changes
1.5 Short-range Planning for the IT Function
1.6 Communication of IT Plans
1.7 Monitoring and Evaluating of IT Plans
1.8 Assessment of Existing Systems
PO2 Define the Information Architecture
2.1 Information Architecture Model
2.2 Corporate Data Dictionary and Data Syntax Rules
2.3 Data Classification Scheme
2.4 Security Levels
PO3 Determine Technological Direction
3.1 Technological Infrastructure Planning
3.2 Monitor Future Trends and Regulations
3.3 Technological Infrastructure Contingency
3.4 Hardware and Software Acquisition Plan
3.5 Technology Standards
PO4 Define the IT Organization and Relationships
4.1 IT Planning or Steering Committee
4.2 Organizational Placement of the IT Function
4.3 Review of Organizational Achievements
4.4 Roles and Responsibilities
4.5 Responsibility for Quality Assurance
4.6 Responsibility for Logical and Physical Security
4.7 Ownership and Custodianship
4.8 Data and System Ownership
4.9 Supervision
4.10 Segregation of Duties
4.11 IT Staffing
4.12 Job or Position Descriptions for IT Staff
4.13 Key IT Personnel
4.14 Contracted Staff Policies and Procedures
4.15 Relationships
PO5 Manage the IT Investment
5.1 Annual IT Operating Budget
5.2 Cost and Benefit Monitoring
5.3 Cost and Benefit Justification
PO6 Communicate Management Aims and Direction
6.1 Positive Information Control Environment
6.2 Management’s Responsibility for Policies
6.3 Communication of Organization Policies
6.4 Policy Implementation Resources
6.5 Maintenance of Policies
6.6 Compliance with Policies, Procedures and Standards
6.7 Quality Commitment
6.8 Security and Internal Control Framework Policy
6.9 Intellectual Property Rights
6.10 Issue-specific Policies
6.11 Communication of IT Security Awareness
PO7 Manage Human Resources
7.1 Personnel Recruitment and Promotion
7.3 Roles and Responsibilities
7.4 Personnel Training
7.7 Employee Job Performance Evaluation
7.8 Job Change and Termination
PO8 Ensure Compliance with External Requirements
8.1 External Requirements Review
8.2 Practices and Procedures for Complying with External Requirements
8.3 Safety and Ergonomic Compliance
8.5 Electronic Commerce
8.6 Compliance With Insurance Contracts
PO9 Assess Risks
9.1 Business Risk Assessment
9.2 Risk Assessment Approach
9.3 Risk Identification
9.4 Risk Measurement
9.5 Risk Action Plan
9.6 Risk Acceptance
9.7 Safeguard Selection
9.8 Risk Assessment Commitment
PO10 Manage Projects
10.1 Project Management Framework
10.3 Project Team Membership and Responsibilities
10.4 Project Definition
10.5 Project Approval
10.6 Project Phase Approval
10.7 Project Master Plan
10.8 System Quality Assurance Plan
10.9 Planning of Assurance Methods
10.10 Formal Project Risk Management
10.11 Test Plan
10.12 Training Plan
10.13 Post-implementation Review Plan
PO11 Manage Quality
11.1 General Quality Plan
11.2 Quality Assurance Approach
11.3 Quality Assurance Planning
11.4 Quality Assurance Review of Adherence to IT Standards and Procedures
11.5 System Development Life Cycle Methodology
11.6 System Development Life Cycle Methodology for Major Changes to Existing Technology
11.7 Updating of the System Development Life Cycle Methodology
11.8 Coordination and Communication
11.9 Acquisition and Maintenance Framework for the Technology Infrastructure
11.10 Third-party Implementer Relationships
11.11 Program Documentation Standards
11.12 Program Testing Standards
11.13 System Testing Standards
11.14 Parallel/Pilot Testing
11.15 System Testing Documentation
11.16 Quality Assurance Evaluation of Adherence to Development Standards
11.17 Quality Assurance Review of the Achievement of IT Objectives
11.18 Quality Metrics
11.19 Reports of Quality Assurance Reviews
AI1 Identify Automated Solutions
1.1 Definition of Information Requirements
1.2 Formulation of Alternative Courses of Action
1.3 Formulation of Acquisition Strategy
1.4 Third-party Service Requirements
1.5 Technological Feasibility Study
1.6 Economic Feasibility Study
1.7 Information Architecture
1.8 Risk Analysis Report
1.9 Cost-effective Security Controls
1.10 Audit Trails Design
1.11 Ergonomics
1.12 Selection of System Software
1.13 Procurement Control
1.14 Software Product Acquisition
1.15 Third-party Software Maintenance
1.16 Contract Application Programming
1.17 Acceptance of Facilities
1.18 Acceptance of Technology
AI2 Acquire and Maintain Application Software
2.1 Design Methods
2.2 Major Changes to Existing Systems
2.3 Design Approval
2.4 File Requirements Definition and Documentation
2.5 Program Specifications
2.6 Source Data Collection Design
2.7 Input Requirements Definition and Documentation
2.8 Definition of Interfaces
2.9 User-machine Interface
2.10 Processing Requirements Definition and Documentation
2.11 Output Requirements Definition and Documentation
2.12 Controllability
2.13 Availability as a Key Design Factor
2.14 IT Integrity Provisions in Application Program Software
2.15 Application Software Testing
2.16 User Reference and Support Materials
2.17 Reassessment of System Design
AI3 Acquire and Maintain Technology Infrastructure
3.1 Assessment of New Hardware and Software
3.2 Preventive Maintenance for Hardware
3.3 System Software Security
3.4 System Software Installation
3.5 System Software Maintenance
3.6 System Software Change Controls
3.7 Use and Monitoring of System Utilities
AI4 Develop and Maintain Procedures
4.1 Operational Requirements and Service Levels
4.2 User Procedures Manual
4.3 Operations Manual
4.4 Training Materials
AI5 Install and Accredit Systems
5.1 Training
5.2 Application Software Performance Sizing
5.3 Implementation Plan
5.4 System Conversion
5.5 Data Conversion
5.6 Testing Strategies and Plans
5.7 Testing of Changes
5.8 Parallel/Pilot Testing Criteria and Performance
5.9 Final Acceptance Test
5.10 Security Testing and Accreditation
5.11 Operational Test
5.12 Promotion to Production
5.13 Evaluation of Meeting User Requirements
5.14 Management’s Post-implementation Review
AI6 Manage Changes
6.1 Change Request Initiation and Control
6.2 Impact Assessment
6.3 Control of Changes
6.4 Emergency Changes
6.5 Documentation and Procedures
6.6 Authorized Maintenance
6.7 Software Release Policy
6.8 Distribution of Software
DS1 Define and Manage Service Levels
1.1 Service Level Agreement Framework
1.2 Aspects of Service Level Agreements
1.3 Performance Procedures
1.4 Monitoring and Reporting
1.5 Review of Service Level Agreements and Contracts
1.6 Chargeable Items
1.7 Service Improvement Program
DS2 Manage Third-party Services
2.1 Supplier Interfaces
2.2 Owner Relationships
2.3 Third-party Contracts
2.4 Third-party Qualifications
2.5 Outsourcing Contracts
2.6 Continuity of Services
2.7 Security Relationships
2.8 Monitoring
DS3 Manage Performance Capacity
3.1 Availability and Performance Requirements
3.2 Availability Plan
3.3 Monitoring and Reporting
3.4 Modeling Tools
3.5 Proactive Performance Management
3.6 Workload Forecasting
3.7 Capacity Management of Resources
3.8 Resources Availability
3.9 Resources Schedule
DS4 Ensure Continuous Service
4.1 IT Continuity Framework
4.2 IT Continuity Plan Strategy and Philosophy
4.3 IT Continuity Plan Contents
4.4 Minimizing IT Continuity Requirements
4.5 Maintaining the IT Continuity Plan
4.6 Testing the IT Continuity Plan
4.7 IT Continuity Plan Training
4.8 IT Continuity Plan Distribution
4.9 User Department Alternative Processing Backup Procedures
4.10 Critical IT Resources
4.11 Backup Site and Hardware
4.12 Offsite Backup Storage
4.13 Wrap-up Procedures
DS5 Ensure Systems Security
5.1 Manage Security Measures
5.2 Identification, Authentication and Access
5.3 Security of Online Access to Data
5.4 User Account Management
5.5 Management Review of User Accounts
5.6 User Control of User Accounts
5.7 Security Surveillance
5.8 Data Classification
5.9 Central Identification and Access Rights
5.10 Management Violation and Security Activity Reports
5.11 Incident Handling
5.12 Reaccreditation
5.13 Counterparty Trust
5.14 Transaction Authorization
5.15 Nonrepudiation
5.16 Trusted Path
5.17 Protection of Security Functions
5.18 Cryptographic Key Management
5.19 Malicious Software Prevention, Detection and Correction
5.20 Firewall Architectures and Connections with Public Networks
5.21 Protection of Electronic Value
DS6 Identify and Allocate Costs
6.1 Chargeable Items
6.2 Costing Procedures
6.3 User Billing and Chargeback Procedures
7.1 Identification of Training Needs
7.2 Training Organization
7.3 Security Principles and Awareness Training
DS8 Assist and Advise Customers
8.1 Help Desk
8.2 Registration of Customer Queries
8.3 Customer Query Escalation
8.4 Monitoring of Clearance
8.5 Trend Analysis and Reporting
DS9 Manage the Configuration
9.1 Configuration Recording
9.2 Configuration Baseline
9.3 Status Accounting
9.4 Configuration Control
9.5 Unauthorized Software
9.6 Software Storage
9.7 Configuration Management Procedures
9.8 Software Accountability
DS10 Manage Problems and Incidents
10.3 Problem Tracking and Audit Trail
10.4 Emergency and Temporary Access Authorization
10.5 Emergency Processing Priorities
DS11 Manage Data
11.1 Data Preparation Procedures
11.2 Source Document Authorization Procedures
11.3 Source Document Data Collection
11.4 Source Document Error Handling
11.5 Source Document Retention
11.6 Data Input Authorization Procedures
11.7 Accuracy, Completeness and Authorization Checks
11.8 Data Input Error Handling
11.9 Data Processing Integrity
11.10 Data Processing Validation and Editing
11.11 Data Processing Error Handling
11.12 Output Handling and Retention
11.13 Output Distribution
11.14 Output Balancing and Reconciliation
11.15 Output Review and Error Handling
11.16 Security Provision for Output Reports
11.17 Protection of Sensitive Information During Transmission and Transport
11.18 Protection of Disposed Sensitive Information
11.19 Storage Management
11.20 Retention Periods and Storage Terms
11.21 Media Library Management System
11.22 Media Library Management Responsibilities
11.23 Backup and Restoration
11.24 Backup Jobs
11.25 Backup Storage
11.26 Archiving
11.27 Protection of Sensitive Messages
11.28 Authentication and Integrity
11.29 Electronic Transaction Integrity
11.30 Continued Integrity of Stored Data
12.1 Physical Security
12.2 Low Profile of the IT Site
12.3 Visitor Escort
12.4 Personnel Health and Safety
12.5 Protection Against Environmental Factors
DS13 Manage Operations
13.1 Processing Operations Procedures and Instructions Manual
13.2 Start-up Process and Other Operations Documentation
13.3 Job Scheduling
13.4 Departures from Standard Job Schedules
13.5 Processing Continuity
13.6 Operations Logs
13.7 Safeguard Special Forms and Output Devices
13.8 Remote Operations
M1 Monitor the Processes
1.1 Collecting Monitoring Data
1.2 Assessing Performance
1.3 Assessing Customer Satisfaction
2.2 Timely Operation of Internal Controls
2.3 Internal Control Level Reporting
2.4 Operational Security and Internal Control Assurance
M3 Obtain Independent Assurance
3.1 Independent Security and Internal Control Certification/Accreditation of IT Services
3.2 Independent Security and Internal Control Certification/Accreditation of Third-party Service Providers
3.3 Independent Effectiveness Evaluation of IT Services
3.4 Independent Effectiveness Evaluation of Third-party Service Providers
3.5 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments
3.6 Independent Assurance of Compliance with Laws and Regulatory Requirements by Third-party Service Providers
3.7 Competence of Independent Assurance Function
3.8 Proactive Audit Involvement
M4 Provide for Independent Audit
4.1 Audit Charter
4.2 Independence
4.3 Professional Ethics and Standards
4.4 Competence
4.5 Planning
4.6 Performance of Audit Work
4.7 Reporting
4.8 Follow-up Activities
3 SECURITY POLICY
3.1 INFORMATION SECURITY POLICY
3.1.1 Information security policy document
3.1.2 Review and evaluation
4 ORGANIZATIONAL SECURITY
4.1 INFORMATION SECURITY INFRASTRUCTURE
4.1.1 Management information security forum
4.1.2 Information security co-ordination
4.1.3 Allocation of information security responsibilities
4.1.4 Authorization process for information processing facilities
4.1.5 Specialist information security advice
4.1.6 Co-operation between organizations
4.1.7 Independent review of information security
4.2 SECURITY OF THIRD PARTY ACCESS
4.2.1 Identification of risks from third party access
4.2.2 Security requirements in third party contracts
4.3 OUTSOURCING
4.3.1 Security requirements in outsourcing contracts
5 ASSET CLASSIFICATION AND CONTROL
5.1 ACCOUNTABILITY FOR ASSETS
5.1.1 Inventory of assets
5.2 INFORMATION CLASSIFICATION
5.2.1 Classification guidelines
5.2.2 Information labelling and handling
6 PERSONNEL SECURITY
6.1 SECURITY IN JOB DEFINITION AND RESOURCING
6.1.1 Including security in job responsibilities
6.1.2 Personnel screening and policy
6.1.3 Confidentiality agreements
6.1.4 Terms and conditions of employment
6.2 USER TRAINING
6.2.1 Information security education and training
6.3 RESPONDING TO SECURITY INCIDENTS AND MALFUNCTIONS
6.3.1 Reporting security incidents
6.3.2 Reporting security weaknesses
6.3.3 Reporting software malfunctions
6.3.4 Learning from incidents
6.3.5 Disciplinary process
7 PHYSICAL AND ENVIRONMENTAL SECURITY
7.1 SECURE AREAS
7.1.1 Physical security perimeter
7.1.2 Physical entry controls
7.1.3 Securing offices, rooms and facilities
7.1.4 Working in secure areas
7.1.5 Isolated delivery and loading areas
7.2 EQUIPMENT SECURITY
7.2.1 Equipment siting and protection
7.2.2 Power supplies
7.2.3 Cabling security
7.2.4 Equipment maintenance
7.2.5 Security of equipment off-premises
7.2.6 Secure disposal or re-use of equipment
7.3 GENERAL CONTROLS
7.3.1 Clear desk and clear screen policy
7.3.2 Removal of property
8 COMMUNICATIONS AND OPERATIONS MANAGEMENT
8.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES
8.1.1 Documented operating procedures
8.1.2 Operational change control
8.1.3 Incident management procedures
8.1.4 Segregation of duties
8.1.5 Separation of development and operational facilities
8.1.6 External facilities management
8.2 SYSTEM PLANNING AND ACCEPTANCE
8.2.1 Capacity planning
8.2.2 System acceptance
8.3 PROTECTION AGAINST MALICIOUS SOFTWARE
8.3.1 Controls against malicious software
8.4 HOUSEKEEPING
8.4.1 Information back-up
8.4.2 Operator logs
8.4.3 Fault logging
8.5 NETWORK MANAGEMENT
8.5.1 Network controls
8.6 MEDIA HANDLING AND SECURITY
8.6.1 Management of removable computer media
8.6.2 Disposal of media
8.6.3 Information handling procedures
8.6.4 Security of system documentation
8.7 EXCHANGES OF INFORMAT ION AND SOFTWARE
8.7.1 Information and software exchange agreements
8.7.3 Electronic commerce security
8.7.4 Security of electronic mail
8.7.5 Security of electronic office systems
8.7.6 Publicly available systems
8.7.7 Other forms of information exchange
9 ACCESS CONTROL
9.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL
9.1.1 Access control policy
9.2 USER ACCESS MANAGEMENT
9.2.1 User registration
9.2.2 Privilege management
9.2.3 User password management
9.2.4 Review of user access rights
9.3 USER RESPONSIBILITIES
9.3.1 Password use
9.3.2 Unattended user equipment
9.4 NETWORK ACCESS CONTROL
9.4.1 Policy on use of network services
9.4.2 Enforced path
9.4.3 User authentication for external connections
9.4.4 Node authentication
9.4.5 Remote diagnostic port protection
9.4.6 Segregation in networks
9.4.7 Network connection control
9.4.8 Network routing control
9.4.9 Security of network services
9.5 OPERATING SYSTEM ACCE SS CONTROL
9.5.1 Automatic terminal identification
9.5.2 Terminal log-on procedures
9.5.3 User identification and authentication
9.5.4 Password management system
9.5.5 Use of system utilities
9.5.6 Duress alarm to safeguard users
9.5.7 Terminal time-out
9.5.8 Limitation of connection time
9.6 APPLICATION ACCESS CONTROL
9.6.1 Information access restriction
9.6.2 Sensitive system isolation
9.7 MONITORING SYSTEM ACCESS AND USE
9.7.1 Event logging
9.7.2 Monitoring system use
9.7.3 Clock synchronization
9.8 MOBILE COMPUTING AND TELEWORKING
9.8.2 Teleworking
10 SYSTEMS DEVELOPMENT AND MAINTENANCE
10.1 SECURITY REQUIREMENTS OF SYSTEMS
10.1.1 Security requirements analysis and specification
10.2 SECURITY IN APPLICATION SYSTEMS
10.2.1 Input data validation
10.2.2 Control of internal processing
10.2.3 Message authentication
10.2.4 Output data validation
10.3 CRYPTOGRAPHIC CONTROLS
10.3.1 Policy on the use of cryptographic controls
10.3.2 Encryption
10.3.3 Digital signatures
10.3.4 Non-repudiation services
10.3.5 Key management
10.4 SECURITY OF SYSTEM FILES
10.4.1 Control of operational software
10.4.2 Protection of system test data
10.4.3 Access control to program source library
10.5 SECURITY IN DEVELOPMENT AND SUPPORT PROCE SSES
10.5.1 Change control procedures
10.5.2 Technical review of operating system changes
10.5.3 Restrictions on changes to software packages
10.5.4 Covert channels and Trojan code
10.5.5 Outsourced software development
11 BUSINESS CONTINUITY MANAGEMENT
11.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
11.1.1 Business continuity management process
11.1.2 Business continuity and impact analysis
11.1.3 Writing and implementing continuity plans
11.1.4 Business continuity planning framework
11.1.5 Testing, maintaining and re-assessing business continuity plans
12 COMPLIANCE
12.1 COMPLIANCE WITH LEGAL REQUIREMENTS
12.1.1 Identification of applicable legislation
12.1.2 Intellectual property rights (IPR)
12.1.3 Safeguarding of organizational records
12.1.4 Data protection and privacy of personal information
12.1.5 Prevention of misuse of information processing facilities
12.1.6 Regulation of cryptographic controls
12.1.7 Collection of evidence
12.2 REVIEWS OF SECURITY P OLICY AND TECHNICAL COMPLIANCE
12.2.1 Compliance with security policy
12.2.2 Technical compliance checking
12.3 SYSTEM AUDIT CONSIDERATIONS
12.3.1 System audit controls
12.3.2 Protection of system audit tools
3 The management system
3.1 Management and Responsibility
3.2 Documentation requirements
3.3 Competence, awareness and training
3.3.1 General
3.3.2 Professional development
3.3.3 Approaches to be considered
4 Planning and implementing service management
4.1 Plan service management (Plan)
4.1.1 Scope of service Management
4.1.2 Planning approaches
4.1.3 Events to be considered
4.1.4 Scope and contents of the plan
4.2 Implement service management and provide the services
4.3 Monitoring, measuring and reviewing (Check)
4.4 COntinual improvement (Act)
4.4.1 Policy
4.4.2 Planning for service improvements
5 Planning and implementing new or changed services
5.1 Topics for consideration
5.2 Change records
6 Service delivery process
6.1 Service level management
6.1.1 Service catalogue
6.1.2 Service level agreements (SLAs)
6.1.3 Service level management (SLM) process
6.1.4 Supporting service agreements
6.2 Service reporting
6.2.1 Policy
6.2.2 Purpose and quality checks on service reports
6.2.3 Service reports
6.3 Service continuity and availability management
6.3.1 General
6.3.2 Availability monitoring and activities
6.3.3 Service continuity strategy
6.3.4 Service continuity planning and testing
6.4 Budgeting and accounting for IT services
6.4.1 General
6.4.2 Policy
6.4.3 Budgeting
6.4.4 Accounting
6.5 Capacity management
6.6 Information security management
6.6.1 General
6.6.2 Identifying and classifying information assets
6.6.3 Seruciry risk assessment practices
6.6.4 Risks to information assets
6.6.5 Security and availability of information
6.6.6 Controls
6.6.7 Documents and records
7 Relationship processes
7.1 General
7.2 Business relationship management
7.2.1 Service reviews
7.2.2 Service complaints
7.2.3 Customer satisfaction measurement
7.3 Supplier management
7.3.1 Introduction
7.3.2 Contract management
7.3.3 Service definition
7.3.4 Manageing multiple suppliers
7.3.5 Contractual disputes management
7.3.6 Contract end
8 Resolution processes
8.1 Background
8.1.1 Setting priorities
8.1.2 Workarounds
8.2 Incident management
8.2.1 General
8.2.2 Major incidents
8.3 Problem management
8.3.1 Scope of problem management
8.3.2 Initiation of problem management
8.3.3 Known errors
8.3.4 Problem resolution management
8.3.5 Communication
8.3.6 Tracking and escalation
8.3.7 Incident and problem record closure
8.3.8 Problem reviews
8.3.9 Topics for reviews
8.3.10 Problem prevention
9 Control processes
9.1 Configuratin management
9.1.1 Configuration management planning and implementation
9.1.2 Configuration identification
9.1.3 Configuration control
9.1.4 Configuration status accounting and reporting
9.1.5 Configuration verification and audit
9.2 Change management
9.2.1 Planning and implementation
9.2.2 Closing and reviewing the change request
9.2.3 Emergency changes
9.2.4 Change management reporting, analysis and actions
10 Release process
10.1 Release management process
10.1.1 General
10.1.2 Release policy
10.1.3 Release and roll-out planning
10.1.4 Developing or acquiring software
10.1.5 Design, uild and configure release
10.1.6 Release verification and acceptance
10.1.7 Documentation
10.1.8 Roll-out, distribution and installation
10.1.9 Post release and roll-out

Self Assessment MASTER v7.0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Self Assessment MASTER v7.0

Uploaded by

Copyright:

Available Formats

Question Question

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 1

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 2

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 3

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 4

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 5

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 6

II. Organizational Security

II. Organizational Security

II. Organizational Security

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 7

II. Organizational Security

II. Organizational Security

II. Organizational Security

II. Organizational Security

III. Asset Classification and

III. Asset Classification and

III. Asset Classification and

III. Asset Classification and

III. Asset Classification and

III. Asset Classification and

IX. Access Control

IX. Access Control

IX. Access Control

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 8

IX. Access Control

IX. Access Control

V. Physical and Environmental

VI. Equipment Security

VII. General Controls

VII. General Controls

VII. General Controls

VII. General Controls

VII. General Controls

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 9

VII. General Controls

VII. General Controls

VII. General Controls

VII. General Controls

VIII. Communications &

VIII. Communications &

VIII. Communications &

VIII. Communications &

X. Systems Development and

X. Systems Development and

X. Systems Development and

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 10

X. Systems Development and

X. Systems Development and

X. Systems Development and

XI. Business Continuity

XI. Business Continuity

XI. Business Continuity

XI. Business Continuity

XI. Business Continuity

XI. Business Continuity

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 11

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/12/2020 Page 12

II. Organizational Security

III. Asset Classification and Control

IV. Personnel Security

V. Physical and Environmental Security

VI. Equipment Security