You are going to be asked several questions regarding the Information Security area. This questionnaire has been designed to assess the level of internal controls in this area. Please be aware that we take information security very seriously as an integral part of excellence in our service to our clients, and we encourage you to take an active part in this continuous improvement challenge.
This questionnaire is based on ISO 27001, an international standard. It provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving information security within the organization. As a framework, it is organized in eleven domains and 133 controls covering information security management.
The questionnaire has been developed following a scenario presentation for some areas within the ISO standard. You will have to choose the description which most closely reflects the current situation of the organization. The description of these scenarios is based on the Capability Maturity Model (CMM), a process improvement approach that helps organizations improve their performance and evaluate their level of maturity within a process/control. The maturity levels for CMM are the following: 0 - Chaos, 1 - Initial, 2 - Repeatable, 3 - Defined, 4 - Managed, 5 - Optimized.
Please keep in mind that all the questions are aimed at evaluating the level of internal control within the computing environment involved in your engagement with ADP. Use the free form comment fields to point out anything you consider important toward this objective.
Please complete the following table taking into account the following field descriptions:
Field descriptions
· Name & version - Name and version of the application involved in your engagement with ADP, the supporting database, and the operating system of the server running the application
· Level of customization - Low, minimum or high customization from the standard version, or customized package
· Change management - Whether change management within the application (new developments, corrective changes, patch installation, data migrations...) is performed internally or externally
· Administration - Whether administrative tasks of the different systems are performed internally or externally
Please list the certifications (e.g., SSAE16, ISO27001, etc.) held by the company which could be relevant from an information security or quality management perspective (please provide evidence of listed certifications):
Certifications
List of Certifications
ADP REQUIRES A COMPREHENSIVE DATA FLOW DIAGRAM FOR THIS ENGAGEMENT. Please return such diagram with the completed questionnaire.
We would like to remind you that all the questionnaires could be followed by further documentation requests, penetration test summaries and/or on-site assessments by the Third Party Management team. It is important that you answer this questionnaire in a realistic manner; all questions require answers. All questions left blank will be scored as 0 - Chaos. Please supply the appropriate required evidence for each question that you are answering. Thanks a lot for your help.
5 Security policy
5.1 Information security policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.
Scoring (one of 0 - Chaos, 1 - Initial, 2 - Repeatable, 3 - Defined, 4 - Managed, 5 - Optimized, or N/A) and Comments:
0 - Chaos: Policies and guidelines have not been developed or defined in the information security area.
1 - Initial: There are some informal guidelines related to information security in some areas (IT, physical access control, etc.).
2 - Repeatable: Management has stated their commitment to address information security in all areas.
3 - Defined: There is an information security policy document, which contains a definition of information security, its overall objectives and scope, and the role of information systems.
4 - Managed: In addition to level 3, the policy also contains defined management review procedures. These consider responsible individuals and supporting documentation to be maintained.
5 - Optimized: In addition to level 4, the policy is periodically reviewed, at least annually or when significant changes occur. Evidence of this review is kept.
Required evidence: levels 0-2: None; levels 3-4: Information Security Policy; level 5: 1. Information Security Policy, 2. Evidence of Information Security Policy Review.
Page 5 of 38
6 Organizing information security
6.1 Internal organization
A management framework should be established to initiate and control the implementation of information security within the organization.
Management should approve the information security policy, assign security roles and co-ordinate and review the implementation of security across the organization.
If necessary, a source of specialist information security advice should be established and made available within the organization. Contacts with external security specialists or groups, including relevant authorities, should be developed to keep up with industry trends, monitor standards and assessment methods and provide suitable liaison points when handling information security incidents. A multi-disciplinary approach to information security should be encouraged.
Required evidence: levels 0-3: None; level 4: List of members of the security committee (names and roles); level 5: 1. List of members of the security committee (names and roles), 2. Minutes or recordings of the periodic meetings.
0 - Chaos: Contact with authorities (e.g. law enforcement, fire department, supervisory authorities) and special interest groups has not been assigned to any specific responsible person within the organization.
1 - Initial: Although no responsibilities have been defined, authorities have been contacted by the organization in case of incident.
2 - Repeatable: An individual or individuals have been informally assigned to be responsible for contacting authorities.
3 - Defined: An individual or individuals in the organization are formally responsible for contacting authorities.
4 - Managed: Besides level 3, an updated list of all the relevant organization contact numbers is maintained.
5 - Optimized: Besides level 4, contact with special interest groups or other specialist security forums and professional associations is maintained (e.g. in order to share and exchange information about new technologies, products, threats, or vulnerabilities).
Required evidence: levels 0-2: None; level 3: Information Security Policy; level 4: List of members of the security committee (names and roles); level 5: 1. List of members of the security committee (names and roles), 2. Minutes or recordings of the periodic meetings.
6.2 External parties
Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
The security of the organization’s information and information processing facilities should not be reduced by the introduction of external party products or services.
Any access to the organization’s information processing facilities and processing and communication of information by external parties should be controlled.
Where there is a business need for working with external parties that may require access to the organization’s information and information processing facilities, or in obtaining or providing a product and service from or to an external party, a risk assessment
should be carried out to determine security implications and control requirements. Controls should be agreed and defined in an agreement with the external party.
Required evidence: levels 0-1: None; levels 2-5: Example of security requirements defined in contracts with clients.
0 - Chaos: There are no guidelines and procedures in place regarding the risk of customers accessing information and information processing facilities.
1 - Initial: General security guidelines affecting internal parties have been informally communicated to all customers accessing information and information processing facilities.
2 - Repeatable: Contracts and signed agreements include the need to meet security requirements and confidentiality clauses. General security guidelines are mentioned in those agreements.
3 - Defined: Besides level 2, the risks to the organization's information from business processes involving customers have been assessed. Service level agreements have been formalized.
4 - Managed: Besides level 3, service level agreements are monitored and periodically reviewed to ensure they are being met.
5 - Optimized: Besides level 4, the partner's audit plan includes periodic security audits on their customers.
Required evidence: levels 0-1: None; levels 2-5: Example of security requirements defined in contracts with clients.
7 Asset management
7.1 Inventory and classification of assets
Information should be classified to indicate the need, priorities, and expected degree of protection when handling the information. Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special
handling. An information classification scheme should be used to define an appropriate set of protection levels and communicate the need for special handling measures.
All assets should be accounted for and have a nominated owner. Owners should be identified for all assets. The responsibility for the maintenance of appropriate controls should be assigned. The implementation of specific controls may be delegated by the
owner as appropriate but the owner remains responsible for the proper protection of the assets.
Required evidence: levels 0-1: None; levels 2-3: IT assets classification; levels 4-5: 1. IT assets classification, 2. List of IT assets and defined owners.
7.2 Acceptable use of assets
Rules for acceptable use of information and assets associated with information facilities should be identified, documented, and implemented.
Required evidence: levels 0-1: None; levels 2-5: Documented policies regarding the acceptable use of assets.
8 Human resources security
8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
Security responsibilities should be addressed prior to employment in adequate job descriptions and in terms and conditions of employment.
All candidates for employment, contractors and third party users should be adequately screened, especially for sensitive jobs.
Employees, contractors and third party users of information processing facilities should sign an agreement on their security roles and responsibilities.
An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks. A formal disciplinary
process for handling security breaches should be established.
Required evidence: levels 0-3: None; levels 4-5: Evidence of last background check performed.
8.2 During employment
Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and
to reduce the risk of human error.
Management responsibilities should be defined to ensure that security is applied throughout an individual’s employment within the organization.
An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks. A formal disciplinary
process for handling security breaches should be established.
Required evidence: levels 0-1: None; levels 2-4: Example of information security awareness and training materials used; level 5: 1. Example of information security awareness and training materials used, 2. Evidence of periodic evaluation of the results of the awareness program.
8.3 Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
Responsibilities should be in place to ensure an employee’s, contractor’s or third party user’s exit from the organization is managed, and that the return of all equipment and the removal of all access rights are completed.
Change of responsibilities and employments within an organization should be managed as the termination of the respective responsibility or employment in line with this section, and any new employments should be managed.
Required evidence: levels 0-2: None; levels 3-5: Documented responsibilities over terminations or change of employment.
9 Physical and environmental security
9.1 Secure areas
Objective: To prevent unauthorized physical access, damage, and interference to the organization’s premises and information.
Critical or sensitive information processing facilities should be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They should be physically protected from unauthorized access, damage, and
interference.
Required evidence: levels 0-3: None; levels 4-5: Audit trail of all accesses performed during the last month.
0 - Chaos: No specific physical security controls have been defined on the data centre.
1 - Initial: Unsupervised working in the data centre is explicitly forbidden for safety reasons and to prevent opportunities for malicious activities.
2 - Repeatable: Besides level 1, specific physical security measures to protect the data centre, such as traditional lock, proximity card access, or PIN, have been implemented.
3 - Defined: In addition to level 2, appropriate environmental protection mechanisms have been provided and suitably placed (e.g. fire fighting equipment, technical floor and ceiling).
4 - Managed: All accesses to the data centre are logged, either internal or external. Environmental conditions are continuously monitored. Protection mechanisms are automatically activated depending on established thresholds.
5 - Optimized: The data centre and/or the fallback equipment are sited at a safe distance to avoid damage from a disaster affecting the main site.
Required evidence: level 0: None; levels 1-5: Contract established with data center provider (if externalized).
9.2 Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.
Protection of equipment (including that used off-site, and the removal of property) is necessary to reduce the risk of unauthorized access to information and to protect against loss or damage. This should also consider equipment sitting and disposal. Special
controls may be required to protect against physical threats, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure.
Required evidence: levels 0-2: None; levels 3-4: Media disposal or re-use procedure; level 5: 1. Media disposal or re-use procedure, 2. Example of a certificate obtained for an asset disposed of (from the outsourcer).
10 Communications and operations management
10.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.
Responsibilities and procedures for the management and operation of all information processing facilities should be established. This includes the development of appropriate operating procedures.
Segregation of duties should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.
The change management process and segregation of duties controls in this area refer to baseline software and hardware. The application level is covered in the information systems acquisition, development and maintenance area.
Required evidence: levels 0-2: None; levels 3-5: Operating procedures regarding backup, server monitoring and batch process scheduling.
0 - Chaos: A change management process to manage changes to information processing facilities and systems has not been considered.
1 - Initial: Changes on information processing facilities and systems are informally authorized by management.
2 - Repeatable: Besides level 1, all changes are authorized after being sufficiently tested. Procedures consider controls in order to avoid segregation of duties conflicts in the change management process as well as segregation of environments.
3 - Defined: Besides level 2, rules have been defined and documented. These include formal assessment of information security impact, testing and acceptance of changes.
4 - Managed: Besides level 3, fallback procedures are considered and documented when changes are performed. Development and operational software run on different systems. Development software is not accessible in the production environment. Operational requirements of new systems are established and tested prior to their acceptance and use.
5 - Optimized: Alarms and controls have been implemented over the change management process to ensure it is performed properly. Automatic alarms have been put in place to indicate problems of future capacity or efficiency to anticipate the possible need for changes on systems.
Required evidence: levels 0-2: None; level 3: For the last change or customization performed to the application involved in this assessment, provide a) information security impact assessments, b) testing plan and results, c) evidence of user acceptance; levels 4-5: 1. For the last change or customization performed to the application involved in this assessment, provide a) information security impact assessments, b) testing plan and results, c) evidence of user acceptance, 2. Evidence of fallback procedures associated with a change in the application involved in this assessment.
10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed with the third party.
Required evidence: levels 0-2: None; level 3: Agreed security arrangements, service definitions and compensating actions; levels 4-5: 1. Agreed security arrangements, service definitions and compensating actions, 2. Example of service report of the most relevant IT providers.
10.3 System planning and acceptance (covered by question 10.1.B.)
Advance planning and preparation are required to ensure the availability of adequate capacity and resources to deliver the required system performance.
Projections of future capacity requirements should be made, to reduce the risk of system overload.
The operational requirements of new systems should be established, documented, and tested prior to their acceptance and use.
10.4 Protection against malicious and mobile code
Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code.
Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses, and logic bombs. Users should be made aware of the dangers of malicious code. Managers should, where appropriate, introduce controls to prevent, detect, and remove malicious code and control mobile code.
Required evidence: levels 0-1: None; levels 2-4: Screenshot of antivirus updating policy; level 5: 1. Screenshot of antivirus updating policy, 2. Screenshots of the administration panel of e-mail and web gateways and monitoring tools.
10.5 Back-up
Objective: To maintain the integrity and availability of information and information processing facilities.
Routine procedures should be established to implement the agreed back-up policy and strategy (see also 14.1) for taking back-up copies of data and rehearsing their timely restoration.
Required evidence: levels 0-2: None; levels 3-4: Backup policy/procedure; level 5: 1. Backup policy/procedure, 2. Evidence of backup media testing, corresponding to the application involved in this assessment.
10.6 Network security management (covered by questions in subarea number 11.4)
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
The secure management of networks, which may span organizational boundaries, requires careful consideration to dataflow, legal implications, monitoring, and protection.
Additional controls may also be required to protect sensitive information passing over public networks.
10.7 Media handling (subareas selected to be included in the scope, management of removable media and disposal of media, are covered by questions in subarea number 9.2)
Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
Appropriate operating procedures should be established to protect documents, computer media (e.g. tapes, disks), input/output data and system documentation from unauthorized disclosure, modification, removal, and destruction.
10.8 Exchange of information
Objective: To maintain the security of information and software exchanged within an organization and with any external entity.
Exchanges of information and software between organizations should be based on a formal exchange policy, carried out in line with exchange agreements, and should be compliant with any relevant legislation.
Procedures and standards should be established to protect information and physical media containing information in transit.
Required evidence: levels 0-2: None; levels 3-5: Documented precautions and instructions concerning exchange of information.
10.10 Monitoring
Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure information system problems are identified.
An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities.
System monitoring should be used to check the effectiveness of controls adopted and to verify conformity to an access policy model.
Required evidence: levels 0-2: None; levels 3-4: Documented log monitoring procedure, concerning the application involved in this assessment; level 5: 1. Documented log monitoring procedure, concerning the application involved in this assessment, 2. Evidence of automatic log alerts and reports.
11 Access control
11.1 Business requirement for access control
Access to information, information processing facilities and business processes should be controlled on the basis of business and security requirements.
Access control rules should take account of policies for information dissemination and authorization.
Required evidence: levels 0-2: None; level 3: Access control policy/procedure, concerning the application involved in this assessment; level 4: Documented log monitoring procedure, concerning the application involved in this assessment; level 5: Access control policy/procedure, concerning the application involved in this assessment.
11.2 User access management (covered by questions in subarea number 11.1, 11.3)
Objective: To ensure authorized user access and to prevent unauthorized access to information systems.
Formal procedures should be in place to control the allocation of access rights to information systems and services.
The procedures should cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention should be given, where
appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.
11.3 User responsibilities
Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.
A clear desk and clear screen policy should be implemented to reduce the risk of unauthorized access or damage to papers, media, and information processing facilities.
Required evidence: levels 0-1: None; levels 2-4: Screenshot of password policy configuration, concerning the application involved in this assessment; level 5: 1. Screenshot of password policy configuration, concerning the application involved in this assessment, 2. Statement that users are required to sign in order to accept conditions of access.
0 - Chaos: Clear desk and clear screen guidelines are not being followed.
1 - Initial: Clear desk and clear screen actions are being followed as a result of personal initiatives in sensitive areas (e.g. management offices). A time-out screen saver protected by password is activated.
2 - Repeatable: Although not documented, staff is concerned about information security and performs clear desk and clear screen actions. Sensitive information, e.g. on paper or on electronic storage media, is locked away in a cabinet or similar when not required, especially when the office is vacated.
3 - Defined: Besides level 2, related procedures have been developed and approved by management. Users have been formally advised to terminate their active sessions when finished.
4 - Managed: Besides level 3, periodic training is performed to raise personnel awareness.
5 - Optimized: Besides level 4, reviews are conducted in order to guarantee information security as well as monitor awareness actions' effectiveness (documents are periodically removed from printers, a PIN is required to use photocopiers, etc.).
Required evidence: levels 0-2: None; levels 3-4: User responsibilities procedures/policy; level 5: 1. User responsibilities procedures/policy, 2. Records of reviews performed to evaluate awareness actions' effectiveness.
11.4 Network access control
User access to networks and network services should not compromise the security of the network services. This is ensured by:
a) appropriate interfaces are in place between the organization’s network and networks owned by other organizations, and public networks;
b) appropriate authentication mechanisms are applied for users and equipment;
c) control of user access to information services is enforced.
Required evidence: levels 0-1: None; levels 2-3: Network map, showing the system where the application involved in this assessment is running; levels 4-5: 1. Network map, showing the system where the application involved in this assessment is running, 2. Penetration test reports and action plans.
11.5 Operating system access control (covered by questions in subarea 11.3)
Security facilities should be used to restrict access to operating systems to authorized users. The facilities should be capable of the following:
a) authenticating authorized users, in accordance with a defined access control policy;
b) recording successful and failed system authentication attempts;
c) recording the use of special system privileges;
d) issuing alarms when system security policies are breached;
e) providing appropriate means for authentication;
f) where appropriate, restricting the connection time of users.
11.6 Application and information access control (covered by questions in subareas 7.1, 11.1 and 11.4)
Security facilities should be used to restrict access to and within application systems.
Logical access to application software and information should be restricted to authorized users. Application systems should:
a) control user access to information and application system functions, in accordance with a defined access control policy;
b) provide protection from unauthorized access by any utility, operating system software, and malicious software that is capable of overriding or bypassing system or application controls;
c) not compromise other systems with which information resources are shared.
Objective: To ensure information security when using mobile computing and teleworking facilities.
The protection required should be commensurate with the risks these specific ways of working cause.
When using mobile computing the risks of working in an unprotected environment should be considered and appropriate protection applied. In the case of teleworking the organization should apply protection to the teleworking site and ensure that suitable
arrangements are in place for this way of working.
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: Mobile computing and teleworking procedures/policy.
Level 4: Mobile computing and teleworking procedures/policy.
Level 5: Mobile computing and teleworking procedures/policy.
12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
Information systems include operating systems, infrastructure, business applications, off-the-shelf products, services, and user-developed applications. The design and implementation of the information system supporting the business process can be crucial for
security. Security requirements should be identified and agreed prior to the development and/or implementation of information systems.
All security requirements should be identified at the requirements phase of a project and justified, agreed, and documented as part of the overall business case for an information system.
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: Security requirements documented for the last development or change performed to the application involved in this assessment.
Level 4: Security requirements documented for the last development or change performed to the application involved in this assessment.
Level 5: Security requirements documented for the last development or change performed to the application involved in this assessment.
12.2 Correct processing in applications
Appropriate controls should be designed into applications, including user developed applications to ensure correct processing. These controls should include the validation of input data, internal processing and output data.
Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical information. Such controls should be determined on the basis of security requirements and risk assessment.
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: List of controls defined in the application involved in this assessment.
Level 4: List of controls defined in the application involved in this assessment.
Level 5: List of controls defined in the application involved in this assessment.
12.4 Security of system files
Access to system files and program source code should be controlled, and IT projects and support activities conducted in a secure manner. Care should be taken to avoid exposure of sensitive data in test environments. These controls apply to the
application level in contrast to the baseline software level considered in section 10.
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: None
Level 4: Evidence of the segregation of environments concerning the application involved in this assessment.
Level 5: Evidence of the segregation of environments concerning the application involved in this assessment.
12.5 Security in development and support processes
Managers responsible for application systems should also be responsible for the security of the project or support environment. They should ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the
system or the operating environment.
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: Change management procedure.
Level 4: Change management procedure.
Level 5: 1. Change management procedure. 2. Evidence of documentation regarding a development process.
Level 0: Information leakage controls and guidelines have not been implemented or developed.
Level 1: Some information leakage guidelines have been communicated to specific departments. These are the result of individual efforts performed by individuals.
Level 2: Occasionally, logs have been reviewed to identify unintentional release of information to an untrusted environment.
Level 3: Besides level 2, the related procedure has been documented and can consider the following:
- scanning of outbound media and communications for hidden information;
- regular monitoring of personnel and system activities, where permitted under existing legislation or regulation;
- logging resource usage in computer systems.
Level 4: Besides level 3, the results of scans and logs are periodically reviewed.
Level 5: In addition to level 4, some indicators and automatic alarms have been defined, as well as automatic tools to exploit the logs registered and to generate high level reports. These are used to actively identify potential unauthorized actions related to data leakage and to improve the implemented control framework.
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: Information leakage procedure.
Level 4: Information leakage procedure.
Level 5: Information leakage procedure.
Level 0: There are no controls in place focused on controlling the outsourced software development, when applicable.
Level 1: Software development, when outsourced, is controlled by the internal IT department or responsible in an informal manner. No controls have been defined or formalized.
Level 2: Where software development is outsourced, the following aspects are considered in formal agreements:
- Certification of the quality and accuracy of the work carried out;
- Contractual requirements for quality and security functionality of code;
Level 3: Besides level 2, the following has been considered:
- Licensing arrangements, code ownership, and intellectual property rights;
- Escrow arrangements in the event of failure of the third party;
Level 4: Besides level 3, the following has been considered:
- Rights of access for audit of the quality and accuracy of work done;
- Testing before installation to detect malicious and trojan code.
Level 5: Besides level 4, formal quality review on all the incidences identified is performed and corrective actions are taken in order to improve the quality of the provided service.
Required Evidence:
Level 0: None
Level 1: None
Level 2: Formal agreements established with software providers in case the application being assessed here is being outsourced.
Level 3: Formal agreements established with software providers in case the application being assessed here is being outsourced.
Level 4: Formal agreements established with software providers in case the application being assessed here is being outsourced.
Level 5: Formal agreements established with software providers in case the application being assessed here is being outsourced.
12.6 Technical Vulnerability Management
Technical vulnerability management should be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. These considerations should include operating systems, and any other applications in use.
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: Vulnerability management procedure.
Level 4: Vulnerability management procedure.
Level 5: Vulnerability management procedure.
13 Information security incident management
13.1 Reporting information security events and weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
Formal event reporting and escalation procedures should be in place. All employees, contractors and third party users should be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of
organizational assets. They should be required to report any information security events and weaknesses as quickly as possible to the designated point of contact.
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: Information security incident management procedures.
Level 4: Information security incident management procedures.
Level 5: Information security incident management procedures.
13.2 Management of information security incidents and improvements (covered by questions in subarea number 13.1)
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.
Responsibilities and procedures should be in place to handle information security events and weaknesses effectively once they have been reported. A process of continual improvement should be applied to the response to, monitoring, evaluating, and overall
management of information security incidents.
Where evidence is required, it should be collected to ensure compliance with legal requirements.
14 Business continuity management
14.1 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
A business continuity management process should be implemented to minimize the impact on the organization and recover from loss of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate
actions) to an acceptable level through a combination of preventive and recovery controls.
This process should identify the critical business processes and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and
facilities.
The consequences of disasters, security failures, loss of service, and service availability should be subject to a business impact analysis. Business continuity plans should be developed and implemented to ensure timely resumption of essential operations.
Information security should be an integral part of the overall business continuity process, and other management processes within the organization.
Business continuity management should include controls to identify and reduce risks, in addition to the general risks assessment process, limit the consequences of damaging incidents, and ensure that information required for business processes is readily
available.
Required Evidence:
Level 0: None
Level 1: None
Level 2: Business impact analysis document.
Level 3: Business impact analysis document.
Level 4: Business impact analysis document.
Level 5: Business impact analysis document.
Level 0: Mechanisms intended to recover information systems in the event of a disaster have not been put in place.
Level 1: Data is periodically backed up using removable media such as tapes. In case of disaster, the organization's appropriate personnel can restore the information in the processing facilities using the back-up tapes.
Level 2: Redundancy mechanisms exist, so the information is backed up in real time. In case of disaster, data can be restored in an alternative processing location (cold, warm or hot site).
Level 3: Besides level 1 or 2 (depending on the organization), a Disaster Recovery Plan (DRP) has been defined and implemented. Actions to be taken when recovering the information systems activity are properly documented.
Level 4: Besides level 3, a testing plan has been developed to ensure that each element of the DRP is tested periodically.
Level 5: Besides level 4, formal periodic training is performed to ensure all the roles and responsibilities affected by the DRP have been properly understood.
Required Evidence:
Level 0: None
Level 1: None
Level 2: List of redundancy mechanisms implemented in the system where the application involved in this assessment is running.
Level 3: 1. List of redundancy mechanisms implemented in the system where the application involved in this assessment is running. 2. Disaster recovery plan document.
Level 4: 1. List of redundancy mechanisms implemented in the system where the application involved in this assessment is running. 2. Disaster recovery plan document. 3. DRP testing plan document.
Level 5: 1. List of redundancy mechanisms implemented in the system where the application involved in this assessment is running. 2. Disaster recovery plan document. 3. DRP testing plan document. 4. Evidence of periodic DRP training.
Level 0: Actions to be taken in the event of an information security incident are not known throughout the organization.
Level 1: Actions to be taken in the event of an information security incident are known throughout the organization, but not formalized. These are the result of incidents that have occurred in the past and the experience learnt from solving them.
Level 2: Roles and responsibilities regarding business continuity management have been formally assigned, including the crisis committee. The management of business continuity has been incorporated in the organization's processes and structure.
Level 3: Besides level 3, a Business Continuity Plan (BCP) has been developed and implemented to determine the overall approach to business continuity.
Level 4: A testing plan has been developed to ensure that each element of the BCP is tested periodically. The results of tests are recorded and corrective actions taken. Additionally, formal periodic training is performed to ensure all the roles and responsibilities have been properly understood.
Level 5: In addition to level 4, a single business continuity plan framework is maintained to ensure it is consistent with all the initiatives taken within the organization. The BCP considers all services and resources facilitating business continuity, not only information systems: staffing, non-information processing resources, and suppliers.
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: Business continuity plan.
Level 4: 1. Business continuity plan. 2. BCP testing plan document and evidence of BCP training activities.
Level 5: 1. Business continuity plan. 2. BCP testing plan document and evidence of BCP training activities.
15 Compliance
15.1 Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
The design, operation, use, and management of information systems may be subject to statutory, regulatory, and contractual security requirements.
Advice on specific legal requirements should be sought from the organization’s legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and may vary for information created in one country that is transmitted to
another country (i.e. trans-border data flow).
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: List of relevant statutory, regulatory and contractual requirements that may affect the organization.
Level 4: List of relevant statutory, regulatory and contractual requirements that may affect the organization.
Level 5: 1. List of relevant statutory, regulatory and contractual requirements that may affect the organization. 2. Evidence of audits/reviews performed in order to check that the organization is compliant with all relevant statutory, regulatory and contractual requirements.
Level 0: The organization is not aware of the data retention period stated by regulation.
Level 1: The organization retains all data according to some specific regulations or internal guidelines, but there is no clear classification in terms of records and mandatory retention periods.
Level 2: The system of storage and handling ensures clear identification of records and of their retention period.
Level 3: Besides level 2, a retention schedule is drawn up identifying records and the period of time for which they should be retained, according to applicable legislation or regulation. Appropriate controls are implemented to protect records and information from loss, destruction, and falsification.
Level 4: Besides level 3, the system of storage and handling permits the appropriate destruction of records after that period if they are not needed by the organization.
Level 5: Besides level 4, periodical tests of retention and recovery of data are performed. Corrective actions are analyzed by management.
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: Evidence of retention schedule, identifying records and the period of time for which they should be retained.
Level 4: Evidence of retention schedule, identifying records and the period of time for which they should be retained.
Level 5: 1. Evidence of retention schedule, identifying records and the period of time for which they should be retained. 2. Results of the periodical tests of retention and recovery of data performed.
Level 0: The organization is not aware of the data protection and privacy of personal information requirements stated by the regulation.
Level 1: The organization is concerned about data protection and privacy of personal information (some guidelines have been given and some controls have been put in place), but they are not totally aligned with the related regulation.
Level 2: Responsibility for handling personal information and ensuring awareness of the data protection principles is dealt with in accordance with relevant legislation and regulations.
Level 3: Appropriate technical and organizational measures to protect personal information are implemented.
Level 4: Assigned responsible personnel provide guidance to managers, users and service providers on their individual responsibilities and the specific procedures that should be followed.
Level 5: Reviews are periodically conducted in order to check that the organization is compliant with the related regulation. Corrective actions are documented and followed up by management.
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: None
Level 4: None
Level 5: Evidence of legal compliance reviews.
Level 0: The organization has not communicated any guideline regarding prevention of misuse of information processing facilities.
Level 1: Internal employees are given or informed of the organization's guidelines regarding prevention of misuse of information processing facilities when hired.
Level 2: Employees of the organization, contractors, and third party users are advised that no access will be permitted except that which is authorized. They are aware of the monitoring in place to detect unauthorized use.
Level 3: At log-on, a warning message is presented to indicate that the information processing facility being entered is owned by the organization and that unauthorized access is not permitted. The user has to acknowledge and react appropriately to the message on the screen to continue with the log-on process.
Level 4: Periodical training sessions for personnel accessing the information systems are in place.
Level 5: The organization periodically reviews the use of information processing facilities (by examining logs or dedicated tools). Results are logged and analyzed by management, with the aim of detecting inappropriate access and improving the level of internal control.
Required Evidence:
Level 0: None
Level 1: None
Level 2: None
Level 3: Screenshot of the logon warning message (presented to indicate that the information processing facility being entered is owned by the organization and that unauthorized access is not permitted).
Level 4: Screenshot of the logon warning message (presented to indicate that the information processing facility being entered is owned by the organization and that unauthorized access is not permitted).
Level 5: 1. Screenshot of the logon warning message (presented to indicate that the information processing facility being entered is owned by the organization and that unauthorized access is not permitted). 2. Records of reviews of the use of information processing facilities performed by management.
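The level 3 scenario above describes a log-on warning message, and the required evidence is a screenshot of it. As an added example that is not part of the questionnaire, the following POSIX shell script checks an OpenSSH server configuration for such a banner (the `Banner` directive, which sshd displays before authentication) and verifies that the banner file states who owns the system and that unauthorized access is not permitted. The scratch directory, the sample configuration files, the organization name and the banner wording are constructed placeholders; on a real host the check would be pointed at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the questionnaire): verify that an OpenSSH server
# shows a pre-authentication warning banner with the required wording.

# Scratch directory with constructed sample files so the check runs offline.
WORKDIR="${TMPDIR:-/tmp}/banner-check.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed banner text; "Example Org" is a placeholder organization name.
cat > "$WORKDIR/issue.net" <<'EOF'
This system is the property of Example Org.
Unauthorized access is not permitted. Activity may be monitored and recorded.
EOF

# Constructed sshd_config fragment that enables the banner.
cat > "$WORKDIR/sshd_config" <<EOF
Port 22
Banner $WORKDIR/issue.net
PermitRootLogin no
EOF

# Constructed sshd_config fragment with the banner explicitly disabled.
cat > "$WORKDIR/sshd_config.none" <<'EOF'
Port 22
Banner none
EOF

# check_ssh_banner CONFIG
# Returns 0 when CONFIG has an active "Banner <file>" line, the file exists
# and is non-empty, and it states both ownership and the unauthorized-access
# warning; otherwise prints the reason to stderr and returns 1.
check_ssh_banner() {
    cfg="$1"
    # sshd honours the first occurrence of a keyword, so take the first
    # uncommented Banner line (sshd matches keywords case-insensitively).
    banner=$(grep -iE '^[[:space:]]*Banner[[:space:]]+' "$cfg" 2>/dev/null \
             | head -n 1 | awk '{print $2}')
    if [ -z "$banner" ]; then
        echo "no Banner directive in $cfg" >&2
        return 1
    fi
    if [ "$banner" = "none" ]; then
        echo "Banner explicitly disabled in $cfg" >&2
        return 1
    fi
    if [ ! -s "$banner" ]; then
        echo "banner file $banner is missing or empty" >&2
        return 1
    fi
    # Wording the scenario calls for: an ownership statement ...
    if ! grep -qiE 'property of|owned by' "$banner"; then
        echo "banner does not state who owns the system" >&2
        return 1
    fi
    # ... and a clear notice that unauthorized access is not permitted.
    if ! grep -qiE 'unauthori[sz]ed access' "$banner"; then
        echo "banner does not warn against unauthorized access" >&2
        return 1
    fi
    return 0
}

# Run the check over both constructed configurations.
for cfg in "$WORKDIR/sshd_config" "$WORKDIR/sshd_config.none"; do
    if check_ssh_banner "$cfg"; then
        echo "PASS: $cfg"
    else
        echo "FAIL: $cfg"
    fi
done
```

The check only inspects the configuration file; whether the banner actually reaches users also depends on the client and on whether other services (console, RDP, web front ends) show an equivalent notice, so the screenshot evidence requested above still needs to be collected per entry point.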
15.2 Compliance with security policies and standards and technical compliance
Objective: To ensure compliance of systems with organizational security policies and standards.
Such reviews should be performed against the appropriate security policies and the technical platforms and information systems should be audited for compliance with applicable security implementation standards and documented security controls.
Required Evidence:
Level 0: None
Level 1: None
Level 2: Reports generated as part of the technical compliance reviews performed.
Level 3: Reports generated as part of the technical compliance reviews performed.
Level 4: Reports generated as part of the technical compliance reviews performed.
Level 5: 1. Reports generated as part of the technical compliance reviews performed. 2. Evidence of follow-up activities regarding technical compliance corrective actions.
15.3 Information systems audit considerations (covered by questions in subarea number 15.2)
Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.
There should be controls to safeguard operational systems and audit tools during information systems audits.
Protection is also required to safeguard the integrity and prevent misuse of audit tools.