ADP - Third Party Risk Management Program

Welcome to ADP's Third Party Risk Management Program.

You are going to be asked several questions regarding the Information Security area. This questionnaire has been designed to assess the level of internal controls in this area. Please be aware that we take information security very seriously as an integral part of excellence in our service to our clients, and we encourage you to take an active part in this continuous improvement challenge.

This questionnaire is based on ISO 27001, an international standard. It provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving Information Security within the organization. As a framework, it is organized in eleven domains and 133 controls covering information security management.

The questionnaire has been developed following a scenario presentation for some areas within the ISO standard. You will have to choose the description which reflects the current situation of the organization in the most realistic manner. The description of these scenarios is based on the Capability Maturity Model, which is a process improvement approach that helps organizations improve their performance and evaluate their level of maturity within a process/control. The maturity levels for CMM are the following:
0 - Chaos
1 - Initial
2 - Repeatable
3 - Defined
4 - Managed
5 - Optimized

Please keep in mind that all the questions are aimed at evaluating the level of internal control within the computing environment involved in your engagement with ADP. Do not hesitate to use the free form comment fields to point out anything you consider important toward this objective.

Please complete the following table taking into account the following field descriptions:
Field descriptions
· Name & version - Name and version of the application involved in your engagement with ADP, the supporting database, and the operating system of the server which runs the application
· Level of customization - Low, medium or high customization from the standard version, or customized development
· Change management - Change management within the application (new developments, corrective changes, patch installation, data migrations...) is performed internally or externally
· Administration - Administrative tasks of the different systems are performed internally or externally

Name & version          Level of customization          Change management          Administration          Additional comments
Application
Database
Operating system

Values for "Level of customization": High customization / Medium / Low / Customized development. Values for "Change management" and "Administration": internally / externally / N/A.

Please list the certifications (e.g., SSAE16, ISO27001, etc.) owned by the company which could be relevant from an information security or quality management perspective (include evidence of listed certifications):

Certifications
List of Certifications

ADP REQUIRES A COMPREHENSIVE DATA FLOW DIAGRAM FOR THIS ENGAGEMENT. Please return such diagram with the completed questionnaire.

We would like to remind you that all the questionnaires could be followed by further documentation requests, penetration test summaries and/or on-site assessments performed by ADP's Third Party Management team. It is important that you answer this questionnaire in a realistic manner; all questions require answers. All questions left blank will be scored as 0 - Chaos. Also note and supply the appropriate required evidence for each question that you are answering. Thanks a lot for your help.
5 Security policy
5.1 Information security policy

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: Policies and guidelines have not been developed or defined in the information security area.
Required Evidence: None

1 - Initial: There are some informal guidelines related to information security in some areas (IT, physical access control, etc.).
Required Evidence: None

2 - Repeatable: Management has stated their commitment to address information security in all areas.
Required Evidence: None

3 - Defined: There is an information security policy document, which contains a definition of information security, its overall objectives and scope and the role of information systems.
Required Evidence: Information Security Policy

4 - Managed: In addition to level 3, the policy also contains defined management review procedures. They consider responsible individuals and supporting documentation to be maintained.
Required Evidence: Information Security Policy

5 - Optimized: In addition to level 4, the policy is periodically reviewed, at least annually or when significant changes occur. Evidence of this review is kept.
Required Evidence: 1. Information Security Policy; 2. Evidence of Information Security Policy Review

Page 5 of 38
6 Organizing information security
6.1 Internal organization

Objective: To manage information security within the organization.

A management framework should be established to initiate and control the implementation of information security within the organization.

Management should approve the information security policy, assign security roles and co-ordinate and review the implementation of security across the organization.

If necessary, a source of specialist information security advice should be established and made available within the organization. Contacts with external security specialists or groups, including relevant authorities, should be developed to keep up with industrial
trends, monitor standards and assessment methods and provide suitable liaison points when handling information security incidents. A multi-disciplinary approach to information security should be encouraged.

Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: Information security responsibilities have not been assigned.
Required Evidence: None

1 - Initial: Information security roles and responsibilities have been informally assigned to one or more individuals who are also responsible for other tasks in the Organization.
Required Evidence: None

2 - Repeatable: Besides level 1, information security roles and responsibilities have been formally assigned and communicated to affected personnel.
Required Evidence: None

3 - Defined: The information security coordination is performed by one individual (Chief Security Officer) or a group of individuals who are independent from managing and operating IT systems in the company.
Required Evidence: None

4 - Managed: Besides level 3, a security committee is in place with representatives from different areas of the organization with relevant roles and functions. They are periodically updated and supported by awareness actions.
Required Evidence: List of members of the security committee (names and roles)

5 - Optimized: Besides level 4, the security committee has arranged periodical meetings to discuss information security issues. Minutes and records of the periodic meetings are maintained as evidence, as well as a record of the decisions made regarding risk management and the follow-up actions to be performed.
Required Evidence: 1. List of members of the security committee (names and roles); 2. Minutes or recordings of the periodic meetings

Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: Contact with authorities (e.g. law enforcement, fire department, supervisory authorities) and special interest groups has not been assigned to any specific responsible person within the organization.
Required Evidence: None

1 - Initial: Although no responsibilities have been defined, authorities have been contacted by the Organization in case of incident.
Required Evidence: None

2 - Repeatable: An individual or individuals have been informally assigned to be responsible for contacting authorities.
Required Evidence: None

3 - Defined: An individual or individuals in the organization are formally responsible for contacting authorities.
Required Evidence: Information Security Policy

4 - Managed: Besides level 3, an updated list of all the relevant organization contact numbers is maintained.
Required Evidence: List of members of the security committee (names and roles)

5 - Optimized: Besides level 4, contact with special interest groups or other specialist security forums and professional associations is maintained (e.g. in order to share and exchange information about new technologies, products, threats, or vulnerabilities).
Required Evidence: 1. List of members of the security committee (names and roles); 2. Minutes or recordings of the periodic meetings

6.2 External parties

Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

The security of the organization’s information and information processing facilities should not be reduced by the introduction of external party products or services.

Any access to the organization’s information processing facilities and processing and communication of information by external parties should be controlled.

Where there is a business need for working with external parties that may require access to the organization’s information and information processing facilities, or in obtaining or providing a product and service from or to an external party, a risk assessment
should be carried out to determine security implications and control requirements. Controls should be agreed and defined in an agreement with the external party.

Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: There are no guidelines and procedures in place regarding the risk of external providers accessing information and information processing facilities.
Required Evidence: None

1 - Initial: General security guidelines affecting internal parties have been informally communicated to all external companies.
Required Evidence: None

2 - Repeatable: Contracts and signed agreements include the need to meet security requirements and confidentiality clauses. General security guidelines are mentioned in those agreements.
Required Evidence: Example of security requirements defined in contracts with clients.

3 - Defined: Besides level 2, the risks to the organization’s information from business processes involving external providers have been assessed. Service level agreements have been formalized.
Required Evidence: Example of security requirements defined in contracts with clients.

4 - Managed: Besides level 3, service level agreements are monitored and periodically reviewed to ensure they are being met.
Required Evidence: Example of security requirements defined in contracts with clients.

5 - Optimized: Besides level 4, the partner's audit plan includes periodical security audits on their providers.
Required Evidence: Example of security requirements defined in contracts with clients.

Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: There are no guidelines and procedures in place regarding the risk of customers accessing information and information processing facilities.
Required Evidence: None

1 - Initial: General security guidelines affecting internal parties have been informally communicated to all customers accessing information and information processing facilities.
Required Evidence: None

2 - Repeatable: Contracts and signed agreements include the need to meet security requirements and confidentiality clauses. General security guidelines are mentioned in those agreements.
Required Evidence: Example of security requirements defined in contracts with clients.

3 - Defined: Besides level 2, the risks to the organization’s information from business processes involving customers have been assessed. Service level agreements have been formalized.
Required Evidence: Example of security requirements defined in contracts with clients.

4 - Managed: Besides level 3, service level agreements are monitored and periodically reviewed to ensure they are being met.
Required Evidence: Example of security requirements defined in contracts with clients.

5 - Optimized: Besides level 4, the partner's audit plan includes periodical security audits on their customers.
Required Evidence: Example of security requirements defined in contracts with clients.

7 Asset management
7.1 Inventory and classification of assets

Objective: To ensure that information receives an appropriate level of protection.

Information should be classified to indicate the need, priorities, and expected degree of protection when handling the information. Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special
handling. An information classification scheme should be used to define an appropriate set of protection levels and communicate the need for special handling measures.

All assets should be accounted for and have a nominated owner. Owners should be identified for all assets. The responsibility for the maintenance of appropriate controls should be assigned. The implementation of specific controls may be delegated by the
owner as appropriate but the owner remains responsible for the proper protection of the assets.

Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: Information assets within the organization have not been identified.
Required Evidence: None

1 - Initial: A list of assets has been developed identifying the information assets within the organization.
Required Evidence: None

2 - Repeatable: Besides level 1, assets have been classified according to their importance for the business as a result of a risk analysis.
Required Evidence: IT assets classification.

3 - Defined: Besides level 2, formal documentation has been developed to support the risk analysis and the classification of the assets in terms of their value, legal requirements, sensitivity, and criticality to the organization.
Required Evidence: IT assets classification.

4 - Managed: Besides level 3, ownership of these assets has been formally designated.
Required Evidence: 1. IT assets classification; 2. List of IT assets and defined owners.

5 - Optimized: Besides level 4, periodic reviews of the asset classification and its applicability are performed. The periodicity of the review is at least annual, or when significant changes occur.
Required Evidence: 1. IT assets classification; 2. List of IT assets and defined owners.

7.2 Acceptable use of assets

Objective: To achieve and maintain appropriate protection of organizational assets.

Rules for acceptable use of information and assets associated with information facilities should be identified, documented, and implemented.

Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: There are no specific rules for acceptable use of information assets.
Required Evidence: None

1 - Initial: Rules which define the acceptable uses of information assets associated with information facilities have been defined.
Required Evidence: None

2 - Repeatable: Besides level 1, general policies regarding the acceptable use of assets have been communicated to all personnel. The guidelines are maintained on the Intranet or in an accessible format for all users.
Required Evidence: Documented policies regarding the acceptable use of assets.

3 - Defined: Besides level 2, specific rules for critical assets have been defined and formalized to state guidelines for each type of asset. They include electronic mail and Internet usage, as well as the use of mobile devices outside the premises of the organization.
Required Evidence: Documented policies regarding the acceptable use of assets.

4 - Managed: Besides level 3, specific controls and technical measures have been defined and implemented to ensure the acceptable use of assets is being met.
Required Evidence: Documented policies regarding the acceptable use of assets.

5 - Optimized: Besides level 4, periodic reviews of the defined controls are being performed to ensure they are updated and adapted to changes in the environment.
Required Evidence: Documented policies regarding the acceptable use of assets.

8 Human resources security
8.1 Prior to employment

Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

Security responsibilities should be addressed prior to employment in adequate job descriptions and in terms and conditions of employment.

All candidates for employment, contractors and third party users should be adequately screened, especially for sensitive jobs.

Employees, contractors and third party users of information processing facilities should sign an agreement on their security roles and responsibilities.


Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: Security roles and responsibilities are neither defined nor communicated to job candidates during the pre-employment process.
Required Evidence: None

1 - Initial: Job descriptions are used to document security roles and responsibilities in accordance with the organization's guidelines. These are communicated to job candidates during the pre-employment process.
Required Evidence: None

2 - Repeatable: Besides level 1, security roles and responsibilities include the requirement to:
- protect information from unauthorized access, disclosure, modification, destruction or interference;
- ensure responsibility is assigned to the individual for actions taken.
Required Evidence: None

3 - Defined: Besides level 2, as part of their contractual obligation, employees, contractors and third party users should agree to and sign the terms and conditions of their employment contract, which should state their and the organization’s responsibilities for information security as well as related disciplinary processes.
Required Evidence: None

4 - Managed: Background verification checks (satisfactory character references, curriculum vitae, academic and professional qualifications) on all candidates for employment are carried out in accordance with relevant laws and proportional to the business requirements and the perceived risks. Depending on applicable legislation, the candidates are informed beforehand.
Required Evidence: Evidence of last background check performed.

5 - Optimized: Besides level 4, where a job involves the person having access to sensitive information, the organization considers more detailed checks, such as:
- independent identity check (passport or similar document);
- credit checks or checks of criminal records.
Required Evidence: Evidence of last background check performed.

8.2 During employment

Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and
to reduce the risk of human error.

Management responsibilities should be defined to ensure that security is applied throughout an individual’s employment within the organization.

An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks. A formal disciplinary
process for handling security breaches should be established.

Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: When new employees are hired, there is no formal introduction to the organization's security policies or guidelines.
Required Evidence: None

1 - Initial: When new employees are hired, there is an introduction to the organization's security policies or guidelines, based on communicating to them all the standards and information security policies which are relevant to their job position.
Required Evidence: None

2 - Repeatable: Besides level 1, ongoing awareness is performed and includes communication protocols (e.g. not using e-mail for transmitting sensitive data, not directly contacting the final client but communicating via ADP Streamline) and other potential causes of information security incidents.
Required Evidence: Example of information security awareness and training materials used

3 - Defined: Besides level 2, ongoing awareness and education are formalized and include training on security requirements, legal responsibilities and business controls, as well as correct use of information processing facilities. Relevant contractors and third parties are also included in welcome programs.
Required Evidence: Example of information security awareness and training materials used

4 - Managed: Besides level 3, training to enhance awareness is focused on the specific needs of each different area.
Required Evidence: Example of information security awareness and training materials used

5 - Optimized: Periodical evaluation of the results of awareness programs is conducted on internal and external personnel. Based on the results, training is redesigned and adapted to the company's information security needs.
Required Evidence: 1. Example of information security awareness and training materials used; 2. Evidence of periodical evaluation of the results of the awareness program

8.3 Termination or change of employment

Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

Responsibilities should be in place to ensure an employee’s, contractor’s or third party user’s exit from the organization is managed, and that the return of all equipment and the removal of all access rights are completed.

Change of responsibilities and employments within an organization should be managed as the termination of the respective responsibility or employment in line with this section, and any new employments should be managed.

Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: Responsibilities over terminations and changes of employment, and the corresponding procedures, have not been defined and formalized.
Required Evidence: None

1 - Initial: Some responsibilities over terminations or changes of employment have been defined, although they have not been formally documented.
Required Evidence: None

2 - Repeatable: Besides level 1, responsibilities include:
- Return of assets upon termination.
- Removal or change of access rights.
- Change of passwords for remaining active shared accounts.
- Transfer of knowledge.
Required Evidence: None

3 - Defined: Besides level 2, responsibilities over terminations or changes of employment have been formally documented in the corresponding procedures (e.g. confidentiality after termination of employment).
Required Evidence: Documented responsibilities over terminations or change of employment.

4 - Managed: Besides level 3, for sensitive work positions, access to information is removed before the employment terminates. When a change of responsibilities occurs, system access is removed and the change is treated as a new user registration.
Required Evidence: Documented responsibilities over terminations or change of employment.

5 - Optimized: In addition to level 4, periodical reviews of compliance with the defined procedures are being performed.
Required Evidence: Documented responsibilities over terminations or change of employment.

9 Physical and environmental security
9.1 Secure areas

Objective: To prevent unauthorized physical access, damage, and interference to the organization’s premises and information.

Critical or sensitive information processing facilities should be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They should be physically protected from unauthorized access, damage, and
interference.

The protection provided should be commensurate with the identified risks.

Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: There are no specific physical security measures (such as barriers, card controlled entry gates or manned reception gates) to protect the security perimeter.
Required Evidence: None

1 - Initial: Security perimeters are used to protect areas that contain information and information processing facilities.
Required Evidence: None

2 - Repeatable: Besides level 1, key facilities are sited to avoid access by the public.
Required Evidence: None

3 - Defined: Besides level 2, all employees, contractors and third party users and all visitors are required to wear some form of visible identification.
Required Evidence: None

4 - Managed: Besides level 3, an audit trail of all accesses is securely maintained.
Required Evidence: Audit trail of all accesses performed during the last month.

5 - Optimized: Besides level 4, suitable intruder detection systems are installed and regularly tested; unoccupied areas are alarmed and under video surveillance.
Required Evidence: Audit trail of all accesses performed during the last month.

Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: No specific physical security controls have been defined for the data centre.
Required Evidence: None

1 - Initial: Unsupervised working in the data centre is explicitly forbidden for safety reasons and to prevent opportunities for malicious activities.
Required Evidence: Contract established with data center provider (if externalized).

2 - Repeatable: Besides level 1, specific physical security measures to protect the data centre, such as a traditional lock, proximity card access, or PIN, have been implemented.
Required Evidence: Contract established with data center provider (if externalized).

3 - Defined: In addition to level 2, appropriate environmental protection mechanisms have been provided and suitably placed (e.g. fire fighting equipment, technical floor and ceiling).
Required Evidence: Contract established with data center provider (if externalized).

4 - Managed: All accesses to the data centre, internal or external, are logged. Environmental conditions are continuously monitored. Protection mechanisms are automatically activated depending on established thresholds.
Required Evidence: Contract established with data center provider (if externalized).

5 - Optimized: The data centre and/or the fallback equipment are sited at a safe distance to avoid damage from a disaster affecting the main site.
Required Evidence: Contract established with data center provider (if externalized).

9.2 Equipment security

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.

Equipment should be protected from physical and environmental threats.

Protection of equipment (including that used off-site, and the removal of property) is necessary to reduce the risk of unauthorized access to information and to protect against loss or damage. This should also consider equipment siting and disposal. Special controls may be required to protect against physical threats, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure.

Scoring (0 - 5 or N/A):          Comments:

0 - Chaos: There are no guidelines regarding secure disposal or re-use of equipment and media.
Required Evidence: None

1 - Initial: When re-used, only critical equipment (e.g. equipment which belonged to management) is securely disposed of.
Required Evidence: None

2 - Repeatable: All devices containing sensitive information are physically destroyed, or the information is destroyed, deleted or overwritten before being re-used.
Required Evidence: None

3 - Defined: A procedure has been developed regarding secure disposal or re-use of any kind of equipment or media. It has been formalized and approved by management.
Required Evidence: Media disposal or re-use procedure.

4 - Managed: Besides level 3, techniques to make the original information non-retrievable are used, rather than the standard delete or format function (e.g. incineration or shredding).
Required Evidence: Media disposal or re-use procedure.

5 - Optimized: Besides level 4, secure disposal of equipment and media is achieved by outsourcing this function to third parties specialized in the removal. Certificates from the outsourcer are obtained for all the assets disposed of by this means.
Required Evidence: 1. Media disposal or re-use procedure; 2. Example of a certificate obtained for an asset disposed of (from the outsourcer).

10 Communications and operations management
10.1 Operational procedures and responsibilities

Objective: To ensure the correct and secure operation of information processing facilities.

Responsibilities and procedures for the management and operation of all information processing facilities should be established. This includes the development of appropriate operating procedures.

Segregation of duties should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.

The change management process and segregation of duties controls in this area are referred to baseline software and hardware. The application level is covered in the information systems acquisition, development and maintenance area.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


Operating procedures have Organization personnel is Some informal operating All operating procedures have Technical training has been The maintenance and periodic
not been documented. capable of managing critical procedures, as the result of been formally developed provided to users to ensure review of the procedures to
system activities associated individual efforts, have been and authorized by their skills are aligned with the ensure they are up to date
with information processing developed. They are not management. job needs. have been formalized.
and communications. approved by management.

These activities could include,


for example, computer start-
up and close-down
procedures, back-up,
equipment maintenance and
change management, media
handling, computer room and
mail handling management
and safety.

Required Evidence: Required Evidence: Required Evidence: Required Evidence: Required Evidence: Required Evidence:
None None None Operating procedures Operating procedures Operating procedures
regarding backup, server regarding backup, server regarding backup, server
monitoring and batch monitoring and batch monitoring and batch
processes scheduling. processes scheduling. processes scheduling.
0 - Chaos: A change management process to manage changes to information processing facilities and systems has not been considered.
1 - Initial: Changes on information processing facilities and systems are informally authorized by management.
2 - Repeatable: Besides level 1, all changes are authorized after being sufficiently tested. Procedures consider controls in order to avoid segregation of duties conflicts in the change management process as well as segregation of environments.
3 - Defined: Besides level 2, rules have been defined and documented. These include formal assessment of information security impact, testing and acceptance of changes. Development software is not accessible in the production environment.
4 - Managed: Besides level 3, fallback procedures are considered and documented when changes are performed. Development and operational software run on a different system. Operational requirements of new systems are established and tested prior to their acceptance and use.
5 - Optimized: Alarms and controls have been implemented over the change management process to ensure it is performed properly. Automatic alarms have been put in place to indicate problems of future capacity or efficiency to anticipate the possible need of changes on systems.

Page 15 of 38
Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: None
3 - Defined: For the last change or customization performed to the application involved in this assessment, provide a) information security impact assessments, b) testing plan and results, c) evidence of user acceptance.
4 - Managed: 1. For the last change or customization performed to the application involved in this assessment, provide a) information security impact assessments, b) testing plan and results, c) evidence of user acceptance. 2. Evidence of fallback procedures associated to a change in the application involved in this assessment.
5 - Optimized: 1. For the last change or customization performed to the application involved in this assessment, provide a) information security impact assessments, b) testing plan and results, c) evidence of user acceptance. 2. Evidence of fallback procedures associated to a change in the application involved in this assessment.

Page 16 of 38
10.2 Third party service delivery management

Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

Only IT providers are considered in this area.

The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed with the third party.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: Third party service delivery management procedures, such as monitoring and review of the service provided, have not been designed and considered.
1 - Initial: Third party service level agreements with IT providers are included in the contracts. However, there are no security arrangements within them.
2 - Repeatable: The responsibility for managing the relationship with third-party IT providers has been assigned to a specific individual or service management team.
3 - Defined: Besides level 2, service delivery by a third party has been formally defined and it includes the agreed security arrangements, service definitions and compensating actions.
4 - Managed: Besides level 3, service reports are periodically reviewed.
5 - Optimized: Besides level 4, the approach to manage IT services when dealing with IT providers is based on ITIL best practices.

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: None
3 - Defined: Agreed security arrangements, service definitions and compensating actions.
4 - Managed: 1. Agreed security arrangements, service definitions and compensating actions. 2. Example of service report of the most relevant IT providers.
5 - Optimized: 1. Agreed security arrangements, service definitions and compensating actions. 2. Example of service report of the most relevant IT providers.

Page 17 of 38
10.3 System planning and acceptance (covered by question 10.1.B.)

Objective: To minimize the risk of systems failures.

Advance planning and preparation are required to ensure the availability of adequate capacity and resources to deliver the required system performance.

Projections of future capacity requirements should be made, to reduce the risk of system overload.

The operational requirements of new systems should be established, documented, and tested prior to their acceptance and use.

10.4 Protection against malicious and mobile code

Objective: To protect the integrity of software and information.

Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code.

Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses, and logic bombs. Users should be made aware of the dangers of malicious code. Managers should,
where appropriate, introduce controls to prevent, detect, and remove malicious code and control mobile code.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: There are no controls regarding detection and prevention against malicious code.
1 - Initial: Antivirus has only been installed on the most relevant equipment.
2 - Repeatable: Antivirus software has been installed for each client and server. It is automatically and periodically updated.
3 - Defined: In addition to level 2, management procedures and responsibilities for IT personnel have been defined, stating the basic guidelines to deal with malicious code protection on systems, training in their use, reporting and recovering from malicious code attacks.
4 - Managed: Besides level 3, periodical training to make all the staff aware of the risks of obtaining external files is performed.
5 - Optimized: Besides level 4, gateways or other automatic control tools have been installed to monitor e-mail, web pages and downloaded files.

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: Screenshot of antivirus updating policy.
3 - Defined: Screenshot of antivirus updating policy.
4 - Managed: Screenshot of antivirus updating policy.
5 - Optimized: 1. Screenshot of antivirus updating policy. 2. Screenshots of administration panel of e-mail and web gateways and monitoring tools.

Page 18 of 38
10.5 Back-up

Objective: To maintain the integrity and availability of information and information processing facilities.

Routine procedures should be established to implement the agreed back-up policy and strategy (see also 14.1) for taking back-up copies of data and rehearsing their timely restoration.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: There is no back-up strategy for taking back-up copies of data and rehearsing their timely restoration.
1 - Initial: Even though there is no formal back-up policy, critical data is occasionally backed up.
2 - Repeatable: Back-ups are performed periodically, depending on data criticality.
3 - Defined: Besides level 2, back-up policy and procedure have been designed and formally approved.
4 - Managed: Besides level 3, back-ups are protected by means of encryption and they are stored with an appropriate level of physical security in a remote location. On the other hand, back-ups of critical business information in mobile computing and communication are taken regularly.
5 - Optimized: Besides level 4, back-up media is regularly tested.

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: None
3 - Defined: Backup policy/procedure.
4 - Managed: Backup policy/procedure.
5 - Optimized: 1. Backup policy/procedure. 2. Evidence of backup media testing, corresponding to the application involved in this assessment.

Page 19 of 38
10.6 Network security management (covered by questions in subarea number 11.4)

Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.

The secure management of networks, which may span organizational boundaries, requires careful consideration to dataflow, legal implications, monitoring, and protection.

Additional controls may also be required to protect sensitive information passing over public networks.

10.7 Media handling (subareas selected to be included in the scope, management of removable media and disposal of media, are covered by questions in subarea number 9.2)

Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.

Appropriate operating procedures should be established to protect documents, computer media (e.g. tapes, disks), input/output data and system documentation from unauthorized disclosure, modification, removal, and destruction.

10.8 Exchange of information

Objective: To maintain the security of information and software exchanged within an organization and with any external entity.

Exchanges of information and software between organizations should be based on a formal exchange policy, carried out in line with exchange agreements, and should be compliant with any relevant legislation.

Procedures and standards should be established to protect information and physical media containing information in transit.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: No guidelines have been given regarding information exchange (by means of physical media or electronic format, such as an e-mail).
1 - Initial: Precautions to be adopted when using electronic communication facilities for information exchange have been informally considered for critical business areas. They are intended to protect information from interception, copying, modification, mis-routing, and destruction.
2 - Repeatable: Besides level 1, precautions are followed by all staff and are informally applied to all kinds of data.
3 - Defined: Besides level 2, precautions to be considered by all employees have been formalized in procedures and approved by management.
4 - Managed: Besides level 3, awareness and training actions to personnel are in place (e.g. to avoid being overheard or intercepted when making a phone call, not leaving messages on answering machines).
5 - Optimized: Besides level 4, guidelines are periodically reviewed and updated by management to ensure they are sufficient to cover the risks associated to information exchange channels.

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: None
3 - Defined: Documented precautions and instructions concerning exchange of information.
4 - Managed: Documented precautions and instructions concerning exchange of information.
5 - Optimized: Documented precautions and instructions concerning exchange of information.

Page 20 of 38
10.10 Monitoring

Objective: To detect unauthorized information processing activities.

Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure information system problems are identified.

An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities.

System monitoring should be used to check the effectiveness of controls adopted and to verify conformity to an access policy model.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: Audit logs have not been activated.
1 - Initial: Audit logs have been activated, recording user activities, administrator activities, exceptions, and information security events.
2 - Repeatable: Besides level 1, the organization is capable of reviewing recorded logs. They have been inspected occasionally.
3 - Defined: A formal log monitoring procedure is in place. Log information is protected against tampering and unauthorized access.
4 - Managed: Besides level 3, the results of monitoring activities are periodically reviewed.
5 - Optimized: Automatic alerts and reports have been developed over the logs to constantly monitor unauthorized information processing activities.

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: None
3 - Defined: Documented log monitoring procedure, concerning the application involved in this assessment.
4 - Managed: Documented log monitoring procedure, concerning the application involved in this assessment.
5 - Optimized: 1. Documented log monitoring procedure, concerning the application involved in this assessment. 2. Evidence of automatic log alerts and reports.
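As an added example of the level 3 and level 5 log controls described above (log information protected against tampering, and automatic alerts developed over recorded events), the following Python code was written for this page; it is not part of the questionnaire nor of any vendor's product. The log line format, the failure threshold, the time window and the key are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not captured from a real system).
# Assumed line format: "<ISO timestamp> <EVENT> user=<id> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 LOGIN_OK user=alice src=10.0.0.5
2024-03-01T08:00:07 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T08:00:12 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T08:00:15 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T08:00:20 PRIV_USE user=alice src=10.0.0.5
2024-03-01T08:00:22 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T08:00:25 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T09:30:00 LOGIN_FAIL user=carol src=10.0.0.7
""".splitlines()

# Assumption: in a real deployment this key lives on the log collector, not on
# the host producing the log, so a compromised host cannot re-seal its records.
DEMO_KEY = b"constructed-demo-key"


def parse(line):
    """Split one log line into (timestamp, event name, key/value fields)."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, kv


def failed_login_alerts(lines, threshold=5, window=timedelta(minutes=5)):
    """Level 5 style automatic alert: a user reaching `threshold` LOGIN_FAIL
    events inside a sliding `window`. Returns [(user, timestamp), ...]."""
    recent = defaultdict(deque)          # per-user timestamps inside the window
    alerts = []
    for line in lines:
        ts, event, kv = parse(line)
        if event != "LOGIN_FAIL":
            continue
        q = recent[kv["user"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((kv["user"], ts))
            q.clear()                    # one alert per burst, not per event
    return alerts


def seal(lines, key):
    """Level 3 tamper protection: chain an HMAC tag over (previous tag + line)
    for every record, so editing or deleting a record breaks every later tag."""
    tags, prev = [], b""
    for line in lines:
        prev = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        tags.append(prev.hex())
    return tags


def verify(lines, tags, key):
    """Return the index of the first record whose chain tag does not match
    (or the index where a record is missing), or -1 if the log is intact."""
    prev = b""
    for i, (line, tag) in enumerate(zip(lines, tags)):
        prev = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(prev.hex(), tag):
            return i
    return -1 if len(lines) == len(tags) else min(len(lines), len(tags))


if __name__ == "__main__":
    for user, when in failed_login_alerts(SAMPLE_LOG):
        print(f"ALERT: repeated failed logins for {user} at {when.isoformat()}")
    tags = seal(SAMPLE_LOG, DEMO_KEY)
    print("log chain intact:", verify(SAMPLE_LOG, tags, DEMO_KEY) == -1)
```

The alert function is the kind of rule a reviewer would expect behind the level 5 evidence ("automatic log alerts and reports"); the HMAC chain is one concrete way to meet the level 3 requirement that log information be protected against tampering, since a modified, removed or truncated record is detected by `verify` at the exact position where the chain breaks.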

Page 21 of 38
11 Access control
11.1 Business requirement for access control

Objective: To control access to information.

Access to information, information processing facilities and business processes should be controlled on the basis of business and security requirements.

Access control rules should take account of policies for information dissemination and authorization.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: Access to information facilities is given without considering employees' business needs.
1 - Initial: Basic user profiles on information processing facilities (e.g. read-only, read/write data privileges) have been designed in order to give employees access to information.
2 - Repeatable: More sophisticated user access profiles have been designed, including different access privileges based on the need to know, from a business perspective. User access profiles assigned to each employee are aligned with their business functional needs.
3 - Defined: Besides level 2, an access control policy and procedure have been formally developed and approved by management. Required user privileges in all information systems, based on business needs, are formally defined.
4 - Managed: Besides level 3, periodic reviews on critical business users are performed to ensure their privileges regarding access to information are consistent with the defined model.
5 - Optimized: Periodically, management reviews that the defined user profile model remains appropriate to the business needs.

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: None
3 - Defined: Access control policy/procedure, concerning the application involved in this assessment.
4 - Managed: Documented log monitoring procedure, concerning the application involved in this assessment.
5 - Optimized: Access control policy/procedure, concerning the application involved in this assessment.

Page 22 of 38
11.2 User access management (covered by questions in subarea number 11.1, 11.3)

Objective: To ensure authorized user access and to prevent unauthorized access to information systems.

Formal procedures should be in place to control the allocation of access rights to information systems and services.

The procedures should cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention should be given, where
appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

11.3 User responsibilities

Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.

The co-operation of authorized users is essential for effective security.

Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.

A clear desk and clear screen policy should be implemented to reduce the risk of unauthorized access or damage to papers, media, and information processing facilities.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: There are no rules regarding the use of individual user IDs and passwords. Vendor default passwords have not been changed.
1 - Initial: The use of individual user IDs and passwords is enforced. Passwords are required to be changed when first log-on occurs. Afterwards, they expire periodically, at least annually. Vendor default passwords have been changed.
2 - Repeatable: Besides level 1, a minimum length of six characters is enforced when building a password. User accounts are locked after a certain number of unsuccessful login attempts.
3 - Defined: Besides level 2, passwords are stored and transmitted in a protected form. A record of previous user passwords to prevent re-use is maintained (password history).
4 - Managed: Besides level 3, a password minimum length of eight characters is enforced. Complexity rules are enabled. The following could be considered: use of special characters and numeric characters, not allowing the use of easy-to-guess passwords such as the name of the organization, employee's name, the ID, etc.
5 - Optimized: Besides level 4, users are required to sign a statement accepting the conditions of access.

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: Screenshot of password policy configuration, concerning the application involved in this assessment.
3 - Defined: Screenshot of password policy configuration, concerning the application involved in this assessment.
4 - Managed: Screenshot of password policy configuration, concerning the application involved in this assessment.
5 - Optimized: 1. Screenshot of password policy configuration, concerning the application involved in this assessment. 2. Statement that users are required to sign in order to accept conditions of access.
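As an added illustration of the level 2 to level 4 password rules in the table above (minimum length, account lockout after repeated failures, protected storage with a password history, complexity rules and rejection of easy-to-guess values), the following Python code was written for this page; it is not part of the ADP questionnaire or of any vendor's product. The class names, the lockout and history sizes, the PBKDF2 parameters and the forbidden-word list are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Configurable policy; defaults correspond to the level 4 description.
    A level 2 deployment would use min_length=6 with complexity disabled."""
    min_length: int = 8             # level 2 requires 6, level 4 requires 8
    require_digit: bool = True      # level 4 "complexity rules are enabled"
    require_special: bool = True
    history_size: int = 5           # level 3 password history (size is an assumption)
    lockout_threshold: int = 5      # level 2 lockout after N failures (assumption)
    forbidden_words: tuple = ()     # organization name etc. (level 4 easy-to-guess rule)

    def check(self, password: str, user_id: str = "") -> list:
        """Return the list of violated rules; an empty list means compliant."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no numeric character")
        if self.require_special and not any(not c.isalnum() for c in password):
            problems.append("no special character")
        lowered = password.lower()
        # The user's own ID counts as easy to guess, alongside the configured words.
        for word in self.forbidden_words + ((user_id,) if user_id else ()):
            if word and word.lower() in lowered:
                problems.append(f"contains easy-to-guess value '{word}'")
        return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Level 3: passwords are stored in a protected form (salted PBKDF2-HMAC-SHA256),
    # never as plaintext; the iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserAccount:
    user_id: str
    policy: PasswordPolicy
    history: list = field(default_factory=list)   # (salt, hash) pairs, newest last
    failed_attempts: int = 0
    locked: bool = False

    def _reused(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, salt), h)
                   for salt, h in self.history)

    def set_password(self, password: str) -> list:
        """Apply the policy plus the history check; returns the problems found."""
        problems = self.policy.check(password, self.user_id)
        if self._reused(password):
            problems.append("password found in history")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-self.policy.history_size:]
        return []

    def login(self, password: str) -> bool:
        """Verify against the current hash and lock after repeated failures."""
        if self.locked or not self.history:
            return False
        salt, current = self.history[-1]
        if hmac.compare_digest(_hash(password, salt), current):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.lockout_threshold:
            self.locked = True
        return False
```

Evidence for levels 2 to 4 is a screenshot of the password policy configuration; this example shows what such a configuration has to enforce behind the screen, and why the history check can only work when stored hashes are salted per entry and compared in constant time rather than kept as plaintext.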

0 - Chaos: Clear desk and clear screen guidelines are not being followed.
1 - Initial: Clear desk and clear screen actions are being followed as a result of personal initiatives in sensitive areas (e.g. management offices). A time-out screen saver protected by password is activated.
2 - Repeatable: Although not documented, staff is concerned about information security and performs clear desk and clear screen actions. Sensitive information, e.g. on paper or on electronic storage media, is locked away in a cabinet or other when not required, especially when the office is vacated.
3 - Defined: Besides level 2, related procedures have been developed and approved by management. Users have been formally advised to terminate their active sessions when finished.
4 - Managed: Besides level 3, periodical training is performed to raise personnel awareness.
5 - Optimized: Besides level 4, reviews are conducted in order to guarantee information security as well as monitor awareness actions' effectiveness (documents are periodically removed from printers, a PIN is required to use photocopiers, etc.).

Page 23 of 38
Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: None
3 - Defined: User responsibilities procedures/policy.
4 - Managed: User responsibilities procedures/policy.
5 - Optimized: 1. User responsibilities procedures/policy. 2. Records of reviews performed to evaluate awareness actions' effectiveness.

Page 24 of 38
11.4 Network access control

Objective: To prevent unauthorized access to networked services.

Access to both internal and external networked services should be controlled.

User access to networks and network services should not compromise the security of the network services, by ensuring:
a) appropriate interfaces are in place between the organization’s network and networks owned by other organizations, and public networks;
b) appropriate authentication mechanisms are applied for users and equipment;
c) control of user access to information services is enforced.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: No guidelines on secure use of network services have been developed.
1 - Initial: Communication networks (including wireless networks) are designed and divided into separate logical network domains, based on a risk assessment and the different security requirements within each of the domains (e.g. publicly accessible systems, internal networks, and critical assets).
2 - Repeatable: Besides level 1, the following set of controls is implemented, when applicable:
- Ports and services not required for business have been disabled or removed. Required ports are accessed by using secure protocols (e.g. SSL).
- Authentication of remote users is achieved by using virtual private network (VPN) solutions.
- Wireless networks are not visible to unauthorized individuals.
- External services, if any, are located in a DMZ.
- Routing controls are based on positive source and destination address checking mechanisms.
3 - Defined: Guidelines described in level 2 have been documented and approved by management.
4 - Managed: Implemented technical measures among those described in levels 2 and 3 are periodically checked by performing penetration tests. Such tests are planned, documented and repeatable.
5 - Optimized: Technical compliance checking is performed with the assistance of automated tools, which generate alerts and technical reports for subsequent interpretation by a technical specialist. Examples of supporting automated tools are intrusion detection systems (IDS) and intrusion prevention systems (IPS).

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: Network map, showing the system where the application involved in this assessment is running.
3 - Defined: Network map, showing the system where the application involved in this assessment is running.
4 - Managed: 1. Network map, showing the system where the application involved in this assessment is running. 2. Penetration test reports and action plans.
5 - Optimized: 1. Network map, showing the system where the application involved in this assessment is running. 2. Penetration test reports and action plans.
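As an added example of the level 2 and level 5 network controls in the table above (ports and services not required for business disabled, cleartext protocols replaced by secure ones, and automated compliance checking that produces findings for a specialist to interpret), the following Python code was written for this page and is not part of the questionnaire. The listener listing is a constructed sample laid out like `ss -tlnp` output, and the approved-service table is an assumption; a real check would read the live listing and the organization's own service inventory.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `ss -tlnp` (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1040,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1210,fd=3))
LISTEN  0       128     [::]:23              [::]:*             users:(("telnetd",pid=1300,fd=3))
"""

# Assumed business-approved services, keyed by port (the organization's inventory).
APPROVED = {22: "sshd", 443: "nginx"}
# Cleartext protocols the table expects to be replaced by secure ones or disabled.
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_listeners(text):
    """Parse LISTEN rows of an `ss -tlnp`-style listing into Listener records."""
    out = []
    for line in text.splitlines()[1:]:           # first line is the header
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)     # handles IPv6 such as [::]:23
        proc = re.search(r'\(\("([^"]+)"', parts[5] if len(parts) > 5 else "")
        out.append(Listener(addr.strip("[]"), int(port), proc.group(1) if proc else "?"))
    return out


def audit(listeners, approved=APPROVED):
    """Return (port, message) findings a specialist would review.
    Loopback-only listeners that are not approved are tolerated, since they are
    not reachable from the network; everything bound to all interfaces is checked."""
    findings = []
    for l in listeners:
        exposed = l.addr in ("0.0.0.0", "::", "*")
        if l.port in CLEARTEXT:
            findings.append((l.port, f"{l.process}: cleartext {CLEARTEXT[l.port]} service; "
                                     "use a secure protocol or disable it"))
        elif l.port not in approved:
            if exposed:
                findings.append((l.port, f"{l.process}: not in the approved service list "
                                         "and reachable from the network"))
        elif approved[l.port] != l.process:
            findings.append((l.port, f"{l.process}: unexpected process on approved port"))
    return findings


if __name__ == "__main__":
    for port, msg in audit(parse_listeners(SAMPLE_SS)):
        print(f"port {port}: {msg}")
```

Run against the sample, the check flags the FTP and telnet listeners and stays silent on the loopback-only database; run periodically and diffed against the previous result, it is the kind of repeatable technical compliance evidence the level 4 and 5 descriptions ask for, without replacing the planned penetration tests.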

Page 25 of 38
11.5 Operating system access control (covered by questions in subarea 11.3)

Objective: To prevent unauthorized access to operating systems.

Security facilities should be used to restrict access to operating systems to authorized users. The facilities should be capable of the following:
a) authenticating authorized users, in accordance with a defined access control policy;
b) recording successful and failed system authentication attempts;
c) recording the use of special system privileges;
d) issuing alarms when system security policies are breached;
e) providing appropriate means for authentication;
f) where appropriate, restricting the connection time of users.

11.6 Application and information access control (covered by questions in subarea 7.1, 11.1 and 11.4)

Objective: To prevent unauthorized access to information held in application systems.

Security facilities should be used to restrict access to and within application systems.

Logical access to application software and information should be restricted to authorized users. Application systems should:
a) control user access to information and application system functions, in accordance with a defined access control policy;
b) provide protection from unauthorized access by any utility, operating system software, and malicious software that is capable of overriding or bypassing system or application controls;
c) not compromise other systems with which information resources are shared.

11.7 Mobile computing and teleworking

Objective: To ensure information security when using mobile computing and teleworking facilities.

The protection required should be commensurate with the risks these specific ways of working cause.

When using mobile computing the risks of working in an unprotected environment should be considered and appropriate protection applied. In the case of teleworking the organization should apply protection to the teleworking site and ensure that suitable
arrangements are in place for this way of working.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: Training and specific controls on mobile computing and teleworking and related policies and guidelines have not been considered.
1 - Initial: Mobile computing facilities are physically protected against theft (e.g. using padlocks when left alone). Appropriate physical security mechanisms of the building and the local environment are taken into account.
2 - Repeatable: Besides level 1, the following matters are considered:
- The communications security requirements when transmitting information through non-corporate networks.
- The threat of unauthorized access to information or resources from other persons using the accommodation, e.g. family and friends.
- Back-up data mechanisms.
- Anti-virus protection and firewall requirements.
3 - Defined: Besides level 2, specific policies and procedures have been established for these cases.
4 - Managed: Besides level 3, training is arranged for personnel using mobile computing to raise their awareness on the additional risks resulting from this way of working and the controls that are implemented.
5 - Optimized: Besides level 4, users are required to sign a statement accepting the conditions of access for mobile computing and teleworking.

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: None
3 - Defined: Mobile computing and teleworking procedures/policy.
4 - Managed: Mobile computing and teleworking procedures/policy.
5 - Optimized: Mobile computing and teleworking procedures/policy.

Page 26 of 38
12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems

Objective: To ensure that security is an integral part of information systems.

Information systems include operating systems, infrastructure, business applications, off-the-shelf products, services, and user-developed applications. The design and implementation of the information system supporting the business process can be crucial for
security. Security requirements should be identified and agreed prior to the development and/or implementation of information systems.

All security requirements should be identified at the requirements phase of a project and justified, agreed, and documented as part of the overall business case for an information system.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: Security requirements are not considered when an information system acquisition, development and maintenance occurs.
1 - Initial: Security requirements are informally gathered for managing critical information system acquisitions, developments and maintenances.
2 - Repeatable: Besides level 1, a set of security requirements is applied to all information systems acquisitions, developments and maintenances.
3 - Defined: Besides level 2, security requirements are formally documented.
4 - Managed: Besides level 3, requirements for security controls, and not only business specifications, are formally stated within the functional requirements. This includes both automated controls and the need for supporting manual controls.
5 - Optimized: Post implementation reviews are periodically performed in order to ensure that security controls have been considered and finally met.

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: None
3 - Defined: Security requirements documented for the last development or change performed to the application involved in this assessment.
4 - Managed: Security requirements documented for the last development or change performed to the application involved in this assessment.
5 - Optimized: Security requirements documented for the last development or change performed to the application involved in this assessment.

Page 27 of 38
12.2 Correct processing in applications

Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.

Appropriate controls should be designed into applications, including user developed applications to ensure correct processing. These controls should include the validation of input data, internal processing and output data.

Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical information. Such controls should be determined on the basis of security requirements and risk assessment.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: No controls have been defined to ensure correct processing in applications.
1 - Initial: Validation checks are occasionally performed to detect any corruption of information through processing. These checks are performed manually.
2 - Repeatable: Some automatic validation checks have been incorporated into applications to detect any corruption of information through processing errors or deliberate acts. These can include checks on terminating programs in case of failure, logging or reconciliation count controls.
3 - Defined: Besides level 2, controls on applications have been defined and formally documented. They include controls within the whole data life cycle, meaning input data validation, control of internal processing and output data validation.
4 - Managed: Besides level 3, reviews on the control effectiveness are periodically performed.
5 - Optimized: Besides level 4, reviews on the control design are performed, at least, annually to ensure they remain suitable to the business needs and changes on the environment.

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: None
3 - Defined: List of controls defined in the application involved in this assessment.
4 - Managed: List of controls defined in the application involved in this assessment.
5 - Optimized: List of controls defined in the application involved in this assessment.

Page 28 of 38
12.4 Security of system files

Objective: To ensure the security of system files.

Access to system files and program source code should be controlled, and IT projects and support activities conducted in a secure manner. Care should be taken to avoid exposure of sensitive data in test environments. These controls apply to the
application level in contrast to the baseline software level considered in section 10.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: No specific policies and technical measures have been designed and implemented to manage the security of system files in applications.
1 - Initial: Access to program source code and associated items (such as designs, specifications, verification plans and validation plans) within applications is strictly controlled and logged.
2 - Repeatable: Besides level 1, the use of sensitive data for developing or testing purposes is avoided. Otherwise, this information is erased when the development or testing is complete.
3 - Defined: Access control procedure also considers test application systems. Program source libraries are controlled by specific measures such as access control, back-ups and control of versions. A rollback strategy is in place before changes are performed in operational software libraries.
4 - Managed: Software implementations are only performed after extensive and successful testing. The test plan includes tests on usability, security, effects on other systems and user-friendliness, and they are carried out on separate systems from production.
5 - Optimized: The updating of program source libraries and associated items, and the issuing of program sources to programmers, is only performed after appropriate authorization has been received.

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: None
3 - Defined: None
4 - Managed: Evidence of the segregation of environments concerning the application involved in this assessment.
5 - Optimized: Evidence of the segregation of environments concerning the application involved in this assessment.

Page 29 of 38
12.5 Security in development and support processes

Objective: To maintain the security of application system software and information.

Project and support environments should be strictly controlled.

Managers responsible for application systems should also be responsible for the security of the project or support environment. They should ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the
system or the operating environment.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments


0 - Chaos: There are no procedures in place to manage change in developments and support processes.
1 - Initial: There are informal guidelines to manage the process of change in new developments and support processes.
2 - Repeatable: Change management procedures have been developed, but not documented. They include the following:
- ensuring changes are submitted by authorized users;
- ensuring authorized users accept changes prior to implementation into production;
- maintaining a version control for all software updates.
3 - Defined: Besides level 2, change management procedure has been documented. In addition, new software is tested in a segregated environment from both production and development.
4 - Managed: Besides level 3, the following points are considered within change management process:
- the risk of built-in controls and integrity processes being compromised;
- whether the consent of the vendor needs to be obtained;
- the possibility of obtaining the required changes from the vendor as standard program updates.
5 - Optimized: Besides level 4, introduction of new systems and major changes to existing systems follow a formal process of documentation, specification, testing, quality control, and managed implementation.

Required Evidence:
0 - Chaos: None
1 - Initial: None
2 - Repeatable: None
3 - Defined: Change management procedure.
4 - Managed: Change management procedure.
5 - Optimized: 1. Change management procedure. 2. Evidence of documentation regarding a development process.

0 - Chaos: Information leakage controls and guidelines have not been implemented or developed.

1 - Initial: Some information leakage guidelines have been communicated to specific departments. These are the result of individual efforts.

2 - Repeatable: Occasionally, logs have been reviewed to identify unintentional release of information to an untrusted environment.

3 - Defined: Besides level 2, the related procedure has been documented and can consider the following:
- scanning of outbound media and communications for hidden information;
- regular monitoring of personnel and system activities, where permitted under existing legislation or regulation;
- logging resource usage in computer systems.

4 - Managed: Besides level 3, the results of scans and logs are periodically reviewed.

5 - Optimized: In addition to level 4, indicators and automatic alarms have been defined, as well as automatic tools to exploit the registered logs and to generate high-level reports. These are used to actively identify potential unauthorized actions related to data leakage and to improve the implemented control framework.

Required Evidence:
- Levels 0 to 2: None.
- Levels 3 to 5: Information leakage procedure.
0 - Chaos: There are no controls in place focused on controlling outsourced software development, when applicable.

1 - Initial: Software development, when outsourced, is controlled by the internal IT department or the responsible party in an informal manner. No controls have been defined or formalized.

2 - Repeatable: Where software development is outsourced, the following aspects are considered in formal agreements:
- Certification of the quality and accuracy of the work carried out;
- Contractual requirements for quality and security functionality of code.

3 - Defined: Besides level 2, the following have been considered:
- Licensing arrangements, code ownership, and intellectual property rights;
- Escrow arrangements in the event of failure of the third party.

4 - Managed: Besides level 3, the following have been considered:
- Rights of access for audit of the quality and accuracy of work done;
- Testing before installation to detect malicious and trojan code.

5 - Optimized: Besides level 4, a formal quality review of all the incidences identified is performed and corrective actions are taken in order to improve the quality of the provided service.

Required Evidence:
- Levels 0 and 1: None.
- Levels 2 to 5: Formal agreements established with software providers in case the application being assessed here is being outsourced.

12.6 Technical Vulnerability Management

Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

Technical vulnerability management should be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. These considerations should include operating systems, and any other applications in use.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments

0 - Chaos: Responsibilities for technical vulnerability management have not been defined.

1 - Initial: Responsibilities for technical vulnerability management have been assigned (e.g.: IT personnel) but not formally defined.

2 - Repeatable: An effective management process for technical vulnerabilities has been developed, but not documented. It considers:
- the establishment of the roles and responsibilities associated with technical vulnerability management;
- the actions to be taken when a potential technical vulnerability is identified.

3 - Defined: Besides level 2, the corresponding procedure has been documented. In addition, systems have been identified and classified according to their exposure to technical risk, which allows the organization to address first those systems exposed to higher risks.

4 - Managed: Besides level 3, the formal procedure manages the patch installation and the testing before deciding to install it. If a patch is available, the risks associated with installing the patch are assessed. An audit log is kept for all procedures undertaken.

5 - Optimized: Besides level 4, a timeline has been defined to react to notifications of potentially relevant technical vulnerabilities. Periodic reviews of the time frames taken are performed in order to identify possible improvement opportunities.

Required Evidence:
- Levels 0 to 2: None.
- Levels 3 to 5: Vulnerability management procedure.
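As an added example (not part of the ADP questionnaire or of any vendor's procedure), the following Python script makes the level-3 to level-5 practices of this subarea concrete: notifications are ordered by a reaction deadline derived from the system's exposure classification and the vulnerability's severity, every decision is written to an audit log, and the time frames actually taken are summarised for periodic review. The reaction timelines, system names, vulnerability identifiers and dates are constructed for illustration and are not values from the questionnaire.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed reaction timelines in calendar days, keyed by (exposure class, severity).
# These values are illustrative: the questionnaire only requires that such a
# timeline exists (level 5), not what it is.
REACTION_DAYS: Dict[Tuple[str, str], int] = {
    ("internet-facing", "critical"): 2,
    ("internet-facing", "high"): 7,
    ("internet-facing", "medium"): 30,
    ("internal", "critical"): 7,
    ("internal", "high"): 30,
    ("internal", "medium"): 90,
}
DEFAULT_DAYS = 180  # fallback for combinations not listed above (e.g. "low")


@dataclass
class Notification:
    vuln_id: str              # placeholder identifier, not a real advisory number
    system: str
    exposure: str             # level 3: classification by exposure to technical risk
    severity: str
    notified: datetime        # when the vendor/CERT notification was received
    patched: Optional[datetime] = None


@dataclass
class TriageResult:
    vuln_id: str
    system: str
    due: datetime
    status: str               # "patched-in-time", "patched-late", "open", "overdue"
    days_taken: Optional[int]


def reaction_deadline(n: Notification) -> datetime:
    """Deadline derived from the defined reaction timeline (level 5)."""
    return n.notified + timedelta(days=REACTION_DAYS.get((n.exposure, n.severity), DEFAULT_DAYS))


def triage(notifications: List[Notification], now: datetime, audit_log: List[str]) -> List[TriageResult]:
    """Order work so the most exposed systems come first (level 3) and record
    every decision in an audit log (level 4)."""
    results = []
    for n in sorted(notifications, key=reaction_deadline):
        due = reaction_deadline(n)
        if n.patched is None:
            status, days = ("overdue" if now > due else "open"), None
        else:
            days = (n.patched - n.notified).days
            status = "patched-in-time" if n.patched <= due else "patched-late"
        results.append(TriageResult(n.vuln_id, n.system, due, status, days))
        audit_log.append(
            f"{now.date()} {n.vuln_id} {n.system} exposure={n.exposure} "
            f"severity={n.severity} due={due.date()} status={status}"
        )
    return results


def timeframe_review(results: List[TriageResult]) -> dict:
    """Periodic review of the time frames actually taken (level 5)."""
    taken = [r.days_taken for r in results if r.days_taken is not None]
    return {
        "closed": len(taken),
        "avg_days_to_patch": sum(taken) / len(taken) if taken else None,
        "late_or_overdue": sum(1 for r in results if r.status in ("patched-late", "overdue")),
    }


# Constructed sample notifications (names, identifiers and dates are made up).
NOW = datetime(2024, 3, 1)
SAMPLE = [
    Notification("VULN-0001", "web-frontend", "internet-facing", "critical",
                 datetime(2024, 2, 20), patched=datetime(2024, 2, 21)),
    Notification("VULN-0002", "hr-db", "internal", "high",
                 datetime(2024, 1, 10), patched=datetime(2024, 2, 15)),
    Notification("VULN-0003", "vpn-gateway", "internet-facing", "high",
                 datetime(2024, 2, 10)),                      # still open
    Notification("VULN-0004", "build-server", "internal", "medium",
                 datetime(2024, 2, 25)),                      # still open
]


def run_sample():
    log: List[str] = []
    results = triage(SAMPLE, NOW, log)
    return results, log, timeframe_review(results)


if __name__ == "__main__":
    results, log, review = run_sample()
    for r in results:
        print(f"{r.vuln_id:10} {r.system:14} due {r.due.date()} {r.status}")
    print(review)
```

The audit log entries are what an assessor would ask to see for level 4, and the review dictionary is the input to the level-5 time-frame review; in a real deployment the sample list would be replaced by the organization's notification feed and the log written to protected storage.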

13 Information security incident management
13.1 Reporting information security events and weaknesses

Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

Formal event reporting and escalation procedures should be in place. All employees, contractors and third party users should be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of
organizational assets. They should be required to report any information security events and weaknesses as quickly as possible to the designated point of contact.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments

0 - Chaos: Security incidents are not being managed in a centralized manner and no related procedures have been defined.

1 - Initial: Security incidents are escalated to IT personnel. This point of contact is known throughout the organization. All personnel have received specific instructions about how to proceed when an incident occurs.

2 - Repeatable: Responsibilities for dealing with security incidents have been assigned. Security incidents have been defined and include some of the following items: information system failures and loss of service, malicious code, denial of service, errors resulting from incomplete or inaccurate business data, breaches of confidentiality and integrity, misuse of information systems, etc.

3 - Defined: Formal information security event and weakness reporting procedures have been established, together with an incident response and escalation procedure.

4 - Managed: Besides level 3, the procedures include the analysis and identification of the root cause of the incident, and the planning, communication and implementation of corrective action to prevent recurrence. Rules to be considered when collecting and presenting evidence for the purposes of disciplinary or legal actions involving internal and external individuals have also been considered.

5 - Optimized: Besides level 4, evaluation of information security incidents is used to identify recurring or high-impact incidents. Secure communication channels have been established.

Required Evidence:
- Levels 0 to 2: None.
- Levels 3 to 5: Information security incident management procedures.

13.2 Management of information security incidents and improvements (covered by questions in subarea number 13.1)

Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

Responsibilities and procedures should be in place to handle information security events and weaknesses effectively once they have been reported. A process of continual improvement should be applied to the response to, monitoring, evaluating, and overall
management of information security incidents.

Where evidence is required, it should be collected to ensure compliance with legal requirements.

14 Business continuity management
14.1 Information security aspects of business continuity management

Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

A business continuity management process should be implemented to minimize the impact on the organization and recover from loss of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate
actions) to an acceptable level through a combination of preventive and recovery controls.

This process should identify the critical business processes and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and
facilities.

The consequences of disasters, security failures, loss of service, and service availability should be subject to a business impact analysis. Business continuity plans should be developed and implemented to ensure timely resumption of essential operations.
Information security should be an integral part of the overall business continuity process, and other management processes within the organization.

Business continuity management should include controls to identify and reduce risks, in addition to the general risk assessment process, limit the consequences of damaging incidents, and ensure that information required for business processes is readily available.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments

0 - Chaos: Events that could cause interruptions to business processes have not been identified.

1 - Initial: As a result of incidences that have occurred in the past, a set of events that could cause interruptions to business processes has been identified. These are usually related to information systems.

2 - Repeatable: A business impact analysis (BIA) has been conducted to determine the probability and impact of potential interruptions in terms of time, damage scale and recovery period. RPO (recovery point objective) and RTO (recovery time objective) are calculated as part of the BIA.

3 - Defined: Besides level 2, the BIA has been formally carried out with full involvement from the owners of business resources and processes. They also approve the acceptable RPO and RTO estimates.

4 - Managed: Besides level 3, a procedure has been put in place to keep the BIA updated (the analysis is either conducted periodically or repeated when significant changes take place in the organization).

5 - Optimized: Besides level 4, the business impact analysis considers all services and resources facilitating business continuity, not only information systems: staffing, non-information processing resources, and suppliers. Under no circumstances does the RTO exceed three working days.

Required Evidence:
- Levels 0 and 1: None.
- Levels 2 to 5: Business impact analysis document.
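As an added example, not taken from the questionnaire, the following Python check compares each BIA entry against the protection actually in place: whether the backup interval honours the RPO, whether the chosen alternative site can plausibly meet the RTO, whether the business owner approved the objectives (level 3), and whether the RTO stays within the three-working-day ceiling the level-5 description sets. Process names, figures, the per-site recovery times and the reading of "three working days" as 72 elapsed hours are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List

# Assumptions of this example: RPO/RTO are expressed in elapsed hours, and the
# questionnaire's level-5 ceiling of "three working days" is read as 72 hours.
MAX_RTO_HOURS = 3 * 24

# Illustrative time needed to resume processing at each type of alternative
# site (level 2 mentions cold, warm or hot sites); these figures are assumed.
SITE_RECOVERY_HOURS = {"hot": 1.0, "warm": 12.0, "cold": 72.0, "none": float("inf")}


@dataclass
class BiaEntry:
    process: str
    owner_approved: bool          # level 3: RPO/RTO approved by the business owner
    rpo_hours: float              # recovery point objective
    rto_hours: float              # recovery time objective
    backup_interval_hours: float  # how often a copy is actually taken (0 = real time)
    recovery_site: str            # "hot", "warm", "cold" or "none"


def findings(e: BiaEntry) -> List[str]:
    """Gaps between the objectives in the BIA and the protection in place."""
    out = []
    if not e.owner_approved:
        out.append("RPO/RTO not approved by the business owner")
    if e.backup_interval_hours > e.rpo_hours:
        out.append(f"backup interval {e.backup_interval_hours:g}h exceeds RPO {e.rpo_hours:g}h")
    if SITE_RECOVERY_HOURS[e.recovery_site] > e.rto_hours:
        out.append(f"{e.recovery_site} site cannot meet RTO {e.rto_hours:g}h")
    if e.rto_hours > MAX_RTO_HOURS:
        out.append("RTO exceeds three working days")
    return out


def review_bia(entries: List[BiaEntry]) -> dict:
    """Findings per process; an empty list means the entry is consistent."""
    return {e.process: findings(e) for e in entries}


# Constructed sample BIA (processes and figures are made up).
SAMPLE_BIA = [
    BiaEntry("payroll-run", True, rpo_hours=1, rto_hours=4,
             backup_interval_hours=0, recovery_site="hot"),
    BiaEntry("hr-portal", True, rpo_hours=24, rto_hours=48,
             backup_interval_hours=24, recovery_site="warm"),
    BiaEntry("document-archive", False, rpo_hours=24, rto_hours=120,
             backup_interval_hours=168, recovery_site="cold"),
]

if __name__ == "__main__":
    for process, gaps in review_bia(SAMPLE_BIA).items():
        print(process, "OK" if not gaps else "; ".join(gaps))
```

The check is deliberately one-directional: it reports objectives the current backup and recovery arrangements cannot meet, which is the gap a BIA review (level 4) is meant to surface, and it does not attempt to decide what the objectives should be, which remains the business owner's approval.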
0 - Chaos: Mechanisms intended to recover information systems in the event of a disaster have not been put in place.

1 - Initial: Data is periodically backed up using removable media such as tapes. In case of disaster, the organization's appropriate personnel can restore the information in the processing facilities using the back-up tapes.

2 - Repeatable: Redundancy mechanisms exist, so the information is backed up in real time. In case of disaster, data can be restored in an alternative processing location (cold, warm or hot site).

3 - Defined: Besides level 1 or 2 (depending on the organization), a Disaster Recovery Plan (DRP) has been defined and implemented. Actions to be taken when recovering the information systems activity are properly documented.

4 - Managed: Besides level 3, a testing plan has been developed to ensure that each element of the DRP is tested periodically.

5 - Optimized: Besides level 4, formal periodic training is performed to ensure all the roles and responsibilities affected by the DRP have been properly understood.

Required Evidence:
- Levels 0 and 1: None.
- Level 2: List of redundancy mechanisms implemented in the system where the application involved in this assessment is running.
- Level 3: 1. List of redundancy mechanisms implemented in the system where the application involved in this assessment is running. 2. Disaster recovery plan document.
- Level 4: Items 1 and 2 of level 3, plus 3. DRP testing plan document.
- Level 5: Items 1 to 3 of level 4, plus 4. Evidence of periodic DRP training.

0 - Chaos: Actions to be taken in the event of an information security incident are not known throughout the organization.

1 - Initial: Actions to be taken in the event of an information security incident are known throughout the organization, but not formalized. These are the result of incidences that have occurred in the past and the experience learnt from solving them.

2 - Repeatable: Roles and responsibilities regarding business continuity management have been formally assigned, including the crisis committee.

3 - Defined: Besides level 2, a Business Continuity Plan (BCP) has been developed and implemented to determine the overall approach to business continuity. The management of business continuity has been incorporated in the organization's processes and structure.

4 - Managed: A testing plan has been developed to ensure that each element of the BCP is tested periodically. The results of tests are recorded and corrective actions taken. Additionally, formal periodic training is performed to ensure all the roles and responsibilities have been properly understood.

5 - Optimized: Additionally to level 4, a single framework of business continuity plans is maintained to ensure it is consistent with all the initiatives taken within the organization. The BCP considers all services and resources facilitating business continuity, not only information systems: staffing, non-information processing resources, and suppliers.

Required Evidence:
- Levels 0 to 2: None.
- Level 3: Business continuity plan.
- Levels 4 and 5: 1. Business continuity plan. 2. BCP testing plan document and evidence of BCP training activities.

15 Compliance
15.1 Compliance with legal requirements

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

The design, operation, use, and management of information systems may be subject to statutory, regulatory, and contractual security requirements.

Advice on specific legal requirements should be sought from the organization’s legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and may vary for information created in one country that is transmitted to
another country (i.e. trans-border data flow).

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments

0 - Chaos: No statutory, regulatory or contractual requirements (e.g.: data retention, privacy regulations) for each information system or the organization have been identified.

1 - Initial: Some statutory, regulatory or contractual requirements (e.g.: data retention, privacy regulations) for information systems and/or the organization have been informally identified.

2 - Repeatable: Some statutory, regulatory or contractual requirements (e.g.: data retention, privacy regulations) for information systems and/or the organization have been formally identified and/or this responsibility is assigned to appropriate personnel.

3 - Defined: All relevant statutory, regulatory, and contractual requirements and the organization's approach to meeting these requirements are explicitly defined and documented for each information system and the organization.

4 - Managed: Besides level 3, documentation is kept up to date by assigned personnel. Training courses or contact sessions with special interest groups are in place.

5 - Optimized: Besides level 4, audits or reviews are periodically conducted in order to check that the organization is compliant with all relevant statutory, regulatory and contractual requirements. Corrective actions are documented and followed up by management.

Required Evidence:
- Levels 0 to 2: None.
- Levels 3 and 4: List of relevant statutory, regulatory and contractual requirements that may affect the organization.
- Level 5: 1. List of relevant statutory, regulatory and contractual requirements that may affect the organization. 2. Evidence of audits/reviews performed in order to check that the organization is compliant with all relevant statutory, regulatory and contractual requirements.

0 - Chaos: The organization is not aware of the data retention period stated by regulation.

1 - Initial: The organization retains all data according to some specific regulations or internal guidelines, but there is no clear classification in terms of records and mandatory retention periods.

2 - Repeatable: The system of storage and handling ensures clear identification of records and of their retention period.

3 - Defined: Besides level 2, a retention schedule is drawn up identifying records and the period of time for which they should be retained, according to applicable legislation or regulation. Appropriate controls are implemented to protect records and information from loss, destruction, and falsification.

4 - Managed: Besides level 3, the system of storage and handling permits the appropriate destruction of records after that period if they are not needed by the organization.

5 - Optimized: Besides level 4, periodic tests of retention and recovery of data are performed. Corrective actions are analyzed by management.

Required Evidence:
- Levels 0 to 2: None.
- Levels 3 and 4: Evidence of retention schedule, identifying records and the period of time for which they should be retained.
- Level 5: 1. Evidence of retention schedule, identifying records and the period of time for which they should be retained. 2. Results of the periodic tests of retention and recovery of data performed.

0 - Chaos: The organization is not aware of the data protection and privacy of personal information requirements stated by regulation.

1 - Initial: The organization is concerned about data protection and privacy of personal information (some guidelines have been given and some controls have been put in place), but these are not totally aligned with the related regulation.

2 - Repeatable: Responsibility for handling personal information and ensuring awareness of the data protection principles is dealt with in accordance with relevant legislation and regulations.

3 - Defined: Appropriate technical and organizational measures to protect personal information are implemented.

4 - Managed: Assigned responsible personnel provide guidance to managers, users and service providers on their individual responsibilities and the specific procedures that should be followed.

5 - Optimized: Reviews are periodically conducted in order to check that the organization is compliant with the related regulation. Corrective actions are documented and followed up by management.

Required Evidence:
- Levels 0 to 4: None.
- Level 5: Evidence of legal compliance reviews.
0 - Chaos: The organization has not communicated any guideline regarding prevention of misuse of information processing facilities.

1 - Initial: Internal employees are given, or informed of, the organization's guidelines regarding prevention of misuse of information processing facilities when hired.

2 - Repeatable: Employees of the organization, contractors, and third party users are advised that no access will be permitted except that which is authorized. They are aware of the monitoring in place to detect unauthorized use.

3 - Defined: At log-on, a warning message is presented to indicate that the information processing facility being entered is owned by the organization and that unauthorized access is not permitted. The user has to acknowledge and react appropriately to the message on the screen to continue with the log-on process. Otherwise, similar controls are in place, such as the formal acceptance of the policy on the correct use of information processing facilities.

4 - Managed: Periodic training sessions for personnel accessing the information systems are in place.

5 - Optimized: The organization periodically reviews the use of information processing facilities (by examining logs or dedicated tools). Results are logged and analyzed by management, with the aim of detecting inappropriate access and improving the level of internal control.

Required Evidence:
- Levels 0 to 2: None.
- Levels 3 and 4: Screenshot of the logon warning message (presented to indicate that the information processing facility being entered is owned by the organization and that unauthorized access is not permitted).
- Level 5: 1. Screenshot of the logon warning message (presented to indicate that the information processing facility being entered is owned by the organization and that unauthorized access is not permitted). 2. Records or reviews of the use of information processing facilities performed by management.
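As an added example, not from the questionnaire, the following Python check verifies the level-3 log-on warning on a Linux host that uses OpenSSH: it resolves the effective Banner directive from an sshd_config text and confirms that the banner file states the three points this control calls for (the facility is owned by the organization, unauthorized access is not permitted, and use is monitored, the last being the level-2 awareness point). The configuration and banner texts are constructed samples, the organization name is a placeholder, and the regular expressions used to recognise the statements are this example's own assumption.

```python
import re
from typing import Dict, List, Optional

# Statements the questionnaire expects the log-on message to convey; the
# regular expressions used to recognise them are this example's own assumption.
REQUIRED_STATEMENTS: Dict[str, List[str]] = {
    "ownership": [r"\bproperty of\b", r"\bowned by\b"],
    "unauthorized access not permitted":
        [r"\bunauthori[sz]ed\b.*\b(?:prohibited|not permitted|forbidden)\b"],
    "monitoring notice": [r"\bmonitor(?:ed|ing)?\b"],
}


def missing_statements(banner_text: str) -> List[str]:
    """Names of required statements that the banner text does not contain."""
    flags = re.IGNORECASE | re.DOTALL
    return [name for name, pats in REQUIRED_STATEMENTS.items()
            if not any(re.search(p, banner_text, flags) for p in pats)]


def sshd_banner_path(sshd_config: str) -> Optional[str]:
    """Effective Banner path from sshd_config text. sshd uses the first value
    given for a keyword, and 'Banner none' disables the banner."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "banner":
            value = parts[1].strip()
            return None if value.lower() == "none" else value
    return None


def assess(sshd_config: str, files: Dict[str, str]) -> dict:
    """files maps banner file paths to their contents (read from disk in practice)."""
    path = sshd_banner_path(sshd_config)
    if path is None:
        return {"banner_configured": False, "missing": list(REQUIRED_STATEMENTS)}
    return {"banner_configured": True, "path": path,
            "missing": missing_statements(files.get(path, ""))}


# Constructed samples: a default-style config with the banner left disabled,
# and a hardened one pointing at a message that states ownership, prohibition
# of unauthorized access and monitoring.
WEAK_SSHD_CONFIG = "Port 22\n#Banner none\nPermitRootLogin no\n"
HARDENED_SSHD_CONFIG = "Port 22\nBanner /etc/issue.net\nPermitRootLogin no\n"
BANNER_FILES = {
    "/etc/issue.net": (
        "This system is the property of Example Corp (placeholder name).\n"
        "Unauthorized access is prohibited. All activity may be monitored\n"
        "and recorded, and may be reported to the appropriate authorities.\n"
    ),
    "/etc/issue.weak": "Welcome to server01\n",   # greets, but warns of nothing
}

if __name__ == "__main__":
    print(assess(WEAK_SSHD_CONFIG, BANNER_FILES))
    print(assess(HARDENED_SSHD_CONFIG, BANNER_FILES))
```

For local console logins, getty displays /etc/issue rather than the sshd banner, so the same text check applies to that file. The screenshot the questionnaire asks for remains the evidence; a check like this only confirms that the configuration behind the screenshot is still in place.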

15.2 Compliance with security policies and standards and technical compliance

Objective: To ensure compliance of systems with organizational security policies and standards.

The security of information systems should be regularly reviewed.

Such reviews should be performed against the appropriate security policies and the technical platforms and information systems should be audited for compliance with applicable security implementation standards and documented security controls.

0 - Chaos 1 - Initial 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimized Scoring Comments

0 - Chaos: Information systems are not audited.

1 - Initial: Some checks on information systems are performed occasionally. These tests are not defined.

2 - Repeatable: A set of checks on operational systems is periodically conducted by persons independent from the audited activities. Technical reports are generated or results are recorded.

3 - Defined: Requirements and responsibilities regarding the audits are documented. Audits are conducted by personnel with adequate training and skills (e.g.: internal audit).

4 - Managed: Results of reviews and corrective actions carried out by managers are recorded and these records are maintained. Information systems audit tools or dedicated processes are used and conveniently protected.

5 - Optimized: The implementation of the corrective actions is actively followed up to ensure that the agreed implementation dates are being met. Automated audit tools are in place and continuously working to monitor compliance with the policies and technical measures defined. They provide their results in a dashboard which is used by management to continuously improve the policies and controls implemented.

Required Evidence:
- Levels 0 and 1: None.
- Levels 2 to 4: Reports generated as part of the technical compliance reviews performed.
- Level 5: 1. Reports generated as part of the technical compliance reviews performed. 2. Evidence of follow-up activities regarding technical compliance corrective actions.

15.3 Information systems audit considerations (covered by questions in subarea number 15.2)

Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.

There should be controls to safeguard operational systems and audit tools during information systems audits.

Protection is also required to safeguard the integrity and prevent misuse of audit tools.
