
COBIT® 5 Process Assessment Worksheet

Area: Management Domain: Align, Plan, and Organize


Process: DSS05 – Manage Security Services

DSS05 – Process Setting


Process Description [1]

Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and
maintain information security roles and access privileges and perform security monitoring.

Process Purpose Statement [1]

Minimize the business impact of operational information security vulnerabilities and incidents.

Process Assessment Objectives [1]

The objectives of this assessment are to determine that:

• Viruses, worms, spyware, and spam do not distract from the business,
• All information is protected,
• Enterprise-wide operations are secured from disruption,
• All users are uniquely identifiable and have access rights in accordance with their business role,
• Physical measures have been implemented to protect information from unauthorized access, damage and interference when being processed, stored or transmitted,
• Infrastructure events are integrated with general event monitoring and incident management, and
• Electronic information is properly secured when stored, transmitted or destroyed.

Process Risk Drivers [2]

Access management failing business requirements and compromising the security of business-critical systems
Business disruptions

1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.


Compromised integrity of sensitive data
Compromised overall security architecture
Compromised system information
Confidential information being accessed by devices configured to read the radiation emitted by the computers
Critical incidents not solved properly
Data altered by unauthorized users
Devices reconfigured without authorization
Disclosure of corporate assets and sensitive information accessible for unauthorized parties
Disruption of IT services
Exposure of information
Failure of firewall rules to reflect the organization’s security policy
Failure to terminate unused accounts in a timely manner, thus impacting corporate security
Hardware stolen by unauthorized people
Inability to account for all sensitive IT assets
Inadequate physical security measures
Incidents not solved in a timely manner
Incompleteness and inaccuracy of transmitted data
Increased likelihood of problem recurrence
Ineffective countermeasures
Insufficient service quality
Keys misused by unauthorized parties
Lack of audit trails of problems, incidents and their solutions for proactive problem and incident management
Loss of information
Misuse of sensitive IT assets, leading to financial losses and other business impacts
Misuse of users’ accounts, compromising organizational security
Physical attack on the IT site
Problems and incidents not solved in a timely manner
Recurrence of problems and incidents
Registration of non-verified users, thus compromising system security



Security breaches
Security breaches not detected in a timely manner
Segregation-of-duty violations
Sensitive data misused or destroyed
Sensitive information exposed
Systems and data that are prone to virus attacks
Threats to physical security not identified
Unauthorized access to cryptographic keys
Unauthorized access to data tapes
Unauthorized changes to hardware and software
Unauthorized data access
Unauthorized entry to secure areas
Unauthorized external connections to remote sites
Undetected security breaches
Undetected unauthorized modifications to firewall rules
Unreliable security logs
Unspecified security requirements for all systems
Users failing to comply with security policy
Violations of legal and regulatory requirements
Visitors gaining unauthorized access to IT equipment or information




DSS05 – Process Goal Assessment


DSS05.01 Management Practice [1]
Protect against malware. Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and virus
control) across the enterprise to protect information systems and technology from malware (e.g., viruses, worms, spyware, and spam).

Activity Title [1] / Activity Assessment Objectives [1] / Activity Assessment Step(s) [2]

DSS05.01.01 - Awareness and Enforcement
Objective: Determine if and how IT communicates malicious software awareness and enforces prevention procedures and responsibilities.
Step(s): Determine and analyze whether and confirm that a malicious software prevention policy is established, documented and communicated throughout the organization.

DSS05.01.02 - Protection Tools
Objective: Understand that IT has installed and activated malicious software protection tools on all processing facilities, with malicious software definition files that are updated as required (automatically or semi-automatically).
Step(s): Determine that automated controls have been implemented to provide virus protection and that violations are appropriately communicated.

DSS05.01.03 - Configuration Management
Objective: Determine that IT distributes all protection software centrally (version and patch-level) using centralized configuration and change management.
Step(s): Determine whether and confirm that the protection software is centrally distributed (version and patch-level) using a centralized configuration and change management process.

DSS05.01.04 - Threat Review
Objective: Understand that IT regularly reviews and evaluates information on new potential threats (e.g., reviewing vendors, products, and services security advisories).
Step(s): Analyze whether and confirm that information on new potential threats is regularly reviewed and evaluated and, as necessary, manually updated to the virus definition files.

DSS05.01.05 - Traffic Filtering
Objective: Determine that IT filters incoming traffic, such as email and downloads, to protect against unsolicited information (e.g., spyware, phishing emails).
Step(s): Determine whether and confirm that incoming e-mail is filtered appropriately against unsolicited information.

DSS05.01.06 - Malware Training
Objective: Determine if and to what extent IT conducts periodic training about malware in email and Internet usage and about not installing shared or unapproved software.
Step(s):
1. Determine if IT conducts periodic training about malware in email and Internet usage.
2. Determine if IT trains users to not install shared or unapproved software.




DSS05.02 Management Practice [1]

Manage network and connectivity security. Use security measures and related management procedures to protect information over all methods of connectivity.

Activity Title [1] / Activity Assessment Objectives [1] / Activity Assessment Step(s) [2]

DSS05.02.01 - Security Policy
Objective: Based on risk assessments and business requirements, determine if IT has established and maintains a policy for security of connectivity.
Step(s): Determine and analyze whether and confirm that a network security policy (e.g., provided services, allowed traffic, types of connections permitted) has been established and is maintained.

DSS05.02.02 - Authorized Devices Only
Objective: Determine that IT allows only authorized devices to have access to corporate information and the enterprise network and that these devices are configured to require passwords.
Step(s):
1. Determine if policy and procedures allow only authorized devices to have access to corporate information and the enterprise network.
2. Determine how IT prevents unauthorized access from non-specified devices.

DSS05.02.03 - Network Filtering
Objective: Determine that and to what extent IT has implemented network-filtering mechanisms, such as firewalls and intrusion detection software, with appropriate policies to control inbound and outbound traffic.
Step(s): Determine and analyze if IT implements network filtering mechanisms, such as firewalls and intrusion detection software, with appropriate policies to control inbound and outbound traffic.

DSS05.02.04 - Encryption
Objective: Determine if and to what extent IT encrypts information in transit and if it is according to a classification.
Step(s): Determine and analyze whether and confirm that data transmissions outside the organization require encrypted format prior to transmission.

DSS05.02.05 - Security Protocols
Objective: Determine that IT applies approved security protocols to network connectivity.
Step(s): Detail the application of approved security protocols to network connectivity.

DSS05.02.06 - Secure Configurations
Objective: Determine that IT has configured network equipment in a secure manner.
Step(s):
1. Determine the kinds of network devices in use.
2. Determine the methods that IT uses to configure all network equipment in a secure manner.

DSS05.02.07 - Secure Transmissions
Objective: Understand if IT has established trusted mechanisms to support the secure transmission and receipt of information.
Step(s): Determine the methods IT uses to establish trusted mechanisms to support the secure transmission and receipt of information.
DSS05.02.08 - Network Pen Testing
Objective: Determine that IT carries out periodic penetration testing to determine adequacy of network protection.
Step(s): Note: IT can carry out these testing steps and have Internal Audit participate, or Internal Audit can execute these independently from IT. Before any testing occurs, ensure that there is a comprehensive SLA between Internal Audit and IT Security so that expectations and limits are firmly set and understood.

Specific testing for OS and pen testing is not included here. Please research the latest methods and means for your particular environment. Discussion on methods and means follows.

The testing performed closely parallels that which an internal IS auditor will be assigned to audit, given the size, complexity and financial resources devoted to risk associated with lack of security concerns.

The first phase relates to information gathering, which is comprised of public information search, googling, and obtaining maximum information about the business, employees, etc., thereby profiling the target. For instance, this phase may result in obtaining resumes/CVs of employees, which may be useful in understanding technologies employed at the attack site.

The first testing goal is to ascertain the internal network topology or footprint that provides a map of the critical access paths/points and devices, including their Internet protocol (IP) address ranges. This is the network discovery stage.

Once critical points/devices are identified within the network, the next step is to attack those devices given the various types of known vulnerabilities within the system and operating software running on the devices (e.g., UNIX, NT, Apache, Netscape and IIS). This comprises the vulnerability analysis phase.

Exploitation and notification is the third and final phase.

The methodology needed to perform external testing allows for systematic checking for known vulnerabilities and pursuit of potential security risks. The methodology ordinarily employed includes the processes of:
• Information gathering (reconnaissance)
• Network enumeration
• Vulnerability analysis
• Exploitation
• Results analysis and reporting

For physical testing, identification of telecommunication access paths into and out of the organization's premises, including communications rooms and the data center areas, is critical to identifying potential methods to intercept, prevent or modify data communications. These access paths should be physically secured from unauthorized access and rendered inaccessible without the knowledge and specific permission of the organization as well as specialized equipment.

Social engineering techniques are employed in an attempt to obtain information regarding perimeter network devices and their defenses (i.e., IP address ranges, firewalls and default gateways) as well as potential internal targets. The information gathered during the reconnaissance phase outlines the basis of this test. The purpose of this testing is to assess the ease of extraction of critical information from internal organization resources and employees/contractors, or others with detailed knowledge of the organization, without their becoming aware of the significance of the information obtained. Of particular interest is testing whether the organization's help desk will assist an unauthorized or unidentified user.

First, and most importantly, the more information that the individual performing the test has about the organization, employees and network, the greater the likelihood of success in extracting information. The individual performing the test should have a script. For example, the individual performing the test may pose as one of the technical support personnel, whose name was obtained in an earlier help desk call seeking information pertaining to connectivity and, therefore, requesting network information. Typically, these social engineering efforts succeed when information obtained from one source is used in combination with information from a second, progressive source.

Using information obtained from the help desk in the example in 7.2.1, the test continues by having an auditor pose as an organization employee over the telephone asking for a password reset/change. These tests are best performed using a telephone inside the organization, as help desk/security personnel may be more willing to accept the masquerade and provide the information requested without detailed authentication/personal confirmation. Acting as an impatient, disgruntled or aggravated customer over the phone, as well as other personal behaviors (i.e., telling the help desk employee that they need access to get information to their superior without specifying their name), may add to the likelihood of success.

Background information, such as the mother's maiden name, zip code or social security number, of the employee being impersonated by the individual performing the test is helpful. In addition, obtaining resumes/CVs of employees through an Internet search or a stranger headhunter approach could be of more help.

Impersonating a consultant/auditor and reaching IT staff directly without any introduction is another approach. Management should be aware of and agree to this approach to prevent unnecessary troubles.

Nevertheless, it is recommended that if caught because confidential proprietary information is unknown, the tester should excuse themselves using some plausible justification (e.g., not feeling well, their boss needs them right away, they do not have time right now). Each piece of information obtained increases the likelihood of a successful penetration to a critical information asset.

Each organization differs in its structure (i.e., centralized in the same geographical area vs. segmented over a large physical area under different management), size (i.e., medium size bank with 500-800 employees to large financial management organization with over 10,000 employees), network complexity and security awareness (i.e., well-known organization or federal agency that is continuously probed by

Review of garbage disposal areas and bins for information can be a valuable source of sensitive security and overall organizational information that could be useful in a social engineering examination. Access to recycled paper bins should also be considered a source of critical information. Physical harm is possible in going through an organization's garbage, as there could be everything from sharp objects to hypodermic needles to hazardous chemicals. The penetration-testing contract, if performed by external consultants, should explicitly allow for this type of testing.

As noted previously, none of the information obtained using social engineering may be particularly relevant except when taken together with other information obtained via other tests defined in this procedure. The most important aspect when attempting to exploit individuals' naïveté or lack of training for the security of organization proprietary information is that there will always be someone who will divulge information, and it is ordinarily only a matter of time before such an individual is contacted.

With the advent of wireless technology for transmitting data and voice, the well-known and relied-upon controls instituted using perimeter devices are disappearing. Gone are the physical security controls, such as security guards, cameras and locks, that were effective in protecting wired networks and data transmissions. The major vulnerabilities result from the users of wireless technologies not addressing the following:
• Reliance on WEP for encryption
• Wireless networks not being segregated from other networks
• Descriptive SSID or AP names being used
• Hard-coded MAC addresses
• Weak or nonexistent key management
• Beacon packets that have not been disabled or are "enabled"
• Distributed APs
• Default passwords/IP addresses
• WEP weak key avoidance
• DHCP being used on WLANs
• Unprotected rogue access points

The risks and threats associated with attacks against wireless networks are widespread, including:
• Attacks where message traffic is captured and analyzed and encryption keys cracked, i.e., initialization vector (IV)
• Resource theft, where Internet access is obtained that in return is used as a launch pad for other attacks, i.e., cyclical redundancy check (CRC-32)
• Denial-of-service due to signal interference and propagation of threat from viruses and worms

In addition, as with other types of technologies, the greatest weakness with wireless security is not the technical shortcomings but out-of-the-box insecure installations. The human factor is typically the weakest link.

Web application testing includes manual and automated testing of the portal site as an outsider with no login information. This testing complements the external penetration testing. The goal of this testing is to gain an understanding of how individuals interact with the system in accessing sensitive data.

Additional testing may include testing of the portal site by an insider through a standard login account. The goal of this testing is to determine the ease of access to sensitive information that is not authorized by the login account (i.e., privilege escalation).

Identification and exploitation of vulnerabilities can be accomplished using various commercial and open source vulnerability assessment tools.
DSS05.02.09 - System Security Testing
Objective: Determine if IT carries out periodic testing of system security to determine adequacy of system protection.
Step(s):
1. Determine if IT performs or contracts for periodic testing of system security to determine adequacy of system protection.
2. Obtain and review all associated reports.




DSS05.03 Management Practice [1]


Manage endpoint security. Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is
equal to or greater than the defined security requirements of the information processed, stored or transmitted.

Activity Title [1] / Activity Assessment Objectives [1] / Activity Assessment Step(s) [2]

DSS05.03.01 - OS Configurations
Objective: Determine that IT configures operating systems in a secure manner.
Step(s): Determine how IT configures operating systems in a secure manner.
Note: Specific testing of different operating systems is done elsewhere in the audit-testing universe, specifically in the ST series of audit programs (Specific Technology).

DSS05.03.02 - Device Lockdown
Objective: Understand if IT implements device lockdown mechanisms.
Step(s): Determine the configurations used to implement device lockdown mechanisms.

DSS05.03.03 - Storage Encryption
Objective: Understand that IT encrypts information in storage according to a classification.
Step(s):
1. Determine and analyze if a defined key life cycle management process exists. The process should include:
– Minimum key sizes required for the generation of strong keys
– Use of required key generation algorithms
– Identification of required standards for the generation of keys
– Purposes for which keys should be used and restricted
– Allowable usage periods or active lifetimes for keys
– Acceptable methods of key distribution
– Key backup, archival and destruction

2. Determine if controls over private keys exist to enforce their confidentiality and integrity. Consideration should be given to the following:
– Storage of private signing keys within secure cryptographic devices (e.g., FIPS 140-1, ISO 15782-1, ANSI X9.66)
– Private keys not exported from a secure cryptographic module
– Private keys backed up, stored and recovered only by authorized personnel using dual control in a physically secured environment

3. Understand if procedures are defined to ensure that information labeling and handling is performed in accordance with the organization's information classification scheme.

DSS05.03.04 - Remote Access
Objective: Understand how IT manages remote access and control.
Step(s): Determine how IT manages remote access and control.

DSS05.03.05 - Network Configuration
Objective: Determine that IT manages network configuration in a secure manner.
Step(s): Determine how IT manages network configuration in a secure manner.
Note: Specific testing of specific network devices (i.e., routers, switches, and firewalls) is located in the Specific Technology (ST) section of the audit-testing universe.

DSS05.03.06 - Network Traffic Filtering
Objective: Understand that IT implements network traffic filtering on endpoint devices.
Step(s): Determine how IT implements network traffic filtering on endpoint devices.

DSS05.03.07 - System Integrity
Objective: Determine how IT protects system integrity.
Step(s): Determine IT's philosophy on protecting system integrity.

DSS05.03.08 - Physical Protection
Objective: Determine how IT provides physical protection of endpoint devices.
Step(s): Determine how IT provides physical protection of endpoint devices.

DSS05.03.09 - Secure Disposal
Objective: Determine how IT disposes of endpoint devices securely.
Step(s): Understand how IT disposes of endpoint devices securely.
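The key life cycle and private-key controls listed under DSS05.03.03 can be checked mechanically against a key inventory. The following is an added example written for this worksheet, not code from ISACA or the worksheet's authors; the policy values (minimum sizes, allowed algorithms, lifetimes), the review date and the key records are all constructed assumptions.

```python
"""Key life cycle policy check: an added example, not part of the COBIT worksheet.

Assesses a constructed key inventory against the elements the worksheet lists
for a key life cycle process (minimum key sizes, required algorithms, usage
restriction, active lifetimes) and for private-key controls (storage in a
secure cryptographic device, no export). All policy values are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set

# Assumed policy values for the example; a real policy would set its own.
POLICY = {
    "allowed_algorithms": {"RSA", "EC", "AES"},                # required generation algorithms
    "min_key_bits": {"RSA": 2048, "EC": 256, "AES": 128},      # minimum sizes for strong keys
    "max_lifetime_days": {"signing": 365, "encryption": 730},  # allowable active lifetimes
    "secure_module_purposes": {"signing"},                     # private signing keys stay in an HSM
}

ASSESSMENT_DATE = date(2015, 6, 30)  # assumed date of the review


@dataclass
class KeyRecord:
    key_id: str
    algorithm: str
    bits: int
    purpose: str                 # purpose the key was issued for
    created: date
    stored_in_hsm: bool          # held in a secure cryptographic device
    exportable: bool             # private key can leave the module
    usages: Set[str] = field(default_factory=set)  # purposes it has actually been used for


def assess_key(rec: KeyRecord, policy: dict, today: date) -> List[str]:
    """Return the policy findings for one key (an empty list means compliant)."""
    findings = []
    if rec.algorithm not in policy["allowed_algorithms"]:
        findings.append(f"{rec.key_id}: algorithm {rec.algorithm} is not a required generation algorithm")
    else:
        min_bits = policy["min_key_bits"][rec.algorithm]
        if rec.bits < min_bits:
            findings.append(f"{rec.key_id}: {rec.bits}-bit {rec.algorithm} key is below the {min_bits}-bit minimum")
    # Allowable usage period: a purpose with no defined lifetime is itself a finding.
    limit = policy["max_lifetime_days"].get(rec.purpose)
    age = (today - rec.created).days
    if limit is None:
        findings.append(f"{rec.key_id}: purpose '{rec.purpose}' has no defined usage period")
    elif age > limit:
        findings.append(f"{rec.key_id}: active for {age} days, exceeds the {limit}-day lifetime")
    # Purpose restriction: a key used for anything beyond what it was issued for.
    extra = rec.usages - {rec.purpose}
    if extra:
        findings.append(f"{rec.key_id}: used for {sorted(extra)} outside its stated purpose")
    # Private signing keys: held in a secure module and not exportable.
    if rec.purpose in policy["secure_module_purposes"]:
        if not rec.stored_in_hsm:
            findings.append(f"{rec.key_id}: private signing key is not held in a secure cryptographic device")
        if rec.exportable:
            findings.append(f"{rec.key_id}: private key can be exported from the module")
    return findings


def assess_inventory(records, policy=POLICY, today=ASSESSMENT_DATE) -> Dict[str, List[str]]:
    return {r.key_id: assess_key(r, policy, today) for r in records}


# Constructed sample inventory (not real keys).
SAMPLE_KEYS = [
    KeyRecord("code-sign-01", "RSA", 3072, "signing", date(2015, 1, 15), True, False, {"signing"}),
    KeyRecord("legacy-sign-02", "RSA", 1024, "signing", date(2013, 3, 1), False, True, {"signing", "encryption"}),
    KeyRecord("db-enc-03", "AES", 256, "encryption", date(2014, 1, 10), False, False, {"encryption"}),
    KeyRecord("tls-04", "DES", 56, "encryption", date(2015, 5, 1), False, False, {"encryption"}),
    KeyRecord("misc-05", "EC", 256, "testing", date(2015, 6, 1), False, False, {"testing"}),
]


def run_sample() -> Dict[str, List[str]]:
    """Assess the constructed inventory against the assumed policy."""
    return assess_inventory(SAMPLE_KEYS)


if __name__ == "__main__":
    for key_id, findings in run_sample().items():
        print(key_id, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```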




DSS05.04 Management Practice [1]


Manage user identity and logical access. Ensure that all users have information access rights in accordance with their business requirements and coordinate
with business units that manage their own access rights within business processes.

Activity Title [1] / Activity Assessment Objectives [1] / Activity Assessment Step(s) [2]

DSS05.04.01 - Access Rights
Objective: Determine that and how IT maintains user access rights in accordance with business function and process requirements.
Step(s): IT should align the management of identities and access rights to the defined roles and responsibilities, based on least-privilege, need-to-have and need-to-know principles.
1. Determine if security practices require users and system processes to be uniquely identifiable, and systems to be configured to enforce authentication before access is granted.
2. Determine if user access rights are maintained in accordance with business function and process requirements.

DSS05.04.02 - Role Definitions
Objective: Determine that IT uniquely identifies all information processing activities by functional roles, coordinating with business units to ensure that all roles are consistently defined, including roles that are defined by the business itself within business process applications.
Step(s): Understand if predetermined and preapproved roles are utilized to grant access, then determine if the roles clearly delineate responsibilities based on least privileges and ensure that the establishment and modification of roles are approved by process owner management.

DSS05.04.03 - Authentication
Objective: Determine how IT authenticates all access to information assets and if it is based on a security classification, coordinating with business units that manage authentication within applications used in business processes to ensure that authentication controls have been properly administered.
Step(s): Analyze if access provisioning and authentication control mechanisms are utilized for controlling logical access across all users, system processes and IT resources, for in-house and remotely managed users, processes, and systems.

DSS05.04.04 - Access Right Change
Objective: Determine who administers, and to what extent IT administers, all changes to access rights (creation, modifications and deletions) to take effect at the appropriate time based only on approved and documented transactions authorized by designated management individuals.
Step(s): Determine if all changes to access rights (creation, modifications and deletions) are administered to take effect at the appropriate time based only on approved and documented transactions authorized by designated management individuals.

DSS05.04.05 - Privileged Accounts
Objective: Determine that and how IT segregates and manages privileged user accounts.
Step(s): Determine if privileged user accounts are segregated and how they are managed.

DSS05.04.06 - Reviews
Objective: Understand if IT performs regular management review of all accounts and related privileges.
Step(s): Determine the process for performing regular management review of all accounts and related privileges.

DSS05.04.07 - Unique Identifications
Objective: Determine how IT ensures that all users (internal, external and temporary) and their activity on IT systems (business application, IT infrastructure, system operations, development and maintenance) are uniquely identifiable.
Step(s): IT should also uniquely identify all information processing activities by user. Understand that all users (internal, external and temporary) and their activity on IT systems (business application, IT infrastructure, system operations, development and maintenance) are uniquely identifiable.

DSS05.04.08 - Sensitive Data Access Audit Trail
Objective: Understand that IT maintains an audit trail of access to information classified as highly sensitive.
Step(s): Determine if an audit trail is maintained of access to information classified as highly sensitive.
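The DSS05.04 steps on least-privilege role definitions, access-right changes backed by approved transactions, segregated privileged accounts and regular account review can be exercised over an account inventory and a change log. The following is an added example written for this worksheet, not code from ISACA or the worksheet's authors; the role definitions, segregation-of-duty pairs, dormancy threshold, approver names and the sample accounts and changes are constructed assumptions.

```python
"""Logical access review: an added example, not part of the COBIT worksheet.

Runs the checks the DSS05.04 steps describe over a constructed account
inventory and access-change log: privileges outside the preapproved role
definitions (least privilege), segregation-of-duty conflicts, privileged
accounts not segregated from business use, dormant accounts, and access
changes without an approved transaction from designated management.
Role definitions, thresholds and approver names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Preapproved roles and the privileges each may carry (assumed).
ROLE_PRIVILEGES = {
    "accounts_payable": {"ap_entry"},
    "ap_approver": {"ap_approve"},
    "dba": {"db_admin"},
}
PRIVILEGED = {"db_admin"}                      # privileges that make an account a privileged account
SOD_CONFLICTS = [{"ap_entry", "ap_approve"}]   # privilege sets that must not be held together
DESIGNATED_APPROVERS = {"cfo", "it_director"}  # management individuals who may authorize changes
DORMANT_DAYS = 90                              # assumed threshold for an unused account
REVIEW_DATE = date(2015, 6, 30)                # assumed date of the review


@dataclass
class Account:
    user: str
    roles: Set[str]
    privileges: Set[str]
    last_login: Optional[date]   # None if the account has never been used


@dataclass
class AccessChange:
    user: str
    privilege: str
    action: str                  # "grant" or "revoke"
    ticket: Optional[str]        # documented transaction, None if undocumented
    approved_by: Optional[str]


def review_account(acct: Account, today: date) -> List[str]:
    """Findings for one account (an empty list means nothing to report)."""
    findings = []
    allowed = set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in acct.roles))
    excess = acct.privileges - allowed
    if excess:
        findings.append(f"{acct.user}: privileges {sorted(excess)} not granted by any assigned role")
    for conflict in SOD_CONFLICTS:
        if conflict <= acct.privileges:
            findings.append(f"{acct.user}: segregation-of-duty violation, holds {sorted(conflict)} together")
    if acct.privileges & PRIVILEGED and acct.privileges - PRIVILEGED:
        findings.append(f"{acct.user}: privileged account is not segregated from business privileges")
    if acct.last_login is None:
        findings.append(f"{acct.user}: dormant account (never logged in)")
    elif (today - acct.last_login).days > DORMANT_DAYS:
        findings.append(f"{acct.user}: dormant account, no login in {DORMANT_DAYS} days")
    return findings


def review_changes(changes: List[AccessChange]) -> List[str]:
    """Flag access-right changes lacking a documented, management-approved transaction."""
    findings = []
    for c in changes:
        if c.ticket is None:
            findings.append(f"{c.user}/{c.privilege} {c.action}: no documented transaction")
        elif c.approved_by not in DESIGNATED_APPROVERS:
            findings.append(f"{c.user}/{c.privilege} {c.action} ({c.ticket}): "
                            f"approver '{c.approved_by}' is not designated management")
    return findings


def review(accounts, changes, today=REVIEW_DATE) -> Dict[str, object]:
    return {"accounts": {a.user: review_account(a, today) for a in accounts},
            "changes": review_changes(changes)}


# Constructed sample data (not real users or tickets).
SAMPLE_ACCOUNTS = [
    Account("alice", {"accounts_payable"}, {"ap_entry"}, date(2015, 6, 25)),
    Account("bob", {"accounts_payable"}, {"ap_entry", "ap_approve"}, date(2015, 6, 20)),
    Account("carol-adm", {"dba"}, {"db_admin", "ap_entry"}, date(2015, 6, 29)),
    Account("dave", {"ap_approver"}, {"ap_approve"}, date(2015, 1, 5)),
    Account("eve", set(), {"ap_entry"}, None),
]
SAMPLE_CHANGES = [
    AccessChange("bob", "ap_approve", "grant", "CHG-1042", "cfo"),
    AccessChange("eve", "ap_entry", "grant", None, None),
    AccessChange("carol-adm", "ap_entry", "grant", "CHG-1050", "helpdesk"),
]


def run_sample() -> Dict[str, object]:
    return review(SAMPLE_ACCOUNTS, SAMPLE_CHANGES)


if __name__ == "__main__":
    result = run_sample()
    for user, findings in result["accounts"].items():
        print(user, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
    for f in result["changes"]:
        print("change:", f)
```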



COBIT® 5 Process Assessment Worksheet
Area: Management Domain: Align, Plan, and Organize
Process: DSS05 – Manage Security Services

DSS05.05 Management Practice1


Manage physical access to IT assets. Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to
business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all
persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2
DSS05.05.01 - Access Grants
  Objective: Determine that IT manages the requesting and granting of access to the computing facilities.
  Assessment Step(s): IT should ensure that formal access requests are completed and authorized by management of the IT site, and that the request records are retained. The forms should specifically identify the areas to which the individual is granted access. Determine and outline the process that governs the requesting and granting of access to the computing facilities.
DSS05.05.02 - Current Profiles
  Objective: Understand how IT ensures that access profiles remain current.
  Assessment Step(s): IT should base access to IT sites (server rooms, buildings, areas or zones) on job function and responsibilities.
  1. Understand if formal access requests are completed and authorized by management of the IT site, the records are retained, and the forms specifically identify the areas to which the individual is granted access. This is verified by observation or review of approvals.
  2. Determine if procedures are in place to ensure that access profiles remain current. Verify that access to IT sites (server rooms, buildings, areas or zones) is based on job function and responsibilities.
DSS05.05.03 - Entry Point Monitors
  Objective: Determine that IT logs and monitors all entry points to IT sites.
  Assessment Step(s): IT should register all visitors, including contractors and vendors, to the site. Understand if there is a process to log and monitor all entry points to IT sites, registering all visitors, including contractors and vendors, to the site.

DSS05.05.04 - Visible Identification
  Objective: Understand if IT instructs all personnel to display visible identification at all times.
  Assessment Step(s): IT should prevent the issuance of identity cards or badges without proper authorization. Determine if a policy exists instructing all personnel to display visible identification at all times and preventing the issuance of identity cards or badges without proper authorization. Observe whether badges are being worn in practice.
DSS05.05.05 - Visitor Escort
  Objective: Determine if IT requires visitors to be escorted at all times while on-site.
  Assessment Step(s): If an unaccompanied, unfamiliar individual who is not wearing staff identification is identified, IT personnel should alert security personnel. Understand if a policy exists requiring visitors to be escorted at all times by a member of the IT operations group while on-site, and that individuals who are not wearing appropriate identification are pointed out to security personnel.
DSS05.05.06 - Sensitive Area Access
  Objective: Determine if IT restricts access to sensitive IT sites by establishing perimeter restrictions, such as fences, walls, and security devices on interior and exterior doors.
  Assessment Step(s): IT should ensure that the devices record entry and trigger an alarm in the event of unauthorized access. Examples of such devices include badges or key cards, keypads, closed-circuit television and biometric scanners. Observe whether access to sensitive IT sites is restricted through perimeter restrictions, such as fences/walls and security devices on interior and exterior doors. Verify that the devices record entry and sound an alarm in the event of unauthorized access. Examples of such devices include badges or key cards, keypads, closed-circuit television and biometric scanners.
DSS05.05.07 - Awareness Training
  Objective: Understand if IT conducts regular physical security awareness training.
  Assessment Step(s): Determine if regular physical security awareness training is conducted. Verify by reviewing training logs.


DSS05.06 Management Practice1


Manage sensitive documents and output devices. Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT
assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2
DSS05.06.01 - Disposal Procedures
  Objective: Determine that IT has established procedures to govern the receipt, use, removal and disposal of special forms and output devices into, within and out of the enterprise.
  Assessment Step(s):
  1. Review the policy on disposal of media. Determine that the responsibility for the development and communication of policies on disposal is clearly defined.
  2. Determine if and how equipment and media containing sensitive information are sanitized prior to reuse or disposal in such a way that data marked as ‘deleted’ or ‘to be disposed’ cannot be retrieved (e.g., media containing highly sensitive data have been physically destroyed).
  3. Determine if and how disposed equipment and media containing sensitive information have been logged to maintain an audit trail as to their eventual whereabouts.
  4. Determine if and how active media is removed from the media inventory list when subject to disposal. Check that the current inventory has been updated to reflect recent disposals in the log.
  5. Inquire as to how unsanitized equipment and media are transported in a secure way throughout the disposal process.
  6. Determine THE COMPANY's disposal methods and contractors, if applicable. Determine if disposal contractors have the necessary physical security and procedures to store and handle the equipment and media before and during disposal.
DSS05.06.02 - Access Procedures
  Objective: Understand if IT has assigned access privileges to sensitive documents and output devices based on the least-privilege principle, balancing risk and business requirements.
  Assessment Step(s): Confirm that procedures exist to govern the receipt, removal and disposal of special forms and output devices into, within and out of the organization.
DSS05.06.03 - Inventory
  Objective: Determine if IT has established an inventory of sensitive documents and output devices, and conducts regular reconciliations.
  Assessment Step(s): Understand that IT has established an inventory of sensitive documents and output devices, and conducts regular reconciliations.
DSS05.06.04 - Safeguards
  Objective: Understand if IT has established appropriate physical safeguards over special forms and sensitive devices.
  Assessment Step(s): Confirm that a procedure exists to gain, change and remove access to sensitive assets.
DSS05.06.05 - Destruction
  Objective: Determine that IT destroys sensitive information and protects output devices (e.g., degaussing of electronic media, physical destruction of memory devices, making shredders or locked paper baskets available to destroy special forms and other confidential papers).
  Assessment Step(s): Understand that documentation of the removal and disposal procedures exists.


DSS05.07 Management Practice1


Monitor the infrastructure for security-related events. Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure that any
events are integrated with general event monitoring and incident management.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2

DSS05.07.01 - Event Logging
  Objective: Understand if and how IT logs security-related events reported by infrastructure security monitoring tools, identifying the level of information to be recorded based on a consideration of risk, and retains them for an appropriate period to assist in future investigations.
  Assessment Step(s):
  1. Understand if IT logs security-related events reported by infrastructure security monitoring tools, identifying the level of information to be recorded based on a consideration of risk.
  2. Review a sample of these logs.
DSS05.07.02 - Incident Recording
  Objective: Determine that IT has defined and communicates the nature and characteristics of potential security-related incidents so they can be easily recognized and their impacts understood to enable a commensurate response.
  Assessment Step(s): Determine if IT has defined and communicates the nature and characteristics of potential security-related incidents so they can be easily recognized and their impacts understood to enable a commensurate response.
DSS05.07.03 - Log Review
  Objective: Determine if and who within IT regularly reviews the event logs for potential incidents.
  Assessment Step(s): Determine if and who within IT regularly reviews the event logs for potential incidents.
DSS05.07.04 - Evidence Collection
  Objective: Understand that IT maintains a procedure for evidence collection in line with local forensic evidence rules and ensures that all staff are made aware of the requirements.
  Assessment Step(s): Determine and review the procedure for evidence collection in line with local forensic evidence rules and ensure that all staff are made aware of the requirements.
DSS05.07.05 - Incident Tickets
  Objective: Determine how IT ensures that security incident tickets are created in a timely manner when monitoring identifies potential security incidents.
  Assessment Step(s): Determine that IT ensures security incident tickets are created in a timely manner when monitoring identifies potential security incidents.


DSS05 Assessment Summary1


Management Practice | Practice Description | Practice Assessment Summary

Protect against malware.
  Description: Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malware (e.g., viruses, worms, spyware,
  Assessment Summary:

Manage network and connectivity security.
  Description: Use security measures and related management procedures to protect information over all methods of connectivity.
  Assessment Summary:

Manage endpoint security.
  Description: Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted.
  Assessment Summary:

Manage user identity and logical access.
  Description: Ensure that all users have information access rights in accordance with their business requirements and coordinate with business units that manage their own access rights within business processes.
  Assessment Summary:
Manage physical access to IT assets.
  Description: Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
  Assessment Summary:
Manage sensitive documents and output devices.
  Description: Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.
  Assessment Summary:

Monitor the infrastructure for security-related events.
  Description: Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure that any events are integrated with general event monitoring and incident management.
  Assessment Summary:


DSS05 Risk Summary1


Create multiple risk scenarios for each risk identified in the summary above that affects achieving the objective.

Risk Scenario - Describe the risk/opportunity scenario, including a discussion of the negative and positive impact of the scenario. The description clarifies the threat/vulnerability type and includes the actors, events, assets and time issues.

Risk Scenario Component | Mark all that apply

Threat Type (Describe the nature of the event):
  [ ] Malicious  [ ] Accidental  [ ] Error  [ ] Failure  [ ] Natural  [ ] External requirement

Actor (Who or what could trigger the threat that exploits a vulnerability):
  [ ] Internal  [ ] External  [ ] Human  [ ] Non-Human

Event (Something that happens that was not supposed to happen, something does not happen that was supposed to happen, or a change in circumstances. Events always have causes and usually have consequences. A consequence is the outcome of an event and has an impact on objectives.):
  [ ] Disclosure  [ ] Interruption  [ ] Modification  [ ] Theft  [ ] Destruction  [ ] Ineffective design  [ ] Ineffective execution  [ ] Rules and regulations  [ ] Inappropriate use
Asset (An asset is something of tangible or intangible value that is worth protecting, including people, systems, infrastructure, finances and reputation.):
  [ ] Process  [ ] People and Skills  [ ] Organizational Structure  [ ] Physical Infrastructure  [ ] IT Infrastructure  [ ] Information  [ ] Applications
Resource (A resource is anything that helps to achieve a goal.):
  [ ] Process  [ ] People and Skills  [ ] Organizational Structure  [ ] Physical Infrastructure  [ ] IT Infrastructure  [ ] Information  [ ] Applications

Time:
  Timing:    [ ] Critical  [ ] Non-Critical
  Duration:  [ ] Short  [ ] Moderate  [ ] Extended
  Detection: [ ] Slow  [ ] Moderate  [ ] Instant
  Time lag:  [ ] Immediate  [ ] Delayed
  Velocity:  [ ] Slowing  [ ] Constant  [ ] Increasing

Likelihood: [ ] Highly  [ ] Moderate  [ ] Unlikely
Impact:     [ ] Great  [ ] Moderate  [ ] Little

Possible Risk Response:
  Risk Avoidance:
  Risk Acceptance:
  Risk Sharing/Transfer:
  Risk Mitigation:
