
Pre Assessment Questionnaire

1 Organization name: Dinarak


2 Provide organizational chart Found
2.1 No. of departments 8
2.2 No. of employees 40
2.3 No. of branches 1
2.4 Does your organization have its own domain? Yes
3 Provide hiring process No
3.1 Do you have NDA/SLA? No
4 Provide Business Plan (company profile) No
5 Provide Business process (key activities) Open wallet / money transfer / transaction history / Efawatercom / cash out or in
6 Provide third party process No
8 Provide existing information policies and procedures No
9 Provide previous risk assessment No
10 Provide previous VA/PT No
11 Do you have a business continuity plan? No
13 Locations (physical and virtual) of the ISMS: on-premise and STS cloud
14 Network topology: flat network
Security Risk Assessment Questionnaire
Name of Company: Dinarak

Company's Website: www.dinarak.com


Contact Person Completing the Assessment: Ayman Al-Jundi

Email Address: a.jundi@dinarak.com


Phone Number: 0780791646

Select the appropriate answer from the drop down in the Response column, and provide a brief description in the Comments section.

Columns: Information Security Assessment Questions | Response | Comments | This section for Dinarak use only: Third Party's Response to organization's Comments/Questions

Operational Security
1 Do you have a Security department? Yes Security section within a department reporting to the CEO

2 Does the company have written information security policies? No


3 Do the staff related to IT have defined job responsibilities and duties? Yes

4 Are duties and areas of responsibility separated, in order to reduce opportunities for unauthorized modification or misuse of information or services? Yes
4.1 If yes, how? Yes User domain privileges, Linux / web user privileges
5 Does the company have a formal change control process for IT changes? No
6 Do you have a documented and enforced key management policy in place? No
8 Is the ownership of cryptographic keys defined? No
9 Do you define your risks before implementing any project? No

10 How is the IT Department managing access control, authentication, and authorization for different IT resources? Yes Domain Controller / per system user privileges
11 Is access restricted to systems that contain sensitive data? No
11.1 If yes, what controls are currently in place to restrict access? No
12 Are there any security measures in place to protect email accounts from unauthorized access (e.g., strong passwords, multi-factor authentication)? Yes Enforced MFA
13 Do employees have a unique log-in ID when accessing data? Yes
14 Is there formal control of access to System Administrator privileges? No
15 Do you have access controls applied in your company? No
16 What are the critical information assets and resources of your organization? (e.g., databases, servers, intellectual property, customer data) Yes Databases/Employee info and client info

17 Are you classifying and labelling your data? No


18 Does the company have security measures in place for data protection? No
18.1 If yes, please describe in the comments section No
19 Is there an inventory of all assets associated with information and information processing facilities? Yes Asset inventory
20 Are system and security patches applied to workstations on a routine basis? No
21 Are system and security patches applied to servers on a routine basis? No
21.1 Are system and security patches tested prior to implementation in the production environment? No
22 Is there a process for secure disposal of both IT equipment and media? No
22.1 If yes, please describe in the comments section No
23 How are backups currently performed in the IT Department? (e.g., frequency, types of backups, backup locations) Yes Scheduled Acronis backup for servers / cloud; OneDrive for end users / cloud
24 Name your backup solution Yes Acronis and OneDrive

25 Are computer systems (servers) backed up according to a regular schedule? Yes


26 Has the back-up and recovery process been verified? No
27 Does the company store backups offsite? Yes
28 Does the company encrypt its backups? Yes
29 What data is being backed up? Are critical systems and data included in the backup process? Yes Critical server only
30 Are records protected from loss, destruction, falsification and unauthorized access or release in accordance with legislative, regulatory, contractual and business requirements? No

31 Does the company replicate data to locations outside of Jordan? Yes OneDrive
32 Does the company outsource its data storage? Yes
32.1 If yes, to whom is the data outsourced? Yes STS Cloud
33 Do you have a threat intelligence program? No
34 Does the threat intelligence program ensure that the information collected related to information security threats is relevant, insightful, contextual and actionable? No

35 Is there a documented process for gathering and assessing threat intelligence information relevant to our organization's assets and information systems? No

36 Does the company have disaster recovery plans for data processing facilities? No
36.1 What about Business Continuity Plans? No
37 Are computer rooms protected against fire and flood? No
38 Do you have a BC & IR Committee? No
39 Does the company have a "Hot" recovery site? Yes DR Site
40 If an information security data breach occurred, would the security manager be notified? No

40.1 If yes, how soon would the manager be notified? No


41 Are servers configured to capture who accessed a system and what changes were made? No

41.1 If no, in case of a security breach, how do you determine who accessed the system and what changes were made? No

42 Does the company have a formal Incident Response plan? No


43 Has the company experienced an information security breach in the past three to five years? No
43.1 If so, please document what information was lost in the comments section. No
43.2 If so, please document how the clients were notified and how quickly in the comments section. No
44 Does the company receive any Audit Reports regarding cyberSecurity? No
44.1 If so, please document which type of SOC report is being obtained in the comments section. Please provide a copy of the latest SOC report. No

44.2 If not, does the company allow clients the right to audit their systems and controls? No

Technological Security
45 Does your company develop any software solutions? Yes
45.1 Are you performing code security checks periodically or as part of development? No
46 Is there a data encryption solution in use? No

46.1 If yes, what type of encryption is used? No

47 Is there an antivirus solution in use? Yes

47.1 If yes, what features of the AV software are enabled? Yes Sophos XDR
48 Is antivirus software installed on data processing servers? Yes
49 Is antivirus software installed on workstations? Yes
50 Is there a PAM solution in use? No

51 Is there an MDM solution in use? No

52 Is there an EDR solution in use? Yes Sophos XDR

53 Is there an IDS/IPS in use? Yes

53.1 If yes, please describe in the comments section Yes Sophos XDR / FW
54 Is there DLP in use? No

55 Are there cloud security solutions in use? No

56 Are network boundaries protected by firewalls? Yes


57 Are employees required to use a VPN when accessing the company's systems from all remote locations? Yes
58 Is wireless access allowed in your company? Yes
58.1 If yes, please describe how it is protected in the comments section Yes WPA2
59 What email systems and services are used within the organization? (e.g., Microsoft Exchange, Google Workspace) Yes MS O365
60 How is the IT Department monitoring and detecting security incidents or potential risks? No
61 Is there a SIEM solution in use? No

62 Is regular network vulnerability scanning performed? No

Physical Security
63 Does the organization have security measures in place to protect storage media from unauthorized access, modification, or destruction? No
64 Does the organization have physical security perimeters in place? No
65 Are the physical controls effective at restricting access to information and assets to authorized personnel only? No
66 Does the organization have procedures in place to ensure that sensitive information is not left unattended on desks or screens? No
67 What areas are covered by the CCTV system, and why were these areas chosen? (e.g., entrances, critical infrastructure, sensitive locations) Yes Entrance / Guest / Client area

68 Is physical access to data processing equipment (servers and network equipment) restricted? No

68.1 If yes, what controls are currently in place? No

People Security
69 Do the terms and conditions of employment for all personnel include information security requirements? No

70 Does the organization have a disciplinary process in place for dealing with personnel who violate information security policies and procedures? No

71 Who is responsible for taking action once a violation has occurred? No

72 Do all staff receive information security awareness training? No


73 Does the organization have a process in place for terminating or changing the employment of personnel in a way that maintains information security? No
74 Does the organization require personnel to sign confidentiality or non-disclosure agreements, as appropriate? No
75 Have you determined which services, systems, and data remote workers will access? No
