Select the appropriate answer from the drop down in the Response column, and provide a brief description in the Comments section.
Operational Security

| No. | Question | Response | Comments |
|---|---|---|---|
| 1 | Do you have a Security department? | Yes | Security section within department reporting to the CEO |
| 4 | Are duties and areas of responsibility separated, in order to reduce opportunities for unauthorized modification or misuse of information or services? | Yes | |
| 4.1 | If yes, how? | Yes | User Domain privileges, linux / web user privileges |
| 5 | Does the company have a formal change control process for IT changes? | No | |
| 6 | Do you have a documented and enforced key management policy in place? | No | |
| 8 | Is the ownership of cryptographic keys defined? | No | |
| 9 | Do you define your risks before implementing any project? | No | |
| 10 | How is the IT Department managing access control, authentication, and authorization for different IT resources? | Yes | Domain Controller / per system user privileges |
| 11 | Is access restricted to systems that contain sensitive data? | No | |
| 11.1 | If yes, what controls are currently in place to restrict access? | No | |
| 12 | Are there any security measures in place to protect email accounts from unauthorized access? (e.g., strong passwords, multi-factor authentication) | Yes | enforced MFA |
| 13 | Do employees have a unique log-in ID when accessing data? | Yes | |
| 14 | Is there formal control of access to System Administrator privileges? | No | |
| 15 | Do you have access controls applied in your company? | No | |
| 16 | What are the critical information assets and resources of your organization? (e.g., databases, servers, intellectual property, customer data) | Yes | Databases/Employee info and client info |
| 31 | Does the company replicate data to locations outside of Jordan? | Yes | OneDrive |
| 32 | Does the company outsource its data storage? | Yes | |
| 32.1 | If yes, to whom is the data outsourced? | Yes | STS Cloud |
| 33 | Do you have a threat intelligence program? | No | |
| 34 | Does the threat intelligence program ensure that the information collected on information security threats is relevant, insightful, contextual and actionable? | No | |
| 35 | Is there a documented process for gathering and assessing threat intelligence information relevant to our organization's assets and information systems? | No | |
| 36 | Does the company have disaster recovery plans for data processing facilities? | No | |
| 36.1 | What about Business Continuity Plans? | No | |
| 37 | Are computer rooms protected against fire and flood? | No | |
| 38 | Do you have a BC & IR Committee? | No | |
| 39 | Does the company have a "Hot" recovery site? | Yes | DR Site |
| 40 | If an information security data breach occurred, would the security manager be notified? | No | |
| 41.1 | If no, in case of a security breach, how do you determine who accessed the system and what changes were made? | No | |
| 44.2 | If not, does the company allow clients the right to audit their systems and controls? | No | |

Technological Security

| No. | Question | Response | Comments |
|---|---|---|---|
| 45 | Does your company develop any software solutions? | Yes | |
| 45.1 | Are you performing code security checks periodically or as part of development? | No | |
| 46 | Is there a data encryption solution in use? | No | |
| 47.1 | If yes, which features of the AV software are enabled? | Yes | Sophos XDR |
| 48 | Is antivirus software installed on data processing servers? | Yes | |
| 49 | Is antivirus software installed on workstations? | Yes | |
| 50 | Is there a PAM solution in use? | No | |
| 53.1 | If yes, please describe in the comments section | Yes | Sophos XDR/ F.W |
| 54 | Is there DLP in use? | No | |

Physical Security

| No. | Question | Response | Comments |
|---|---|---|---|
| 63 | Does the organization have security measures in place to protect storage media from unauthorized access, modification, or destruction? | No | |
| 64 | Does the organization have physical security perimeters in place? | No | |
| 65 | Are the physical controls effective at restricting access to information and assets to authorized personnel only? | No | |
| 66 | Does the organization have procedures in place to ensure that sensitive information is not left unattended on desks or screens? | No | |
| 67 | What areas are covered by the CCTV system, and why were these areas chosen? (e.g., entrances, critical infrastructure, sensitive locations) | Yes | Entrance/ Guest /Client Area |
| 68 | Is physical access to data processing equipment (servers and network equipment) restricted? | No | |

People Security

| No. | Question | Response | Comments |
|---|---|---|---|
| 69 | Do the terms and conditions of employment for all personnel include information security requirements? | No | |
| 70 | Does the organization have a disciplinary process in place for dealing with personnel who violate information security policies and procedures? | No | |