Section 1. Security policy
1.1 Information security policy
Objective: To provide management direction and support for information security.
Top management should set a clear direction and demonstrate their support for and commitment to information security through the issue of an information security policy across the organization.
[Is there a formal information security policy?]
1.1.1 Information security policy document (Key)
A written policy document should be available to all employees responsible for information security.
[Can you show me the official policy statement that is distributed to employees and tell me how it is promulgated through the organization?]
Section 2. Security organization
2.1 Information security infrastructure
Objective: To manage information security within the organization.
A management framework should be established to initiate and control the implementation of information security within the organization.
[Can you tell me who is in charge of information security and how you get in touch with them?]
2.1.1 Management information security forum
Management direction should be provided through a suitable high level steering forum.
[How does top level management guide information security controls?]
2.1.2 Information security coordination
In a large organization it might be necessary to coordinate information security measures through a cross-functional forum.
[How large is your organization and how are you able to coordinate the computer security effort between all of those people?]
2.1.3 Allocation of information security responsibilities (Key)
Responsibilities for the protection of individual assets and for carrying out specific security processes should be explicitly defined.
[Who is responsible for virus protection? Who do you call if you find a virus?]
2.1.4 Authorization process for IT facilities
Installation of IT facilities should be technically approved and authorized.
[Has this computer (pick one) been approved by computer security? How?]
2.1.5 Specialist information security advice
Specialist advice on information security may be required.
[What internal security expertise do you have and what outside experts do you use to augment your internal expertise?]
2.1.6 Cooperation between organizations
Security specialists and organizations should cooperate to combat general security threats.
[Would you say there is a lot of cooperation between groups in the area of information security?]
2.1.7 Independent review of information security
Implementation of information security should be independently reviewed.
[Who provides your outside information security audit function and who do they work for?]
2.2 Security of third party access
Objective: To maintain the security of organizational IT facilities and information assets accessed by third parties.
Access to company IT facilities by (non-organizational) third parties should be controlled.
[How do you allow business partners access to their applications without opening up your internal systems to potential harm?]
2.2.1 Identification of risks from third party connections
The risks associated with access to organizational IT facilities by third parties should be assessed and appropriate security controls implemented.
[Is there a risk management report describing why you selected the controls you selected for your outside connections?]
2.2.2 Security conditions in third party contracts
Contracts with third parties involving access to organizational IT facilities should specify security conditions.
[What provisions are put in contracts to address computer security and which contracts are those provisions included in?]
Section 3. Assets classification and control
3.1 Accountability for assets
Objective: To maintain appropriate protection of organizational assets.
All major information assets should be accounted for and have a nominated owner (see 0.3.11).
[Who in the organization owns the data in this (pick one) database? Who in this organization owns this (pick one) computer? Who owns the telephone connection on your desk? Who owns the network you use?]
3.1.1 Inventory of assets
Inventories should be maintained of all major information and IT assets.
[Please show me a list of all major information and IT assets in the organization.]
3.2 Information classification
Objective: To ensure that information assets receive an appropriate level of protection.
Security classifications should be used to indicate the need and priorities for security protection.
[What is the need for protecting this (pick one) document? What is the most important file in any corporate computer that you are aware of? If I had a dollar to spend on protecting one of these two documents (pick two), which one should I spend it on?]
3.2.1 Classification guidelines
Protection for classified information should be consistent with business needs.
[What percentage of all information assets are classified as more important than nominal systems and information? Why is that the right percentage?]
3.2.2 Classification labelling
Classified information and outputs from systems handling organizationally classified data should be labelled appropriately.
[Show me the label on the most highly sensitive document you have access to and tell me what it means.]
Section 4. Personnel security
4.1 Security in job definition and resourcing
Objective: To reduce the risks of human error, theft, fraud or misuse of facilities.
Security should be addressed at the recruitment stage, included in job descriptions and contracts, and monitored during an individual’s employment.
[What personnel security measures are taken for a janitor? for the CEO? for outsourced personnel? for your IT auditor?]
4.1.1 Security in job descriptions
Job descriptions should define security roles and responsibilities.
[Where in the janitor’s job description are their security roles and responsibilities described? for the CEO? for outsourced personnel? for your accountancy firm’s employees?]
4.1.2 Recruitment screening
Applications for employment should be screened if the job involves access to an organization’s IT facilities handling sensitive information.
[How do you determine which job positions have access to sensitive information? Is the janitor position one of them? Is the CEO? Are all the programmers and data entry clerks? Are outsourcing firm employees checked by the same process? What checks do you make of applications for those positions before hiring them?]
4.1.3 Confidentiality agreement
Users of organizational IT facilities should sign a confidentiality undertaking.
[Can you show me the signed confidentiality agreement for each of these (pick a statistically meaningful sample set of employees) employees?]
4.2 User training
Objective: To ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work.
Users should be trained in security procedures and the correct use of IT facilities.
[How do you make certain that your employees know how to follow all of your security procedures?]
4.2.1 Information security education and training (Key)
Users should be given adequate security education and technical training.
[What is the educational background of your most highly trusted employee with computer security responsibilities? Your average trusted employee with those responsibilities? Your least security-educated employee with those responsibilities?]
4.3 Responding to incidents
Objective: To minimize the damage from security incidents and malfunctions and to monitor and learn from such incidents.
Incidents affecting security should be reported through management channels as quickly as possible.
[What is the longest lag time that has ever occurred between the first detection of a security-related incident and notification of an appointed computer security person responsible for responding to the incident?]
4.3.1 Reporting of security incidents (Key)
Security incidents should be reported through management channels as quickly as possible.
[How often are the chief executives briefed on computer security incidents?]
4.3.2 Reporting of security weaknesses
Suspected security weaknesses should be reported.
[How many security weaknesses have been reported in the last day, week, and month? How do people report them when they find them?]
4.3.3 Reporting of software malfunctions
Software malfunctions should be reported.
[When your computer has a problem, who do you report it to and what do they do about it?]
4.3.4 Disciplinary process
A disciplinary process is essential for dealing with security breaches.
[What is the punishment for telling your password to another employee so they can get access when you’re out of town, and who administers the punishment?]
Section 5. Physical and environmental security
5.1 Secure areas
Objective: To prevent unauthorized access, damage and interference to IT services.
IT facilities supporting critical or sensitive business activities should be housed in secure areas.
[What kind of door locks protect the air conditioner that keeps the computer rooms cooled during the summer? Why are these locks selected for those doors? Who selected them?]
5.1.1 Physical security perimeter
Physical security protection should be based on defined perimeters.
[When you bring one of your children into work with you to show them around, how do you bring them into your office?]
5.1.2 Physical entry controls
Secure areas should be protected by appropriate entry controls.
[What kind of access control device do you use to limit access to the area where accounting processes invoices?]
5.1.3 Security of data centres and computer rooms
Data centres and computer rooms supporting critical business activities should have good physical security.
[List the data centers that have special physical security protection and describe what special protections they have.]
5.1.4 Isolated delivery loading areas
An intermediate holding area should be considered for deliveries to computer rooms.
[When printer paper is delivered to the printer room, how does the delivery-person get the paper into the computer room?]
5.1.5 Clear desk policy
A clear desk policy should protect information from unauthorized access and loss or damage.
[Who has the messiest desk in the company and just how messy is it?]
5.1.6 Removal of property
Removal of property belonging to the organization should require authorization.
[How often does the guard search people when they leave through the loading area? Who do you show the permission form to when you bring your laptop computer home to work at night?]
5.2 Equipment security
Objective: To prevent loss, damage or compromise of assets and interruption to business activities.
Equipment should be physically protected from security threats and environmental hazards.
[What protection does your office have from water damage to computers resulting from the sprinkler system going off in a fire?]
5.2.1 Equipment siting and protection
Equipment should be sited or protected to reduce the risks of damage, interference and unauthorized access.
[When you want to move your computer screen from one desk to another, what rules do you follow about where the screen can be placed on the desk?]
5.2.2 Power supplies
Equipment should be protected from power failures or other electrical anomalies.
[Does the computer on your desk have an uninterruptible power supply? What kind?]
5.2.3 Cabling security
Power and telecommunication cabling should be protected from interception or damage.
[What kind of network connection do computers have, and how is the network protected against illicit connections?]
5.2.4 Equipment maintenance
Equipment should be appropriately maintained.
[Is there a maintenance contract on all vital office equipment? How do you get service on the copier when it breaks?]
5.2.5 Security of equipment off-premises
Security procedures and controls should cover the security of equipment used outside an organization’s premises.
[How do you protect cellular telephones, laptop computers, and other similar equipment when you take it home or use it in a client’s office? Have you ever gotten a virus from another system when you were off-site?]
5.2.6 Secure disposal of equipment
Data should be erased from equipment prior to disposal.
[What is the procedure for disposing of a computer system, old backup tapes, and floppy disks? Is there a procedure for handling these items before sending a computer out for repair?]
Section 6. Computer and network management
6.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of computer and network facilities.
Responsibilities and procedures for the management and operation of all computers and networks should be established.
[Are there procedures for managing and operating each of the computers in your work area? What are they?]
6.1.1 Documented operating procedures
Documented procedures should be provided for the operation of all computer systems.
[Can you show me the documents that describe the procedures for operating your computers?]
6.1.2 Incident management procedures
Incident management responsibilities and procedures should be established.
[Who is responsible for handling security incidents relating to this computer? Who do you call if this computer stops working properly and you can’t figure out why?]
6.1.3 Segregation of duties
Segregation of duties minimizes the risk of negligent or deliberate system misuse.
[Are different people responsible for different functions on all of the computers? Who is responsible for what?]
6.1.4 Separation of development and operational facilities
Development and testing facilities should be isolated from operational systems.
[Do you do development or programming on the same systems used by users? How do you assure that programming mistakes or errors and omissions don’t cause the operational system to fail? Do you have a change control program? Please describe it.]
6.1.5 External facilities management
Proposals to use an external facilities management service should identify the full security implications and include appropriate security controls.
[Do you use an outside firm for facilities management? If so, please show me the proposals for that service and indicate where they mandate security controls. Are those controls comparable to the controls required within your organization? How do they stack up?]
6.2 System planning and acceptance
Objective: To minimize the risk of systems failure.
Advance planning and preparation are required to ensure the availability of adequate capacity and resources.
[How do you plan for peak usage periods, normal usage periods, and the potential for expansion?]
6.2.1 Capacity planning
Capacity requirements should be monitored to avoid failures due to inadequate capacity.
[How do you monitor usage against capacity and how and when does this monitoring trigger the expansion of capacity?]
6.2.2 System acceptance
Acceptance criteria for new systems should be established and suitable tests carried out prior to acceptance.
[Do you have a standard for testing new hardware and software for compatible operation within your environment? Is this part of the acceptance criteria required for all new equipment?]
6.2.3 Fallback planning
Fallback requirements should be coordinated and reviewed.
[Who reviews fall-back plans used in case of major system outages? When there is such an outage, who is responsible for coordinating change-over? Do they practice continuity plans with simulated failures? If so, how and how often do they do that?]
6.2.4 Operational change control
Changes to IT facilities and systems should be controlled.
[Is there a comprehensive change control program that assures that changes to information systems are necessary, appropriate, and that change-over goes smoothly?]
6.3 Protection from malicious software
Objective: To safeguard the integrity of software and data.
Precautions are required to prevent and detect the introduction of malicious software.
[How do you detect malicious software? Does this work for malicious software added by your programmers? Your users? Computer viruses? Contract programmers? People who work for companies you buy software from?]
6.3.1 Virus controls (Key)
Virus detection and prevention measures and appropriate user awareness procedures should be implemented.
[What training do your employees get about computer viruses? What technical safeguards do you have in place against viruses?]
6.4 Housekeeping
Objective: To maintain the integrity and availability of IT services.
Housekeeping measures are required to maintain the integrity and availability of services.
[What regular maintenance functions are performed on systems?]
6.4.1 Data back-up
Back-up copies of essential business data and software should be regularly taken.
[Are backups of all systems done on a regular and scheduled basis? By whom? How often? How is the schedule determined?]
6.4.2 Operator logs
Computer operators should maintain a log of all work carried out.
[Which systems have operator logs? Show all the operator logs from one of those systems to me.]
6.4.3 Fault logging
Faults should be reported and corrective action taken.
[Is every system error and crash logged, and if so, how is follow-on action coordinated? Is a root cause analysis done in each of these cases?]
6.4.4 Environmental monitoring
Computer environments should be monitored where necessary.
[What environmental monitoring do you have in place to detect particles in the air in computer rooms? Smoke? Fire? Water? Chemical vapors? Other pollutants?]
6.5 Network management
Objective: To ensure the safeguarding of information in networks and the protection of the supporting infrastructure.
The security management of computer networks, which may span organizational boundaries, requires special attention.
[How is computer network security managed differently than other computer security?]
6.5.1 Network security controls
A range of security controls is required in computer networks.
[What are the security controls in your computer network and what was the basis for their selection?]
6.6 Media handling and security
Objective: To prevent damage to assets and interruptions to business activities.
Computer media should be controlled and physically protected.
[What are the procedures for controlling access to disks, tapes, floppy disks, and other computer storage and transfer media?]
6.6.1 Management of removable computer media
Removable computer media should be controlled.
[Are there special controls for removable media? What are they?]
6.6.2 Data handling procedures
Procedures for handling sensitive data should be established.
[Are the handling procedures different for more sensitive information? In what way?]
6.6.3 Security of system documentation
System documentation should be protected from unauthorized access.
[How do you prevent unauthorized people from looking at, modifying, or removing the documentation for your systems?]
6.6.4 Disposal of media
Computer media should be disposed of securely and safely when no longer required.
[What do you use as your data remnants standard and how do you assure that all media are properly cleaned when no longer used?]
6.7 Data and software exchange
Objective: To prevent loss, modification or misuse of data.
Exchanges of data and software between organizations should be controlled.
[How do you control the purchase of hardware and software? How do you prevent users from accessing software from the Internet? How do you prevent users from emailing sensitive company information to the wrong recipient? How do you make certain that file transfers between your organization and other organizations are not intercepted, corrupted, or blocked from within the other organization?]
6.7.1 Data and software exchange agreements
Agreements for the exchange of data and software should specify security controls.
[Show me the clauses in your agreements with each outside partner, vendor, or customer that detail the specific security controls required when you do business with them. Are the controls specified in those clauses equivalent to the internal controls used within this organization? If not, why not? In what ways are they different?]
6.7.2 Security of media in transit
Computer media in transit should be protected from loss or misuse.
[How are floppy disks sent between offices protected? How are file transfers over the Internet protected? How are backup tapes stored in off-site storage facilities protected as they are sent, when at the off-site location, and when returned on an emergency basis for recovery?]
6.7.3 EDI security
Special security controls should be applied, where necessary, to protect electronic data interchange.
[Where are special protections required for electronic data interchange and why? What protections are in place to protect those interchanges and how were they determined?]
6.7.4 Security of electronic mail
Controls should be applied, where necessary, to reduce the business and security risks associated with electronic mail.
[How do you assure that all internal email remains only within the organization’s network and never goes through outside systems or infrastructure without special protection?]
6.7.5 Security of electronic office systems
Clear policies and guidelines are required to control the business and security risks associated with electronic office systems.
[What are the policies and guidelines for controlling office telephone systems, copiers, computers, pagers, and cell-phones?]
Section 7. System access control
7.1 Business requirement for system access
Objective: To control access to business information.
Access to computer services and data should be controlled on the basis of business requirements.
[What are the business requirements for controlling access to this computer (point to any computers in the area) and how are those requirements used as the basis for the protections in place for that computer?]
7.1.1 Documented access control policy
Business requirements for access control should be defined and documented.
[Show me the written documents that describe the business requirements for protecting this computer (pick one that’s in sight) and how those requirements were translated into the access control policy used on this computer.]
7.2 User access management
Objective: To prevent unauthorized computer access.
There should be formal procedures to control allocation of access rights to IT services.
[What are the formal procedures used to grant and remove access rights to users over information on this computer?]
7.2.1 User registration
There should be a formal user registration and de-registration procedure for access to all multi-user IT services.
[Show me the formal user registration and removal process for the network file server you use.]
7.2.2 Privilege management
The use of special privileges (see 0.3.14) should be restricted and controlled.
[Who has special privileges on this computer (pick one), what special privileges do they have, and how are those privileges restricted and controlled?]
7.2.3 User password management
The allocation of user passwords should be securely controlled.
[How do you secure the generation of passwords to make sure they are hard to guess and only the originator can ever get access to them?]
7.2.4 Review of user access rights
User access rights should be reviewed at regular intervals.
[Who reviews all of the access control bits in each computer and how often? How do they tell the difference between a properly set protection bit and an improperly set one and what do they do when they find an improperly set one?]
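The question above asks how a reviewer tells a properly set protection bit from an improperly set one. The answer has to be a written rule that the review is run against; the following is an added example (not part of the checklist) of such a review for POSIX file modes. The policy it enforces (no world-writable files, setuid/setgid only on an approved list, group-writable only under a shared area) and the sample directory tree it builds are constructed for illustration; a real review would load the policy from the organization's own standard.

```python
import os
import stat
import tempfile

# Constructed policy (an assumption for this example, not taken from the
# checklist): world-writable files are never acceptable, setuid/setgid files
# are acceptable only when listed here, and group-writable files are
# acceptable only under the shared directory.
ALLOWED_SETUID = {"bin/approved-helper"}
SHARED_PREFIX = "shared/"


def classify(relpath, mode):
    """Return the policy deviations for one file's permission bits.

    An empty list means the bits are 'properly set' under the policy above.
    """
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & (stat.S_ISUID | stat.S_ISGID) and relpath not in ALLOWED_SETUID:
        findings.append("unapproved setuid/setgid")
    if mode & stat.S_IWGRP and not relpath.startswith(SHARED_PREFIX):
        findings.append("group-writable outside shared area")
    return findings


def review_tree(root):
    """Walk root and map each non-compliant file to its deviations."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is reviewed where it lives
            findings = classify(rel, stat.S_IMODE(st.st_mode))
            if findings:
                report[rel] = findings
    return report


def build_sample_tree():
    """Create a constructed tree with deliberately mixed modes (sample data)."""
    root = tempfile.mkdtemp(prefix="access-review-")
    spec = {
        "etc/app.conf": 0o644,           # compliant
        "etc/secret.key": 0o666,         # world- and group-writable
        "bin/approved-helper": 0o4755,   # setuid, on the approved list
        "bin/rogue-helper": 0o4755,      # setuid, not approved
        "shared/team-notes.txt": 0o664,  # group-writable inside shared area
        "home/report.txt": 0o664,        # group-writable outside shared area
    }
    for rel, mode in spec.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(review_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(findings)}")
```

Each finding names the rule that was broken, which is what the reviewer needs in order to answer "what do they do when they find an improperly set one": the report is the input to a ticket or a change request, and the review is repeatable on the interval the policy sets.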
7.3 User responsibilities
Objective: To prevent unauthorized user access.
The cooperation of authorized users is essential for effective security.
[How do you measure the cooperation of authorized users? At what threshold do you identify users as becoming uncooperative? What is the procedure for removing authorization from users that are below the threshold of cooperation?]
7.3.1 Password use
Users should follow good security practices in the selection and use of passwords.
[How do you select your password? Is there training to help you tell the difference between a good and a bad password? Does the computer system tell you how good or bad a password is when you try to set one?]
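Items 7.2.3 and 7.3.1 together ask two things: that initial passwords are generated so they are hard to guess, and that the system tells a user how good or bad a chosen password is. The following is an added example (not part of the checklist) covering both: allocation from the operating system's CSPRNG via Python's `secrets` module, and an assessment that returns the reasons for its verdict rather than a bare accept/reject. The alphabet, the common-word list, the sequences checked and the thresholds are constructed assumptions; a deployment would substitute the organization's own password standard and a full breached-password list.

```python
import math
import secrets
import string

# Constructed reference data (assumptions for this example): the alphabet
# used for allocated passwords and a tiny stand-in for a real list of
# commonly used passwords.
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "123456", "admin"}
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),
)
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_sequence(lower, run=4):
    """True if any `run` consecutive characters follow a known sequence."""
    for i in range(len(lower) - run + 1):
        piece = lower[i:i + run]
        for seq in SEQUENCES:
            if piece in seq or piece in seq[::-1]:
                return True
    return False


def has_repeat(lower, run=4):
    """True if the same character is repeated `run` times in a row."""
    return any(len(set(lower[i:i + run])) == 1
               for i in range(len(lower) - run + 1))


def assess_password(pw, user_id=""):
    """Explain how good or bad a candidate is, not just accept or reject it."""
    lower = pw.lower()
    reasons = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    present = [size for chars, size in CLASSES if any(c in chars for c in pw)]
    if len(present) < 3:
        reasons.append("uses fewer than 3 character classes")
    if any(word in lower for word in COMMON_WORDS):
        reasons.append("contains a common password word")
    if user_id and user_id.lower() in lower:
        reasons.append("contains the user identifier")
    if has_repeat(lower):
        reasons.append("contains a run of 4 identical characters")
    if has_sequence(lower):
        reasons.append("contains a 4-character alphabet, digit or keyboard sequence")
    # Upper bound on strength: length * log2(size of the classes actually used).
    bits = len(pw) * math.log2(sum(present)) if present else 0.0
    if reasons:
        verdict = "rejected"
    elif bits >= 60:
        verdict = "strong"
    else:
        verdict = "acceptable"
    return {"verdict": verdict, "bits": round(bits, 1), "reasons": reasons}


def generate_initial_password(length=16):
    """Allocate an initial password from the OS CSPRNG, never from a pattern.

    The value is meant to be delivered once, out of band, and changed on
    first use; it is regenerated until it passes the same assessment that
    users face when they pick their own.
    """
    if length < 12:
        raise ValueError("initial passwords must be at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if assess_password(candidate)["verdict"] == "strong":
            return candidate


if __name__ == "__main__":
    print(assess_password("password123", user_id="bob"))
    print(assess_password(generate_initial_password()))
```

The entropy figure is an upper bound (it assumes every character was chosen uniformly), which is why the checks for dictionary words, the user identifier, repeats and sequences run first: a long password built from a pattern can score well on length alone and still be easy to guess.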
7.3.2 Unattended user equipment
Users should ensure that unattended equipment has appropriate security protection.
[What is the appropriate protection for unattended equipment? If nobody is there to attend the equipment, how do you assure that the security measures are always in effect?]
7.4 Network access control
Objective: Protection of networked services.
Connections to networked services should be controlled.
[How do you control connections to networked services?]
7.4.1 Limited services
Users should only be able to gain access to the services that they are authorized to use.
[What services is each individual authorized to use? Where is this information stored? How is it updated? How is this information used in real-time to control access? If some user were using an unauthorized service, how would you know? How soon would you know? How could you legally prove that the user knowingly used an unauthorized service as a basis for subsequent sanctions against them?]
7.4.2 Enforced path
The route from the user terminal to the computer service may need to be controlled.
[How do you prevent users from dialing out on their PCs to external Internet Service Providers? How do you control the internal routing of information through your networks? When access requirements change, how do you make certain that no controls are violated when you reconfigure your network to effect the new access?]
7.4.3 User authentication
Connections by remote users via public (or non-organization) networks should be authenticated.
[How do you make certain that the person at the other end of a dial-in or network-based access is who they claim to be? How do you make certain that once a connection is established, the user on the other end or the connection in between doesn’t change? What is the basis for asserting that this level of assurance is adequate to the business need for protection?]
7.4.4 Node authentication
Connections by remote computer systems should be authenticated.
[How do you make certain that the computer at the other end of a dial-in or network-based access is who they claim to be? How do you make certain that once a connection is established, the equipment on the other end or the connection in between doesn’t change? What is the basis for asserting that this level of assurance is adequate to the business need for protection?]
7.4.5 Remote diagnostic port protection
Access to diagnostic ports should be securely controlled.
[How do you allow vendors to do remote support and at the same time protect the support connections from being abused to attack your systems?]
7.4.6 Segregation in networks
Large networks may have to be divided into separate domains.
[How do you determine when security issues force the division of networks into subnetworks and how does that division provide added protection?]
7.4.7 Network connection control
The connection capability of users may need to be controlled to support the access policy requirements of certain business applications.
[How are business application access control policies reflected in limitations on network connections? When you design or implement new applications, how do you take network connections into consideration?]
7.4.8 Network routing control
Shared networks may require network routing controls.
[How do you control network routing and why do you use those controls? How do those controls relate to business requirements for protection? What is the basis for determining that those specific controls are more or less appropriate than others?]
7.4.9 Security of network services
The risks associated with the use of network services should be established.
[How do you measure the risks of using network services? How does the measured risk get related to the business decision about who may use which services and for what purpose?]
7.5 Computer access control
Objective: To prevent unauthorized computer access.
Access to computer facilities should be controlled.
[How do you control access to computing facilities? Computer rooms? Telephone rooms? Wire rooms? Individual network wires? Connections between these?]
7.5.1 Automatic terminal identification
Automatic terminal identification should be considered to authenticate connections to specific locations.
[Do you use automatic terminal identification? If not, how do you tell which equipment is connected on which connection?]
7.5.2 Terminal logon procedures
Access to IT services should be via a secure logon process.
[How do you secure the logon process against wire taps? Against forgeries? Against logical attacks on network elements? Against snooping by authorized individuals on host systems?]
7.5.3 User identifiers
Computer activities should be traceable to individuals.
[If you detect a computer virus spreading throughout your organization’s networks, how do you determine which individual in the organization first allowed the virus to enter? If a systems administrator trying to cover the tracks of an illicit activity intentionally deletes all information on a system’s disks, uses the proper data remnants removal techniques, reformats the disk, replaces it in the original computer, and restores the contents from day-old backups, how do you determine which individual did it?]
7.5.4 Password management system
An effective password system should be used to authenticate users.
[How effective is your password system? What measures of password system effectiveness do you use?]
7.5.5 Duress alarm to safeguard users
Provision of a duress alarm (see 0.3.4) should be considered for users who might be the target of coercion.
[Have duress alarms been considered for your users? How was their use analyzed? What determination was made about their use and why?]
7.5.6 Terminal time-out
Inactive terminals in high risk locations, or serving high risk systems, should be set to time out, to prevent access by unauthorized persons.
[What terminals are in high risk locations? What terminals serve high risk systems? What timeouts are used to prevent unauthorized access to those systems? Why are those timeouts selected? How are they implemented and tested?]
7.5.7 Limitation of connection time
Restrictions on connection times should provide additional security for high-risk applications.
[What applications do you have that justify restrictions on connection times? What are those restrictions? How were they determined?]
7.6 Application access control
Objective: To prevent unauthorized access to information held in computer systems.
Logical access controls should be used to control access to application systems and data.
[What protection settings are used on (name a file) associated with (pick an application) to assure that only authorized users can perform only authorized actions on that file? Who are the authorized users for that file? What rights do they have to access that file? Do they need all of those rights? Do those rights grant access beyond that needed for their jobs? What additional controls are used to prevent their excessive access?]
7.6.1 Information access restriction
Access to data and IT services should be granted in accordance with business access policy.
[What is the business access policy? How is access granted in accordance with that policy? How is access revoked in accordance with that policy? How soon after a person falls into a policy category no longer requiring access are all access rights of that individual removed from all applications they no longer require access to? What is the longest time ever taken for this process?]
7.6.2 Use of system utilities
Access to system utilities should be restricted and controlled.
[How are users prevented from using system utility programs? How are they prevented from bringing in their own copy of those programs and using that copy on the system?]
7.6.3 Access control to program source library
Access to program source libraries should be restricted and controlled.
[What special controls are placed on source programs and libraries?]
7.6.4 Sensitive system isolation
Sensitive systems might require a dedicated (isolated) computing environment.
[Are there any systems with information so sensitive that they must be physically isolated? How is this isolation done?]
7.7 Monitoring system access and use
Objective: To detect unauthorized activities.
Systems should be monitored to ensure conformity to access policy and standards.
[How is it detected when access control and policy standards are violated? How long does detection take? What are the limits of detectability?]
7.7.1 Event logging
Audit trails of security events should be maintained.
[How are audit trails of security-relevant events generated, stored, and retained?]
7.7.2 Monitoring system use
Procedures for monitoring system use should be established.
[What procedures are in place to provide for legal and authorized system and user monitoring?]
7.7.3 Clock synchronization
Computer clocks should be synchronized for accurate recording.
[How is clock skew handled? How are systems synchronized? What analytical methods are used to compensate for clock skew in reviewing and analyzing audit records?]
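As an added illustration of the skew-compensation question above (example code, not part of the checklist), the snippet below normalizes audit records from several hosts to a reference clock using measured per-host offsets and flags adjacent events whose order cannot be trusted given the offset uncertainty. The host names, offsets and log lines are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: per-host clock skew relative to the reference clock
# (positive = host clock runs ahead) and the uncertainty of that measurement
# in seconds, as an auditor might establish before reviewing the records.
SKEW = {
    "web01": (timedelta(seconds=37), 2.0),
    "db01": (timedelta(seconds=-5), 1.0),
    "auth01": (timedelta(seconds=0), 0.5),
}

# Constructed audit lines: "<host> <timestamp as recorded by that host> <event>"
LOG_LINES = [
    "web01 2024-03-01T10:00:39Z login_failure user=alice",
    "auth01 2024-03-01T10:00:05Z password_change user=alice",
    "db01 2024-03-01T09:59:58Z select_sensitive_table user=alice",
    "web01 2024-03-01T10:00:45Z login_success user=alice",
]


@dataclass
class Event:
    host: str
    recorded: datetime     # timestamp as written by the host's own clock
    corrected: datetime    # timestamp mapped onto the reference clock
    uncertainty: float     # seconds of doubt inherited from the skew measurement
    text: str


def parse(line: str) -> Event:
    host, ts, text = line.split(" ", 2)
    recorded = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    offset, uncertainty = SKEW[host]
    # A clock running ahead recorded a later time than the reference, so subtract.
    return Event(host, recorded, recorded - offset, uncertainty, text)


def normalize(lines):
    """Return the events ordered by corrected (reference-clock) time."""
    return sorted((parse(line) for line in lines), key=lambda e: e.corrected)


def ambiguous_pairs(events):
    """Adjacent events whose corrected gap is within the combined skew uncertainty.

    For these pairs the audit trail cannot establish which happened first."""
    out = []
    for a, b in zip(events, events[1:]):
        gap = (b.corrected - a.corrected).total_seconds()
        if gap <= a.uncertainty + b.uncertainty:
            out.append((a.text, b.text))
    return out
```

Sorting the raw timestamps would place the database query first; after correction it follows the failed login, and the reviewer is told explicitly which orderings remain uncertain.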
Section 8. Systems development and maintenance
8.1 Security requirements of systems
Objective: To ensure that security is built into IT systems.
Security requirements should be identified and agreed prior to the development of IT systems.
[At what phase in the system development process are security requirements identified and agreed to?]
8.1.1 Security requirements analysis and specification
An analysis of security requirements should be carried out at the requirements analysis stage of each development project.
[Are security requirements explicitly and adequately covered in the requirements phase of system development? Are all corporate security elements analyzed with respect to the system in the requirements phase? Are cost analyses inclusive of security lifecycle costs?]
8.2 Security in application systems
Objective: To prevent loss, modification or misuse of user data in application systems.
Appropriate security controls, including audit trails, should be designed into application systems.
[Are security controls included in all application system designs? How is the determination made about which applications include which controls? How are system audits integrated into application audits and what provisions are made to allow these audit trails to be analyzed against each other for consistency checks? What fields are mandated in all audit trails and why?]
8.2.1 Input data validation
Data input to application systems should be validated.
[How is input data validated by application systems? Are different data elements cross-correlated (e.g., postal codes correlated with cities) to verify consistency?]
8.2.2 Internal processing validation
Data processed by application systems should be validated.
[How is input data passed from other applications validated?]
8.2.3 Data encryption
Encryption should be considered for highly sensitive data.
[Under what circumstances do you require encryption? What encryption do you use?]
8.2.4 Message authentication
A message authentication system should be considered for applications which involve the transmission of sensitive data.
[Is sensitive data authenticated during transmission and in storage to assure its integrity against illicit or accidental changes? How is this done?]
8.3 Security of application system files
Objective: To ensure that IT projects and support activities are conducted in a secure manner.
Access to system files should be controlled.
[How are appropriate system file protections identified and verified? How often is verification carried out?]
8.3.1 Control of operational software
Strict control should be exercised over the implementation of software on operational systems.
[How is control exercised over software on operational systems? Does this apply to all software? Does this include macros and interpreted instructions?]
8.3.2 Protection of system test data
Test data should be protected and controlled.
[How do you generate, control, and protect test data? What is the coverage requirement for tests on vital systems and how is coverage determined and measured?]
8.4 Security in development and support environments
Objective: To maintain the security of application system software and data.
Project and support environments should be strictly controlled.
[What special provisions are made for the protection of support and project teams and the systems they depend on?]
8.4.1 Change control procedures
There should be formal change control procedures.
[Are there formal change control procedures? What are they? Are they effective against malicious insiders?]
8.4.2 Technical review of operating system changes
The impact of operating system changes on security should be reviewed.
[How do you review operating system changes for security?]
8.4.3 Restrictions on changes to software packages
Modifications to software packages should be discouraged. Any essential changes should be strictly controlled.
[How do you discourage software modification? What rules are there about the circumstances under which operation-critical software is changed?]
Section 9. Business continuity planning
9.1 Aspects of business continuity planning
Objective: To have plans available to counteract interruptions to business activities.
Business continuity plans should be available to protect critical business processes from the effects of major failures or disasters.
[If your most critical computing facilities and the normal staff that operates them were to be destroyed in a freak accident at this moment, how soon would your business functions be back at full capacity? How do you know that this answer is accurate?]
9.1.1 Business continuity planning process (Key)
There should be a managed process in place for developing and maintaining business continuity plans across the organization.
[Do you have a business continuity planning process? What is it? Who is in charge of it? How is it managed?]
9.1.2 Business continuity planning framework
A consistent framework of business continuity plans should be maintained.
[Do you have a business continuity framework that covers the entire organization? How is the framework promulgated throughout the organization?]
9.1.3 Testing business continuity plans
Business continuity plans should be tested.
[How do you test your business continuity plans and what do the results of those tests reveal?]
9.1.4 Updating business continuity plans
Business continuity plans should be updated regularly.
[How often do you revisit the business continuity planning process and how often does it change?]
Section 10. Compliance
10.1 Compliance with legal requirements
Objective: To avoid breaches of any statutory, criminal or civil obligations and of any security requirements.
The design, operation and use of IT systems may be subject to statutory and contractual security requirements.
[Are you aware of all the legal requirements for operations of all your systems in all legal venues they have contact with? How do you stay aware? Are you in compliance? How do you verify this?]
10.1.1 Control of proprietary software copying (Key)
Attention is drawn to the legal restrictions on the use of copyright material.
[How do you verify that employees don’t have or use illegal copies of software? Is there an organizational policy to this effect? Show it to me.]
10.1.2 Safeguarding of organizational records (Key)
Important records of an organization should be protected from loss, destruction and falsification.
[What provisions do you use to assure that all legal requirements for retention of documents are adhered to, even by parties who might want to violate these requirements as part of an illegal activity?]
10.1.3 Data protection (Key)
Applications handling personal data on individuals should comply with data protection legislation and principles.
[Is personal data about individuals protected to the standards of all applicable laws? How is this done?]
10.1.4 Prevention of misuse of IT facilities
IT facilities should only be used for authorized business purposes.
[Is there a policy mandating that information technology of the organization may only be used for legitimate purposes of the organization? Are there safeguards in place to prevent, detect, or respond to attempts to violate this policy?]
10.2 Security reviews of IT systems
Objective: To ensure compliance of systems with organizational security policies and standards.
The security of IT systems should be regularly reviewed.
[How often are security audits or reviews done of each system? Is this regularity dictated on some specific basis? What is that basis?]
10.2.1 Compliance with security policy (Key)
All areas within the organization should be considered for regular review to ensure compliance with security policies and standards.
[Which areas have been considered for a security review, and when were they last considered? Which areas have not been considered and why?]
10.2.2 Technical compliance checking
IT facilities should be regularly checked for compliance with security implementation standards.
[How often are facilities checked against corporate security standards? How detailed are these checks? What is covered and not covered? Who performs these checks? Who do they work for?]