U.S. patent application number 11/858832 was filed with the patent office on 2008-08-28 for security maturity assessment method.
Invention is credited to Claude Baudoin, Colin Elliott.
Application Number: 20080209565 11/858832
Document ID: /
Family ID: 29399206
Filed Date: 2008-08-28
United States Patent Application 20080209565
Kind Code: A2
Baudoin; Claude; et al.
August 28, 2008
SECURITY MATURITY ASSESSMENT METHOD
Abstract
In general, the invention relates to a method for assessing an
information security policy and practice of an organization. The
method includes collecting information about the information
security policy and practice of the organization, generating a
rating for each of a plurality of information security items using
a security maturity assessment matrix and the collected
information, and generating a graphical assessment of the ratings.
The security maturity assessment matrix includes a first dimension
and a second dimension, where the first dimension corresponds to
the information security items and the second dimension corresponds
to maturity levels. Further, each rating is derived using the first
dimension and the second dimension.
Inventors: Baudoin; Claude (Houston, TX); Elliott; Colin (London, GB)
Correspondence Address: OSHA LIANG L.L.P. / SLB, 1221 McKinney Street, Suite 2800, Houston, TX 77010, United States; 713-228-8600; 713-228-8778; lord@oshaliang.com
Prior Publication: US 20080047018 A1, February 21, 2008
Family ID: 29399206
Appl. No.: 11/858832
Filed: September 20, 2007
Related U.S. Patent Documents:
Application Number | Filing Date | Patent Number
10/134,815 | Apr 29, 2002 |
11858832 | Sep 20, 2007 |
Current U.S. Class: 726/25; 711/E12.001
Current CPC Class: G06Q 40/08 20130101
Class at Publication: 726/025; 711/E12.001
International Class: G06F 12/14 20060101 G06F012/14
Claims
1.-19. (canceled)
20. A method for assessing an information security policy and
practice of an organization, comprising: collecting information
about the information security policy and practice of the
organization; generating a rating for each of a plurality of
information security items using a security maturity assessment
matrix and the collected information, wherein the security maturity
assessment matrix comprises a first dimension and a second
dimension, wherein the first dimension corresponds to the plurality
of information security items, wherein the second dimension
corresponds to a plurality of maturity levels, and wherein each
rating is derived using the first dimension and the second
dimension; generating a graphical assessment of the ratings; and
displaying the graphical assessment of the ratings.
21. The method of claim 20, further comprising: generating a new
rating for each of a plurality of information security items using
the security maturity assessment matrix when there is a change in
an information security environment of the organization.
22. The method of claim 20, wherein the graphical assessment of the
ratings is generated by a security maturity assessment reporting
tool.
23. The method of claim 22, wherein the security maturity
assessment reporting tool comprises functionality to track the
ratings of each of the plurality of information security items over
time.
24. The method of claim 22, wherein the security maturity
assessment reporting tool comprises functionality to graphically
compare the ratings associated with each of the plurality of
information security items with a corresponding rating goal
associated with each of the plurality of information security
items.
25. The method of claim 20, further comprising: determining how to
modify the information security policy and practice of the
organization using the rating for the at least one of the plurality
of security items.
26. The method of claim 25, wherein determining how to modify the
information security policy and practice of the organization,
comprises: generating a corrective action using the rating for at
least one of the plurality of information security items and the
security maturity assessment matrix.
27. The method of claim 26, wherein generating the corrective
action comprises: obtaining a first description from the security
maturity assessment matrix corresponding to the rating of the at
least one of the plurality of information security items; obtaining
a second description from the security maturity assessment matrix
corresponding to a goal rating of the at least one of the plurality
of information security items; and comparing the first description
with the second description to obtain the corrective action for the
at least one of the plurality of information security items.
28. The method of claim 27, further comprising: executing the
corrective action to create a new security information policy and
practice.
29. The method of claim 28, further comprising: monitoring the new
security information policy and practice.
30. The method of claim 20, wherein at least one of the plurality
of security items corresponds to an information security item
associated with at least one selected from the group consisting of
BS7799 and ISO17799.
31. The method of claim 20, wherein at least one of the plurality
of maturity levels corresponds to a maturity level associated with
a Capability Maturity Model.
32. The method of claim 31, wherein the maturity level is at least
one selected from the group consisting of: initial, repeatable,
defined, managed, and optimized.
33. The method of claim 20, wherein at least one of the plurality
of information security items in the first dimension is associated
with a scope requirement.
34. The method of claim 33, wherein the scope requirement defines
what portions of the organization to which the at least one of the
plurality of information security items applies.
35. The method of claim 30, wherein the first dimension is
displayed using at least one row and the second dimension is
displayed using at least one column.
36. A computer system for assessing an information security policy
and practice of an organization, comprising: a processor; a memory;
an input means; and software instructions stored in the memory for
enabling the computer system under control of the processor, to:
collect information about the information security policy and
practice of the organization; generate a rating for each of a
plurality of information security items using a security maturity
assessment matrix and the collected information, wherein the
security maturity assessment matrix comprises a first dimension and
a second dimension, wherein the first dimension corresponds to the
plurality of information security items, wherein the second
dimension corresponds to a plurality of maturity levels, and
wherein each rating is derived using the first dimension and the
second dimension; generate a graphical assessment of the ratings;
display the graphical assessment of the ratings.
37. The computer system of claim 36, further comprising software
instructions stored in the memory for enabling the computer system
under control of the processor, to: generate a new rating for each
of a plurality of information security items using the security
maturity assessment matrix when there is a change in an information
security environment of the organization.
38. The computer system of claim 36, wherein the graphical
assessment of the ratings is generated by a security maturity
assessment reporting tool.
39. The computer system of claim 38, wherein the security maturity
assessment reporting tool comprises functionality to track the
ratings of each of the plurality of information security items over
time.
40. The computer system of claim 38, wherein the security maturity
assessment reporting tool comprises functionality to graphically
compare the ratings associated with each of the plurality of
information security items with a corresponding rating goal
associated with each of the plurality of information security
items.
41. The computer system of claim 36, further comprising software
instructions stored in the memory for enabling the computer system
under control of the processor, to: determine how to modify the
information security policy and practice of the organization using
the rating for the at least one of the plurality of security
items.
42. The computer system of claim 41, wherein software instructions
stored in the memory for enabling the computer system under control
of the processor, to determine how to modify the information
security policy and practice of the organization, comprise software
instructions for: generating a corrective action using the rating
for at least one of the plurality of information security items and
the security maturity assessment matrix.
43. The computer system of claim 42, wherein software instructions
stored in the memory for enabling the computer system under control
of the processor, to generate the corrective action comprise
software instructions for: obtaining a first description from the
security maturity assessment matrix corresponding to the rating of
the at least one of the plurality of information security items;
obtaining a second description from the security maturity
assessment matrix corresponding to a goal rating of the at least
one of the plurality of information security items; and comparing
the first description with the second description to obtain the
corrective action for the at least one of the plurality of
information security items.
44. The computer system of claim 42, further comprising software
instructions stored in the memory for enabling the computer system
under control of the processor, to: execute the corrective action
to create a new security information policy and practice.
45. The computer system of claim 44, further comprising software
instructions stored in the memory for enabling the computer system
under control of the processor, to: monitor the new security
information policy and practice.
46. The computer system of claim 36, wherein at least one of the
plurality of security items corresponds to an information security
item associated with at least one selected from the group
consisting of BS7799 and ISO17799.
47. The computer system of claim 36, wherein at least one of the
plurality of maturity levels corresponds to a maturity level
associated with a Capability Maturity Model.
48. The computer system of claim 47, wherein the maturity level is
at least one selected from the group consisting of: initial,
repeatable, defined, managed, and optimized.
49. The computer system of claim 36, wherein at least one of the
plurality of information security items in the first dimension is
associated with a scope requirement.
50. The computer system of claim 49, wherein the scope requirement
defines what portions of the organization to which the at least one
of the plurality of information security items applies.
51. The computer system of claim 36, wherein the first dimension is
displayed using at least one row and the second dimension is
displayed using at least one column.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application is a continuation, pursuant to 35 U.S.C.
§ 120, of U.S. patent application Ser. No. 10/134,815 filed on
Apr. 29, 2002.
BACKGROUND OF INVENTION
[0002] Information Security encompasses the protection of
information against unauthorized disclosure, transfer,
modification, or destruction, whether accidental or intentional.
Information security has become a prevalent concern of
organizations as a result of the trends towards e-commerce,
e-business, universal email and web access, and well-publicized
security exploits. As a result, organizations are attempting to
apply information security principles in a pragmatic framework.
[0003] To enable organizations to apply information security
principles in a pragmatic framework, a number of information
standards and tools have been developed. One widely recognized
standard, BS7799/ISO17799, was developed by the British Standards
Institution (BSI) and adopted by the International Organization for
Standardization (ISO). The BS7799/ISO17799 standard is a
comprehensive set of controls that outline best mode practices in
information security. The aim of BS7799/ISO17799 is to serve as a
single reference point to determine the appropriate information
security policy for a variety of systems and organizations. The
BS7799/ISO17799 standard includes 10 sections, each addressing a
specific area of information security. See, "ISO17799 Security
Standard: ISO 17799 Compliance & Positioning."
[0004] The process of managing compliance with the BS7799/ISO17799
is a non-trivial task. As a result, a number of risk analysis and
risk management products have been developed to help organizations
comply with the BS7799/ISO17799 standard. One such product is
COBRA, which was developed by C & A Systems, Inc. COBRA is used
to semi-automate the assessment process. COBRA utilizes a series of
online questionnaires to obtain information about the current
security policy. Using the answers from the questionnaires, COBRA
creates reports that provide information about the organization's
current compliance position, on a pass/fail basis, with respect to
each section of the BS7799/ISO17799 standard.
[0005] Another tool that has been developed to enable organizations
to apply information security principles in a pragmatic framework
is the Systems Security Engineering Capability Maturity Model
(SSE-CMM). The SSE-CMM is derived from concepts of the Software
Engineering Institute (SEI) Capability Maturity Model initially
created for software development. The SSE-CMM describes the
essential characteristics of an organization's security engineering
process that must exist to ensure good security engineering. The
SSE-CMM does not prescribe a process or standard such as
BS7799/ISO17799, but rather uses a model that captures practices
generally observed in the industry. Additionally, the SSE-CMM is
based on a maturity model that defines specific goals and practices
for the entire life cycle of an organization. Further, the SSE-CMM
defines an overall assessment process and roles for security
engineering within an organization. See, "System Security
Engineering Capability Maturity Model-Model & Appraisal Method
Summary April 1999." The resulting assessment obtained from
applying the SSE-CMM is typically not associated with a reporting
tool to report the maturity level.
SUMMARY OF INVENTION
[0006] In general, in one aspect, the invention relates to a method
for assessing an information security policy and practice of an
organization, comprising determining a risk associated with the
information security policy and practice, collecting information
about the information security policy and practice, generating a
rating using a security maturity assessment matrix, the collected
information, and the risk associated with the information security
policy and practice, generating a list of corrective actions using
the rating, executing the list of corrective actions to create a
new security information policy and practice, and monitoring the
new security information policy and practice.
[0007] In general, in one aspect, the invention relates to an
apparatus for assessing an information security policy and practice
of an organization, comprising means for determining a risk
associated with the information security policy and practice, means
for collecting information about the information security policy
and practice, means for generating a rating using a security
maturity assessment matrix, the collected information, and the risk
associated with the information security policy and practice, means
for generating a list of corrective actions using the rating, means
for executing the list of corrective actions to create a new
security information policy, and means for monitoring the new
security information policy.
[0008] In general, in one aspect, the invention relates to a
computer system for assessing an information security policy and
practice of an organization, comprising a processor, a memory, an
input means, and software instructions stored in the memory for
enabling the computer system under control of the processor, to
perform determining a risk associated with the information security
policy and practice, collecting information about the information
security policy and practice using the input means, generating a
rating using a security maturity assessment matrix, the collected
information, and the risk associated with the information security
policy and practice, generating a list of corrective actions using
the rating, executing the list of corrective actions to create a
new security information policy and practice, and monitoring the
new security information policy and practice.
[0009] Other aspects and advantages of the invention will be
apparent from the following description and the appended
claims.
BRIEF DESCRIPTION OF DRAWINGS
[0010] FIG. 1 illustrates a typical computer system.
[0011] FIG. 2 illustrates a flowchart detailing the Security
Maturity Assessment method in accordance with one embodiment of the
invention.
[0012] FIG. 3 illustrates a portion of a Security Maturity
Assessment Reporting Tool report in accordance with one or more
embodiments of the invention.
[0013] FIG. 4 illustrates a flowchart detailing the Security
Maturity Assessment method in accordance with another embodiment of
the invention.
DETAILED DESCRIPTION
[0014] Exemplary embodiments of the invention will be described
with reference to the accompanying drawings. Like items are denoted
by like reference numerals throughout the drawings for
consistency.
[0015] In the following detailed description of the invention,
numerous specific details are set forth in order to provide a more
thorough understanding of the invention. However, it will be
apparent to one of ordinary skill in the art that the invention may
be practiced without these specific details. In other instances,
well-known features have not been described in detail to avoid
obscuring the invention.
[0016] The invention relates to a method for assessing a security
maturity of an organization. Further, the invention relates to
assessing the security maturity of an organization using a security
assessment matrix. Further, the invention relates to basing the
security assessment matrix on the BS7799/ISO17799 standard and the
Capability Maturity Model (CMM). Further, the invention relates to
a method for providing quantitative, action-oriented results using
the security assessment matrix. Further, the invention relates to a
method to compare the security maturity of an organization to a
pre-determined goal, or to the security maturity of the same
organization at another point in time, or to the security maturity
level mandated by another organization or authority.
[0017] The invention may be implemented on virtually any type
computer regardless of the platform being used. For example, as
shown in FIG. 1, a typical computer (28) includes a processor (30),
associated memory (32), a storage device (34), and numerous other
elements and functionalities typical of today's computers (not
shown). The computer (28) may also include input means, such as a
keyboard (36) and a mouse (38), and output means, such as a monitor
(40). Those skilled in the art will appreciate that these input and
output means may take other forms in an accessible environment.
[0018] The Security Maturity Assessment (SMA) method involves five
distinct stages: (1) management awareness and commitment, (2)
security maturity assessment, (3) corrective action plan (CAP), (4)
corrective action plan execution (CAPE), and (5) ongoing
monitoring. Each of the aforementioned stages is explained below in
greater detail. Those skilled in the art will appreciate that the
names used to denote the stages may vary without detracting from
the invention.
[0019] FIG. 2 illustrates a flowchart detailing the SMA method in
accordance with one embodiment of the invention. The SMA method is
initiated by ensuring that an organization's management is aware
and committed to improving the organization's information security
practices and policies (Step 100). An assessment entity (e.g.,
individual/company conducting assessment) then assesses the
organization's information security practices and policies (Step
102). Using the information gained in Step 102, the assessment
entity develops a corrective action plan (Step 104). The corrective
action plan is subsequently executed (Step 106). If the
organization desires continuous monitoring after the execution of
the corrective action plan (Step 108), then the assessment entity
may continuously monitor revised information security policies and
practices of the organization (Step 110). Following the continuous
monitoring, the method may return to Step 100 to ensure that the
organization's management is still aware and committed, or
potentially proceed directly to Step 102 if the organization's
management continues to be aware and committed. If the organization
desires not to have continuous monitoring after the execution of
the corrective action plan (Step 108), then the method ends.
[0020] The management awareness and commitment stage is the first
stage of the SMA method and is used to raise awareness within the
management of the organization being assessed and to initiate
gathering of information. Specifically, in the management awareness
and commitment stage, an assessment entity gathers information to
understand the organization's business goals. Further, the
assessment entity gathers information to understand the associated
risks in terms of information security. For example, if the
organization is using a wireless Local Area Network (LAN), there
are different information security risks to consider than if the
organization is using a conventional LAN where all computers are
connected via Ethernet cable. Additionally, the assessment entity
creates awareness in the organization by presenting the security
maturity assessment methodology and method. In one or more
embodiments of the invention, the assessment entity may also
provide additional information about the underlying standards,
e.g., the ISO standard. In one or more embodiments of the
invention, the assessment entity may also provide an explanation of
the concept of a maturity model as it applies to the security
assessment.
[0021] The security maturity assessment stage is initiated by the
assessment entity identifying participants required to perform the
SMA. Additionally, the assessment entity, in conjunction with the
organization, determines the effort and cost to be used to perform
the SMA. A time line is also set to allow the assessment entity and
the organization to have a means to track the progress of the SMA.
At this point, in one or more embodiments of the invention, the
assessment entity may request that the organization sign an
assessment contract to ensure commitment by the organization to
follow through with the SMA. Once the aforementioned steps have
been completed, the assessment entity proceeds to perform the
SMA.
[0022] The assessment entity initiates the SMA by collecting
documents detailing the organization's existing information
security policies and practices. After review of the collected
documents, additional information is typically obtained via
interviews with participants identified at the beginning of this
stage. Using the information obtained from the collected documents
and the interviews, a preliminary rating is generated. The
preliminary rating details the maturity of individual sections and
the overall maturity level of the organization's information
security practices and policies.
[0023] In one or more embodiments of the invention, the preliminary
rating is generated using a security assessment matrix (SAM). The
SAM defines each level of maturity for each information security
item. The SAM includes 61 rows corresponding to the groups of the
BS7799/ISO17799 standard information security items, and 5 columns
defining the maturity level. The five maturity levels, arranged
from least mature to most mature, are Initial (Level 1), Repeatable
(Level 2), Defined (Level 3), Managed (Level 4), and Optimizing
(Level 5). For each intersection of row and column, there is a
paragraph that defines a specific "capability maturity" level. The
paragraphs contained in a given row of the SAM represent successive
capability maturity levels for the same information security item.
Further, some rows of the SAM represent successive capability
maturity levels associated with a single information security item,
as described in one paragraph of the BS7799/ISO17799 standard.
Other rows of the SAM may represent successive capability maturity
levels of information security items that the BS7799/ISO17799
standard describes in separate paragraphs or sections.
[0024] In one or more embodiments of the invention, an item
definition for each information security item is included in the
SAM. The item definition acts as a legend for the level definitions
for a particular information security item. Further, in one or more
embodiments of the invention, the SAM includes level definitions as
follows: Level 1--Initial; Level 2--Not written down, but
communicated via coaching; Level 3--Written down; Level
4--Responsibility is defined; Level 5--Process exists for catching
deviations and improving the information security to prevent them.
Further, in one or more embodiments of the invention, the SAM
includes scope requirements. The scope requirements indicate to
which various aspect of an organization's operations the criteria
set forth in a particular row of the SAM must be applied.
[0025] The combination of a certain level definition (e.g., Level
1) with one information security item (i.e., a specific row of the
SAM) yields a specific criterion that one skilled in the art can
apply to establish if the organization being assessed meets, fails
or exceeds this level of maturity for this information security
item. Furthermore, those skilled in the art can apply the general
definition of the maturity level (Level 1 through 5) to a specific
information security item in such a way that they can readily
determine whether the organization being assessed meets, fails or
exceeds this level of maturity for this security item, even if the
specific criterion set forth at the intersection of this row and
column of the SAM is, for any reason, not directly applicable in
the case of this organization.
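The rating of each SAM row, the claim 27 comparison of the current and goal level descriptions, and the reporting tool's tracking of ratings over time, as an added Python example (not code from the patent; the two rows, their level criteria, the evidence keys and the staged-rating rule are constructed assumptions):

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Added example, not the patent's own code. Level names follow the page
# (Initial .. Optimizing); the rows, their criteria and the evidence keys are constructed.
LEVEL_NAMES = {1: "Initial", 2: "Repeatable", 3: "Defined", 4: "Managed", 5: "Optimizing"}

# The "collected information": facts established from document review and interviews.
Evidence = Dict[str, bool]


@dataclass
class Item:
    """One SAM row: a security item, one (description, test) per maturity level, and its scope."""
    item_id: str
    name: str
    criteria: Dict[int, Tuple[str, Callable[[Evidence], bool]]]
    scope: str = "all business units"


def build_sam() -> Dict[str, Item]:
    """Two constructed rows keyed by the ISO17799 section labels the page uses (III.1, IV.1).
    The level texts paraphrase the generic legend of [0024]; they are not the patent's cells."""
    return {
        "III.1": Item("III.1", "Information security policy", {
            1: ("No security policy in place.", lambda e: True),
            2: ("A policy exists but is only communicated verbally, by coaching.",
                lambda e: e.get("policy_exists", False)),
            3: ("The policy is written down and published to staff.",
                lambda e: e.get("policy_written", False)),
            4: ("A named owner is responsible for maintaining the policy.",
                lambda e: e.get("policy_owner_named", False)),
            5: ("Every security incident triggers a review that improves the policy.",
                lambda e: e.get("policy_reviewed_after_incidents", False)),
        }),
        "IV.1": Item("IV.1", "Responsibility for protection of individual assets", {
            1: ("No responsibility for individual assets is assigned.", lambda e: True),
            2: ("Individuals know informally which assets they are responsible for.",
                lambda e: e.get("asset_owners_known", False)),
            3: ("A responsibility matrix for asset protection is documented.",
                lambda e: e.get("asset_matrix_documented", False)),
            4: ("A specific party maintains the matrix; new assets get an owner on acquisition.",
                lambda e: e.get("asset_matrix_owner_named", False)),
            5: ("Unowned assets are flagged for corrective action; matrix versions are archived.",
                lambda e: e.get("unowned_assets_flagged", False)),
        }, scope="physical and information assets"),
    }


def rate_item(item: Item, evidence: Evidence) -> int:
    """Staged rating (an assumption in the CMM spirit): the highest level L whose
    criteria, and those of every lower level, are all met. Evidence for a higher
    level without the lower ones does not raise the rating."""
    rating = 0
    for level in sorted(item.criteria):
        _, is_met = item.criteria[level]
        if not is_met(evidence):
            break
        rating = level
    return rating


def rate_all(sam: Dict[str, Item], evidence: Evidence) -> Dict[str, int]:
    """One rating per information security item (the first dimension of the matrix)."""
    return {item_id: rate_item(item, evidence) for item_id, item in sam.items()}


def corrective_action(item: Item, rating: int, goal: int) -> List[str]:
    """Claim 27 in code: the description at the current rating (first description)
    against the one at the goal rating (second description); the levels in between
    spell out the corrective action. Empty when the goal is already met."""
    if goal <= rating:
        return []
    current = item.criteria[rating][0] if rating in item.criteria else "not assessed"
    steps = [f"{item.item_id} {item.name} [{item.scope}]: now Level {rating}: {current}"]
    for level in range(rating + 1, goal + 1):
        description, _ = item.criteria[level]
        steps.append(f"  reach Level {level} ({LEVEL_NAMES[level]}): {description}")
    return steps


def compare_assessments(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Tracking ratings over time (claim 23): per-item change between two assessments;
    a negative value is a regression, e.g. after a change in the security environment."""
    return {item_id: current[item_id] - previous.get(item_id, 0) for item_id in current}


def render_report(sam: Dict[str, Item], ratings: Dict[str, int], goals: Dict[str, int]) -> str:
    """Text form of the reporting tool's graph: '#' filled up to the rating, '|' at the goal."""
    lines = ["item   rating goal  1 2 3 4 5"]
    for item_id in sam:
        r, g = ratings[item_id], goals[item_id]
        cells = ["#" if lvl <= r else ("|" if lvl == g else ".") for lvl in range(1, 6)]
        lines.append(f"{item_id:<6} {r:>6} {g:>4}  {' '.join(cells)}")
    return "\n".join(lines)
```

Calling `rate_all(build_sam(), evidence)` followed by `corrective_action` for each row reproduces the rating, gap and corrective-action steps of claims 20 and 27 for the constructed rows.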
[0026] Table 1 illustrates the SAM in accordance with one or more
embodiments of the invention. The columns of Table 1 (Security
Assessment Matrix) are: ISO 17799 Item Categories | Definitions | Level
1 (Initial) | Level 2 (Repeatable): not written down, but communicated
via coaching | Level 3 (Defined): written down | Level 4 (Managed):
responsibility is defined | Level 5 (Optimizing): process exists for
catching deviations and making constant improvements | Scope
Requirements.
The rows of Table 1 contained in this excerpt, by ISO 17799 item
category and definition, are:
III.1 Information Security Policy: Coverage of Security Policy;
Availability of Security Policy to Employees; Review of Security
Process.
IV.1 Information Security Infrastructure: Responsibility for the
protection of individual assets; Security in job definition and
resourcing; Information security education and training; Approval
process for the acquisition and installation of IT facilities.
IV.2 Security of Third Party Access: Security Control of Third Party
Access to Information Processing Facilities.
IV.3 Outsourcing: Security Controls for External Contractors.
The IV.2 row (Security Control of Third Party Access to Information
Processing Facilities), level by level:
Level 1 (Initial): No control mechanism.
Level 2 (Repeatable): Physical access control allows ad hoc decisions
by IT staff, who have been told informally what to do.
Level 3 (Defined): The access control rules are documented. There is a
formal contract with each party that requires access.
Level 4 (Managed): Third-party access is linked to the rest of the
organization's security system through the issuance of access tokens,
and accesses are logged.
Level 5 (Optimizing): The access logs and the list of authorized third
parties are regularly audited, and changes to access procedures are
made when the need arises.
(The remaining cells of Table 1 are not legible in this copy.)
the standards and process is defined. compliance Security incident
procedures. V.1 Accountability Coverage of Asset No inventory
Manual Inventory Schedule, triggers, There is a process Information
for Assets Inventory inventory, performed roles and to review what
Asset Maintenance occasional, on according to responsibly, are
happened after Inventory demand. written defined. each inventory.
Software procedures, Ownership is clear Inventories are Asset but
schedule and known incremental, not Inventory and triggering
throughout the IT from scratch Physical events are not organization
and every time. Asset Asset well defined. management. inventories
are Inventory Typically not automated. Services automated.
Inventory Ease of Alteration Information There is There is a There
are control There is a Printed of Information assets can be
informal documented mechanisms (e.g., mechanism in Reports Assets
altered knowledge that change access controls) to place to review
Screen without classified procedure that prevent alteration the
effectiveness Displays control documents applies to all without
proper of the change Magnetic cannot be classified authorization.
control process Media altered at will, information and detect the
Electronic but no assets. No need for Messages systematic
systematic improvements. File Transfers procedures. control
mechanisms in place. Coverage of No Covers some There is an
Information Information Information Information procedures in
information Information handling handling training Asset Handling
place for assets. Little Handling procedures are is part of written
Inventory Procedures handling formality. No manual, owned by IT and
Personnel Software information. regular mentioned on appropriate
procedures. Asset reviews. the public functions including Processes
in Inventory Applied by few web page, and IT but also place to
report Physical business units. covering Finance, HR, and learn
from Asset essentially all Legal, etc. cases when Inventory types
of assets Organization information has Services and all policies
define the been handled Inventory business roles and incorrectly.
Printed units. responsibilities in Reports following Screen
procedures. Displays Magnetic Media Electronic Messages File
Transfers
("Handling" = copying, storage, electronic transmission, spoken
transmission, destruction) V.2 Information Classification of No Ad
hoc Information Ownership of the Security Printed Classification
Information Assets classification classification, asset
classification is classification is Reports Labeling of at document
classification clearly defined as reviewed Engineering Information
Assets owner's is published part of company periodically. List
files (photos, initiative. and "pushed" procedures and is of
documents microfiche, Most to all potential known of with highest
etc.) documents not document management. classification is Screen
marked. If owners. It reviewed Displays marked, labels covers
periodically. Magnetic are security. Declassification Media
inconsistent. Classified procedures exist. Electronic No systematic
information is Messages awareness labeled, File Transfers campaign.
consistently. VI.1 Security in Job Screening of Incomplete
Screening of Documented and A specific party is Procedures are
Applicant Definition and new or a lack of applicants is published
responsible for reviewed regularly refers to all Resourcing
applicants. screening of performed procedures for defining and for
improvements employees Complete applicants. informally, is
applicant maintaining the and compliance. (contractor, checking of
Contractor not documented, screening exist screening procedure.
Security issues found permanent, the new hiring are and is not and
are used by Results of the to be related to or part time)
applicant's not vetted performed the organization. screening are
failings in the CV. through HR. consistently. captured in the
screening procedure Screening of applicant's HR file. mandate
immediate contractor review and update of and the procedure.
temporary staff VI.2 User Training Security Little Discussed with
Documented in Roles and Audits of the security awareness of
awareness of employees and writing and made responsibilities to
acknowledgments are personnel corporate contract or available to
all maintain and performed. A system security. temporary staff.
Employees communicate the of re- personnel upon receive a copy of
security policy are acknowledgment hiring. security policy on
defined. occurs periodically hiring and are Acknowledgement and
upon changes to required to of the policy is the security policy.
acknowledge tracked and stored Incidents are receipt. as part of
the HR analyzed for policy of the performance employee. improvement
to the security awareness procedures. Security No education
Security Security A specific party is Training plans are education
or training is education and education is responsible for
periodically reviewed and technical provided. technical documented
and defining and to conform to the training training are not
included as part maintaining the changing needs of the provided of
the hiring security education business. Training consistently and
process. and technical records are reviewed the Technical training
program. against policy and responsibility is training roadmaps
Training records are exceptions lead to at the discretion exist for
each captured in the corrective actions. of management. employee.
employee's file. Review and planning for future training is part of
the appraisal process. VI.3 Responding to Disciplinary None
Managers have The definition of The documented After each incident
Security Process for documented. intuitive violations, process
includes that causes the Incidents and Company Reaction is
awareness of investigation roles and procedure to be Malfunctions
Security ad hoc. need, can quote process, and list responsibilities
for invoked, the process Violation multiple levels of applicable
each step, and a is reviewed and, of penalty, penalties is clear
workflow. when applicable, the including but not documented,
process is revised limited to firing. distributed, (including the
Managers and signed by the training or the HR appropriate penalty
clauses). independently parties, and agree on how to personnel has
initiate and been educated as conduct to the content. disciplinary
actions. VII.1 Secure Areas Protection The IT Access control is
List of secure All access to secure Auditing of access from
equipment is provided on an perimeters and IT areas is control
system logs is unauthorized left ad hoc basis access rights to
performed by a done periodically. access. unattended typically by
IT those areas are mechanism (e.g., Changes in facilities Physical
with no manager. No documented and badge access control and
management entry control controls defined list of published.
system) that allows trigger a review and to office, beyond access
rights is for personal revision of the access room. physical
published or identification and procedures. Physical building
managed. auditing. Access security for access. control is managed
IT facilities. centrally for granting and revoking rights and is
linked to hiring and termination policies. VII.2 Equipment Fire
alarm The fire Procedures for The fire alarm Reaction to actual
Security system in not alarm system the fire alarm system is
tested. alarms is reviewed present. exists and system are
Procedures exist and improvements people have visible and for
evaluation of implemented into been posted, the fire alarm the
current system informally including system including and
alternative made aware evacuation path, damage systems reviewed of
the behavioral assessment and where necessary. system. actions,
Halon recovery, warnings, etc. evacuation headcount, etc. Personal
No policies Policies for There is a A specific party is The
personal workstation for personal personal documented responsible
for workstation policy is policy workstations workstations policy
for defining and regularly reviewed to exist. exist but are not
personal maintaining the ensure it conforms to published or
workstations and personal the changing needs of adopted fully steps
are taken to workstation the business. Personal across the spread
its policy. workstation needs are organization. awareness among
Sensitive reviewed and changes employees. information is are made
where protected by necessary. Audits are means of carried out to
ensure encryption. that the organization maintains a recognized
workstation policy to ensure efficient management. Protection There
are no There is an There is a formal A specific party is The safety
threat policy from procedures informal safety documented
responsible for is regularly reviewed to environmental in place to
threat protection policy in place. It defining and ensure it
conforms with threats and protect from policy in place. details all
the maintaining the the changing needs of hazards. safety threats
This is not steps that need to safety threat the business. The
Protection or hazards. enforced be followed to control guidelines.
policy is regularly from human throughout the protect from reviewed
and changes carelessness organization and potential hazards. are
made where (eating, the details of the necessary to ensure smoking,
policy are not continued compliance. drinking). documented.
Protection from power and communication cabling from interception
or damage. VII.3 General Controls Inspection of Incoming There is
no There is a A responsible The key goods incoming goods are formal
process documented party is identified screening process is goods
for not to inspect process whereby to manage the regularly reviewed
to hazards inspected. incoming goods. all incoming processes and
ensure they conform to It is carried out goods are procedures for
the changing needs of in an adhoc inspected per a inspecting the
business. Goods manner. defined plan. incoming goods screening
needs are for safety reviewed and changes compliance. are made
where necessary. The organization maintains historical files of
incoming goods; these are regularly reviewed to ensure that there
are no discrepancies. Process of There is no An informal A formal
process An inventory of Audits of the removal of standardized
process exists is documented organizational organization's property
organization's procedure for property and published the property is
are carried out property for removal removal. to organization
maintained and periodically and of property. for property updated
regularly. changes to the removal removal. A group or process are
made individual is where necessary. identified to verify that the
process is followed. Equipment There are no Equipment Equipment is
A responsible Record of equipment maintenance equipment maintenance
is covered by party is identified maintenance is maintenance
carried out on an insurance and the to oversee examined to
determine policies and ad hoc basis equipment equipment fault
patterns or abuses. the based on maintenance maintenance
Appropriate changes equipment manufacturer controls the policies
are are incorporated into maintenance recommended determination of
followed. the maintenance is done only service intervals risk.
policies. on failure. Sensitive Data Data disposal Data disposal A
responsible The disposal procedure data disposal disposal procedure
is procedure is party is identified is audited regularly and
procedure procedure is informally formally defined to oversee that
the appropriate steps not defined. defined. and published to
disposal procedure incorporated into the the organization. is
followed. procedure. VIII.1 Operational Management None - each
Common Documented in Roles and Procedures include a Reporting
Procedures and Responsibilities incident is awareness of writing
and made responsibilities are mechanism to evolve procedures
Responsibilities and handled ad procedures. available to all IT
defined. them. Incidents are cover: Procedures hoc on a best Effort
for staff (and other Escalation and analyzed to suggest All types
of Incident effort basis. repeatability department staff reporting
chains improvements. There security Reporting includes staff with
IT roles) exist. Issues and is a quality incident
Procedures meetings, requests are improvement process, Contingency
training recorded as documented and plans sessions, trouble
tickets. applied. Audit trails coaching and similar Recover actions
and authority VIII.2 System Planning Testing of None; new Testing
is A formal The responsibility Policy is Includes issues and
Acceptance new systems are informal and is document to define,
review, periodically of capacity information placed in performed
based defining the and ensure reviewed and planning and systems
operation on individuals' testing and compliance with revised upon
any Systems requirements without any knowledge, not deployment of
the testing policy change in the Acceptance. and upgrades formal
test on a formal new and is defined. There production systems
Issues to be prior to procedure. process. upgraded systems are
system level or organizational considered deployment is defined.
tools that prevent structure. Testing include: unauthorized
methodology and Performance changes to tools are and Computer
production continuously Capacity systems. examined to Requirements
Documents exist determine Error Recovery detailing applicability to
the and Restart interfaces into the organization and Procedures
change then introduced. Security management Controls/Issues
process. Manual Processes Business Continuity Arrangements
Additional Load on existing machines Training in the operation of
the new equipment VIII.3 Protection Detection and No IT staff has A
formal, A specific party is The procedure Procedures Against
protection detection, informally documented responsible for
includes a cover: Malicious against protection defined procedure
for defining and mechanism for All types of Software malicious
measures, procedures for detecting and maintaining the evolution.
Incidents virus and software. reporting, detecting and handling
detection and are analyzed to malicious User or recovery handling
malicious protection suggest software awareness of procedures
malicious software and procedures, improvements. The incident
procedures to exist, and software and virus attacks informing and
toolset is Contingency deal with dealing virus attacks. exists and
is training the users, continuously plans malicious with There are
no communicated to managing the examined and Audit trails and
software malicious common tools, all employees as detection and
updated to provide similar Procedures software formal part of the
recovery efforts, maximum protection Recover actions for reporting
and virus documentation, corporate security and selecting and
against changing and authority and recovery attacks is or training
policy. A maintaining the treats. from virus entirely programs for
all standard set of protective tools. attacks reactive employees.
protective tools is and defined and handled in deployed. an ad hoc
Training is given manner. to all employees. Policy No policy
Software A software A specific party is List of authorized relating
to or monitoring licensing policy responsible for software is
licensed monitoring policies are is documented monitoring and
periodically software and exists informal and and published to
maintaining reviewed to conform prohibition of regarding performed
on an all employees. authorized to the changing unauthorized
software ad hoc basis. The software licenses needs of the software
installation. IT organization, for the enterprise. business.
Software when involved in A software audits are reviewed software
inventory and exceptions lead procurement, licensing tool is to
corrective actions. applies controls used to monitor informally.
and ensure compliance. VIII.4 Housekeeping Monitoring of No
Informal Capacity plan and Ownership of the New technology,
processing monitoring monitoring as capacity capacity plan and
contractual power and exists. part of system management capacity
agreements, and storage to Capacity management process covering
management supplier selection ensure adjustments procedures
processing process is defined. are continuously availability are
performed on an power, memory, Formal researched and performed as
needed basis. disc space, mechanism for introduced into the in
reaction No management LAN/WAN business managers environment in to
capacity plan or capacity, backup to place order to provide the
problems. model is capacity, number requirements into necessary
resources specifically of user the plan and a link while optimizing
the defined. workstations, exists between the costs. physical space
capacity planning and power. process and the budgeting process.
VIII.5 Network Covered by other Management questions in this
section VIII.6 Media Handling Procedures No IT staff has Formal, A
specific party is Procedures are Media includes: and Security and
controls procedures informally documented responsible for
periodically IT computer to protect or controls defined procedures
for defining and reviewed to address room media computer are in
place procedures and protecting maintaining the changes in the type
(e.g., backup media to protect controls for computer media
procedures for the or volume of tapes, computer protecting exist
and are access control computer media to removable hard media.
computer media. communicated to systems and be handled. Audit
drives, CD- There is no all employees as auditing of access logs
are reviewed ROMs, etc.) formal part of the to computer and
exceptions lead User media documentation, corporate security media.
to corrective action. (e.g., CD- access logs, or policy. Controls
ROMs, floppy training programs are in place to discs, etc.) for all
employees. limit and track access to media. Training is given to
all employees. VIII.7 Exchanges of Security of No defined No
corporate A corporate A specific party is The standards are
Standards for Information and exchange of procedures standard or
policy standard for the responsible for periodically secure
Software data and to secure exists addressing security exchange
defining and reviewed to address exchange of software with the
securing the of data and maintaining the changes to the data data
and other exchange exchange of data software with standards for the
being exchanged or software with organizations. of data or and
software with other secure exchange the means of 3rd parties and
software. other organizations is of data and exchanging. The
outsourcing organizations. documented and software. An information
vendors. published to all information classification policy
Information employees. classification continually evolves.
classification policy determines policy what can be and how it is
transmitted. IX.1 Business Documentation No An informal, An access
policy A specific party is The access policy Access rights
Requirements of business awareness undocumented statement
responsible for statement is encompasses for Access requirements or
practice access control defining access defining and periodically
accounts for Control for access of access practice is rights of
each maintaining the reviewed to conform network, control. control.
applied on an ad user or group of access policy to the changing
operating Access policy hoc basis. users exists and is statement
and needs of the system, and statement published. ensuring it is in
business. Security application defining the alignment with
incidents are access. access right of business reviewed and ACLs,
user and each user or requirements. modifications to the system
group of users. access policy accounts, etc. Protection of
statement are made Automatic connected where appropriate.
identification of services from terminals and unauthorized portable
use. devices. Review of user Timeout of access right remote systems
and left unattended capabilities for extended Policy periods of
time concerning the use of network and network services. Network
controls in place IX.2 User Access System of No An informal, A user
account A specific party is The user account Deletion vs.
Management formal control undocumented policy defining responsible
for policy is disabling registration/de- over user account access
rights, defining and periodically accounts. registration for access
to practice is privilege levels, maintaining the reviewed to
conform Unique id for access to IT IT applied on an ad and user
account to the changing all users. services. services. hoc basis.
creation/deletion policy. User needs of the Immediate rules exists
and is account business. Audit account published. creation/deletion
requirements are removal for records are reviewed and users who
archived. modifications to the change duties user account policy or
leave the are made where company. appropriate. User's Multiple
accounts privilege in per individual are overriding created or
deleted system/application through a single restriction. point of
control. Record kept of all privileges allocated. System routine to
grant privilege to users. Access control to program source library
IX.3 User Security of user Passwords An informal, A published A
specific party The password policy is Limit the number
Responsibilities password. User are not undocumented password is
responsible periodically reviewed of password password used.
password policy defines for defining and to conform to the attempt
before confidentiality practice is password maintaining the
changing needs of the the system locks level applied on an strength
(e.g., password policy. business. Periodic out the user. ad hoc
basis. length, Record of audits (cracking) of Record and make
inclusion of password passwords are user aware of special histories
is performed to ensure unsuccessful characters), archived.
compliance and logon attempts aging, and exceptions are noted,
Enforcement of usage. documented, and password rules corrective
action is taken. Good-practice No An informal, A good-practice A
specific party A process exists to No display of guidelines to
guidelines undocumented guidelines is responsible solicit
suggestions for system identifiers users in exist. guidelines is
statement is for defining and best-practice guidelines until logon
has ensuring good provided to defined and maintaining the from
internal and been successful security. users on an ad incorporated
good-practice external sources and to General notice hoc basis.
into user guidelines. incorporate them into warning that the
training the organization's user system should programs. security
guidelines. only be used by authorized users If error occurs at
logon do not indicate what the error was Cryptographic No An
informal, A good-practice A specific party A process exists to
Controls guidelines undocumented guidelines is responsible solicit
suggestions for exist. guidelines is statement is for defining and
best-practice guidelines provided to defined and maintaining the
from internal and users on an ad incorporated good-practice
external sources and to hoc basis. into user guidelines.
incorporate them into training the organization's user programs.
The security guidelines. guidelines cover: encryption, digital
signatures, key management, non-repudiation services IX.4 Network
Covered in other area in this Access Control section IX.5 Operating
Covered in other area in this System Access section Control IX.6
Application Covered in other area in this Access Control section
IX.7 Monitoring Covered in other area in this System Access section
and Use IX.8 Mobile Mobile No An informal, A good-practice A
specific party A process exists to Laptop, Mobile, Computing and
Computing and guidelines undocumented guidelines is responsible
solicit suggestions for and Palmtop Teleworking Teleworking exist.
guidelines is statement is for defining and best-practice
guidelines security to ensure provided to defined and maintaining
the from internal and company users on an ad incorporated
good-practice external sources and to information is not hoc basis.
into user guidelines. incorporate them into compromised. training
the organization's user programs. security guidelines. X.1 Security
Risk There is no An informal A published A specific party The risk
assessment Requirements assessment and framework undocumented risk
assessment is responsible and risk management of Systems risk of
risk risk and risk for defining and policies are management
assessment. assessment management maintaining the periodically
reviewed used for and risk procedure risk assessment to conform to
the analyzing management exists. and risk changing needs of the
security practice is management business. Changes are requirement
applied on an guidelines. made to the policy ad-hoc basis. An
archive is where required. kept of the risks identified and the
action taken to manage the risk. Safety check No safety An informal
There is a A specific party The safety checks are while procuring
checks are procedure documented is responsible regularly reviewed
to new program carried out exists whereby procedure that for
defining and ensure that they and software when new programs is
followed maintaining the conform to the procuring and software
before any software safety changing needs of the new are assessed
software is check business. There is a software. before being
purchased. guidelines. regular risk analysis is put in to the This
ensures Modifications to carried out to ensure operational that all
software vendor supplied safety of existing environment. purchased
packages are systems and This task in conforms to made to comply
compromise to their performed on company with system security is
controlled. an ad-hoc security requirements Emphasis is given on
basis. guidelines. and vendor quality certification of consent is
new products. obtained before doing so. X.2 Security in Validation
There is no An informal There is a A specific party The validation
control Application control while validation process exists
published is responsible procedure is regularly Systems data input
to of where data is standard which for defining and reviewed to
ensure that application information both verified describes the
maintaining the they conform to the system on before it is
validation tests validation changing needs of the Data validation
application entered in to that are control business. Periodic of
stored systems. applications performed. guidelines. audits are
performed of information and existing There is a data on
application Output Data data is documented systems to ensure
Validation verified. Basic process which compliance. tests like is
followed. Exceptions are noted, missing or documented and
incomplete corrective action is data, invalid taken. characters in
fields are performed on an ad-hoc basis. X.3 Cryptographic
Cryptographic There are There is an There is a A specific party The
cryptographic Controls control no informal documented is
responsible controls are regularly cryptographic practice procedure
for defining and reviewed to ensure that controls employed which
defines maintaining the they conform to the or existing whereby
some the steps which cryptography changing needs of the system
files are outlines which control business. Audits are architecture
encrypted. document guidelines. carried regularly to does not This
is done at classifications Separate key ensure that information
support the user need to be management that should be cryptography.
discretion and encrypted and procedures are encrypted is kept on an
ad-hoc the process to used for digital encrypted and that the
basis. be followed to signatures and encryption method achieve
this. encryption. used is adequate. Vulnerabilities There are There
is a There is a A specific party The key management of no key
process in documented is responsible system is regularly
cryptographic management place where by key for defining and
reviewed to ensure keys. procedures. suitable key management
maintaining the they conform to the Key management system which key
management changing needs of the management exists, based defines
the system. business. Key system. upon an steps to be Separate key
management needs are Documentation informal set of followed. This
management reviewed and changes of key standards, ensures that the
procedures are are made where management procedures and type of
used for digital necessary. Audits are system secure algorithm and
signatures and carried out to ensure (activation & methods.
length of keys encryption. that the organization de-activation are
considered Cryptographic maintains a recognized date, certificate
to identify level keys have certification authority information) of
defined to ensure key cryptographic activation and protection and
efficient protection deactivation key management. dates. All keys
are protected against modification and destruction in case of
private key compromise. X.4 Security of Protection and No change An
informal There is a A specific party The change control System
Files control of control procedure documented is responsible policy
is regularly system test procedure exists for standard for defining
and reviewed to ensure data. in place and change available to
maintaining the that it conforms to Change control no control. This
employs change control the changing needs procedure provisions task
is describing the guidelines. of the business. Control of for the
performed on procedures to Version control Version control
operational protection an ad-hoc follow to ensure for software logs
are audited and software of system basis. that the change update is
any exceptions are test data. control maintained and documented,
noted procedures are archives are kept and corrective followed of
all versions. action is taken if correctly necessary. X.5 Security
in Awareness of There is no An informal There is a A specific party
The software The new software is Development software process in
procedure documented is responsible update policy is put in a test
and Support upgrade to place to exists to standard for defining and
regularly reviewed environment to check Processes enhance the
monitor monitor available to maintaining the to ensure that it for
anomalies with security level security risk vendor web employees
software update conforms to the security policies posed by sites to
obtain describing the guidelines. An changing needs of before
software software procedures to archive is kept the business.
implementation installed on updates. This follow to ensure of all
software Periodic audits are machines. task is that all software
upgrades. performed of Software performed on installed on Change
control software upgrades upgrade an ad-hoc their machines
procedures and to ensure does not basis. is of the latest
contractual compliance. take into Security issues version.
agreements exist Exceptions are account the defined by the All
security to escalate noted, documented security of vendors are
issues with the security issues to and corrective the new only new
release appropriate action is taken if releases considered.
specific to levels and necessary. organizational remedy them.
system platform are identified and confirmed with the vendor. XI.1
Aspects of Contents of No plan. There is some There is a Employees
are Includes process Risk analysis of critical Business Business
knowledge of written and trained, and for improvement business
processes. Continuity Continuity what to do in properly training is
after each Identifies events that Management Process case of
disaster distributed plan. periodically invocation. can cause
interruptions Procedures and (e.g., based on Process refreshed. to
business processes, Schedules training or on includes: Plan
includes and includes assessment Included in the prior Fallback
alternate of the impact of those Process experience) procedures
communication interruptions. but no Resumption methods if
documented procedures communication process. Maintenance is
severely schedules affected. Process also includes: Assignment of
responsibilities Conditions for activation Development of Plan does
A set of There is a The The process is Business continuity
Business not exist. measures can written business management
reviewed in case process covers events Continuity Some be applied
in continuity chain of change in that are specific to the Process
awareness case of a process that responsible for system, staff,
local environment (i.e., Testing of of measures business includes
risks, executing the disaster recovery flood, power outage,
Business that can be interruption. events, roles business
contractor or political unrest, fire, Continuity taken in They do
not and continuity contract, hurricane, earthquakes, Process case
of a constitute responsibilities, process is business, etc.) and
business needs Review and business formal, technical define, and
all application, (i.e., credit card center Update of interruption.
defined, measures, managers and locations, or cannot be down more
Continuity Actions published, or reporting, and staff know what
legislation. than a few minutes) Process would occur managed plan.
communication. the chain is. Post-mortem Reasons that in an ad hoc
The plan has Testing occurs at reviews after Cause Review manner.
been tested at least annually execution with of the Plan least
once. and maintains documented the business improvement continuity
actions. process. XII.1 Compliance Restrictions in No Ad hoc
Systematic Clear Periodic review Copyright policy with Legal Place
on the restrictions restriction on restrictions, responsibility to
of the policy for Acquisition procedures Requirements Use of in
place. some documented, enforce the continuing Copyright awareness
Materials for documents based on the restrictions. improvement.
information Which There only. information Training is Periodic
review Maintenance of licenses May Be classification provided. of
the Check on software Intellectual Employees are restrictions to
held/used Property Rights aware. make sure Policy on software
they're disposal appropriate. Compliance with licenses Safeguards
No Some Clear Safeguards in Periodic review Personnel information
against loss, safeguards organizational responsibilities place
covering of systems in Copyright information destruction or
employed. data backed up to ensure that all place and Company
confidential falsification of No defined and secured. organization
organizational security of information organizational hierarchy as
Backups may records are not records. systems that deal Public web
sites records to whom be kept onsite. compromised. Training with
has access No logs kept Some user provided to organizational to
what of user activity is educate users. records. Each information.
activity. logged. Management incident is Organizational responsibly
to subject to a post data is kept ensure that mortem securely.
records are kept procedure that Documents are accurate and includes
a publicly secure. Access review of available that rights and
whether describe the privileges in applicable policy and place to
restrict policies were procedures that access to certain correctly
employees organizational communicated. should follow records. Web
Users are taught to maintain sites protected the incident integrity
and from reporting safety of defacement. procedures. Full
organizational Critical files audit logs records. identified and
maintained with protected against system falsification by
start/finish CRC checks, times, system etc. errors and corrective
action and name of person making alterations to the information.
Compliance Knowledge Data Legislation is Processes and There is a
with data of protection applied and procedures are regular process
protection legislation legislation is Data protection put in to
place in place to legislation is limited to discussed with
legislation is for monitoring review changes specific employees and
made available to ensure that the in legislation, or people or
contract or to employees in company is new needs of the departments
temporary a centralized continually business. (HR, Legal, personnel
location. compliant. The Training is etc.) and is upon hiring
Impact of responsibility to provided to not into specific
legislation and do so is clearly users to ensure documented.
departments. concerned data assigned. the continued has been
compliance with written up and legislation. The made available
process and to employees. responsibility to All affected receive,
processes investigate and include correct any appropriate reported
protection exception is steps. defined. Compliance of No Standards
and Standards and A clearly There is a regular Intellectual
Property information published codes of codes of designated process
in place to Rights systems with codes of practice are practice are
person or body review changes in Copyright published practice and
generally defined and has published standards Data Protection Act
standards or no understood but published responsibility for or
codes of codes of awareness are applied internally and the
reviewing, practice. Findings practice inconsistently are made
maintaining, and of non-compliance through the available to
training users on result in corrective organization. employees in a
the published action. centralized standards or location. codes of
practice. XII.2 Reviews of Documentation No Some Documents are
Responsibilities Documents are Laws on protection Security Policy
of regulatory documentation documentation made publicly are
assigned to created as soon as and/or correction of and Technical
and contractual exists. exists although available on the
individuals to there is a change in personal information Compliance
requirements it does not corporate web produce the contractual or
(employees and/or for each cover all site or on a documents as
regulatory clients, suppliers, information details of public notice
soon as a new requirements of the etc.) system
regulatory/contractual board. Full system is project. Procedures
for requirements documentation sourced. Documentation is disclosure
to proper for each IS. exists for Templates exist available to
authorities. There is no contractual and for the creation personnel
with ISO 9000 standard regulatory of documents correct clearance.
requirements document requirements and there is a Periodic
inventory Regulatory agencies template used, for all central of
information (e.g., FDA or FCC in documents are information
repository where systems includes the United States) created as and
systems in the they are stored. checks that when required
organization. The templates compliance by individual have
designated requirements exist. employees. owners. Exceptions
trigger There is no a well-defined central data process to review
store for the procedures in order documents to eliminate this (need
to ask risk. people who know). XII.3 System Audit Control Against
No controls Terms of use Terms of use of The Periodic reviews of
Considerations Computer or of computer organizations responsibility
of who is authorized Misuse safeguards equipment are computer
managers is to do what. Safeguard of in place discussed with
equipment are defined. Tools Information Audit Tools to employees
and available from a employed to gathered from Prevent Misuse
contract or centralized monitor usage of monitoring tools is
temporary location computer used to make personnel (Intranet site,
equipment. decisions for future upon hiring. office notice Staff
has well policy. boards, etc) defined roles There is an incident
and access rights review procedure. to computer file Periodic
"white systems. hat" intrusion Personnel are attempts are made made
aware that and followed by their computer corrective actions.
related activities are being monitored, and to what extent.
Review/Audit No process Occasionally Reviewed at A clearly There is
a defined of information is in place reviewed or intervals, but no
designated mechanism to systems to audited if clear person or body
review and upgrade ensure they are senior management has the policy
after in compliance management, responsibility to responsibility
for every security with security auditors, etc., trigger reviews
the process, and incident (Is policies and ask of exploit reviews
it anything missing standards results regularly. from the policy
that could have prevented the problem?) Coverage of No Few Clear
Audit tools are Safeguards in place System Regime coverage
safeguards in responsibilities only available covering all audit
(event logging) exists. place. Audit to ensure that for use by key
tools. Periodic tools are not audit tools are personnel. review of
systems managed not misused. Access rights in place and securely
and Training and privileges security of systems user access is
provided to are enforced to that audit systems. not monitored.
educate users. maintain Users are educated security. on the
importance of safeguarding their audit tools. Compliance of No
Standards and Standards and A clearly There is a regular
Intellectual Property information published codes of codes of
designated process in place to Rights systems with codes of
practice are practice are person or body review changes in
Copyright published practice and generally defined and has
published standards Data Protection Act standards or no understood
but published responsibility for or codes of codes of awareness are
applied internally and the reviewing, practice. Findings practice
inconsistently are made maintaining, and of non-compliance through
the available to training users on result in corrective
organization. employees in a the published action. centralized
standards or location. codes of practice.
* * * * *