Business Impact Analysis User Questionnaire

Technology Standard


Contingency Planning and Business Recovery Program
Business Impact Analysis User Questionnaire
Version: 1.0
Status: Approved: 02/21/07
Contact: Director, Technology Services



Completed alongside the Business Impact Analysis Template, this questionnaire helps assess
the existing safeguards and preventive controls a business unit relies on to mitigate loss or
deter specific threats, and the response mechanisms in place should a disruption occur. The
results can also inform the college's contingency plan and its security awareness training.

This questionnaire collects information from users and activity owners of information
technology resources on security procedures and practices for accessing critical or
sensitive information technology systems and applications. The Contingency Planning
Coordinator may use the template provided or create a more appropriate questionnaire.
The information should be tabulated as a component of the Business Impact Analysis
Executive Summary.

Users should check yes or no as requested. If a “no” answer is provided, the user should
further identify the risk. Comments may be provided. The Contingency Planning
Coordinator should summarize the answers within the Business Impact Analysis
Executive Summary Report.



QUESTIONS

1.   Is internet/intranet access limited to authorized personnel only?
     Check one:       Yes      No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response


     Comments:
2.   Are procedures in place to protect against unauthorized access?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:
3.   Are procedures in place to ensure that access to systems and applications is not
     totally dependent on one key person only?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


4.   Is staff access to systems and applications limited to only those who need access to
     perform their required job functions?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


5.   Are owners of the data responsible for determining appropriate levels of security for
     access to systems and applications?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


6.   Are students prevented from accessing employees’ desktops?
     Check one:       Yes      No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


7.   Is automatic screen-saver activation, with password protection, initiated after a
     specific period of inactivity on all desktop and laptop computers?
     Check one:       Yes      No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


8.   Are users formally trained on systems and applications necessary to perform their
     job functions?
     Check one:       Yes      No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:
9.   Are all employees adequately trained on data backup and recovery procedures?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


10. Have all IT users been formally notified of the VCCS ethics agreement?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


11. Are users held accountable for complying with the copyright licenses of off-the-shelf
    software?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


12. Are procedures documented for granting access privileges to new hires or employees
    whose job duties have changed?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response
     Comments:


13. Have all staff participated in an information security awareness training program to
    ensure they are aware of their security responsibilities and how to carry out those
    tasks?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


14. Are procedures for remote access to IT resources formally documented and
    enforced?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


15. Are procedures documented for granting or removing access privileges for
    contractors working on behalf of the college?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


16. Do trained and experienced system support personnel make all changes to software
    that resides on desktop computers?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


17. Are installation and utilization of unauthorized software prohibited?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


18. Are procedures in place to prevent unauthorized personnel from deleting, changing,
    or adding to databases or applications residing on a desktop?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


19. Is software installed on desktops checked for viruses and determined to be safe
    before it is installed?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response
     Comments:


20. Is all downloaded software checked for viruses before it is loaded on a user
    desktop?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


21. Is all software at current release levels and supported by the vendor?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


22. Are all updates for software researched and applied in a timely manner?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


23. Do users screen email to check for viruses before downloading it to a desktop?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


24. Are procedures documented for using critical systems and applications?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


25. Are backup procedures documented and followed by all staff?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


26. Are users responsible for their own backups?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


27. Are procedures and guidelines documented for restoring or requesting restoration of
    data?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


28. Are backups stored in a secure off-site location?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


29. Are CDs and disks labeled to include names of the owners of the data, creation dates,
    and an explanation of the content?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


30. Are critical or sensitive data prohibited from being stored on unprotected desktop
    computers and laptops or other portable storage devices even for short periods of
    time?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:
31. Does the physical location of desktop or laptop computers protect them against
    unauthorized physical access?
     Check one:       Yes      No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


32. Does the physical location of critical desktop or laptop computers protect them
    against threats such as fire and water or electrical problems?
     Check one:       Yes      No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


33. Is sensitive or confidential information transmitted electronically over internet or
    intranet only if the recipient has been properly authorized and authenticated?
     Check one:       Yes      No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


34. When sharing data with other agencies, are documented agreements in place that
    clearly state the degree and levels of security or protection required?
     Check one:       Yes      No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


35. Is sufficient documentation available to allow verification of data accuracy?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


36. Are all data files periodically reviewed by the data/application owners?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


37. Is there a documented procedure in place to address the disposal of confidential,
    sensitive, or critical data and printed information?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:
38. Are storage media (e.g. disks, CDs) appropriately purged of all data before being
    discarded or redistributed/reused?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


39. Is printed output that contains confidential information distributed in such a way as
    to ensure confidentiality?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


40. Is printed output that contains confidential information disposed of in such a way as
    to ensure confidentiality?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


41. Are hand-held fire extinguishers that do not damage electrical equipment visibly
    located near computer equipment?
     Check one:       Yes     No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


42. Are all security violations or system vulnerabilities reported to the security
    administrator and security staff?
     Check one:       Yes      No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


43. Has a contingency/disaster recovery plan been developed to ensure that systems can
    recover from potentially severe interruptions to normal processing?
     Check one:       Yes      No
     If No, identify risks:
         Aware of risk; need to correct
        Aware of risk; risk is acceptable
        Not applicable or no response

     Comments:


44. In your opinion, has this questionnaire identified all security weaknesses or
    vulnerabilities?
     Check one:       Yes      No
     If No, provide recommendations:

     Comments:




http://www.vccs.edu/its/models/indexold.htm
