Information Systems Governance Template

This template was purchased by AuditNet from a third party under a work for hire agreement. However, while we have attempted to provide accurate information no representation is made or warranty given as to the completeness or accuracy of the template. In particular, you should be aware that the template may be incomplete, may contain errors, or may have become out of date. While every reasonable precaution has been taken in the preparation of this template, neither the author nor AuditNet assumes responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. The information contained in this document is believed to be accurate. However, no guarantee is provided. Use this information at your own risk.
ACQUISITION, INCIDENT, BUSINESS CONTINUITY AND COMPLIANCE SECURITY

Reporting Year: 30 June 2012

Company:

Company Contact:
  email:
  Phone:
  Date:

Assessor:
  email:
  Phone:
  Date:

This checklist (once completed) should be classified: IN-CONFIDENCE
Principle 7 - System Acquisition, Development and Maintenance

Columns: # / Requirement / Example evidence of compliance / Status / Comments (e.g. risk of non-compliance). The Status field is a drop-down ("Choose") and the Comments column is left blank in the template.

7.1  System security requirements

7.1.1  Requirement: Security controls are commensurate with the security classifications of the information contained within, or passing across, information systems, network infrastructures and applications.
       Evidence: Company system security controls are commensurate with the highest level of security classification of the information stored and passing through the system.
       Status: Choose

7.1.2  Requirement: Security requirements are addressed in the specifications, analysis and/or design phases.
       Evidence: Business requirements for all systems include information security requirements.
       Status: Choose

7.1.3  Requirement: Internal and/or external audit have been consulted when implementing new or significant changes to financial or critical business information systems.
       Evidence: Records of audit results are documented for new or significant changes to financial or critical business information systems.
       Status: Choose

7.1.4  Requirement: Security controls have been established during all stages of system development, as well as when new systems are implemented and maintained in the operational environment.
       Evidence: Documented system security controls address the acquisition, development and maintenance stages.
       Status: Choose

7.1.5  Requirement: Appropriate change control, acceptance and system testing, planning and migration control measures have been carried out when upgrading or installing software in the operational environment.
       Evidence: Company records document that change control, acceptance and system testing, planning and migration control measures have been taken when upgrading or installing software.
       Status: Choose

7.1.6  Requirement: Accurate records must be maintained to show traceability from original business requirements to actual configuration and implementation, including appropriate justification and authorization.
       Evidence: Records of traceability from original business requirements to actual configuration and implementation are documented (including authorization).
       Status: Choose

7.2  Correct processing

7.2.1  Requirement: Access controls have been identified and implemented, including access restrictions and segregation/isolation of systems, in all infrastructures, business and user-developed applications.
       Evidence: Records of the identified access controls and their implementation are documented.
       Status: Choose

7.3  Cryptographic controls

7.3.1  Requirement: Authentication processes are consistent.
       Evidence: Authentication processes are consistent.
       Status: Choose

7.3.2  Requirement: Cryptographic controls are consistent with Policy.
       Evidence: Company records document cryptographic controls in line with Policy.
       Status: Choose

7.4  System files

7.4.1  Requirement: Access to system files is controlled to ensure the integrity of business systems, applications and data.
       Evidence: Access controls for system files are documented.
       Status: Choose

7.5  Secure development and support processes

7.5.1  Requirement: Processes (including data validity checks, audit trails and activity logging) have been established in applications to ensure development and support processes do not compromise the security of applications, systems or infrastructure.
       Evidence: Records of the processes for secure development have been documented.
       Status: Choose

7.6  Technical vulnerability management

7.6.1  Requirement: Processes to manage software vulnerability risks for all IT security infrastructure have been developed and implemented.
       Evidence: Existence of an audit log for all technical vulnerability procedures undertaken.
       Status: Choose

7.6.2  Requirement: A patch management program for operating systems, firmware and applications of all assets must be implemented to maintain vendor support, increase stability and reduce the likelihood of threats being exploited.
       Evidence: Patch management program is implemented and documented, including any tests that are carried out.
       Status: Choose




Number of Requirements: 13

Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partly Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0

Worksheet completion status: Incomplete

Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Company signoff: [Name], [Position], [Unit], [Department]

Principle 8 - Incident Management

Columns: # / Requirement / Example evidence of compliance / Status / Comments (e.g. risk of non-compliance). The Status field is a drop-down ("Choose") and the Comments column is left blank in the template.

8.1  Event/weakness reporting

8.1.1  Requirement: All information security incidents have been reported and escalated through appropriate management channels.
       Evidence: Copies of information security incident reports. Receipt of incident reports by relevant management channels.
       Status: Choose

8.1.2  Requirement: All information security incidents have been reported through appropriate authorities, if applicable.
       Evidence: Company records indicate that information security incidents are reported to appropriate authorities (e.g. police) where applicable.
       Status: Choose

8.1.3  Requirement: Responsibilities and procedures have been communicated to all employees, including contractors and third parties, for the timely reporting of information security events and incidents, including breaches, threats and security weaknesses.
       Evidence: Training attendance records, or documents signed by all employees, contractors and third parties, that document that they understand their responsibilities to report events/weaknesses and incidents.
       Status: Choose

8.2  Incident procedures

8.2.1  Requirement: Information security incident management procedures have been established to ensure appropriate responses in the event of information security incidents, breaches or system failures.
       Evidence: Company information security incident management procedures have been documented and cover the review of and response to incidents.
       Status: Choose

8.2.2  Requirement: All information security incidents caused by employees have been investigated.
       Evidence: Records of information security incident reports and corresponding investigations.
       Status: Choose

8.2.3  Requirement: Where a deliberate information security violation or breach has occurred, formal disciplinary processes have been applied.
       Evidence: Disciplinary processes for deliberate violations or breaches of information security policy have been approved by the senior executive management group/CEO. Where these incidents have occurred, Company records demonstrate that these processes have been applied.
       Status: Choose

8.2.4  Requirement: An information security incident and response register has been established and maintained. All incidents have been recorded within this register.
       Evidence: Existence of a current Company information security incident and response register.
       Status: Choose

8.2.6  Requirement: Information security incidents have been submitted monthly.
       Evidence: Reports have been submitted.
       Status: Choose




Number of Requirements: 8

Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partly Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0

Worksheet completion status: Incomplete

Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Company signoff: [Name], [Position], [Unit], [Department]

Principle 9 - Business Continuity Management

Columns: # / Requirement / Example evidence of compliance / Status / Comments (e.g. risk of non-compliance). The Status field is a drop-down ("Choose") and the Comments column is left blank in the template.

9.1  Business continuity

9.1.1  Requirement: Business continuity plans have been established to enable information and Company assets to be restored or recovered in the event of a major security failure.
       Evidence: Approved Company business continuity plan.
       Status: Choose

9.1.2  Requirement: Business continuity processes have been established to enable information and Company assets to be restored or recovered in the event of a major security failure.
       Evidence: Processes that enable the information environment to be restored or recovered in the event of a major information security failure have been approved.
       Status: Choose

9.1.3  Requirement: Business continuity processes have been established to assess the risk and impact of the loss of information and Company assets in the event of a security failure.
       Evidence: Business continuity risk and impact assessment processes have been approved. Company records indicate that these assessments are made, and inform the development of the Company's business continuity plan.
       Status: Choose

9.1.4  Requirement: Methods have been developed to reduce known risks to information and Company assets.
       Evidence: Existence of a risk register that documents how known risks will be managed.
       Status: Choose

9.1.5  Requirement: Business continuity plans have been maintained and tested to ensure information and Company assets are available and consistent with Company business and service level requirements.
       Evidence: Business continuity plan is regularly updated. Business continuity tests are conducted and any weaknesses identified as a result are addressed.
       Status: Choose

9.1.6  Requirement: A business impact analysis has been undertaken.
       Evidence: Records show that a business impact analysis has been undertaken, and the results have been used to reduce risks.
       Status: Choose

9.1.7  Requirement: All critical business processes and associated information and Company assets have been identified and prioritised.
       Evidence: Records show that all critical business processes and associated assets have been identified, prioritised and documented.
       Status: Choose

9.2  Company disaster recovery

9.2.1  Requirement: An information and Company asset disaster recovery register has been established to assess and classify systems to determine their criticality.
       Evidence: Existence of a disaster recovery register.
       Status: Choose

9.2.2  Requirement: A Company disaster recovery plan has been established to enable information and Company assets to be restored or recovered in the event of a disaster.
       Evidence: Approved disaster recovery plan.
       Status: Choose

9.2.3  Requirement: Company disaster recovery processes have been established to enable information and Company assets to be restored or recovered in the event of a disaster.
       Evidence: Processes that enable the information environment to be restored or recovered in the event of a disaster have been approved.
       Status: Choose

9.2.4  Requirement: Company disaster recovery processes have been established to assess the risk and impact of the loss of information and Company assets in the event of a disaster.
       Evidence: Disaster recovery risk and impact assessment processes have been approved. Company records indicate that these assessments are made, and inform the development of the Company's disaster recovery plan.
       Status: Choose

9.2.5  Requirement: Methods have been developed to reduce known risks to information and Company assets.
       Evidence: Existence of a risk register that documents how known risks will be managed.
       Status: Choose

9.2.6  Requirement: A Company disaster recovery plan has been maintained and tested to ensure information and Company assets are available and consistent with Company business and service level requirements.
       Evidence: Disaster recovery plan is regularly updated. Disaster recovery tests are conducted and any weaknesses identified as a result are addressed.
       Status: Choose

9.2.7  Requirement: Company disaster recovery plans must have clearly defined maximum acceptable downtimes.
       Evidence: Clearly defined maximum acceptable downtimes are documented within Company disaster recovery plans.
       Status: Choose

9.2.8  Requirement: Maximum acceptable downtimes for Company services must also be defined in service and operational level agreements with external parties.
       Evidence: Maximum acceptable downtimes for Company services are documented in all service and operational level agreements with external parties.
       Status: Choose

9.2.9  Requirement: Copies of Company disaster recovery plans must be stored in multiple locations, including at least one location offsite.
       Evidence: Copies of Company disaster recovery plans can be located in multiple locations, including at least one offsite location.
       Status: Choose




Number of Requirements: 16

Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partly Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0

Worksheet completion status: Incomplete

Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Company signoff: [Name], [Position], [Unit], [Department]

Principle 10 - Compliance Management

Columns: # / Requirement / Example evidence of compliance / Status / Comments (e.g. risk of non-compliance). The Status field is a drop-down ("Choose") and the Comments column is left blank in the template.

10.1  Legal requirements

10.1.1  Requirement: All legislative obligations relating to information security have been complied with and managed appropriately.
        Evidence: Company has identified and documented all its legal obligations relating to information security and its response to these.
        Status: Choose

10.1.2  Requirement: All information security policies have been reviewed for legislative compliance on a regular basis.
        Evidence: A list of legislation compliance has been developed and is cross-referenced against all information security policies on a regular basis (including when changes to legislation occur).
        Status: Choose

10.1.3  Requirement: The results of compliance reviews against information security policies have been reported to appropriate Company management.
        Evidence: Company management has signed off on the compliance review.
        Status: Choose

10.1.4  Requirement: All information security processes have been reviewed for legislative compliance on a regular basis.
        Evidence: A list of legislation compliance has been developed and is cross-referenced against all information security processes on a regular basis (including when changes to legislation occur).
        Status: Choose

10.1.5  Requirement: The results of compliance reviews against information security processes have been reported to appropriate Company management.
        Evidence: Company management has signed off on the compliance review.
        Status: Choose

10.1.6  Requirement: All information security requirements (including contracts with third parties) have been reviewed for legislative compliance on a regular basis.
        Evidence: A list of legislative compliance has been developed and is cross-referenced against all information security requirements (including contracts with third parties) on a regular basis (including when changes to legislation occur).
        Status: Choose

10.1.7  Requirement: The results of compliance reviews against all information security requirements (including contracts with third parties) have been reported to appropriate Company management.
        Evidence: Company management has signed off on the compliance review.
        Status: Choose

10.1.8  Requirement: Processes to ensure legislative compliance across all Company activities have been developed and implemented.
        Evidence: Company has identified and documented processes for assessing compliance against its information security related legal obligations. Company records indicate that these processes are being conducted.
        Status: Choose

10.2  Policy requirements

10.2.1  Requirement: All reporting obligations relating to information security have been complied with and managed appropriately.
        Evidence: Company has identified all reporting obligations and has documented compliance and management.
        Status: Choose

10.2.2  Requirement: This Information Security Compliance Checklist is submitted annually.
        Evidence: Completed information security compliance checklist submitted annually to the Company Policy and Coordination Office.
        Status: Choose

10.3  Audit requirements

10.3.1  Requirement: All reasonable steps have been taken to monitor, review and audit Company information security compliance.
        Evidence: Examples include: completed internal and external audit against legal and policy requirements; completed information security maturity assessment; accreditation with an appropriate standard.
        Status: Choose

10.3.2  Requirement: All reasonable steps have been taken to ensure the assignment of appropriate security roles.
        Evidence: Employees with information security roles and responsibilities have signed a document stating that they understand their roles and responsibilities.
        Status: Choose

10.3.3  Requirement: All reasonable steps have been taken to ensure the engagement of internal and/or external auditors and specialist organisations where required.
        Evidence: Examples include: completed internal and external audit against legal and policy requirements; completed information security maturity assessment; accreditation with an appropriate standard.
        Status: Choose




Number of Requirements: 13

Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partly Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0

Worksheet completion status: Incomplete

Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Company signoff: [Name], [Position], [Unit], [Department]

				