Check Sheet for Business Partners on ISM Criteria (Ver 1.9)
File: fb789b7d-fa46-43e6-a032-aed91e70f951.xls

Priority legend: Top priority / Medium priority / Low priority.
Columns per item: Allocated score, Answer, Remarks, Score. In this copy the allocated score is shown in brackets after each item ID, the Answer column reads "Not filled" for every item, and the Remarks and Score columns are empty (total score 0).

1 Establishment of Information Security Management Structure
  1-1 [3] An organizational structure for information security management is established.
  1-2 [3] Rules for information security are established and clearly documented.
  1-3 [2] For implementing information security items in the organization, a manager is identified and his/her roles and responsibilities are clarified.

2 Confidential Control for Information Assets

(1) Clarification of Confidential Information
  2-1-1 [3] Confidential information specified by Our Company, and any confidential information created from it, is identified in an information assets list (inventory list).
  2-1-2 [1] Appropriate security controls are applied to the confidential information listed in the management ledger.
  2-1-3 [2] The information assets list (inventory list) and the actual state of information management are regularly checked (reviewed) by a person in charge.

(2) Control for Exchanging Confidential Information
  2-2-1 [2] A management ledger is prepared for every vendor with whom you share confidential information.
  2-2-2 [3] A nondisclosure agreement (or a signed document for confidentiality obligation) that includes the following articles is concluded with the vendor:
    a) Confidentiality obligation
    b) The scope of information subject to non-disclosure
    c) The period of compliance (including unlimited)
    d) The purpose for which the information is used
    e) Access is limited to those who need to know for the task
    f) Controls to be applied to specified important confidential information
    g) Restrictions on copying specified important confidential information
    h) Return or disposal of information upon termination of the agreement
    i) Right to check how the information is stored or handled, such as by a hearing or audit by Panasonic
    j) Rights in case of breach of the confidentiality obligation by the third party (including articles on damage compensation and the right to injunction, etc.)
    k) Prohibition of re-commissioning by vendors without consent
    l) Prohibition of using a personally owned PC for business
  2-2-3 [2] Rules for exchanging confidential information between you and your vendors are established, equivalent to those between Our Company and you:
    a) All information passed to you from Our Company is, in principle, handled as internal use only (no disclosure to third parties).
    b) When exchanging/disclosing confidential information is necessary, Our Company's approval is sought in advance.
    c) Confidential information sent as an electronic file is encrypted.
  2-2-4 [1] The actual status of information security at your vendors is regularly surveyed.
  2-2-5 [2] The passing of confidential information between you and vendors is recorded:
    a) Rules are determined and mutually agreed with the other party when passing information assets between you and them.
    b) A record of actual communication (passing) is kept and managed.
  2-2-6 [2] Rules for returning/collecting information are determined between you and Our Company:
    a) The method of returning/collecting, including the time limit and the person in charge, is clarified when an operation ends.
  2-2-7 [2] Confidential information is exchanged/returned/collected according to the rules determined between you and Our Company.
  2-2-8 [1] When information is exchanged constantly via an e-commerce system or an electronic system for passing drawings, an agreement on confidentiality measures such as procedures and operating methods is concluded between you and Our Company and implemented:
    a) Procedures for sending/receiving, shipping/receiving, and their notification
    b) Methods of recording/reading information, and of transmitting it
    c) Responsibility and guaranty in case of data loss

(3) Physical Controls
  2-3-1 [1] Areas are sectioned so that entry by persons not concerned with a site/building/room can be limited.
  2-3-2 [1] There is a physical system to limit entry.
  2-3-3 [2] Entry is granted only to persons who need to know the information concerned:
    a) Permission to enter the room is given only to persons, and on occasions, judged necessary for business reasons by the manager.
    b) Logs are kept of everyone entering and/or exiting a room.
  2-3-4 [1] Walls, ID card authentication systems, surveillance cameras, sensors, etc. are installed when strengthening security.
    Example: Business Zone: logs are kept of all entries/exits with ID card authentication. Important Zone: entries/exits are monitored by a surveillance camera, and logs are kept of all entries/exits with ID card authentication.
  2-3-5 [1] Entry/exit logs (including their images) are regularly inspected.
  2-3-6 [1] There is a system to distinguish between employees and visitors:
    a) Your employees wear a name tag/ID card so that they can be distinguished from visitors.
  2-3-7 [1] There is a system so that only persons who need to know confidential information can access it:
    a) Confidential information is kept in a locker, locked with a key.
    b) The quantity of prototypes is managed and the number of accesses to them is kept to a minimum.

(4) Control for Taking-out/Bringing-in of Confidential Information/Recording Media/PCs, and their Disposal
  2-4-1 [2] Bringing PCs, mobile phones with built-in cameras, PDAs, music players, recording media (SD cards, USB memory), etc. into areas where confidential information is handled is prohibited, except for business reasons:
    a) Permission from a person in charge is required when bringing such items into those areas.
  2-4-2 [1] A personally owned PC is not used for business. Such PCs are also prohibited from being brought into the workplace.
  2-4-3 [1] A management ledger is kept for the recording media/PCs that are necessary for business.
  2-4-4 [3] Rules for taking out electronic media/PCs that are necessary for business are established and implemented:
    a) In principle, taking out a PC is prohibited. The hard disks of PCs that are taken out are encrypted, multiple passwords for login are set, confidential information is encrypted, etc.
  2-4-5 [2] A procedure for the disposal of paper documents containing confidential information has been established:
    a) Confidential documents are shredded, dissolved or burned in an incinerator.
  2-4-6 [2] A procedure for the disposal of confidential information, and of items such as prototypes in which confidential information is embodied, has been established:
    a) Items in which design information is embodied are destroyed so that the information can no longer be understood.
    b) An NDA (nondisclosure agreement) is concluded with industrial waste disposal contractors.

(5) Management of User IDs and Passwords of IT Systems
  2-5-1 [2] When accessing digitized information, individual IDs/passwords are used, and a record is kept of who accesses confidential information shared with Our Company.
  2-5-2 [1] There are rules for issuing IDs:
    a) Users do not share their ID with others.
    b) An ID issuing procedure and a person in charge of giving permission are determined.
  2-5-3 [1] There are management rules for passwords:
    a) Passwords that are not easily predicted are set. They are at least 6 characters long and include alphanumeric characters.
    b) Passwords are changed periodically, at least once every 30 days.
    c) Passwords are kept private.
  2-5-4 [1] The management status of IDs is checked regularly:
    a) Unused IDs, unauthorized IDs such as IDs issued to resigned staff, temporary IDs, etc. are checked.

(6) Control of Installing and Discarding Information Systems such as PCs and Servers
  2-6-1 [1] Internal networks are separated from external networks such as the Internet by installing a router/firewall.
  2-6-2 [1] A procedure has been established for the installation of IT systems.
  2-6-3 [2] Controls for IT systems have been established:
    a) Information for business use is stored on servers instead of individual PCs, and security controls for the servers are in place. When storing information from Our Company, please also confirm b) to g) below.
    b) Laptop PCs are locked away in a drawer or cabinet when the owner is not present.
    c) Desktop PCs are wired to firm objects such as desks.
    d) When a PC is taken out, the data on it is encrypted to prevent leakage of information if it is stolen.
    e) While taken out, the PC is carried by the user at all times.
    f) Passwords are set for the BIOS (starting up the PC), the OS (logging in to Windows) and the screen saver.
    g) When leaving your desk, the screen is locked or you log off, or the screen is set to lock automatically after a period of inactivity (around 5 minutes is recommended).
  2-6-4 [2] Rules for the disposal/reuse of IT systems (including replacement due to failure) have been established:
    a) These include that all information on the hard disk is completely deleted or the disk is physically destroyed.
  2-6-5 [1] Servers have been installed in appropriate places where security can be ensured.
  2-6-6 [1] Entry to server management locations is restricted:
    a) Servers containing confidential information are located in security-managed zones and stored in racks with locked doors, or an equivalent control is applied.

(7) Countermeasures against malicious programs
  2-7-1 [3] Countermeasures and rules against computer viruses and malicious programs have been established:
    a) A system administrator (or a provider) has specified the types and versions of anti-virus software and has already installed it.
  2-7-2 [2] Countermeasures and rules against computer viruses and malicious programs are in operation:
    a) Anti-virus software is permanently installed on each PC and fully enabled with active protection.
    b) Pattern files are regularly updated (more than once a day is recommended).
    c) All stored files are regularly scanned (more than once a week is recommended).
  2-7-3 [1] There is a self-inspection check sheet and an arrangement to check the implementation status of anti-virus countermeasures.
  2-7-4 [1] Rules are established to minimize damage by viruses:
    a) These include the physical response and how to report/notify at the time of a virus infection.
  2-7-5 [2] Installing/using file-sharing software such as Winny/Share is prohibited.
  2-7-6 [2] Management regularly confirms that prohibited software is not installed:
    a) Checks are made by the ISM Manager or with an automatic detection tool.

(8) Implementation of Backup
  2-8-1 [2] Rules for backup are established:
    a) The necessity/frequency of backup for important systems is discussed.
    b) Business continuity is secured.
  2-8-2 [1] Backup is regularly performed according to the rules.
  2-8-3 [1] Storage rules for backup data are established and followed:
    a) Proper management of all backup media for information systems that handle confidential information is confirmed in accordance with the confidentiality classification.

3 Personnel Controls

(1) Information Security Awareness, Education and Training
  3-1-1 [1] An educational program for information security is established:
    a) There is a system for educating all staff on information security (using videos, guide books, training, etc.) and an actual plan to educate them.
  3-1-2 [1] Information security education for managers, including organizational managers and project leaders, is provided regularly and an attendance record is maintained.
  3-1-3 [1] Information security education for all staff, including temporary employees, is provided. Your vendors should implement the same information security education for their staff. An attendance record is maintained:
    a) Information security education and regular education are implemented at every opportunity: when joining the company, being transferred, being promoted, and so on.
    b) Such education is implemented at the time of acceptance and on later occasions.
  3-1-4 [2] A self-check sheet for self-inspection is prepared and completed by all staff.
  3-1-5 [1] A system to correct nonconformities based on the results of the self-check is established:
    a) The Manager checks the results of the self-check and, where nonconforming items are found, gives instructions for improvement and records them.
  3-1-6 [1] Rules for clear desks (no confidential documents left on desks) and clear screens (a blank screen and a password-protected screen saver when away from the desk) are included in the self-check sheet.

(2) Signed document for confidentiality obligation from staff
  3-2-1 [1] An item on confidentiality is included in employment regulations or other rules; a signed document for nondisclosure should be obtained from staff.
  3-2-2 [1] An NDA is obtained from temporary staff on arrival:
    a) Confidentiality management equivalent to that for regular employees is implemented, and their NDAs are filed at their agency.
  3-2-3 [2] In the case of business outsourcing, the outsourcing company obtains a signed document for nondisclosure from its staff:
    a) Confidentiality management equivalent to that for regular employees is implemented in the outsourcing company, and their NDAs should be filed.

4 Information Security Incidents and Accidents Handling
  4-1 [1] There is a person in charge of communication/handling when an accident occurs, and an accident reporting structure is established:
    a) When a problem related to information security is discovered, when there is a perceived danger of its occurrence, or when an incident/accident or its trace is discovered, a structure for immediate reporting to Our Company has been established.
  4-2 [2] Regarding confidential information shared with Our Company, when the problem mentioned above and/or an incident/accident is discovered, or there is a perceived danger of their occurrence, there are rules to immediately inform Our Company:
    a) A reporting route and a time limit for reporting have been established and are shared with all staff.
  4-3 [1] A manual is maintained to clarify the procedure when information security incidents occur, covering the following points:
    a) The damage is assessed and emergency measures are taken to minimize the effects.
    b) The cause is investigated and tentative measures are taken.
    c) Measures are taken so that related persons can take self-defense measures in case of information leakage.
    d) If necessary, a public relations response/report to government authorities is made.
  4-4 [1] There are rules for recording the details of incidents and the actions taken when an incident occurs.
  4-5 [1] There is a system to promptly implement preventive measures against the incident and share them with all staff when an incident occurs.

5 Implementation of Information Security Management
  5-1 [3] The contents of the self-check on organizational information security activity have been determined:
    a) The contents enable you to check whether the rules for information security have been observed.
    b) They also include the items written on the check sheet of the supplementary clause.
  5-2 [2] The self-check is implemented regularly on an organizational basis:
    a) The self-check is implemented at least once every six months.
  5-3 [2] An improvement plan for nonconforming items based on the results of the self-check is developed:
    a) An ISM leader sets out an improvement plan that includes descriptions, the person in charge and timing, and implements it after obtaining approval from the ISM manager.

Total score: 0
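The ID and password management items of this sheet (2-5-3 and 2-5-4) describe checks that a partner can automate against an account inventory rather than answer by hand. The following Python script is an added example, not part of the check sheet or of any vendor's tooling: it validates a candidate password against the 2-5-3 a) rule (at least 6 characters; "include alphanumeric characters" is read here as requiring at least one letter and one digit) and audits a constructed list of accounts for the 2-5-4 a) conditions (IDs of resigned staff still enabled, expired temporary IDs, unused IDs) plus passwords older than the 30-day limit in 2-5-3 b). The 90-day threshold for "unused", the Account record layout and the sample data are assumptions, since the sheet does not specify them.

```python
"""Account-inventory audit for check-sheet items 2-5-3 and 2-5-4 (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

PASSWORD_MIN_LENGTH = 6       # 2-5-3 a): at least 6 characters
PASSWORD_MAX_AGE_DAYS = 30    # 2-5-3 b): changed at least once every 30 days
UNUSED_ID_DAYS = 90           # assumption: the sheet gives no threshold for "unused"


def password_meets_policy(password: str) -> bool:
    """2-5-3 a): length >= 6 and both letters and digits present
    (this example's reading of 'include alphanumeric characters')."""
    if len(password) < PASSWORD_MIN_LENGTH:
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return has_alpha and has_digit


@dataclass
class Account:
    """Hypothetical inventory record; field names are this example's own."""
    user_id: str
    owner_status: str                # "employed", "resigned" or "temporary"
    enabled: bool
    last_login: Optional[date]       # None means the ID has never been used
    password_changed: date
    expires: Optional[date] = None   # only meaningful for temporary IDs


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {user_id: [finding, ...]} for every enabled ID that violates
    2-5-4 a) or the 30-day password age rule of 2-5-3 b).
    Disabled IDs are skipped: they cannot be used and raise no finding."""
    findings: Dict[str, List[str]] = {}
    for acc in accounts:
        if not acc.enabled:
            continue
        issues: List[str] = []
        if acc.owner_status == "resigned":
            issues.append("id-of-resigned-staff-still-enabled")
        if acc.owner_status == "temporary" and acc.expires is not None and acc.expires < today:
            issues.append("temporary-id-past-expiry")
        if acc.last_login is None or (today - acc.last_login).days > UNUSED_ID_DAYS:
            issues.append("unused-id")
        if (today - acc.password_changed).days > PASSWORD_MAX_AGE_DAYS:
            issues.append("password-older-than-30-days")
        if issues:
            findings[acc.user_id] = issues
    return findings


# Constructed sample inventory for the demonstration (not real data).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "employed", True, date(2024, 5, 30), date(2024, 5, 15)),
    Account("bob", "resigned", True, date(2024, 1, 10), date(2024, 1, 1)),
    Account("temp01", "temporary", True, date(2024, 5, 28), date(2024, 5, 20),
            expires=date(2024, 5, 31)),
    Account("svc-old", "employed", True, None, date(2023, 12, 1)),
    Account("carol", "employed", False, date(2023, 3, 1), date(2023, 3, 1)),
]


if __name__ == "__main__":
    for pw in ("abc123", "abc12", "abcdef"):
        print(f"password {pw!r}: {'ok' if password_meets_policy(pw) else 'REJECTED'}")
    for user_id, issues in audit_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user_id}: {', '.join(issues)}")
```

Run as a script, it prints one line per non-compliant ID; in a real review the account list would be exported from the directory or application and the findings attached as evidence in the Remarks column for 2-5-4.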


				