Assessing Performance by zos95951

| Primary Security Domain | COBIT 4.0 Control Objective | ISO 27001/17799 | ISO 20000/ITIL Reference | Question Number | Question (Control Objective) Business Staff | Question Number | Question (Control Objective) IT Staff |
|---|---|---|---|---|---|---|---|
| I. Security Policy | PO6 Communicate Management Aims and Direction; PO4.14 Contracted Staff Policies and Procedures | 3.1 Information Security Policy; 4.1 Information Security Infrastructure | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls c) | 1 | Are you and members of your department aware of information security policies, and have you been provided with any type of awareness training or ongoing communications? | 1 | Has an information security policy framework been developed, including who is responsible for development, review, and approval of policies? |
| I. Security Policy | PO6 Communicate Management Aims and Direction; PO4.14 Contracted Staff Policies and Procedures | 3.1 Information Security Policy; 4.1 Information Security Infrastructure | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls c) | 2 | For policies that have been provided, are they supported and enforced by your department's leadership? | 2 | Has the policy framework been implemented, resulting in the creation of information security policies that are supported at the highest levels of the organization? |
| I. Security Policy | M1 Monitor the Processes; 1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting; M2 Assess Control Adequacy; 2.1 Internal Control Monitoring | 12.2 Reviews of Security Policy and Technical Compliance | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,e) | 3 | Is there a process in place to review employee compliance with organizational policies? | 3 | Does internal staff regularly monitor security controls to measure performance and adequacy? |
| I. Security Policy | M1 Monitor the Processes; 1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting; M2 Assess Control Adequacy | 12.2 Reviews of Security Policy and Technical Compliance | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,e) | | | 3.1 | If you answered yes to question 3, is effectiveness measured against security policy and regulatory/contract compliance? |
| I. Security Policy | M1 Monitor the Processes; 1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting; M2 Assess Control Adequacy; 2.1 Internal Control Monitoring | 12.2 Reviews of Security Policy and Technical Compliance | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,e) | 4 | Has your department or its employees ever requested an exception from policy items? | 4 | Is there a current process for defining and ongoing review of policy exceptions? |
| I. Security Policy | M1 Monitor the Processes; 1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting; M2 Assess Control Adequacy; 2.1 Internal Control Monitoring | 12.2 Reviews of Security Policy and Technical Compliance | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,e) | 4.1 | Are you familiar with the University's Risk Acceptance Process? | 4.1 | Are you familiar with the University's Risk Acceptance Process? |
| I. Security Policy | 11.18 Protection of Disposed Sensitive Information; 11.26 Archiving | 5.2.2 Information labeling and handling | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details) | 5 | Do policies and procedures exist for the handling of paper copy documents? | | |
| I. Security Policy | 11.27 Protection of Sensitive Messages | 3 Security Policy; 6.2.1 Information security education and training | 6.6 Information Security Management; 6.6.6 Controls (a,c,e) | 6 | Are you aware of email and Internet acceptable usage policies? | | |
| II. Organizational Security | PO1 Define a Strategic IT Plan; PO4.11 IT Staffing | 4.1 Information Security Infrastructure | 4 Planning and Implementing Service Management | 7 | Does your department collaborate with the IT department for purposes of strategic planning? | 5 | Is strategic IT planning performed to determine business requirements that could have an impact on technologies, staffing, and information security requirements? |
| II. Organizational Security | 4.2 Organizational Placement of the IT Function; 4.4 Roles and Responsibilities; 4.6 Responsibility for Logical and Physical Security | 4.1 Information Security Infrastructure; 6.11 Including Security in Responsibilities; 8.1 Operational procedures and responsibilities | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,d) | 8 | Are members of your department assigned responsibilities for information security, and if so, do they have specific directives for protecting critical information? | 6 | Has a security organizational structure been created that defines information security roles and responsibilities? |
| II. Organizational Security | PO7 Manage Human Resources; 7.1 Personnel Recruitment and Promotion; 7.2 Personnel Qualifications; 7.5 Cross-training or Staff Backup; 7.6 Personnel Clearance Procedures | 6.1 Personnel Security | 3.3.2 Professional Development a) Recruitment | 9 | Are background and reference checks performed and verified during the recruiting and hiring processes? | 7 | Are background and reference checks performed and verified during the recruiting and hiring processes? |
Fusion Alliance, Inc., University of Cincinnati Confidential, 7/7/2010
| Primary Security Domain | COBIT 4.0 Control Objective | ISO 27001/17799 | ISO 20000/ITIL Reference | Question Number | Question (Control Objective) Business Staff | Question Number | Question (Control Objective) IT Staff |
|---|---|---|---|---|---|---|---|
| II. Organizational Security | PO7 Manage Human Resources; 7.1 Personnel Recruitment and Promotion; 7.2 Personnel Qualifications; 7.5 Cross-training or Staff Backup; 7.6 Personnel Clearance Procedures | 6.1 Personnel Security | 3.3 Competence, Awareness, and Training | | | 8 | Are security skill requirements reviewed and mapped to current security staff capabilities, and evaluated against organizational security requirements? |
| II. Organizational Security | PO7 Manage Human Resources; 7.1 Personnel Recruitment and Promotion; 7.2 Personnel Qualifications; 7.5 Cross-training or Staff Backup | 6.1 Personnel Security | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details) | | | 9 | Are security skills redundant within staff members so that no critical security functions are dependent on a single employee? |
| II. Organizational Security | DS2 Manage Third-party Services; 2.4 Third-party Qualifications; 2.5 Outsourcing Contracts | 4.3 Outsourcing; 4.3.1 Security requirements in outsourcing contracts | 7.3 Supplier Management (See ISO 27001 mapping for additional details) | | | 10 | Are there specific criteria that a business partner or vendor must meet for security requirements? |
| II. Organizational Security | DS2 Manage Third-party Services; 2.6 Continuity of Services; 2.7 Security Relationships | 4.3 Outsourcing; 4.3.1 Security requirements in outsourcing contracts; 4.2, 4.3, 6.1, 6.3, 8.1, 8.7, 10.5 | 7.3 Supplier Management; 6.6.3 Security Risk Assessment Practices | 10 | Does your department include information security requirements in contracts with third parties that handle or change sensitive data or systems? | 11 | When partnering with a third party or contracting services, is a risk review performed to determine risks such as handling sensitive data and sharing proprietary information or intellectual property? |
| II. Organizational Security | DS5 Ensure Systems Security; 5.13 Counterparty Trust | 4.2.2 Security requirements in third party contracts; 4.3 Outsourcing; 4.3.1 Security requirements in outsourcing contracts | 7 Relationship Process; 7.3 Supplier Management; 7.3.2 Contract Management | | | 12 | Are business associate agreements or similar contracts that contain expected levels of security required for third party partners? Are those contracts typically included and signed for all partner access to systems? |
| III. Asset Classification and Control | PO2.3 Data Classification Scheme; PO4.7 Ownership and Custodianship; PO4.8 Data and System Ownership | 5.2 Information Classification | 6.62 Identifying and Classifying Information Assets | 11 | Do you know which of the data items in your department need to be protected? Do you have a way of identifying this data that is different from the words and vocabulary you use to identify data that does not need to be secured? | 13 | Has a data and/or asset classification scheme been developed and implemented, and does it map handling requirements to the classification levels? |
| III. Asset Classification and Control | PO2.3 Data Classification Scheme | 5.2 Information Classification | 6.62 Identifying and Classifying Information Assets | 12 | Do you know which computer systems in your department are used to process or store critical or private data? Are you aware of any mechanism to document any such systems? | 14 | Has an asset inventory system been implemented that includes asset criticality and/or classification ratings? |
| III. Asset Classification and Control | PO4.8 Data and System Ownership | 3 Security Policy; 7.2.5 Security of equipment off-premises; 8.7.2 Security of media in transit; 9.8.1 Mobile computing | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details) | 13 | Have you worked with members of the IT department to map out information flows into and out of the organization? | 15 | Have information flows and system movements into and out of systems and facilities been identified? Is there a policy that defines this flow of data, systems, and information? |
| III. Asset Classification and Control | PO8 Ensure Compliance with External Requirements; 8.4 Privacy, Intellectual Property and Data Flow | 3 Security Policy; 7.2.5 Security of equipment off-premises; 8.7.2 Security of media in transit; 9.8.1 Mobile computing | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details) | 13.1 | Have you worked with members of the IT department to map out systems movement (such as mobile devices) into and out of the organization? | 15.1 | Is there a policy that defines acceptable flow of data, systems, and information between third parties? |
| III. Asset Classification and Control | PO7 Manage Human Resources; 7.8 Job Change and Termination; PO4.8 Data and System Ownership | 7.2.5 Security of equipment off-premises; 8.7.2 Security of media in transit; 9.8.1 Mobile computing | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details) | 14 | Do you have the ability to track information, mobile or storage devices in the possession of employees and ensure safe return of those items upon employee termination? | | |
| III. Asset Classification and Control | DS9 Manage the Configuration; 9.1 Configuration Recording; 9.3 Status Accounting; 9.4 Configuration Control; 9.8 Software Accountability | 10.4.1 Control of operational software; 10.5.2 Technical review of operating system changes; 7.2 Equipment Security | 9.1 Configuration Management; 9.1.4 Configuration Status Accounting and Reporting | | | 16 | Is there a document or system that contains hardware, software, application, or operating system configurations for your department? |
| IX. Access Control | DS5 Ensure Systems Security; 5.3 Security of Online Access to Data; 5.4 User Account Management | 9.1 Business Requirement for Access Control | 6.6 Information Security Management; 6.6.7 Documents and Records d) control over access to information, assets, and systems | 15 | Do you provide IT with access requirements to information, data, and applications in use by your department? | 17 | Are there defined procedures for granting access levels to staff and third parties based on their job requirement to access the information? |
| IX. Access Control | DS5 Ensure Systems Security; 5.4 User Account Management; 5.5 Management Review of User Accounts; 5.21 Protection of Electronic Value | 9.2 User Access Management; 9.2.1 User registration; 9.2.4 Review of user access rights | 6.6 Information Security Management; 6.6.7 Documents and Records d) control over access to information, assets, and systems | 16 | Is a new employee or terminated employee process in place to add or remove employees' access to key systems and data? | 18 | Have the employees that add/remove user accounts been identified, and is account creation/removal logged so that the information can be audited or reviewed? |
| IX. Access Control | DS5 Ensure Systems Security; 5.2 Identification, Authentication and Access; 5.4 User Account Management; 5.5 Management Review of User Accounts; 5.6 User Control of User Accounts | 9.2.3 User password management | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.7 Documents and Records d) control over access to information, assets, and systems | 17 | Are you aware of requirements for the complexity or length of your password? | | |
                                                                                                                                                                                   Question                                                                         Question
   Primary Security Domain                     COBIT 4.0 Control Objective                         ISO 27001/17799                          ISO 20000/ITIL Reference                                   Question (Control Objective) Business Staff                                                 Question (Control Objective) IT Staff
                                                                                                                                                                                   Number                                                                           Number


IX. Access Control                DS5 Ensure Systems Security                           9.2.3 User password management             6.6 Information Security Management           18                         Do you change you password often?
                                  5.2 Identification, Authentication and Access                                                    6.6.1 General (See ISO Mapping for additional
                                  5.4 User Account Management                                                                      details)
                                  5.5 Management Review of User Accounts                                                           6.6.7 Documents and Records
                                  5.6 User Control of User Accounts                                                                  d) control over access to information,
                                                                                                                                   assets, and systems
IX. Access Control                DS5 Ensure Systems Security                           5.2.2 Information labeling and handling 6.6 Information Security Management           19              Do you ever utilize a password or userID that is shared between
                                  5.2 Identification, Authentication and Access         9.2 User Access Management              6.6.1 General (See ISO Mapping for additional                                        multiple employees?
                                  5.4 User Account Management                                                                   details)
                                  5.5 Management Review of User Accounts                                                        6.6.7 Documents and Records
IX. Access Control                5.6 User Control of User Accounts
                                  DS5 Ensure Systems Security                                                                     d) control over access to information,
                                                                                        5.2.2 Information labeling and handling 6.6 Information Security Management           20                 Use accounts that have system administrator rights only in
                                  5.2 Identification, Authentication and Access         9.2 User Access Management              6.6.1 General (See ISO Mapping for additional                 special situations, such as when installing software or configuring
                                  5.4 User Account Management                                                                   details)                                                                                 your system?
                                  5.5 Management Review of User Accounts                                                        6.6.7 Documents and Records
                                  5.6 User Control of User Accounts                                                               d) control over access to information,
                                                                                                                                assets, and systems
V. Physical and Environmental Security
  COBIT 4.0: DS12 Manage Facilities; 12.1 Physical Security
  ISO 27001/17799: 7.1 Secure Areas; 7.2 Equipment Security
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details)
  Business Staff Q21: Is access to your work areas or facilities controlled, monitored, and recorded?
  IT Staff Q19: Are physical security controls implemented for key IT systems such as the data center, and has a third party assessed those controls for their level of effectiveness?

VI. Equipment Security
  COBIT 4.0: PO6 Communicate Management Aims and Direction; 6.3 Communication of Organization Policies; 6.6 Compliance with Policies, Procedures and Standards; 6.11 Communication of IT Security Awareness; PO8 Ensure Compliance with External Requirements; 8.4 Privacy, Intellectual Property and Data Flow; DS7 Educate and Train Users
  ISO 27001/17799: 9.8.1 Mobile computing
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details)
  Business Staff Q22: Do employees in your department understand the requirements to protect mobile devices that contain sensitive or critical data?
  IT Staff Q20: Has a policy been defined and implemented that outlines security for mobile devices such as laptops and PDAs, and for mobile storage such as flash drives?
VII. General Controls
  COBIT 4.0: PO9 Assess Risks; 9.1 Business Risk Assessment; 9.3 Risk Identification; DS5 Ensure Systems Security; 5.8 Data Classification
  ISO 27001/17799: 4.2.1 Identification of risks from third party access; 12.3 System Audit Considerations; 12.3.1 System audit controls
  ISO 20000/ITIL: 6.6.3 Security Risk Assessment Practices; 6.6.4 Risks to Information Assets
  Business Staff Q23: Has your department worked with the IT or Information Security department to identify risks to key systems and data for your department?
  IT Staff Q21: Have you worked with departments in the organization to assess risks to critical data or systems, and the resulting impact to the business should those risks be realized?
VII. General Controls
  COBIT 4.0: PO9 Assess Risks; 9.5 Risk Action Plan; AI1 Identify Automated Solutions; 1.9 Cost-effective Security Controls
  ISO 27001/17799: 4.2.1 Identification of risks from third party access; 12.3 System Audit Considerations; 12.3.1 System audit controls
  ISO 20000/ITIL: 6.6.3 Security Risk Assessment Practices; 6.6.4 Risks to Information Assets
  IT Staff Q22: Have the high-risk areas identified through risk assessment activities been prioritized, and has a plan to remediate those risks in priority order been developed?
VII. General Controls
  COBIT 4.0: AI1 Identify Automated Solutions; 1.1 Definition of Information Requirements; DS7 Educate and Train Users
  ISO 27001/17799: No direct mapping (see COBIT mapping for additional details)
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see COBIT mapping for additional details)
  IT Staff Q23: Does the automation of business processes through IT systems introduce additional risk to the security of information, and have you worked to identify the automated processes that might carry those risks?
VII. General Controls
  COBIT 4.0: DS11 Manage Data; 11.1 Data Preparation Procedures; 11.2 Source Document Authorization Procedures; 11.3 Source Document Data Collection; 11.4 Source Document Error Handling; 11.7 Accuracy, Completeness and Authorization Checks; 11.8 Data Input Error Handling; 11.9 Data Processing Integrity; 11.10 Data Processing Validation and Editing; 11.11 Data Processing Error Handling; 11.14 Output Balancing and Reconciliation; 11.15 Output Review and Error Handling; 11.27 Protection of Sensitive Messages; 11.29 Electronic Transaction Integrity
  ISO 27001/17799: 8.7.3 Electronic commerce security; 10.2 Security in Application Systems; 10.3 Cryptographic Controls
  ISO 20000/ITIL: 9.1.3 Configuration Control; 10.1.5 Design, Build and Configure Release, b) ensure that integrity is maintained during build, installation, packaging, and delivery
  Business Staff Q24: Are automated or manual processes in place to ensure the accuracy, validity, and non-repudiation of transactions in your department?
  IT Staff Q24: Have integrity controls been implemented in systems that process transactions to verify accuracy, validity, and non-repudiation?

VII. General Controls
  COBIT 4.0: M1 Monitor the Processes; 1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting; M2 Assess Control Adequacy; 2.1 Internal Control Monitoring
  ISO 27001/17799: 12.2 Reviews of Security Policy and Technical Compliance
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details); 6.6.3 Security Risk Assessment Practices
  IT Staff Q25: Is regular security assessment and testing performed that includes activities such as penetration testing, vulnerability scanning, and policy and configuration review?

             Fusion Alliance, Inc. , University of Cincinnati Confidential                                                                                                    7/7/2010                                                                                                                                                                 Page 3
VII. General Controls
  COBIT 4.0: M3 Obtain Independent Assurance; 3.3 Independent Effectiveness Evaluation of IT Services; 3.4 Independent Effectiveness Evaluation of Third-party Service Providers; 3.5 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments; 3.6 Independent Assurance of Compliance with Laws and Regulatory Requirements by Third-party Service Providers; 3.7 Competence of Independent Assurance Function
  ISO 27001/17799: No relevant mapping
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details); 6.6.6 Controls, f) expert help on risk assessment and control implementation
  IT Staff Q26: Does your organization engage the services of a trusted advisor to assess information security controls and provide guidance on areas of weakness or vulnerability?
VII. General Controls
  COBIT 4.0: 11.18 Protection of Disposed Sensitive Information
  ISO 27001/17799: 5.2.2 Information labeling and handling
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details)
  Business Staff Q25: Does your organization have a secure disposal process for paper documents containing sensitive information?
  IT Staff Q27: (no question text on the page)

VII. General Controls
  COBIT 4.0: 11.18 Protection of Disposed Sensitive Information
  ISO 27001/17799: 5.2.2 Information labeling and handling
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details); 6.6.5 Security and Availability of Information, a) disclosure of sensitive information to unauthorized parties; 6.6.6 Controls, f) expert help on risk assessment and control implementation
  Business Staff Q26: Have you ever had to disclose a loss or leak of sensitive information to a student?
  IT Staff Q28: (no question text on the page)
VII. General Controls
  COBIT 4.0: 11.26 Archiving; 11.27 Protection of Sensitive Messages
  ISO 27001/17799: 8.7.4 Security of electronic mail
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details)
  Business Staff Q27: Do you know how long your email is retained?
VII. General Controls
  COBIT 4.0: 11.26 Archiving; 11.27 Protection of Sensitive Messages
  ISO 27001/17799: 8.7.4 Security of electronic mail
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details)
  Business Staff Q28: Do you archive email, and if so, where do you store the archive?
VIII. Communications & Operations Management
  COBIT 4.0: PO9 Assess Risks; AI3-3.6 Acquire and Maintain Technology Infrastructure; PO11 Manage Quality
  ISO 27001/17799: 10 Systems Development and Maintenance; 8.1.5 Separation of development and operational facilities
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details)
  IT Staff Q29: If you answered yes to question 17, do you prioritize patches and perform testing to determine their suitability for implementation on production systems?
VIII. Communications & Operations Management
  COBIT 4.0: AI4 Develop and Maintain Procedures; 4.2 User Procedures Manual; 4.3 Operations Manual; 4.4 Training Materials; DS7 Educate and Train Users; 7.1 Identification of Training Needs
  ISO 27001/17799: 6.2 User Training
  ISO 20000/ITIL: 3.3 Competence, Awareness, and Training; 3.3.1 General; 3.3.2 Professional Development
  Business Staff Q29: Are information security related procedures integrated into work procedures, and are employees in your department provided any security awareness training?
  IT Staff Q30: Are specific work procedures either documented or provided verbally? If so, is security integrated into the procedures?
VIII. Communications & Operations Management
  COBIT 4.0: DS5 Ensure Systems Security; 5.19 Malicious Software Prevention, Detection and Correction
  ISO 27001/17799: 8.3 Protection against Malicious Software
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details)
  Business Staff Q30: Do all of your systems have antivirus and antispyware software, and do employees ever disable or remove the software?
  IT Staff Q31: Do all systems in your department have current anti-virus software installed, and are definition files updated on a regular basis (preferably every day)?
VIII. Communications & Operations Management
  COBIT 4.0: DS5 Ensure Systems Security; 5.19 Malicious Software Prevention, Detection and Correction
  ISO 27001/17799: 8.3 Protection against Malicious Software
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details)
  Business Staff Q30.1: If you answered yes to question 30, do employees ever disable or remove the software?
  IT Staff Q31.1: If you answered yes to question 32, are definition files updated on a regular basis (preferably every day)?
X. Systems Development and Maintenance
  COBIT 4.0: AI3 Acquire and Maintain Technology Infrastructure; 3.1 Assessment of New Hardware and Software; DS8 Assist and Advise Customers; PO11 Manage Quality; 11.9 Acquisition and Maintenance Framework for the Technology Infrastructure
  ISO 27001/17799: 10.1 Security Requirements of Systems; 10.1.1 Security requirements analysis and specification
  ISO 20000/ITIL: 7.3 Supplier Management
  IT Staff Q32: Is security an integrated component of the evaluation and selection of Information Technology solutions?
X. Systems Development and Maintenance
  COBIT 4.0: PO9 Assess Risks; 9.1 Business Risk Assessment; 9.3 Risk Identification; AI3-3.6 Acquire and Maintain Technology Infrastructure; 11.9 Acquisition and Maintenance Framework for the Technology Infrastructure
  ISO 27001/17799: 8.1.2 Operational change control; 10.5.1 Change control procedures; 10.1 Security Requirements of Systems; 10.1.1 Security requirements analysis and specification; 12.3.1 System audit controls
  ISO 20000/ITIL: 6.6.3 Security Risk Assessment Practices
  IT Staff Q33: Is a risk review performed prior to the implementation of new infrastructure (routers, switches, servers, firewalls, etc.)?
X. Systems Development and Maintenance
  COBIT 4.0: PO9 Assess Risks; AI3-3.6 Acquire and Maintain Technology Infrastructure; PO11 Manage Quality
  ISO 27001/17799: 10 Systems Development and Maintenance
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details)
  IT Staff Q34: Is there a defined process for monitoring vendors for software patches or vulnerabilities that affect the infrastructure systems in production?
X. Systems Development and Maintenance
  COBIT 4.0: AI5 Install and Accredit Systems; 5.7 Testing of Changes; 5.11 Operational Test; 5.12 Promotion to Production
  ISO 27001/17799: 8.2 System Planning and Acceptance; 8.1.5 Separation of development and operational facilities
  ISO 20000/ITIL: 10 Release Process; 10.1.2 Release Policy, c) authority of release into acceptance test and production environments
  IT Staff Q35: Are changes to existing systems or new implementations performed in a test environment separate from production systems?
X. Systems Development and Maintenance
  COBIT 4.0: AI5 Install and Accredit Systems; 5.9 Final Acceptance Test; 5.13 Evaluation of Meeting User Requirements; 5.14 Management's Post-implementation Review
  ISO 27001/17799: 8.2.2 System acceptance
  ISO 20000/ITIL: 10 Release Process; 10.1.2 Release Policy, g) verification and acceptance of release
  Business Staff Q32: Does your department review and accept new technology system functionality, and is information security a component of the review and acceptance process?
  IT Staff Q36: Is acceptance testing a part of the pre-production testing process, and does acceptance include both key IT and business personnel?
X. Systems Development and Maintenance
  COBIT 4.0: AI5 Install and Accredit Systems; 5.7 Testing of Changes; AI6 Manage Changes; 6.4 Emergency Changes
  ISO 27001/17799: 8.1.2 Operational change control; 10.5 Security in Development and Support Processes; 10.5.1 Change control procedures; 10.5.2 Technical review of operating system changes; 10.5.3 Restrictions on changes to software packages
  ISO 20000/ITIL: 10 Release Process; 10.1.2 Release Policy, c) authority of release into acceptance test and production environments, g) verification and acceptance of release; 9.2 Change Management
  Business Staff Q33: Do you review or test any changes to your systems and applications before the IT department implements those changes?
  IT Staff Q37: Is a formal or informal change management function practiced for changes to systems? Does it include changes to configuration, including patching and functionality?
X. Systems Development and Maintenance
  COBIT 4.0: AI5 Install and Accredit Systems; 5.7 Testing of Changes; AI6 Manage Changes; 6.4 Emergency Changes
  ISO 27001/17799: 8.1.2 Operational change control; 10.5 Security in Development and Support Processes; 10.5.1 Change control procedures; 10.5.2 Technical review of operating system changes; 10.5.3 Restrictions on changes to software packages
  ISO 20000/ITIL: 9.2 Change Management; 9.2.4 Change management reporting, analysis, and actions
  IT Staff Q38: Is there a log or document that records all changes, including who reviewed the changes, the testing performed, back-out plans, acceptance or denial, and who performed the changes?
XI. Business Continuity
  COBIT 4.0: DS4 Ensure Continuous Service; 4.2 IT Continuity Plan Strategy and Philosophy; 4.4 Minimizing IT Continuity Requirements; 4.10 Critical IT Resources; DS10 Manage Problems and Incidents; 10.1 Problem Management System; 10.2 Problem Escalation; DS12 Manage Facilities; 12.6 Uninterruptible Power Supply
  ISO 27001/17799: 11 Business Continuity Management; 11.1.2 Business continuity and impact analysis
  ISO 20000/ITIL: 6.3 Service Continuity and Availability Management; 6.3.4 Service Continuity Planning and Testing
  Business Staff Q34: Has your department worked with the IT or Information Security department to identify the core systems, applications, and information, in order to determine the impact to the department in the event of unavailability, loss, theft, or disclosure?
  IT Staff Q39: Has a business impact analysis been performed with regard to identifying critical or sensitive information?
XI. Business Continuity
  COBIT 4.0: DS4 Ensure Continuous Service; 4.2 IT Continuity Plan Strategy and Philosophy; 4.4 Minimizing IT Continuity Requirements; 4.10 Critical IT Resources; DS10 Manage Problems and Incidents; 10.1 Problem Management System; 10.2 Problem Escalation; DS12 Manage Facilities; 12.6 Uninterruptible Power Supply
  ISO 27001/17799: 11 Business Continuity Management; 11.1.3 Writing and implementing continuity plans; 11.1.4 Business continuity planning framework
  ISO 20000/ITIL: 6.3 Service Continuity and Availability Management; 6.3.4 Service Continuity Planning and Testing
  IT Staff Q40: If you answered yes to question 26, have provisions been made to ensure that critical information is available for mission-critical business processes in the event of a security incident?
XI. Business Continuity
  COBIT 4.0: DS4 Ensure Continuous Service; 4.3 IT Continuity Plan Contents; 4.9 User Department Alternative Processing Backup Procedures
  ISO 27001/17799: 11 Business Continuity Management; 11.1.3 Writing and implementing continuity plans
  ISO 20000/ITIL: 6.3 Service Continuity and Availability Management; 6.3.3 Service Continuity Strategy, a) maximum acceptable period of lost service
  Business Staff Q35: Does your department have required timeframes for recovering each of the core systems, applications, or information that affect the department's operations?
  IT Staff Q41: Does your department have the ability to identify and resolve such incidents in a timeframe consistent with business operational requirements?
XI. Business Continuity
  COBIT 4.0: DS4 Ensure Continuous Service; 4.2 IT Continuity Plan Strategy and Philosophy; 4.10 Critical IT Resources; DS10 Manage Problems and Incidents; 10.1 Problem Management System; 10.2 Problem Escalation
  ISO 27001/17799: 11.1 Aspects of Business Continuity Management; 11.1.3 Writing and implementing continuity plans
  ISO 20000/ITIL: 6.3 Service Continuity and Availability Management; 6.3.4 Service Continuity Planning and Testing
  Business Staff Q36: Are you aware of procedures or contact listings for use in the event of a disaster involving your facility and IT systems?
  IT Staff Q42: Has your department developed business continuity or disaster recovery plans that include maintaining or restoring basic IT resources during a disaster or outage?
XI. Business Continuity          DS4 Ensure Continuous Service                       11.1 Aspects of Business Continuity    6.3 Service Continuity and Availability       37             Has your department been involved with any testing of disaster        43         Are these plans tested on a recurring basis and updated as required depending
                                 4.3 IT Continuity Plan Contents                     Management                             Management                                                                             plans?                                                                            on the outcome of tests?
                                 4.9 User Department Alternative Processing Backup   11.1.5 Testing, maintaining and re-    6.3.4 Service Continuity Planning and Testing
                                 Procedures                                          assessing business continuity plans
XI. Business Continuity          DS4 Ensure Continuous Service                       8.4 Housekeeping                       6.3 Service Continuity and Availability       38             Do employees in your department have access to store files on         44             Has the IT staff collaborated with key business users to make sure that
                                 4.6 Testing the IT Continuity Plan                  8.4.1 Information back-up              Management                                                   network folders that are backed up on a daily basis? If so, have                    business critical information is backed up and available offsite? If so, have
                                 4.12 Offsite Backup Storage                         11.1 Aspects of Business Continuity    6.3.4 Service Continuity Planning and Testing                  you been able to successfully restore data when required?                                        restore operations been tested successfully?
                                 DS11 Manage Data                                    Management
                                 11.23 Backup and Restoration
                                 11.24 Backup Jobs
                                 11.25 Backup Storage
XII. Compliance                  PO8 Ensure Compliance with External Requirements    12.1 Compliance With Legal             6.6.5 Security and Availability of Information   39             Are any regulatory requirements relevant to information your        45         Does an employee responsible for information security review requirements for
                                 8.1 External Requirements Review                    Requirements                                                                                           department creates or stores? Examples of potential legal or                     regulatory compliance and legal obligations and collaborate with executive
                                 8.2 Practices and Procedures for Complying with                                                                                                        regulatory requirements are; PCI Compliance (Visa, MasterCard),                      leadership and legal counsel to determine which issues are relevant to the
                                 External Requirements                                                                                                                                       HIPAA (Healthcare), GLB (Insurance, Financial), software                     organization? Examples include PCI Compliance (Visa, MasterCard), HIPAA (Healthcare), GLB
                                 8.3 Safety and Ergonomic Compliance                                                                                                                     licensing, intellectual property rights, contractual obligations, etc.           (Insurance, Financial), software licensing, intellectual property rights, contractual obligations, etc.
                                 8.4 Privacy, Intellectual Property and Data Flow
                                 8.5 Electronic Commerce
                                 8.6 Compliance With Insurance Contracts

            Fusion Alliance, Inc. , University of Cincinnati Confidential                                                                                                7/7/2010                                                                                                                                                                                     Page 5
XII. Compliance
  COBIT 4.0 Control Objective:   DS5 Ensure Systems Security; 5.7 Security Surveillance; 5.11 Incident Handling
  ISO 27001/17799:               12.1 Compliance with Legal Requirements; 12.3 System Audit Considerations; 9.7 Monitoring System Access and Use; 12.2.1 Compliance with security policy; 12.2.2 Technical compliance checking; 6.3 Responding to Security Incidents and Malfunctions
  ISO 20000/ITIL Reference:      6.6.6 Controls c) (see ISO 27001 mapping for additional detail)
  Question 40 (Business Staff):  Does your department have the ability to monitor employee behavior with regard to compliance with organizational policies and/or identify illegal activities?
  Question 46 (IT Staff):        Have you deployed processes and/or automated alerts so that policy violations and intrusive behavior can be identified? This includes things such as account lockout alerts, intrusion detection systems, virus alerting, intellectual property violations, etc.

XII. Compliance
  COBIT 4.0 Control Objective:   DS9 Manage the Configuration; 9.5 Unauthorized Software; 9.8 Software Accountability
  ISO 27001/17799:               5.1.1 Inventory of assets; 12.1 Compliance with Legal Requirements; 12.1.2 Intellectual property rights
  ISO 20000/ITIL Reference:      9.1 Configuration Management; 9.1.2 Configuration Identification e) licenses; 9.1.4 Configuration Status Accounting and Reporting
  Question (Business Staff):     (none for this control)
  Question 47 (IT Staff):        Is there a software licensing inventory that provides the ability to effectively review and manage for license compliance, and is there an ongoing process to review licenses?

XII. Compliance
  COBIT 4.0 Control Objective:   DS11 Manage Data; 11.5 Source Document Retention; 11.19 Storage Management; 11.20 Retention Periods and Storage Terms; 11.26 Archiving
  ISO 27001/17799:               8.6 Media Handling and Security; 12 Compliance; 12.1.3 Safeguarding of organizational records; 12.1.4 Data protection and privacy of personal information
  ISO 20000/ITIL Reference:      6.6 Information Security Management; 6.6.1 General (see ISO mapping for additional details)
  Question 41 (Business Staff):  Are you aware of legal or organizational policy requirements to retain data? (Examples could include financial, health, or transaction history / information.)
  Question 48 (IT Staff):        Is there a policy and/or standard that defines data retention requirements?
Response Sheet

Each question on the preceding pages has a corresponding row on the response sheet with the following columns:

  Answer                                                      Yes / No / Somewhat / Not Applicable
  Describe Existing Key Security Controls Supporting This Question
  Describe Key Weaknesses Relative to This Question
  Describe any Current Projects Relative to This Question
  Current Maturity Rating (please read FAQ for definitions)   0 - Non Existent; 1 - Initial / Ad-Hoc; 2 - Repeatable but Intuitive
                                                              (the complete 0 to 5 scale used in the summary is defined below)
  Primary Security Domain

Rows on the response sheet, grouped by Primary Security Domain:

  I. Security Policy                              8 rows
  II. Organizational Security                     8 rows
  III. Asset Classification and Control           6 rows
  IX. Access Control                              6 rows
  V. Physical and Environmental Security          1 row
  VI. Equipment Security                          1 row
  VII. General Controls                           10 rows
  VIII. Communications & Operations Management    4 rows
  X. Systems Development and Maintenance          7 rows
  XI. Business Continuity                         6 rows
  XII. Compliance                                 4 rows

In this copy only the first row (I. Security Policy) carries entries, an Answer of "Not Applicable" and a Current Maturity Rating of 1; every other response cell is blank.
Security Control Maturity Rating

One rating per domain, chosen from: 0 - Non Existent, 1 - Initial / Ad-Hoc, 2 - Repeatable but Intuitive, 3 - Defined Process, 4 - Managed and Measurable, 5 - Optimized.

  Information Security Domains                    Rating
  I. Security Policy
  II. Organizational Security
  III. Asset Classification and Control
  IV. Personnel Security
  V. Physical and Environmental Security
  VI. Equipment Security
  VII. General Controls
  VIII. Communications & Operations Management
  IX. Access Control
  X. Systems Development and Maintenance
  XI. Business Continuity
  XII. Compliance
Maturity level definitions

0 - Non Existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.

1 - Initial / Ad-Hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

2 - Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3 - Defined Process: Procedures have been standardized and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

4 - Managed and Measurable: It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 - Optimized: Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
PO1 Define a Strategic IT Plan
1.1 IT as Part of the Organization’s Long and Short Range Plan
1.2 IT Long-range Plan
1.3 IT Long-range Planning—Approach and Structure
1.4 IT Long-range Plan Changes
1.5 Short-range Planning for the IT Function
1.6 Communication of IT Plans
1.7 Monitoring and Evaluating of IT Plans
1.8 Assessment of Existing Systems
PO2 Define the Information Architecture
2.1 Information Architecture Model
2.2 Corporate Data Dictionary and Data Syntax Rules
2.3 Data Classification Scheme
2.4 Security Levels
PO3 Determine Technological Direction
3.1 Technological Infrastructure Planning
3.2 Monitor Future Trends and Regulations
3.3 Technological Infrastructure Contingency
3.4 Hardware and Software Acquisition Plan
3.5 Technology Standards
PO4 Define the IT Organization and Relationships
4.1 IT Planning or Steering Committee
4.2 Organizational Placement of the IT Function
4.3 Review of Organizational Achievements
4.4 Roles and Responsibilities
4.5 Responsibility for Quality Assurance
4.6 Responsibility for Logical and Physical Security
4.7 Ownership and Custodianship
4.8 Data and System Ownership
4.9 Supervision
4.10 Segregation of Duties
4.11 IT Staffing
4.12 Job or Position Descriptions for IT Staff
4.13 Key IT Personnel
4.14 Contracted Staff Policies and Procedures
4.15 Relationships
PO5 Manage the IT Investment
5.1 Annual IT Operating Budget
5.2 Cost and Benefit Monitoring
5.3 Cost and Benefit Justification
PO6 Communicate Management Aims and Direction
6.1 Positive Information Control Environment
6.2 Management’s Responsibility for Policies
6.3 Communication of Organization Policies
6.4 Policy Implementation Resources
6.5 Maintenance of Policies
6.6 Compliance with Policies, Procedures and Standards
6.7 Quality Commitment
6.8 Security and Internal Control Framework Policy
6.9 Intellectual Property Rights
6.10 Issue-specific Policies
6.11 Communication of IT Security Awareness
PO7 Manage Human Resources
7.1 Personnel Recruitment and Promotion
7.2 Personnel Qualifications
7.3 Roles and Responsibilities
7.4 Personnel Training
7.5 Cross-training or Staff Backup
7.6 Personnel Clearance Procedures
7.7 Employee Job Performance Evaluation
7.8 Job Change and Termination
PO8 Ensure Compliance with External Requirements
8.1 External Requirements Review
8.2 Practices and Procedures for Complying with External Requirements
8.3 Safety and Ergonomic Compliance
8.4 Privacy, Intellectual Property and Data Flow
8.5 Electronic Commerce
8.6 Compliance With Insurance Contracts
PO9 Assess Risks
9.1 Business Risk Assessment
9.2 Risk Assessment Approach
9.3 Risk Identification
9.4 Risk Measurement
9.5 Risk Action Plan
9.6 Risk Acceptance
9.7 Safeguard Selection
9.8 Risk Assessment Commitment
PO10 Manage Projects
10.1 Project Management Framework
10.3 Project Team Membership and Responsibilities
10.4 Project Definition
10.5 Project Approval
10.6 Project Phase Approval
10.7 Project Master Plan
10.8 System Quality Assurance Plan
10.9 Planning of Assurance Methods
10.10 Formal Project Risk Management
10.11 Test Plan
10.12 Training Plan
10.13 Post-implementation Review Plan
PO11 Manage Quality
11.1 General Quality Plan
11.2 Quality Assurance Approach
11.3 Quality Assurance Planning
11.4 Quality Assurance Review of Adherence to IT Standards and Procedures
11.5 System Development Life Cycle Methodology
11.6 System Development Life Cycle Methodology for Major Changes to Existing Technology
11.7 Updating of the System Development Life Cycle Methodology
11.8 Coordination and Communication
11.9 Acquisition and Maintenance Framework for the Technology Infrastructure
11.10 Third-party Implementer Relationships
11.11 Program Documentation Standards
11.12 Program Testing Standards
11.13 System Testing Standards
11.14 Parallel/Pilot Testing
11.15 System Testing Documentation
11.16 Quality Assurance Evaluation of Adherence to Development Standards
11.17 Quality Assurance Review of the Achievement of IT Objectives
11.18 Quality Metrics
11.19 Reports of Quality Assurance Reviews
AI1 Identify Automated Solutions
1.1 Definition of Information Requirements
1.2 Formulation of Alternative Courses of Action
1.3 Formulation of Acquisition Strategy
1.4 Third-party Service Requirements
1.5 Technological Feasibility Study
1.6 Economic Feasibility Study
1.7 Information Architecture
1.8 Risk Analysis Report
1.9 Cost-effective Security Controls
1.10 Audit Trails Design
1.11 Ergonomics
1.12 Selection of System Software
1.13 Procurement Control
1.14 Software Product Acquisition
1.15 Third-party Software Maintenance
1.16 Contract Application Programming
1.17 Acceptance of Facilities
1.18 Acceptance of Technology
AI2 Acquire and Maintain Application Software
2.1 Design Methods
2.2 Major Changes to Existing Systems
2.3 Design Approval
2.4 File Requirements Definition and Documentation
2.5 Program Specifications
2.6 Source Data Collection Design
2.7 Input Requirements Definition and Documentation
2.8 Definition of Interfaces
2.9 User-machine Interface
2.10 Processing Requirements Definition and Documentation
2.11 Output Requirements Definition and Documentation
2.12 Controllability
2.13 Availability as a Key Design Factor
2.14 IT Integrity Provisions in Application Program Software
2.15 Application Software Testing
2.16 User Reference and Support Materials
2.17 Reassessment of System Design
AI3 Acquire and Maintain Technology Infrastructure
3.1 Assessment of New Hardware and Software
3.2 Preventive Maintenance for Hardware
3.3 System Software Security
3.4 System Software Installation
3.5 System Software Maintenance
3.6 System Software Change Controls
3.7 Use and Monitoring of System Utilities
AI4 Develop and Maintain Procedures
4.1 Operational Requirements and Service Levels
4.2 User Procedures Manual
4.3 Operations Manual
4.4 Training Materials
AI5 Install and Accredit Systems
5.1 Training
5.2 Application Software Performance Sizing
5.3 Implementation Plan
5.4 System Conversion
5.5 Data Conversion
5.6 Testing Strategies and Plans
5.7 Testing of Changes
5.8 Parallel/Pilot Testing Criteria and Performance
5.9 Final Acceptance Test
5.10 Security Testing and Accreditation
5.11 Operational Test
5.12 Promotion to Production
5.13 Evaluation of Meeting User Requirements
5.14 Management’s Post-implementation Review
AI6 Manage Changes
6.1 Change Request Initiation and Control
6.2 Impact Assessment
6.3 Control of Changes
6.4 Emergency Changes
6.5 Documentation and Procedures
6.6 Authorized Maintenance
6.7 Software Release Policy
6.8 Distribution of Software
DS1 Define and Manage Service Levels
1.1 Service Level Agreement Framework
1.2 Aspects of Service Level Agreements
1.3 Performance Procedures
1.4 Monitoring and Reporting
1.5 Review of Service Level Agreements and Contracts
1.6 Chargeable Items
1.7 Service Improvement Program
DS2 Manage Third-party Services
2.1 Supplier Interfaces
2.2 Owner Relationships
2.3 Third-party Contracts
2.4 Third-party Qualifications
2.5 Outsourcing Contracts
2.6 Continuity of Services
2.7 Security Relationships
2.8 Monitoring
DS3 Manage Performance Capacity
3.1 Availability and Performance Requirements
3.2 Availability Plan
3.3 Monitoring and Reporting
3.4 Modeling Tools
3.5 Proactive Performance Management
3.6 Workload Forecasting
3.7 Capacity Management of Resources
3.8 Resources Availability
3.9 Resources Schedule
DS4 Ensure Continuous Service
4.1 IT Continuity Framework
4.2 IT Continuity Plan Strategy and Philosophy
4.3 IT Continuity Plan Contents
4.4 Minimizing IT Continuity Requirements
4.5 Maintaining the IT Continuity Plan
4.6 Testing the IT Continuity Plan
4.7 IT Continuity Plan Training
4.8 IT Continuity Plan Distribution
4.9 User Department Alternative Processing Backup Procedures
4.10 Critical IT Resources
4.11 Backup Site and Hardware
4.12 Offsite Backup Storage
4.13 Wrap-up Procedures
DS5 Ensure Systems Security
5.1 Manage Security Measures
5.2 Identification, Authentication and Access
5.3 Security of Online Access to Data
5.4 User Account Management
5.5 Management Review of User Accounts
5.6 User Control of User Accounts
5.7 Security Surveillance
5.8 Data Classification
5.9 Central Identification and Access Rights
5.10 Management Violation and Security Activity Reports
5.11 Incident Handling
5.12 Reaccreditation
5.13 Counterparty Trust
5.14 Transaction Authorization
5.15 Nonrepudiation
5.16 Trusted Path
5.17 Protection of Security Functions
5.18 Cryptographic Key Management
5.19 Malicious Software Prevention, Detection and Correction
5.20 Firewall Architectures and Connections with Public Networks
5.21 Protection of Electronic Value
DS6 Identify and Allocate Costs
6.1 Chargeable Items
6.2 Costing Procedures
6.3 User Billing and Chargeback Procedures
DS7 Educate and Train Users
7.1 Identification of Training Needs
7.2 Training Organization
7.3 Security Principles and Awareness Training
DS8 Assist and Advise Customers
8.1 Help Desk
8.2 Registration of Customer Queries
8.3 Customer Query Escalation
8.4 Monitoring of Clearance
8.5 Trend Analysis and Reporting
DS9 Manage the Configuration
9.1 Configuration Recording
9.2 Configuration Baseline
9.3 Status Accounting
9.4 Configuration Control
9.5 Unauthorized Software
9.6 Software Storage
9.7 Configuration Management Procedures
9.8 Software Accountability
DS10 Manage Problems and Incidents
10.1 Problem Management System
10.2 Problem Escalation
10.3 Problem Tracking and Audit Trail
10.4 Emergency and Temporary Access Authorization
10.5 Emergency Processing Priorities
DS11 Manage Data
11.1 Data Preparation Procedures
11.2 Source Document Authorization Procedures
11.3 Source Document Data Collection
11.4 Source Document Error Handling
11.5 Source Document Retention
11.6 Data Input Authorization Procedures
11.7 Accuracy, Completeness and Authorization Checks
11.8 Data Input Error Handling
11.9 Data Processing Integrity
11.10 Data Processing Validation and Editing
11.11 Data Processing Error Handling
11.12 Output Handling and Retention
11.13 Output Distribution
11.14 Output Balancing and Reconciliation
11.15 Output Review and Error Handling
11.16 Security Provision for Output Reports
11.17 Protection of Sensitive Information During Transmission and Transport
11.18 Protection of Disposed Sensitive Information
11.19 Storage Management
11.20 Retention Periods and Storage Terms
11.21 Media Library Management System
11.22 Media Library Management Responsibilities
11.23 Backup and Restoration
11.24 Backup Jobs
11.25 Backup Storage
11.26 Archiving
11.27 Protection of Sensitive Messages
11.28 Authentication and Integrity
11.29 Electronic Transaction Integrity
11.30 Continued Integrity of Stored Data
DS12 Manage Facilities
12.1 Physical Security
12.2 Low Profile of the IT Site
12.3 Visitor Escort
12.4 Personnel Health and Safety
12.5 Protection Against Environmental Factors
12.6 Uninterruptible Power Supply
DS13 Manage Operations
13.1 Processing Operations Procedures and Instructions Manual
13.2 Start-up Process and Other Operations Documentation
13.3 Job Scheduling
13.4 Departures from Standard Job Schedules
13.5 Processing Continuity
13.6 Operations Logs
13.7 Safeguard Special Forms and Output Devices
13.8 Remote Operations
M1 Monitor the Processes
1.1 Collecting Monitoring Data
1.2 Assessing Performance
1.3 Assessing Customer Satisfaction
1.4 Management Reporting
M2 Assess Control Adequacy
2.1 Internal Control Monitoring
2.2 Timely Operation of Internal Controls
2.3 Internal Control Level Reporting
2.4 Operational Security and Internal Control Assurance
M3 Obtain Independent Assurance
3.1 Independent Security and Internal Control Certification/Accreditation of IT Services
3.2 Independent Security and Internal Control Certification/Accreditation of Third-party Service Providers
3.3 Independent Effectiveness Evaluation of IT Services
3.4 Independent Effectiveness Evaluation of Third-party Service Providers
3.5 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments
3.6 Independent Assurance of Compliance with Laws and Regulatory Requirements by Third-party Service Providers
3.7 Competence of Independent Assurance Function
3.8 Proactive Audit Involvement
M4 Provide for Independent Audit
4.1 Audit Charter
4.2 Independence
4.3 Professional Ethics and Standards
4.4 Competence
4.5 Planning
4.6 Performance of Audit Work
4.7 Reporting
4.8 Follow-up Activities
3 SECURITY POLICY
3.1 INFORMATION SECURITY POLICY
3.1.1 Information security policy document
3.1.2 Review and evaluation
4 ORGANIZATIONAL SECURITY
4.1 INFORMATION SECURITY INFRASTRUCTURE
4.1.1 Management information security forum
4.1.2 Information security co-ordination
4.1.3 Allocation of information security responsibilities
4.1.4 Authorization process for information processing facilities
4.1.5 Specialist information security advice
4.1.6 Co-operation between organizations
4.1.7 Independent review of information security
4.2 SECURITY OF THIRD PARTY ACCESS
4.2.1 Identification of risks from third party access
4.2.2 Security requirements in third party contracts
4.3 OUTSOURCING
4.3.1 Security requirements in outsourcing contracts
5 ASSET CLASSIFICATION AND CONTROL
5.1 ACCOUNTABILITY FOR ASSETS
5.1.1 Inventory of assets
5.2 INFORMATION CLASSIFICATION
5.2.1 Classification guidelines
5.2.2 Information labelling and handling
6 PERSONNEL SECURITY
6.1 SECURITY IN JOB DEFINITION AND RESOURCING
6.1.1 Including security in job responsibilities
6.1.2 Personnel screening and policy
6.1.3 Confidentiality agreements
6.1.4 Terms and conditions of employment
6.2 USER TRAINING
6.2.1 Information security education and training
6.3 RESPONDING TO SECURITY INCIDENTS AND MALFUNCTIONS
6.3.1 Reporting security incidents
6.3.2 Reporting security weaknesses
6.3.3 Reporting software malfunctions
6.3.4 Learning from incidents
6.3.5 Disciplinary process
7 PHYSICAL AND ENVIRONMENTAL SECURITY
7.1 SECURE AREAS
7.1.1 Physical security perimeter
7.1.2 Physical entry controls
7.1.3 Securing offices, rooms and facilities
7.1.4 Working in secure areas
7.1.5 Isolated delivery and loading areas
7.2 EQUIPMENT SECURITY
7.2.1 Equipment siting and protection
7.2.2 Power supplies
7.2.3 Cabling security
7.2.4 Equipment maintenance
7.2.5 Security of equipment off-premises
7.2.6 Secure disposal or re-use of equipment
7.3 GENERAL CONTROLS
7.3.1 Clear desk and clear screen policy
7.3.2 Removal of property
8 COMMUNICATIONS AND OPERATIONS MANAGEMENT
8.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES
8.1.1 Documented operating procedures
8.1.2 Operational change control
8.1.3 Incident management procedures
8.1.4 Segregation of duties
8.1.5 Separation of development and operational facilities
8.1.6 External facilities management
8.2 SYSTEM PLANNING AND ACCEPTANCE
8.2.1 Capacity planning
8.2.2 System acceptance
8.3 PROTECTION AGAINST MALICIOUS SOFTWARE
8.3.1 Controls against malicious software
8.4 HOUSEKEEPING
8.4.1 Information back-up
8.4.2 Operator logs
8.4.3 Fault logging
8.5 NETWORK MANAGEMENT
8.5.1 Network controls
8.6 MEDIA HANDLING AND SECURITY
8.6.1 Management of removable computer media
8.6.2 Disposal of media
8.6.3 Information handling procedures
8.6.4 Security of system documentation
8.7 EXCHANGES OF INFORMATION AND SOFTWARE
8.7.1 Information and software exchange agreements
8.7.2 Security of media in transit
8.7.3 Electronic commerce security
8.7.4 Security of electronic mail
8.7.5 Security of electronic office systems
8.7.6 Publicly available systems
8.7.7 Other forms of information exchange
9 ACCESS CONTROL
9.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL
9.1.1 Access control policy
9.2 USER ACCESS MANAGEMENT
9.2.1 User registration
9.2.2 Privilege management
9.2.3 User password management
9.2.4 Review of user access rights
9.3 USER RESPONSIBILITIES
9.3.1 Password use
9.3.2 Unattended user equipment
9.4 NETWORK ACCESS CONTROL
9.4.1 Policy on use of network services
9.4.2 Enforced path
9.4.3 User authentication for external connections
9.4.4 Node authentication
9.4.5 Remote diagnostic port protection
9.4.6 Segregation in networks
9.4.7 Network connection control
9.4.8 Network routing control
9.4.9 Security of network services
9.5 OPERATING SYSTEM ACCESS CONTROL
9.5.1 Automatic terminal identification
9.5.2 Terminal log-on procedures
9.5.3 User identification and authentication
9.5.4 Password management system
9.5.5 Use of system utilities
9.5.6 Duress alarm to safeguard users
9.5.7 Terminal time-out
9.5.8 Limitation of connection time
9.6 APPLICATION ACCESS CONTROL
9.6.1 Information access restriction
9.6.2 Sensitive system isolation
9.7 MONITORING SYSTEM ACCESS AND USE
9.7.1 Event logging
9.7.2 Monitoring system use
9.7.3 Clock synchronization
9.8 MOBILE COMPUTING AND TELEWORKING
9.8.1 Mobile computing
9.8.2 Teleworking
10 SYSTEMS DEVELOPMENT AND MAINTENANCE
10.1 SECURITY REQUIREMENTS OF SYSTEMS
10.1.1 Security requirements analysis and specification
10.2 SECURITY IN APPLICATION SYSTEMS
10.2.1 Input data validation
10.2.2 Control of internal processing
10.2.3 Message authentication
10.2.4 Output data validation
10.3 CRYPTOGRAPHIC CONTROLS
10.3.1 Policy on the use of cryptographic controls
10.3.2 Encryption
10.3.3 Digital signatures
10.3.4 Non-repudiation services
10.3.5 Key management
10.4 SECURITY OF SYSTEM FILES
10.4.1 Control of operational software
10.4.2 Protection of system test data
10.4.3 Access control to program source library
10.5 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
10.5.1 Change control procedures
10.5.2 Technical review of operating system changes
10.5.3 Restrictions on changes to software packages
10.5.4 Covert channels and Trojan code
10.5.5 Outsourced software development
11 BUSINESS CONTINUITY MANAGEMENT
11.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
11.1.1 Business continuity management process
11.1.2 Business continuity and impact analysis
11.1.3 Writing and implementing continuity plans
11.1.4 Business continuity planning framework
11.1.5 Testing, maintaining and re-assessing business continuity plans
12 COMPLIANCE
12.1 COMPLIANCE WITH LEGAL REQUIREMENTS
12.1.1 Identification of applicable legislation
12.1.2 Intellectual property rights (IPR)
12.1.3 Safeguarding of organizational records
12.1.4 Data protection and privacy of personal information
12.1.5 Prevention of misuse of information processing facilities
12.1.6 Regulation of cryptographic controls
12.1.7 Collection of evidence
12.2 REVIEWS OF SECURITY POLICY AND TECHNICAL COMPLIANCE
12.2.1 Compliance with security policy
12.2.2 Technical compliance checking
12.3 SYSTEM AUDIT CONSIDERATIONS
12.3.1 System audit controls
12.3.2 Protection of system audit tools
3 The management system
3.1 Management and Responsibility
3.2 Documentation requirements
3.3 Competence, awareness and training
3.3.1 General
3.3.2 Professional development
3.3.3 Approaches to be considered
4 Planning and implementing service management
4.1 Plan service management (Plan)
4.1.1 Scope of service management
4.1.2 Planning approaches
4.1.3 Events to be considered
4.1.4 Scope and contents of the plan
4.2 Implement service management and provide the services
4.3 Monitoring, measuring and reviewing (Check)
4.4 Continual improvement (Act)
4.4.1 Policy
4.4.2 Planning for service improvements
5 Planning and implementing new or changed services
5.1 Topics for consideration
5.2 Change records
6 Service delivery process
6.1 Service level management
6.1.1 Service catalogue
6.1.2 Service level agreements (SLAs)
6.1.3 Service level management (SLM) process
6.1.4 Supporting service agreements
6.2 Service reporting
6.2.1 Policy
6.2.2 Purpose and quality checks on service reports
6.2.3 Service reports
6.3 Service continuity and availability management
6.3.1 General
6.3.2 Availability monitoring and activities
6.3.3 Service continuity strategy
6.3.4 Service continuity planning and testing
6.4 Budgeting and accounting for IT services
6.4.1 General
6.4.2 Policy
6.4.3 Budgeting
6.4.4 Accounting
6.5 Capacity management
6.6 Information security management
6.6.1 General
6.6.2 Identifying and classifying information assets
6.6.3 Security risk assessment practices
6.6.4 Risks to information assets
6.6.5 Security and availability of information
6.6.6 Controls
6.6.7 Documents and records
7 Relationship processes
7.1 General
7.2 Business relationship management
7.2.1 Service reviews
7.2.2 Service complaints
7.2.3 Customer satisfaction measurement
7.3 Supplier management
7.3.1 Introduction
7.3.2 Contract management
7.3.3 Service definition
7.3.4 Managing multiple suppliers
7.3.5 Contractual disputes management
7.3.6 Contract end
8 Resolution processes
8.1 Background
8.1.1 Setting priorities
8.1.2 Workarounds
8.2 Incident management
8.2.1 General
8.2.2 Major incidents
8.3 Problem management
8.3.1 Scope of problem management
8.3.2 Initiation of problem management
8.3.3 Known errors
8.3.4 Problem resolution management
8.3.5 Communication
8.3.6 Tracking and escalation
8.3.7 Incident and problem record closure
8.3.8 Problem reviews
8.3.9 Topics for reviews
8.3.10 Problem prevention
9 Control processes
9.1 Configuration management
9.1.1 Configuration management planning and implementation
9.1.2 Configuration identification
9.1.3 Configuration control
9.1.4 Configuration status accounting and reporting
9.1.5 Configuration verification and audit
9.2 Change management
9.2.1 Planning and implementation
9.2.2 Closing and reviewing the change request
9.2.3 Emergency changes
9.2.4 Change management reporting, analysis and actions
10 Release process
10.1 Release management process
10.1.1 General
10.1.2 Release policy
10.1.3 Release and roll-out planning
10.1.4 Developing or acquiring software
10.1.5 Design, build and configure release
10.1.6 Release verification and acceptance
10.1.7 Documentation
10.1.8 Roll-out, distribution and installation
10.1.9 Post release and roll-out