ESP - Amazon Web Services


Copyright     First Legion Consulting Pvt. Ltd.
License       This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 India License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/in/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
Version       1
Released on   14-Jun-10
Change History
ESP (Expected Security Practices with assessment guidance)

Each numbered ESP carries an Awareness Measurement (awareness criterion and suggested mode of assessment) and a Behavior Measurement (behavior criteria, each followed in parentheses by its suggested mode of assessment). Rows marked "-" are unnumbered in the original table; a behavior criterion with no mode in parentheses has none given.

 1  Information classification practices
    Awareness criteria:    The company information classification policies; customer information classification policies
    Awareness assessment:  Interview
    Behavior criteria:
      - Ability to classify documents during creation (Observation)
      - Ability to store classified documents in the correct location (Observation)

 -  Access control practices
    Awareness criterion:   Essential password protection
    Awareness assessment:  Interview
    Behavior criteria:
      - Does not share password under duress (Social Engineering)
      - Does not accept passwords of colleagues (Social Engineering)

 2  Email security practices
    Awareness criterion:   Do's and Don'ts with corporate email ID
    Awareness assessment:  Interview
    Behavior criteria:
      - Does not forward inappropriate emails (Social Engineering)
      - Does not download or click on suspicious attachments (Social Engineering)
      - Reports any inappropriate mail
      - Does not subscribe to sites (personal content) using official ID (Data mining from web)

 3  Malware security
    Awareness criterion:   Is aware of at least 4 different types of malware
    Awareness assessment:  Interview
    Behavior criteria:
      - Does not click on suspicious links (Social Engineering)
      - Does not click on suspicious pop-ups (Social Engineering)

 4  Clear screen / desk / printer / white board / trash practices
    Awareness criterion:   Aware of what each clear policy means
    Awareness assessment:  Interview
    Behavior criteria:
      - Locks screen / desk while leaving the workstation (Observation)
      - Takes paper out as soon as it is printed (Observation)
      - Wipes boards after meetings (Observation)
      - Tears or shreds documents when disposing of them (Observation)

 5  Backup practices
    Awareness criterion:   Securing the company information
    Awareness assessment:  Interview
    Behavior criterion:    Correct storage of important information on the backup server (Audits)

 6  Incident reporting practices
    Awareness criteria:    Incident reporting procedures; distinguishes security incidents from IT incidents
    Awareness assessment:  Interview
    Behavior criterion:    Reports a visible incident (Social Engineering / Observation)

 7  Internet security practices
    Awareness criterion:   Aware of internet security policy, Do's and Don'ts
    Awareness assessment:  Interview
    Behavior criteria:
      - Avoids suspicious pop-ups (Social Engineering)
      - Avoids inappropriate sites (Proxy log review)

 8  Intellectual property protection practices
    Awareness criterion:   Aware of what IP, IPR and copyright protection is
    Awareness assessment:  Interview
    Behavior criteria:
      - Does not store or install illegal copyrighted content (Desktop audit)
      - IPR of different client codes
      - Does not download illegal copyrighted content (Social Engineering)

 9  Social engineering detection and avoidance practices
    Awareness criteria:    Understands the term social engineering; understands the channels of social engineering
    Awareness assessment:  Interview
    Behavior criteria:
      - Does not provide the company information to anonymous callers (Social Engineering)
      - Does not respond to suspicious emails asking for business info (Social Engineering)

10  Physical security practices
    Awareness criterion:   Access control policies (location, access)
    Awareness assessment:  Interview
    Behavior criteria:
      - Access card is worn properly (Observation)
      - Access cards are not shared (Observation / Social Engineering)
      - Does not allow piggybacking (Observation / Social Engineering)
      - Reports people without visible ID inside the facility (Social Engineering)

11  Secure disposal of information practices
    Awareness criterion:   Aware of secure disposal policy
    Awareness assessment:  Interview
    Behavior criterion:    Disposes of sensitive documents properly (Social Engineering test)

12  Portable / mobile computing security practices
    Awareness criterion:   Aware of policy regarding external personal devices
    Awareness assessment:  Interview
    Behavior criteria:
      - Does not connect external personal devices to company systems (Review from ADS logs)
      - Does not copy the company business info onto personal devices

13  Information disclosure practices
    Awareness criterion:   Aware of information disclosure policy
    Awareness assessment:  Interview
    Behavior criterion:    Does not disclose official and classified business information (Social engineering)

14  Safe blogging and social networking security practices
    Awareness criteria:    Is aware of dangers of posting business info in personal blogs; is aware of dangers of posting business info in social networks
    Awareness assessment:  Interview
    Behavior criteria:
      - Does not post the company business info in personal blogs or in social networks (Data mining from web)
      - Does not respond to queries on personal blogs asking for company business info (Social engineering and Data Mining)

15  Wireless security practices
    Awareness criterion:   Is aware of dangers of connecting to open access points
    Awareness assessment:  Interview
    Behavior criterion:    Does not connect to open Wi-Fi access points (System audit / Wireless NIC properties)

16  Information recovery practices
    Awareness criterion:   Is aware of procedures to be followed in case of system crash or data loss
    Awareness assessment:  Interview
    Behavior criterion:    Reports data loss or system crash (Remedy log review and comparison with data loss reports)

 -  (ESP name not given in the original table)
    Awareness criterion:   Aware that the company data must not be copied or synchronized with mobile devices
    Awareness assessment:  Interview
    Behavior criterion:    Does not copy or synchronize data from the company computers with a personal mobile device (System audit)

17  External workforce (contractor) access practices
    Awareness criterion:   Is aware of Do's and Don'ts as an external employee
    Awareness assessment:  Interview
    Behavior criterion:    Check of adherence to the company's information security policies (Observation)

18  Emergency response practices
    Awareness criterion:   Aware of emergency evacuation / fire drill
    Awareness assessment:  Interview
    Behavior criteria:
      - Has attended fire drill (Review of records)
      - Demonstrates exit procedures for evacuation (Observation)