This 7799 checklist shall be used to audit an organisation's Information Technology Security standard. It does not provide vendor-specific security considerations but rather attempts to provide a generic checklist of security considerations to be used when auditing an organisation's Information Technology Security.
This checklist is not a replacement for any 7799 standard, but it can be used in conjunction with the 7799 standard to review and evaluate the IT security of the organisation.
The document discusses several IT audit methodologies: CobiT, BS 7799, BSI, ITSEC, and Common Criteria. It provides an overview of each methodology, including their main uses, structures, and summaries. CobiT is used for IT audits and governance and has 4 domains and 34 processes. BS 7799 focuses on information security management and lists 109 security controls. BSI is the German IT baseline protection manual with 34 security modules. ITSEC and Common Criteria are evaluation criteria used for security certification.
This document outlines a project plan for implementing an Information Security Management System (ISMS) compliant with ISO 27001 in an organization. The plan defines the project goals as obtaining ISO 27001 certification by a target date, identifies key results and risks, and provides a schedule and roles. It also describes tools and documents that will be used, such as a shared folder for all project materials and regular reporting from the project manager.
Here is an easy to use checklist for ISO 27001
If you require any advice, please call CAW Consultancy Business Solutions on 01772 932058 or our 24 hour hotline 07427535662.
The document discusses auditing IT infrastructure including hardware, networks, and telecommunications devices. It provides details on objectives of IT audits such as assessing continuity, management/maintenance, and security of systems. It also discusses standards and guidelines for auditing such as CobiT, ISO 27001, and reviewing hardware assets, network design, security, backups, and telecommunication agreements and invoices.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain how to transform organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
An IT Infrastructure Audit helps an organization understand its current IT environment and build an action plan to realize the optimal benefits from its IT infrastructure investment. IIA is about safeguarding assets, maintaining data integrity and operating effectively to achieve the organization's goals. It covers the documentation of policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
This presentation explains COBIT (Control Objectives for Information and Related Technology) standard.
Courtesy:
http://www.ifour-consultancy.com
http://www.ifourtechnolab.com
An IT security audit involves independently examining an organization's IT systems, controls, policies and procedures. The document outlines the key steps in an IT audit including planning, testing and reporting. It also discusses defining auditors and their roles, preparing for an audit, and how audits are conducted at the application level to assess controls related to administration, security, disaster recovery and more. The goal of an audit is to evaluate security adequacy and recommend improvements.
Understanding IT Governance and Risk Management (jiricejka)
Describes IT Governance Holistic Framework for establishing transparent relation between Business and IT environment.
Describes Governance services and Risk Management Methods
IT Governance, or corporate governance of information technology, is a subset discipline of corporate governance focused on information and technology (IT) and its performance and risk management. The interest in IT Governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders.
Celonis has achieved TISAX AL3 certification, the highest level, which requires a full on-site audit of all IT security controls. This certification demonstrates that Celonis securely handles customer data within its Intelligent Business Cloud platform. The TISAX assessment was conducted by an independent auditor and focused on Celonis' Munich data centers. Customers can verify Celonis' certification status and details on the ENX portal using the provided Assessment ID and Scope ID.
ISO 27001, the international standard for information security management
"ISO 27001 (or ISO/IEC 27001:2013, Information Security Management Systems) is a standard that provides a good practical framework for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. The key purpose of the ISMS is to bring information risk and security under management control."
This document provides an overview of IT governance and the system development life cycle (SDLC). It discusses 9 study objectives related to IT governance, strategic management, and the various phases of the SDLC. The phases of the SDLC include systems planning, systems analysis, systems design, systems implementation, and operation and maintenance. Systems planning involves evaluating strategic objectives, prioritizing IT systems, and conducting feasibility studies. The IT governance committee oversees strategic management of IT and the SDLC process.
This document provides an overview of several IT audit methodologies: CobiT, BS 7799, BSI, ITSEC, and Common Criteria. CobiT is a framework for IT governance and control developed by ISACA that defines 34 processes across 4 domains (planning, acquisition, delivery, and monitoring). BS 7799 is a British standard focused on IT security baseline controls across 10 categories. BSI is a German manual that describes 34 security modules, 420 security measures, and 209 threats. ITSEC and Common Criteria are methodologies for evaluating the security of IT systems and products at defined assurance levels. Each methodology has different strengths in areas like scope, structure, user-friendliness, and frequency of updates.
Secure Your Medical Devices From the Ground Up (ICS)
The Food and Drug Administration (FDA) has recently released new guidance on cybersecurity for medical devices. This presentation will provide an overview of this guidance and review what is required for 510(k) submissions. We will also discuss the upcoming European Union (EU) cybersecurity regulations and how they compare to the FDA guidance.
This webinar with ICS and partner RTI, the largest software framework company for autonomous systems, will focus on threat modeling and cybersecurity risk assessments in light of the new guidance, and how these activities impact design requirements for medical devices. You will learn common pitfalls and mistakes to avoid when establishing organizational best practices in cybersecurity.
We will also discuss the challenges to securing data in motion for connected medical devices and describe how a data-centric software framework based on open standards, addresses the design requirements for highly reliable, scalable and secure systems.
Attendees will gain an understanding of the current regulatory expectations, best practices for cybersecurity risk assessments, and standards-based solutions for secure data connectivity.
Information technology is a complex business, at best. While IT can provide amazing benefits, it still requires vigilance and diligence to ensure it is running correctly and that it is secure. A security framework can be an excellent tool to evaluate what you might be missing and confirm that what you are already doing is spot-on correct. This session will discuss the importance of using security frameworks and walk attendees through the NIST Cyber Security Framework to review how the framework functions, how to use a framework, and most importantly, how the use of a framework can and will benefit their organization.
The document provides an overview of the Cybersecurity Capability Maturity Model (C2M2). The C2M2 focuses on implementing and managing cybersecurity practices for information, IT, and OT assets. It can be used to strengthen cybersecurity capabilities, evaluate capabilities, share best practices, and prioritize improvements. The model includes 342 practices organized across 10 domains. It uses a scale of 0-3 maturity indicator levels (MILs) to assess progression in each domain. Higher MILs indicate more advanced, institutionalized, and consistent implementation of practices. The document outlines how organizations can use the C2M2 by performing a self-evaluation, identifying gaps, prioritizing improvements, and implementing plans in an
This document provides an overview of ISMS audits using ISO 27001:2013. It discusses ISO and the ISO 27000 series of standards. It then covers the process-based ISMS approach and outlines the mandatory and discretionary controls in ISO 27001. The document defines an audit and outlines key audit principles. It describes the different types of audits and details the audit process, including developing audit checklists and the stages of an on-site audit.
This document provides an overview and agenda for a presentation on ISO 27001 and information security management systems (ISMS). It introduces key terms like information security, the CIA triad of confidentiality, integrity and availability. It describes the components of an ISMS like policy, procedures, risk assessment and controls. It explains that ISO 27001 specifies requirements for establishing, implementing and maintaining an ISMS. The standard is popular because it can be used by all organizations to improve security, comply with regulations and build trust. Implementing an ISMS also increases awareness, reduces risks and justifies security spending.
Enterprise Architecture and Information Security (John Macasio)
A thinking tool for asking about and describing the alignment requirements of business, information, technology and security, in order to improve and secure the management of process, data, application and infrastructure performance.
This document provides guidance on information security controls. It discusses organizational controls related to policies, roles, risk management, asset management, access controls, suppliers, incidents, and compliance. It also addresses people controls around roles, training, awareness, and monitoring. Technical controls involve secure system administration, system development and support, protective technologies, and technical vulnerability management.
Nowadays, IT operations are required to run on a tight budget and under constant watch. Compliance, security and mobile innovation are making proper auditing of IT systems absolutely necessary. Knowing the most fundamental facts, like who changed what, when, and where, will save hours of troubleshooting, satisfy compliance needs, and secure the environment. This white paper shows a methodical approach to IT infrastructure auditing. That includes proper planning, estimation of time needed to implement an effective IT auditing solution, and critical resources.
ISO 27701 is important for privacy compliance because it provides a comprehensive framework for organizations to manage the privacy of personal data. The standard covers all aspects of privacy management, from data collection and processing to security and compliance.
ISO 27701 is aligned with the General Data Protection Regulation (GDPR), which is the most comprehensive privacy law in the world. The standard also supports compliance with other privacy laws, such as the California Consumer Privacy Act (CCPA) and the Brazilian General Data Protection Law (LGPD).
By implementing ISO 27701, organizations can demonstrate to their customers, employees, and regulators that they are committed to protecting personal data. The standard can also help organizations to reduce their risk of data breaches and other privacy incidents.
Here are some of the benefits of implementing ISO 27701:
Demonstrate compliance with privacy laws and regulations
Reduce the risk of data breaches and other privacy incidents
Improve customer trust and confidence
Enhance the organization's reputation
Gain a competitive advantage
If your organization handles personal data, then ISO 27701 is an important standard to consider. The standard can help you to protect personal data, comply with privacy laws, and improve your organization's overall privacy posture.
Here are some of the specific requirements of ISO 27701:
Establish a privacy management policy
Conduct a privacy risk assessment
Implement technical and organizational measures to protect personal data
Implement procedures for managing data breaches
Provide individuals with access to their personal data
Respond to data subject requests
Monitor and improve the privacy management system
Cyber Security IT GRC Management Model and Methodology (360factors)
A discussion and presentation on cyber security trends in oil and gas, the benefits of an IT GRC Management System, and IT GRC Management Model and Methodology.
The document discusses governance and the evolution of COBIT from versions 4.1 to 5.0, noting key changes like new principles, a focus on enablers, a new process reference model, and new/modified processes. It provides an overview of COBIT 5.0's framework for linking business goals to IT goals and processes. The presentation is by Dr. Santipat Arunthari, Chief Technology Officer of PTT ICT Solutions Company Limited.
- Maturity models provide frameworks for organizations to evaluate their security capabilities and identify areas for improvement. They allow benchmarking against peers.
- There are different types of models including progress-based models that measure advancement through levels and capability maturity models (CMM) that assess process institutionalization. Hybrid models combine aspects of both.
- Examples discussed include the Systems Security Engineering Capability Maturity Model (SSE-CMM) that evaluates security engineering practices across five levels and the CISO Platform Security Benchmarking that compares technologies adopted to peers.
This document summarizes key aspects of process improvement discussed in two lectures. It discusses the process improvement process, including process measurement, analysis, and change. It describes approaches like the CMMI framework and how it is used to assess process maturity levels. It outlines the stages of process change and challenges like resistance to change.
This document provides a detailed checklist to review the health of a project. It contains over 100 questions across various categories including project planning, management, quality, resources, users, and development approach. The questions assess the relevance and strength of different project attributes such as having a formal project plan, adequate risk management, proper quality assurance processes, sufficient resourcing and user involvement, and use of a recognized development methodology. The checklist is intended to assist project managers in auditing and improving their project.
This document provides an overview of GRCPerfect, an enterprise governance, risk, and compliance management system developed by Adaptive Processes Consulting. GRCPerfect offers modules to support project governance and management, risk management, quantitative process management, and compliance with standards like CMMI, ISO 9001, ISO 27001. It provides automated reporting, role-based permissions, and dashboards. GRCPerfect integrates various project artifacts like schedule, defects, risks, issues and change requests. It is configurable for customization and supports multiple organizations, business units, accounts and projects.
This document presents the basic concepts and methodology of the ISO 17799 standard for information security management. The standard establishes eleven control domains covering this management, such as security policy, organizational aspects, asset classification, personnel security, and legal compliance. By following this standard, organizations can improve the security of their systems, ensure business continuity, and increase the confidence of customers and partners.
The document discusses ISO 27001 internal audit requirements and challenges with conducting internal audits. It proposes two approaches for outsourcing ISO 27001 audits to an external firm: 1) co-sourcing where the firm provides audit resources under the organization's direction, or 2) a managed assurance service where the firm develops and runs the entire audit program. The benefits cited include overcoming resourcing challenges, ensuring objectivity, and focusing internal resources on high risk areas.
La norma ISO 17799 proporciona recomendaciones para gestionar la seguridad de la información en las organizaciones. Se estructura en once dominios de control relacionados con aspectos como la política de seguridad, clasificación de activos, seguridad física, control de accesos y desarrollo de sistemas. Su objetivo es establecer una base para desarrollar normas de seguridad internas y crear confianza entre empresas manejando la información de forma segura.
The document discusses auditing IT compliance and governance. It introduces CobIT, an IT governance framework that can be used to manage IT risks and compliance. CobIT provides over 300 control objectives that help ensure business objectives are met and undesired events are prevented or detected. The document outlines how CobIT can be used to design, implement, assess, and monitor an organization's IT compliance program.
ISO 17799 provides a framework for establishing an information security management system. It outlines controls in several areas, including security policy, asset classification, access control, and business continuity management. Implementing ISO 17799 involves developing a security policy statement, defining an information security management structure, performing risk assessments, and establishing controls. The standard offers benefits such as a benchmark for security, a defined process for managing security, and a way to demonstrate an organization's security status.
This presentation provides an overview of the COBIT framework for IT governance and control. It is designed for academic courses covering topics like information systems management, information security management, auditing, and accounting information systems. The presentation introduces the driving forces behind IT governance and control, an overview of the COBIT framework, and how COBIT maps to other relevant standards and frameworks.
Use this checklist to record evidence of conformance to the new and enhanced requirements of ISO/IEC 27001:2013. You may complete it
during one or more visits.
Este documento presenta un resumen de la Norma ISO 17799 para la gestión de la seguridad de la información. Explica que la ISO 17799 proporciona recomendaciones para establecer un sistema de gestión de seguridad de la información y cubre áreas como la política de seguridad, aspectos organizativos, clasificación de activos, seguridad del personal, seguridad física, gestión de operaciones, control de acceso, desarrollo de sistemas, continuidad del negocio y cumplimiento. Asimismo, detalla la estruct
Business is evolving, and IT governance frameworks like COBIT can help organizations adapt. COBIT provides a comprehensive framework for ensuring IT is properly governed and aligned with business needs. It addresses key areas like strategic alignment, value delivery, risk management, and resource management through establishing clear processes and controls. By implementing COBIT, organizations can improve transparency, accountability, compliance and overall IT performance.
Governance and Management of Enterprise IT with COBIT 5 FrameworkGoutama Bachtiar
This courseware was designed for the training entitled 'Governance and Management of Enterprise IT with COBIT 5 Framework' with the objective of understanding COBIT 5 Framework as well as achieving IT Governance effectiveness using the respective framework.
COBIT 5 IT Governance Model: an Introductionaqel aqel
This lecture provides quick and direct insight about Information technologies governance using COBIT 5 framework. COBIT 5 in its fifth edition released by information systems audit and control association (www.isaca.org) in 2012 to supersede the version 4.1 / 2007. It also included ISACA’s VAL-IT model that aimed to manage the financial perspective of IT as well as RISK-IT framework.
The lecture was part of ISACA- Riyadh chapter activities in April 2015 under the sponsorship of Al-Fisal University.
This document is an internal audit checklist for ISO 9001:2008. It contains questions to evaluate an organization's compliance with ISO 9001 requirements for quality management systems. The checklist addresses topics such as quality manual documentation, document control, infrastructure, product realization planning, customer requirements, internal audits, and monitoring. Auditors will use this checklist to assess conformance and identify any nonconformities.
This document provides an overview of COBIT 5, a framework for the governance and management of enterprise IT. COBIT 5 helps enterprises create optimal value from IT by balancing benefits realization with risk optimization and resource use. The framework is designed to be a single integrated governance framework that covers the entire enterprise from end to end. It separates governance, which evaluates options and sets direction, from management, which implements activities. COBIT 5 aims to help enterprises maintain high quality information, generate value from IT, achieve operational excellence, manage IT risks, optimize costs, and ensure compliance.
White Paper Guide For Developing Security Plansbdana68
This white paper is an interpretation of NIST SP 800-18, Guide for Developing Security Plans for Information Technology System, that was released by NIST in December of 1998. In 1998 when the publication became available it covered the major systems of the day: the general support system (GSS) and the Major Applications (MA). Since 1998 we have seen the development of a third system that is a neither truly a GSS or a MA but a fusion of the two, the Intranet and Extranet, which this document refers to as a web support system. This white paper interprets NIST SP 800-18 to reflect the need for a separate security plan for a web support system and how to define and determine what a web support system is. NOTE: This document has no official relationship to any other NIST Special Publication nor should any be drawn.
White Paper: Gigya's Information Security and Data Privacy PracticesGigya
The document discusses Gigya's information security and data privacy practices, including their infrastructure, data security, compliance, and privacy measures. It describes Gigya's state-of-the-art hosting in five regional data centers, data security measures like ISO 27001 certification and successful SOC2 Type 2 audits, compliance with various regulations and social network policies, and privacy features such as permission-based social login and user data controls.
This document provides a five-day guide for setting up an application security program. Day 1 involves evaluating current security measures and identifying business priorities. Key stakeholders are interviewed to understand security mandates, resources, and IT/business goals. Day 2 focuses on discovering application assets, prioritizing risks, and developing a communication plan. Day 3 entails performing vulnerability assessments through static and dynamic analysis and delivering found vulnerabilities. Day 4 is about measuring security metrics. Day 5 covers compensating/mitigating controls, prioritizing remediation, and concluding the initial application security program setup.
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantOlivia Grey
Here is a detailed analysis of Requirements and Security Assessment Procedures for PCI Data Security. This guide will help in eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For more information, visit: https://www.c7.com/data-center/compliance-security/
This document provides an overview of information security governance, risk management, program development, program management, and incident management and response. Key points include:
1. Effective governance requires strategic alignment of security with business objectives, collective risk understanding, prioritizing security based on risk analysis, and performance measurement.
2. Risk management involves assessing threats, vulnerabilities, risks and their potential impacts, evaluating risks, treating risks, and integrating controls.
3. Developing a security program involves defining objectives, scope, resources, metrics, and implementing according to a roadmap using methods like PDCA.
CA Service Desk Administrator Guide with ExamplesArshad Havaldar
This document is an instructor guide for a Computer Associates course on administering Unicenter Service Desk. It includes information on:
- The role of a Unicenter Service Desk administrator and the architecture of Unicenter Service Desk, including the physical database layer, logical database layer, object layer, and client layer.
- Starting and stopping Unicenter Service Desk processes.
- Exploring the Unicenter Service Desk web client administration page.
- Establishing the business data structure in Unicenter Service Desk, including creating reference, configuration item support, and transactional record support data.
- Implementing security in Unicenter Service Desk, including
This whitepaper examines the challenges in integrating malware protection into broader product offerings, provides an in-depth review of the VIPRE® SDK, and covers the benefits of partnering with the GFI Advanced Technology Group to deliver the most efficient and effective protection solutions available.
This document provides a summary of new features in Oracle10i Database Release 1 (10.1) - BETA 2. It describes enhancements in areas such as performance and scalability, clustering, server manageability, availability, security and directory services, business intelligence, information integration, and application development. The document is copyrighted by Oracle Corporation and is marked as a beta draft, indicating it is a preliminary version and may contain errors. It contains 3 pages of overview information about the new release.
The document outlines the basic components of an information security program for mortgage industry professionals. It discusses 13 first priority cybersecurity practices like managing risk, protecting systems from malware, patching systems, and training employees. It also discusses 10 second priority practices such as encrypting sensitive data, third party risk management, and disaster recovery planning. The document is intended to provide a succinct overview of security risks and basic practices to help small and medium businesses manage those risks.
The document discusses the basic components of an information security program for mortgage industry professionals. It provides an overview of information security risks and explains practices to help manage those risks, with a focus on small and medium businesses. The document is aligned with the National Institute of Standards and Technology's Cybersecurity Framework and identifies practices according to the framework's five core functions: identify, protect, detect, respond, and recover. It aims to help businesses understand security risks and develop basic programs to address them.
Perform 7 Steps To Information ProtectionSajjad Haider
The document outlines a 7-step process for organizations to protect confidential information: 1) Assess information loss and compromise risks; 2) Identify and classify confidential information; 3) Develop policies and procedures; 4) Deploy technologies to enable policy compliance; 5) Communicate and educate stakeholders; 6) Integrate practices into business processes; and 7) Audit to ensure accountability. The first step involves determining an information protection strategy through risk assessment surveys and identifying technical risks with software.
This document discusses considerations for business managers regarding the total cost of ownership of SOA gateways. It covers factors like cost of implementation, which can be impacted by a gateway's deployability across hardware, software, and virtual form factors, as well as its extensibility through SDKs and standards support. The cost of ongoing operation is also discussed, including manageability, scalability, reliability, and costs associated with updating and upgrading gateways over time. Layer 7 Technologies is highlighted as offering multiple deployment options and a focus on avoiding vendor lock-in.
This document provides a comprehensive IT security and audit policy for a government department. It outlines policies for general users, departments, system administrators, database administrators (DBAs), and information systems audits. The policies cover various topics including password protection, backups, access controls, network security, software management, and staff training. The document was created by IT experts from the government department, CDAC Noida, and IT consultants to help secure the department's IT systems and data.
This document provides a 3-sentence summary of the given document:
The document is the user's guide and reference for PL/SQL Release 2 (9.2) from Oracle Corporation, covering the main features and functionality of PL/SQL such as blocks, variables, cursors, control structures, modularity, and error handling. It was last updated in March 2002 and has John Russell listed as the primary author along with several contributing authors. The document is copyrighted by Oracle Corporation and contains proprietary information regarding PL/SQL that is provided under a license agreement.
a book authored by Dr. sami khiami discusses the concept of web application security and explain the attack process, attack types and different used methodologies to achieve an acceptable level of application security.
This document provides a framework for developing an organizational or project-based Building Information Modeling (BIM) deployment plan. It outlines key elements to address such as modeling standards, staffing needs, planned models and analyses. The goal is to help users streamline project communications and reduce costs through collaborative planning and BIM implementation. Sections provide guidance on developing a BIM vision and goals, modeling standards, planned model types and analyses, staffing structure and skills requirements. Users can fill in provided templates and tables to develop a customized plan suited to their specific needs and applications of BIM.
VeraCode State of software security report volume5 2013Cristiano Caetano
The document is the State of Software Security Report Volume 5 from Veracode. It analyzes data on 22,430 application builds assessed over an 18 month period to examine trends in application security quality, remediation, and policy compliance. A key finding is that 70% of applications failed to comply with security policies on first submission, representing a significant increase from the previous report. Additionally, the prevalence of SQL injection vulnerabilities has plateaued at around 32% over the last 6 quarters. The report provides predictions for how these trends could continue and recommendations for improving application security.
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...Symantec
Who should read this paper:
IT, security managers, and executives who use legacy on-premise two factor authentication solutions and are considering a switch to another provider’s solution for two-factor authentication should read this document. This solution brief offers advice about gauging the security of a new solution, understanding the ease of deployment and management, choosing the right strategy for migration, and measuring the total cost effectiveness of a new solution.
White Paper: The Cyber Resilience Blueprint: A New Perspective on SecuritySymantec
Who should read this paper
For business leaders. In this sophisticated threat environment,traditional security tactics are failing. Symantec™ encourages organisations to revisit their security posture to build a more cyber resilient enterprise. Resilience is not defined by a series of checklists,but through evaluations based on the current threat environment and the acceptable risk level for the organisation. This whitepaper presents best practice-based approaches recommended for minimising cyber risk. These are arranged across five pillars and provide specific actions for each pillar to be performed by identifiable IT jobs.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
ISO 17799 Checklist
1. Interested in learning more about security management?
SANS Institute
Security Consensus Operational Readiness Evaluation
This checklist is from the SCORE Checklist Project. Reposting is not permitted without express, written permission.
ISO 17799 Checklist
Copyright SANS Institute
Author Retains Full Rights
2. Information Security Management
BS 7799.2:2002
Audit Check List
for SANS
Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant.
Approved by: Algis Kibirkstis
Owner: SANS
Extracts from BS 7799 part 1: 1999 are reproduced with the permission of BSI under license number 2003DH0251. British Standards can be purchased from BSI Customer Services, 389 Chiswick High Road, London W4 4AL. Tel: 44 (0)20 8996 9001. Email: customerservices@bsi-global.com
3. SANS Institute
BS 7799 Audit Checklist
6/08/2003
Table of Contents
Security Policy 9
  Information security policy 9
    Information security policy document 9
    Review and evaluation 9
Organisational Security 10
  Information security infrastructure 10
    Management information security forum 10
    Information security coordination 10
    Allocation of information security responsibilities 10
    Authorisation process for information processing facilities 10
    Specialist information security advice 11
    Co-operation between organisations 11
    Independent review of information security 11
  Security of third party access 11
    Identification of risks from third party access 11
    Security requirements in third party contracts 12
  Outsourcing 12
    Security requirements in outsourcing contracts 12
Asset classification and control 12
  Accountability of assets 12
    Inventory of assets 12
  Information classification 12
    Classification guidelines 12
    Information labelling and handling 12
Author: Val Thiagarajan | Approved by: Algis Kibirkstis | Owner: SANS Institute
Page - 2
4. SANS Institute
BS 7799 Audit Checklist
6/08/2003
Personnel security  12
  Security in job definition and Resourcing  12
    Including security in job responsibilities  12
    Personnel screening and policy  12
    Confidentiality agreements  12
    Terms and conditions of employment  12
  User training  12
    Information security education and training  12
  Responding to security incidents and malfunctions  12
    Reporting security incidents  12
    Reporting security weaknesses  12
    Reporting software malfunctions  12
    Learning from incidents  12
    Disciplinary process  12
Physical and Environmental Security  12
  Secure Area  12
    Physical Security Perimeter  12
    Physical entry Controls  12
    Securing Offices, rooms and facilities  12
    Working in Secure Areas  12
    Isolated delivery and loading areas  12
  Equipment Security  12
    Equipment siting protection  12
    Power Supplies  12
    Cabling Security  12
    Equipment Maintenance  12
    Securing of equipment off-premises  12
    Secure disposal or re-use of equipment  12
  General Controls  12
    Clear Desk and clear screen policy  12
    Removal of property  12
Communications and Operations Management  12
  Operational Procedure and responsibilities  12
    Documented Operating procedures  12
    Operational Change Control  12
    Incident management procedures  12
    Segregation of duties  12
    Separation of development and operational facilities  12
    External facilities management  12
  System planning and acceptance  12
    Capacity Planning  12
    System acceptance  12
  Protection against malicious software  12
    Control against malicious software  12
  Housekeeping  12
    Information back-up  12
    Operator logs  12
    Fault Logging  12
  Network Management  12
    Network Controls  12
  Media handling and Security  12
    Management of removable computer media  12
    Disposal of Media  12
    Information handling procedures  12
    Security of system documentation  12
  Exchange of Information and software  12
    Information and software exchange agreement  12
    Security of Media in transit  12
    Electronic Commerce security  12
    Security of Electronic email  12
    Security of Electronic office systems  12
    Publicly available systems  12
    Other forms of information exchange  12
Access Control  12
  Business Requirements for Access Control  12
    Access Control Policy  12
  User Access Management  12
    User Registration  12
    Privilege Management  12
    User Password Management  12
    Review of user access rights  12
  User Responsibilities  12
    Password use  12
    Unattended user equipment  12
  Network Access Control  12
    Policy on use of network services  12
    Enforced path  12
    User authentication for external connections  12
    Node Authentication  12
    Remote diagnostic port protection  12
    Segregation in networks  12
    Network connection protocols  12
    Network routing control  12
    Security of network services  12
  Operating system access control  12
    Automatic terminal identification  12
    Terminal log-on procedures  12
    User identification and authorisation  12
    Password management system  12
    Use of system utilities  12
    Duress alarm to safeguard users  12
    Terminal time-out  12
    Limitation of connection time  12
  Application Access Control  12
    Information access restriction  12
    Sensitive system isolation  12
  Monitoring system access and use  12
    Event logging  12
    Monitoring system use  12
    Clock synchronisation  12
  Mobile computing and teleworking  12
    Mobile computing  12
    Teleworking  12
System development and maintenance  12
  Security requirements of systems  12
    Security requirements analysis and specification  12
  Security in application systems  12
    Input data validation  12
    Control of internal processing  12
    Message authentication  12
    Output data validation  12
  Cryptographic controls  12
    Policy on use of cryptographic controls  12
    Encryption  12
    Digital Signatures  12
    Non-repudiation services  12
    Key management  12
  Security of system files  12
    Control of operational software  12
    Protection of system test data  12
    Access Control to program source library  12
  Security in development and support process  12
    Change control procedures  12
    Technical review of operating system changes  12
    Covert channels and Trojan code  12
    Outsourced software development  12
Business Continuity Management  12
  Aspects of Business Continuity Management  12
    Business continuity management process  12
    Business continuity and impact analysis  12
    Writing and implementing continuity plan  12
    Business continuity planning framework  12
    Testing, maintaining and re-assessing business continuity plan  12
Compliance  12
  Compliance with legal requirements  12
    Identification of applicable legislation  12
    Intellectual property rights (IPR)  12
    Safeguarding of organisational records  12
    Data protection and privacy of personal information  12
    Prevention of misuse of information processing facility  12
    Regulation of cryptographic controls  12
    Collection of evidence  12
  Reviews of Security Policy and technical compliance  12
    Compliance with security policy  12
    Technical compliance checking  12
  System audit considerations  12
    System audit controls  12
    Protection of system audit tools  12
References  12
Audit Checklist

Auditor Name: ___________________________    Audit Date: ___________________________

Information Security Management BS 7799.2:2002 Audit Check List

Table columns: Reference (Checklist / Standard) | Audit area, objective and question (Section / Audit Question) | Results (Findings / Compliance)
Security Policy

1.1 / 3.1  Information security policy

1.1.1 / 3.1.1  Information security policy document
  Whether there exists an Information security policy, which is approved by the management, published and communicated as appropriate to all employees.
  Whether it states the management commitment and sets out the organisational approach to managing information security.
1.1.2 / 3.1.2  Review and evaluation
  Whether the Security policy has an owner, who is responsible for its maintenance and review according to a defined review process.
  Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, for example: significant security incidents, new vulnerabilities or changes to organisational or technical infrastructure.
Organisational Security

2.1 / 4.1  Information security infrastructure

2.1.1 / 4.1.1  Management information security forum
  Whether there is a management forum to ensure there is a clear direction and visible management support for information security initiatives within the organisation.

2.1.2 / 4.1.2  Information security coordination
  Whether there is a cross-functional forum of management representatives from relevant parts of the organisation to coordinate the implementation of information security controls.

2.1.3 / 4.1.3  Allocation of information security responsibilities
  Whether responsibilities for the protection of individual assets and for carrying out specific security processes are clearly defined.

2.1.4 / 4.1.4  Authorisation process for information processing facilities
  Whether there is a management authorisation process in place for any new information processing facility. This should include all new facilities such as hardware and software.
2.1.5 / 4.1.5  Specialist information security advice
  Whether specialist information security advice is obtained where appropriate.
  A specific individual may be identified to co-ordinate in-house knowledge and experience to ensure consistency, and to provide help in security decision making.

2.1.6 / 4.1.6  Co-operation between organisations
  Whether appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators are maintained to ensure that appropriate action can be quickly taken and advice obtained in the event of a security incident.

2.1.7 / 4.1.7  Independent review of information security
  Whether the implementation of the security policy is reviewed independently on a regular basis. This is to provide assurance that organisational practices properly reflect the policy, and that it is feasible and effective.
2.2 / 4.2  Security of third party access

2.2.1 / 4.2.1  Identification of risks from third party access
  Whether risks from third party access are identified and appropriate security controls implemented.
  Whether the types of access are identified and classified, and the reasons for access are justified.
  Whether security risks with third party contractors working on site were identified and appropriate controls are implemented.
2.2.2 4.2.2 Whether there is a formal contract containing, or
Security referring to, all the security requirements to ensure
requirements compliance with the organisation’s security policies
and standards.
in third party
contracts
2.3 (4.3) Outsourcing

2.3.1 (4.3.1) Security requirements in outsourcing contracts
Whether security requirements are addressed in the contract with the third party when the organisation has outsourced the management and control of all or some of its information systems, networks and/or desktop environments. The contract should address how the legal requirements are to be met, how the security of the organisation's assets is maintained and tested, the right of audit, physical security issues, and how the availability of the services is to be maintained in the event of a disaster.
Asset classification and control

3.1 (5.1) Accountability of assets

3.1.1 (5.1.1) Inventory of assets
Whether an inventory or register is maintained of the important assets associated with each information system. Whether each asset identified has an owner, a security classification defined and agreed, and its location identified.

3.2 (5.2) Information classification

3.2.1 (5.2.1) Classification guidelines
Whether there is an information classification scheme or guideline in place which will assist in determining how the information is to be handled and protected.

3.2.2 (5.2.2) Information labelling and handling
Whether an appropriate set of procedures is defined for information labelling and handling in accordance with the classification scheme adopted by the organisation.

Personnel security

4.1 (6.1) Security in job definition and resourcing
4.1.1 (6.1.1) Including security in job responsibilities
Whether security roles and responsibilities, as laid down in the organisation's information security policy, are documented where appropriate. This should include general responsibilities for implementing or maintaining the security policy as well as specific responsibilities for the protection of particular assets, or for the execution of particular security processes or activities.

4.1.2 (6.1.2) Personnel screening and policy
Whether verification checks on permanent staff were carried out at the time of job application. This should include character references, confirmation of claimed academic and professional qualifications, and independent identity checks.

4.1.3 (6.1.3) Confidentiality agreements
Whether employees are asked to sign a confidentiality or non-disclosure agreement as a part of their initial terms and conditions of employment. Whether this agreement covers the security of the information processing facility and organisation assets.

4.1.4 (6.1.4) Terms and conditions of employment
Whether the terms and conditions of employment cover the employee's responsibility for information security. Where appropriate, these responsibilities might continue for a defined period after the end of the employment.
4.2 (6.2) User training

4.2.1 (6.2.1) Information security education and training
Whether all employees of the organisation and third party users (where relevant) receive appropriate information security training and regular updates on organisational policies and procedures.

4.3 (6.3) Responding to security incidents and malfunctions

4.3.1 (6.3.1) Reporting security incidents
Whether a formal reporting procedure exists to report security incidents through appropriate management channels as quickly as possible.

4.3.2 (6.3.2) Reporting security weaknesses
Whether a formal reporting procedure or guideline exists for users to report security weaknesses in, or threats to, systems or services.

4.3.3 (6.3.3) Reporting software malfunctions
Whether procedures were established to report any software malfunctions.

4.3.4 (6.3.4) Learning from incidents
Whether there are mechanisms in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored.
4.3.5 (6.3.5) Disciplinary process
Whether there is a formal disciplinary process in place for employees who have violated organisational security policies and procedures. Such a process can act as a deterrent to employees who might otherwise be inclined to disregard security procedures.

Physical and Environmental Security

5.1 (7.1) Secure Area

5.1.1 (7.1.1) Physical Security Perimeter
What physical border security facility has been implemented to protect the information processing service. Some examples of such a security facility are a card-controlled entry gate, walls, a manned reception etc.

5.1.2 (7.1.2) Physical entry controls
What entry controls are in place to allow only authorised personnel into the various areas within the organisation.

5.1.3 (7.1.3) Securing offices, rooms and facilities
Whether the rooms which house the information processing service are locked or have lockable cabinets or safes. Whether the information processing service is protected from natural and man-made disaster. Whether there is any potential threat from neighbouring premises.

5.1.4 (7.1.4) Working in secure areas
Whether information is provided only on a need-to-know basis. Whether there exists any security control for third parties or for personnel working in secure areas.

5.1.5 (7.1.5) Isolated delivery and loading areas
Whether the delivery area and the information processing area are isolated from each other to avoid any unauthorised access. Whether a risk assessment was conducted to determine the security in such areas.
5.2 (7.2) Equipment Security

5.2.1 (7.2.1) Equipment siting and protection
Whether the equipment was located in an appropriate place to minimise unnecessary access into work areas. Whether the items requiring special protection were isolated to reduce the general level of protection required. Whether controls were adopted to minimise the risk from potential threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, electromagnetic radiation and flood. Whether there is a policy towards eating, drinking and smoking in proximity to information processing services. Whether environmental conditions which would adversely affect the information processing facilities are monitored.
5.2.2 (7.2.2) Power supplies
Whether the equipment is protected from power failures by using permanence of power supplies such as multiple feeds, an uninterruptible power supply (UPS), a backup generator etc.

5.2.3 (7.2.3) Cabling security
Whether the power and telecommunications cables carrying data or supporting information services are protected from interception or damage. Whether there are any additional security controls in place for sensitive or critical information.

5.2.4 (7.2.4) Equipment maintenance
Whether the equipment is maintained as per the supplier's recommended service intervals and specifications. Whether the maintenance is carried out only by authorised personnel. Whether logs are maintained of all suspected or actual faults and all preventive and corrective measures. Whether appropriate controls are implemented when sending equipment off premises. If the equipment is covered by insurance, whether the insurance requirements are satisfied.

5.2.5 (7.2.5) Securing of equipment off-premises
Whether any use of equipment for information processing outside the organisation's premises has to be authorised by management. Whether the security provided for this equipment while outside the premises is on par with or greater than the security provided inside the premises.
5.2.6 (7.2.6) Secure disposal or re-use of equipment
Whether storage devices containing sensitive information are physically destroyed or securely overwritten.

5.3 (7.3) General Controls

5.3.1 (7.3.1) Clear desk and clear screen policy
Whether an automatic computer screen locking facility is enabled. This would lock the screen when the computer is left unattended for a period. Whether employees are advised to keep any confidential material in the form of paper documents, media etc. locked away while unattended.

5.3.2 (7.3.2) Removal of property
Whether equipment, information or software can be taken offsite without appropriate authorisation. Whether spot checks or regular audits were conducted to detect unauthorised removal of property. Whether individuals are aware of these types of spot checks or regular audits.
Communications and Operations Management

6.1 (8.1) Operational procedures and responsibilities

6.1.1 (8.1.1) Documented operating procedures
Whether the security policy has identified any operating procedures such as back-up, equipment maintenance etc. Whether such procedures are documented and used.

6.1.2 (8.1.2) Operational change control
Whether all programs running on production systems are subject to strict change control, i.e. any change to be made to those production programs needs to go through the change control authorisation. Whether audit logs are maintained of any change made to the production programs.

6.1.3 (8.1.3) Incident management procedures
Whether an incident management procedure exists to handle security incidents. Whether the procedure addresses the incident management responsibilities and an orderly and quick response to security incidents. Whether the procedure addresses different types of incidents, ranging from denial of service to breach of confidentiality etc., and ways to handle them. Whether the audit trails and logs relating to the incidents are maintained and proactive action taken so that the incident does not reoccur.
6.1.4 (8.1.4) Segregation of duties
Whether duties and areas of responsibility are separated in order to reduce opportunities for unauthorised modification or misuse of information or services.

6.1.5 (8.1.5) Separation of development and operational facilities
Whether the development and testing facilities are isolated from operational facilities. For example, development software should run on a different computer from the computer with production software. Where necessary, the development and production networks should be separated from each other.

6.1.6 (8.1.6) External facilities management
Whether any of the information processing facilities is managed by an external company or contractor (third party). Whether the risks associated with such management are identified in advance, discussed with the third party, and appropriate controls incorporated into the contract. Whether the necessary approval is obtained from business and application owners.

6.2 (8.2) System planning and acceptance

6.2.1 (8.2.1) Capacity planning
Whether capacity demands are monitored and projections of future capacity requirements are made. This is to ensure that adequate processing power and storage are available. Example: monitoring hard disk space, RAM and CPU on critical servers.
6.2.2 (8.2.2) System acceptance
Whether system acceptance criteria are established for new information systems, upgrades and new versions. Whether suitable tests were carried out prior to acceptance.

6.3 (8.3) Protection against malicious software

6.3.1 (8.3.1) Controls against malicious software
Whether there exists any control against the use of malicious software. Whether the security policy addresses software licensing issues such as prohibiting the use of unauthorised software. Whether there exists any procedure to verify that all warning bulletins are accurate and informative with regard to malicious software. Whether antivirus software is installed on the computers to check for and isolate or remove any viruses from computers and media. Whether the signatures of this software are updated on a regular basis to detect the latest viruses. Whether all traffic originating from untrusted networks into the organisation is checked for viruses. Example: checking for viruses in email, email attachments, and web and FTP traffic.

6.4 (8.4) Housekeeping
6.4.1 (8.4.1) Information back-up
Whether back-ups of essential business information, such as production servers, critical network components, configuration backups etc., were taken regularly. Example: Mon-Thu: incremental backup; Fri: full backup. Whether the backup media, along with the procedure to restore the backup, are stored securely and well away from the actual site. Whether the backup media are regularly tested to ensure that they could be restored within the time frame allotted in the operational procedure for recovery.

6.4.2 (8.4.2) Operator logs
Whether operational staff maintain a log of their activities, such as the name of the person, errors, corrective action etc. Whether operator logs are checked on a regular basis against the operating procedures.

6.4.3 (8.4.3) Fault logging
Whether faults are reported and well managed. This includes corrective action being taken, review of the fault logs and checking of the actions taken.

6.5 (8.5) Network Management
6.5.1 (8.5.1) Network controls
Whether effective operational controls, such as separate network and system administration facilities, were established where necessary. Whether responsibilities and procedures for the management of remote equipment, including equipment in user areas, were established. Whether there exist any special controls to safeguard the confidentiality and integrity of data passing over public networks and to protect the connected systems. Example: virtual private networks, other encryption and hashing mechanisms etc.

6.6 (8.6) Media handling and security

6.6.1 (8.6.1) Management of removable computer media
Whether there exists a procedure for the management of removable computer media such as tapes, disks, cassettes, memory cards and reports.

6.6.2 (8.6.2) Disposal of media
Whether media that are no longer required are disposed of securely and safely. Whether the disposal of sensitive items is logged where necessary in order to maintain an audit trail.
6.6.3 (8.6.3) Information handling procedures
Whether there exists a procedure for handling the storage of information. Whether this procedure addresses issues such as the protection of information from unauthorised disclosure or misuse.

6.6.4 (8.6.4) Security of system documentation
Whether the system documentation is protected from unauthorised access. Whether the access list for the system documentation is kept to a minimum and authorised by the application owner. Example: where system documentation needs to be kept on a shared drive for specific purposes, the documents need to have access control lists enabled so that they are accessible only by a limited set of users.

6.7 (8.7) Exchange of information and software

6.7.1 (8.7.1) Information and software exchange agreements
Whether there exists any formal or informal agreement between the organisations for the exchange of information and software. Whether the agreement addresses the security issues based on the sensitivity of the business information involved.
6.7.2 (8.7.2) Security of media in transit
Whether the security of media while being transported is taken into account. Whether the media are well protected from unauthorised access, misuse or corruption.

6.7.3 (8.7.3) Electronic commerce security
Whether electronic commerce is well protected and controls are implemented to protect against fraudulent activity, contract dispute, and disclosure or modification of information. Whether security controls such as authentication and authorisation are considered in the e-commerce environment. Whether electronic commerce arrangements between trading partners include a documented agreement which commits both parties to the agreed terms of trading, including details of security issues.

6.7.4 (8.7.4) Security of electronic mail
Whether there is a policy in place for the acceptable use of electronic mail, or whether the security policy addresses the issues regarding the use of electronic mail. Whether controls such as antivirus checking, isolating potentially unsafe attachments, spam control, anti-relaying etc. are put in place to reduce the risks created by electronic mail.
6.7.5 (8.7.5) Security of electronic office systems
Whether there is an acceptable use policy to address the use of electronic office systems. Whether there are any guidelines in place to effectively control the business and security risks associated with electronic office systems.

6.7.6 (8.7.6) Publicly available systems
Whether there is any formal authorisation process in place for information to be made publicly available, such as approval from change control, which includes the business and application owners etc. Whether there are any controls in place to protect the integrity of such publicly available information from any unauthorised access. This might include controls such as firewalls, operating system hardening, and any intrusion detection type of tools used to monitor the system etc.

6.7.7 (8.7.7) Other forms of information exchange
Whether there are any policies, procedures or controls in place to protect the exchange of information through the use of voice, facsimile and video communication facilities. Whether staff are reminded to maintain the confidentiality of sensitive information while using such forms of information exchange facility.
Access Control

7.1 (9.1) Business requirements for access control

7.1.1 (9.1.1) Access control policy
Whether the business requirements for access control have been defined and documented. Whether the access control policy addresses the rules and rights for each user or group of users. Whether the users and service providers were given a clear statement of the business requirements to be met by access controls.

7.2 (9.2) User access management

7.2.1 (9.2.1) User registration
Whether there is any formal user registration and de-registration procedure for granting access to multi-user information systems and services.

7.2.2 (9.2.2) Privilege management
Whether the allocation and use of any privileges in a multi-user information system environment is restricted and controlled, i.e. privileges are allocated on a need-to-use basis and only after a formal authorisation process.
7.2.3 (9.2.3) User password management
The allocation and reallocation of passwords should be controlled through a formal management process. Whether the users are asked to sign a statement to keep the password confidential.

7.2.4 (9.2.4) Review of user access rights
Whether there exists a process to review user access rights at regular intervals. Example: special privileges reviewed every 3 months, normal privileges every 6 months.

7.3 (9.3) User responsibilities

7.3.1 (9.3.1) Password use
Whether there are any guidelines in place to guide users in selecting and maintaining secure passwords.

7.3.2 (9.3.2) Unattended user equipment
Whether users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection. Example: log off when the session is finished or set up automatic log-off, terminate sessions when finished etc.

7.4 (9.4) Network access control

7.4.1 (9.4.1) Policy on use of network services
Whether there exists a policy that addresses concerns relating to networks and network services, such as: the parts of the network to be accessed; authorisation services to determine who is allowed to do what; and procedures to protect access to network connections and network services.
7.4.2 (9.4.2) Enforced path
Whether there is any control that restricts the route between the user terminal and the designated computer services the user is authorised to access, for example an enforced path to reduce the risk.

7.4.3 (9.4.3) User authentication for external connections
Whether there exists any authentication mechanism for challenging external connections. Examples: cryptography-based techniques, hardware tokens, software tokens, challenge/response protocols etc.

7.4.4 (9.4.4) Node authentication
Whether connections to remote computer systems that are outside the organisation's security management are authenticated. Node authentication can serve as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility.

7.4.5 (9.4.5) Remote diagnostic port protection
Whether access to diagnostic ports is securely controlled, i.e. protected by a security mechanism.
7.4.6 (9.4.6) Segregation in networks
Whether the network (where business partners and/or third parties need access to the information system) is segregated using perimeter security mechanisms such as firewalls.

7.4.7 (9.4.7) Network connection protocols
Whether there exists any network connection control for shared networks that extend beyond the organisational boundaries. Example: electronic mail, web access, file transfers etc.

7.4.8 (9.4.8) Network routing control
Whether there exist any network controls to ensure that computer connections and information flows do not breach the access control policy of the business applications. This is often essential for networks shared with non-organisation users. Whether the routing controls are based on positive source and destination identification mechanisms. Example: Network Address Translation (NAT).

7.4.9 (9.4.9) Security of network services
Whether the organisation, when using public or private network services, ensures that a clear description of the security attributes of all services used is provided.

7.5 (9.5) Operating system access control
7.5.1 (9.5.1) Automatic terminal identification
Whether an automatic terminal identification mechanism is used to authenticate connections.

7.5.2 (9.5.2) Terminal log-on procedures
Whether access to the information system is attainable only via a secure log-on process. Whether there is a procedure in place for logging in to an information system. This is to minimise the opportunity for unauthorised access.

7.5.3 (9.5.3) User identification and authorisation
Whether a unique identifier is provided to every user, such as operators, system administrators and all other staff including technical staff. Generic user accounts should only be supplied under exceptional circumstances where there is a clear business benefit; additional controls may be necessary to maintain accountability. Whether the authentication method used substantiates the claimed identity of the user; the commonly used method is a password that only the user knows.
7.5.4 (9.5.4) Password management system
Whether there exists a password management system that enforces various password controls such as: individual passwords for accountability, enforced password changes, storing passwords in encrypted form, not displaying passwords on screen etc.
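A minimal password management system of the kind this item asks the auditor to look for, written here as an added example and not part of the SANS checklist: one record per user id, a forced change at first use and after a maximum age, a derived key stored instead of the password, and a record representation that never shows secret material. It goes beyond the item's wording in one respect: where the checklist says "encrypted form", it stores a salted PBKDF2 derivation, which cannot be reversed; the 90-day maximum age, the iteration count and the FakeClock are constructed values for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy values for this example: the checklist asks that changes
# be enforced but does not prescribe an interval or a key-derivation cost.
MAX_PASSWORD_AGE = timedelta(days=90)
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16


@dataclass
class Credential:
    """Per-user record: a random salt and a derived key, never the password."""
    salt: bytes
    digest: bytes
    set_at: datetime
    must_change: bool = False   # initial or reset passwords must be changed on first use

    def __repr__(self) -> str:
        # "Do not display passwords on screen": printing or logging a record
        # reveals only metadata, never the secret material.
        return f"Credential(set_at={self.set_at:%Y-%m-%d}, must_change={self.must_change})"


class FakeClock:
    """Constructed clock so the maximum-age rule can be exercised without waiting."""

    def __init__(self, start: datetime = datetime(2003, 8, 6)) -> None:
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, days: int) -> None:
        self.now += timedelta(days=days)


class PasswordManagementSystem:
    """Enforces the controls listed in checklist item 7.5.4 (9.5.4)."""

    def __init__(self, clock=datetime.now) -> None:
        self._users: dict[str, Credential] = {}   # one record per individual user id
        self._clock = clock

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def set_password(self, user: str, password: str, *, initial: bool = False) -> None:
        """Store a password for one user; an initial/reset password expires on first use."""
        salt = os.urandom(SALT_LEN)
        self._users[user] = Credential(salt, self._derive(password, salt), self._clock(), initial)

    def verify(self, user: str, password: str) -> str:
        """Return 'ok', 'change_required' or 'denied'; plaintext is never stored or logged."""
        cred = self._users.get(user)
        if cred is None:
            # Do the same work for unknown users so timing does not reveal valid ids.
            self._derive(password, bytes(SALT_LEN))
            return "denied"
        if not hmac.compare_digest(self._derive(password, cred.salt), cred.digest):
            return "denied"
        if cred.must_change or self._clock() - cred.set_at > MAX_PASSWORD_AGE:
            return "change_required"   # enforced password change
        return "ok"

    def change_password(self, user: str, old: str, new: str) -> bool:
        """Rotate a password; the old one must be known and the new one must differ."""
        if self.verify(user, old) == "denied" or new == old:
            return False
        self.set_password(user, new)
        return True

    def record(self, user: str):
        """Audit view of a user's record (contains no password material)."""
        return self._users.get(user)


if __name__ == "__main__":
    clock = FakeClock()
    pms = PasswordManagementSystem(clock)
    pms.set_password("alice", "Initial-Pass-1", initial=True)
    print(pms.verify("alice", "Initial-Pass-1"))   # change_required
    pms.change_password("alice", "Initial-Pass-1", "Own-Pass-2")
    print(pms.verify("alice", "Own-Pass-2"))       # ok
    clock.advance(91)
    print(pms.verify("alice", "Own-Pass-2"))       # change_required
    print(pms.record("alice"))                     # metadata only, no secret shown
```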
7.5.5 (9.5.5) Use of system utilities
Whether the system utilities that come with computer installations, but may override system and application controls, are tightly controlled.

7.5.6 (9.5.6) Duress alarm to safeguard users
Whether provision of a duress alarm is considered for users who might be the target of coercion.

7.5.7 (9.5.7) Terminal time-out
Inactive terminals in public areas should be configured to clear the screen or shut down automatically after a defined period of inactivity.

7.5.8 (9.5.8) Limitation of connection time
Whether there exist any restrictions on connection time for high-risk applications. This type of set-up should be considered for sensitive applications whose terminals are installed in high-risk locations.

7.6 (9.6) Application access control

7.6.1 (9.6.1) Information access restriction
Whether access to applications by the various groups/personnel within the organisation is defined in the access control policy as per the individual business application requirement and is consistent with the organisation's information access policy.