RiskAssessmentCheckListInformationSecurityPolicy1.InformationsecuritypolicydocumentDoesanInformationsecuritypolicyexist,whichisapprovedbythemanagement,publishedandcommunicatedasappropriatetoallemployees?Doesitstatethemanagementcommitmentandsetouttheorganizationalapproachtomanaginginformationsecurity?2.ReviewandEvaluationDoestheSecuritypolicyhaveanowner,whoisresponsibleforitsmaintenanceandreviewaccordingtoadefinedreviewprocess?Doestheprocessensurethatareviewtakesplaceinresponsetoanychangesaffectingthebasisoftheoriginalassessment,example:significantsecurityincidents,newvulnerabilitiesorchangestoorganizationalortechnicalstructure?OrganizationalSecurityInformationsecurityinfrastructure1.Allocationofinformationsecurityresponsibilitiesa.Areresponsibilitiesfortheprotectionofindividualassetsandforcarryingoutspecificsecurityprocessesclearlydefined?2.Co-operationbetweenorganizationsa.Aretheappropriatecontactswithlawenforcementauthorities,regulatorybodies,utilityproviders,informationserviceprovidersandtelecommunicationoperatorsmaintainedtoensurethatappropriateactioncanbequicklytakenandadviceobtained,intheeventofanincident?3.IndependentreviewofinformationsecurityYesNoInProgressa.Istheimplementationofsecuritypolicyreviewedindependentlyonregularbasis?Thisistoprovideassurancethatorganizationalpracticesproperlyreflectthepolicy,andthatitisfeasibleandeffective.Securityofthirdpartyaccess1.Identificationofrisksfromthirdpartya.Arerisksfromthirdpartyaccessidentifiedandappropriatesecuritycontrolsimplemented?b.Arethetypesofaccessesidentified,classifiedandreasonsforaccessjustified?c.Aresecurityriskswiththirdpartycontractorsworkingonsiteidentifiedandappropriatecontrolsimplemented?2.Securityrequirementsinthirdpartycontractsa.Isthereaformalcontractcontaining,orreferringto,allthesecurityrequirementstoensurecompliancewiththeorganization=ssecuritypoliciesandstandards?Outsourcing1.Securityrequirementsinoutsourcingcontractsa.Aresecurityrequirementsaddressedinthecontractwiththethirdparty,whentheorganizationhasoutsourcedthemanagementandcontrolofallorsomeofitsinformationsystems,networksand/ordesktopenvironments?Doescontractaddresshowthelegalrequirementsaretobemet,howthesecurityoftheorganization=sassetsaremaintainedandtested,andtherightofaudit,physicalsecurityissuesandhowtheavailabilityoftheservicesistobemaintainedintheeventofdisaster?AssetclassificationandcontrolAccountabilityofassetsYesNoInProgress1.Inventoryofassetsa.Isthereamaintainedinventoryorregisteroftheimportantassetsassociatedwitheachinformationsystem?Informationclassification1.Classificationguidelinesa.IsthereanInformationclassificationschemeorguidelineinplace;whichwillassistindetermininghowtheinformationistobehandledandprotected?2.Informationlabelingandhandlinga.Isthereanappropriatesetofproceduresdefinedforinformationlabelingandhandlinginaccordancewiththeclassificationschemeadoptedbytheorganization?PersonnelsecuritySecurityinjobdefinitionandResourcing1.Includingsecurityinjobresponsibilitiesa.AresecurityrolesandresponsibilitiesaslaidinOrganization=sinformationsecuritypolicydocumentedwhereappropriate?Doesthisincludegeneralresponsibilitiesforimplementingormaintainingsecuritypolicyaswellasspecificresponsibilitiesforprotectionofparticularassets,orforextensionofparticularsecurityprocessesoractivities?2.Confidentialityagreementsa.DoemployeessignConfid...
