Add to collection(s) Add to saved
  1. No category
Uploaded by black white

1. WF Risk Assesment (Tech Div As a Whole)

advertisement 
HEISC Information Security Benchmark Assessment Tool for Higher Education
November 2012
B
C
This tool can be used to assess an enterprise information security program, department, or
other. Please select from the drop down box ->
10
1. N.M.I Raisul Bari
2. Md. Ekramul Hoq
3. Nazia Mahbub
Name of Division or institution (if applicable):
Technology Division, bKash Limited
Date completed:
13
Questions
14
16
F
G
Item Score
Category
Score
Help
Reset Worksheet ----->
Sl No
Risk Management (ISO 27005:2011)
15
E
Enterprise Information Security Program
Name of persons completing assessment
11
12
D
1
Does your institution have a risk management program?
2
3
Not Performed = 0; Performed Informally = 1;
Planned = 2; Well Defined = 3;
Quantitatively Controlled = 4; Continuously Improving = 5; Not
Applicable = Blank
NOTE: 5 is the highest level of maturity
0.00
Total Score for Risk Management ->
no
0
Does your institution have a process for identifying and assessing reasonably foreseeable internal and external risks to the
security, confidentiality, and/or integrity of any electronic, paper, or other records containing sensitive information?
Not Performed
0
Does your organization conduct routine risk assessments to identify the key objectives that need to be supported by your
information security program?
Not Performed
0
17
18
20
21
22
4
5
6
25
26
27
Has it been published and communicated to all relevant parties?
Does your institution review the policy at defined intervals to encompass significant change and monitor for compliance?
Well Defined
3
Well Defined
3
Planned
2
7
Does your information security function have the authority it needs to manage and ensure compliance with the information
security program?
8
2.29
Total Score for ISO 6 ->
Organization of Information Security (ISO 6)
23
24
Does your institution have an information security policy that has been approved by management?
2.67
Total Score for ISO 5->
Information Security Policies (ISO 5)
19
Well Defined
3
Does your institution have an individual with enterprise-wide information security responsibility and authority written in
their job description, or equivalent? Note: This may be the CIO, CISO, CSO, or other.
Continuously Improving
5
9
Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes, and audits?
Well Defined
3
10
Is there a formal process for having the individual with information security responsibility assess and sign off on appropriate
hardware, software, and services, ensuring they follow security policies and requirements?
Not Performed
0
HEISC Information Security Benchmark Assessment Tool for Higher Education
November 2012
B
Sl No
C
D
E
F
G
Questions
Not Performed = 0; Performed Informally = 1;
Planned = 2; Well Defined = 3;
Quantitatively Controlled = 4; Continuously Improving = 5; Not
Applicable = Blank
NOTE: 5 is the highest level of maturity
Item Score
Category
Score
Help
Well Defined
3
Not Performed
0
Planned
2
14
28
29
30
11
12
Does your institution participate with local or national security groups (e.g., REN-ISAC, EDUCAUSE, InfraGard, Information
Systems Security Association, etc.)?
13
Does your institution have independent security reviews completed at planned intervals or when significant changes to the
environment occur?
33
34
35
36
14 Do all individuals interacting with systems receive information security awareness training?
15
16 Do the information security programs clearly state responsibilities, liabilities, and consequences?
17 Does your institution have a process for revoking system and building access and returning assigned assets?
18
39
Does your institution have a process for revoking system access when there is a position change or when responsibilities
change?
Planned
2
Well Defined
3
Not Performed
0
Well Defined
3
Well Defined
3
0.00
Total Score for ISO 8->
Asset Management (ISO 8)
37
38
Does your institution conduct specialized role-based training?
2.20
Total Score for ISO 7 ->
Human Resource Security (ISO 7)
31
32
Does your institution maintain relationships with local authorities?
19 Has your organization identified critical information assets and the functions that rely on them?
Not Performed
0
20 Does your institution classify information to indicate the appropriate levels of information security?
Not Performed
0
2.75
Total Score for ISO 9->
Access Control (ISO 9)
40
Does your institution have an access control policy for authorizing and revoking access rights to information systems?
21
Continuously Improving
5
Well Defined
3
Well Defined
3
24 Does your institution have procedures to regularly review users' access to ensure only needed privileges are applied?
Well Defined
3
25 Does your institution employ specific measures to secure remote access services?
Well Defined
3
41
Does your institution have a process in place for granting and revoking appropriate user access?
22
42
44
45
46
23
Does your institution have a password management program that follows current security standards?
HEISC Information Security Benchmark Assessment Tool for Higher Education
November 2012
B
C
D
E
F
G
Sl No
Questions
Not Performed = 0; Performed Informally = 1;
Planned = 2; Well Defined = 3;
Quantitatively Controlled = 4; Continuously Improving = 5; Not
Applicable = Blank
NOTE: 5 is the highest level of maturity
Item Score
Category
Score
Help
26
Does your institution employ technologies to block or restrict unencrypted sensitive information from traveling to untrusted
networks?
Well Defined
3
27
Does your institution have mechanisms in place to manage digital identities (accounts, keys, tokens) throughout their life
cycle, from registration through termination?
Well Defined
3
28 Is there a policy in place to restrict the sharing of passwords?
Well Defined
3
29 Does your institution prohibit use of generic accounts with privileged access to systems?
Well Defined
3
14
47
48
49
50
51
52
53
54
55
56
30
Does your institution have an authentication system in place that applies higher levels of authentication to protect resources
with higher levels of sensitivity?
Well Defined
3
31
Does your institution have an authorization system that enforces time limits lockout on login failure and defaults to
minimum privileges?
Well Defined
3
32
Does your institution have standards for isolating sensitive data and procedures and technologies in place to protect it from
unauthorized access and tampering?
Planned
2
33
Does your institution have usage guidance established for mobile computing devices (regardless of ownership) that store,
process, or transmit institutional data?
Planned
2
Planned
2
Well Defined
3
34 Does your institution require encryption on mobile (i.e., laptops, tablets, etc.) computing devices?
35
59
60
36 Does your institution use appropriate/vetted encryption methods to protect sensitive data in transit?
37 Do your policies indicate when encryption should be used (e.g., at rest, in transit, with sensitive or confidential data, etc.)?
38 Are standards for key management documented and employed?
62
63
64
Well Defined
3
Not Performed
0
Performed Informally
1
39
Do your institution's data centers include controls to ensure that only authorized parties are allowed physical access?
2.43
Total Score for ISO 11->
Physical and Environmental Security (ISO 11)
61
1.33
Total Score for ISO 10->
Cryptography (ISO 10)
57
58
Does your institution have a telework/communication policy that addresses multifactor access and security requirements for
the end point used?
Well Defined
3
40
Does your institution have preventative measures in place to protect critical hardware and wiring from natural and manmade threats?
Well Defined
3
41
Does your institution have a process for issuing keys, codes, and/or cards that require appropriate authorization and
background checks for access to these sensitive facilities?
Well Defined
3
HEISC Information Security Benchmark Assessment Tool for Higher Education
November 2012
B
Sl No
C
D
E
F
G
Questions
Not Performed = 0; Performed Informally = 1;
Planned = 2; Well Defined = 3;
Quantitatively Controlled = 4; Continuously Improving = 5; Not
Applicable = Blank
NOTE: 5 is the highest level of maturity
Item Score
Category
Score
Help
Well Defined
3
Planned
2
Well Defined
3
14
65
67
68
42 Does your institution follow vendor-recommended guidance for maintaining equipment?
Does your institution have a media-sanitization process that is applied to equipment prior to disposal, reuse, or release?
43
44 Are there processes in place to detect the unauthorized removal of equipment, information, or software?
70
71
72
73
74
75
76
77
78
79
80
81
82
83
45 Does your institution maintain security configuration standards for information systems and applications?
2.42
Total Score for ISO 12->
Operations Security (ISO 12)
69
Not Performed
0
46 Are changes to information systems tested, authorized, and reported?
Well Defined
3
47 Are duties sufficiently segregated to ensure unintentional or unauthorized modification of information is detected?
Well Defined
3
48 Are production systems separated from other stages of the development life cycle?
Well Defined
3
49
Does your institution have processes in place to monitor the utilization of key system resources and to mitigate the risk of
system downtime?
Well Defined
3
50
Are methods used to detect, quarantine, and eradicate known malicious code on information systems including
workstations, servers, and mobile computing devices?
Well Defined
3
51
Are methods used to detect and eradicate known malicious code transported by electronic mail, the web, or removable
media?
Well Defined
3
Planned
2
Planned
2
Performed Informally
1
55 Are Internet-accessible servers protected by more than one security layer (firewalls, network IDS, host IDS, application IDS)?
Well Defined
3
56 Are controls in place to protect, track, and report status of media that has been removed from secure organization sites?
Well Defined
3
52 Is your data backup process frequency consistent with the availability requirements of your organization?
Does your institution have a process for posture checking, such as current antivirus software, firewall enabled, OS patch
level, etc., of devices as they connect to your network?
Does your institution have a segmented network architecture to provide different levels of security based on the
54 information's classification?
53
57
Does your institution have a process in place to ensure data related to electronic commerce (e-commerce) traversing public
networks is protected from fraudulent activity, unauthorized disclosure, or modification?
Not Applicable
Blank
58
Are security-related activities such as hardware configuration changes, software configuration changes, access attempts, and
authorization and privilege assignments automatically logged?
Planned
2
HEISC Information Security Benchmark Assessment Tool for Higher Education
November 2012
B
C
D
E
F
G
Questions
Not Performed = 0; Performed Informally = 1;
Planned = 2; Well Defined = 3;
Quantitatively Controlled = 4; Continuously Improving = 5; Not
Applicable = Blank
NOTE: 5 is the highest level of maturity
Item Score
Category
Score
Help
59 Does your institution have a process for routinely monitoring logs to detect unauthorized and anomalous activities?
Well Defined
3
60 Does your institution record your log reviews (recertification/attestation)?
Well Defined
3
61 Are steps taken to secure log data to prevent unauthorized access and tampering?
Well Defined
3
62 Does your institution regularly review administrative and operative access to audit logs?
Well Defined
3
Sl No
14
84
85
86
87
63
Are file-integrity monitoring tools used to alert personnel to unauthorized modification of critical system files, configuration
files, or content files and to configure the software to perform critical file comparisons at least weekly?
Not Performed
0
64
Does your institution have a process to ensure synchronization of system clocks with an authoritative source (e.g., via NTP)
on a periodic basis commensurate with the potential risks?
Well Defined
3
88
89
91
92
93
65 Does your institution require the use of confidentiality or nondisclosure agreements for employees and third parties?
66 Does your institution routinely test your restore procedures?
67 Does your institution continuously monitor your wired and wireless networks for unauthorized access?
96
Quantitatively Controlled
4
Planned
2
Performed Informally
1
68
Does your institution have policies and procedures in place to protect exchanged information (within your organization and
in third-party agreements) from interception, copying, modification, misrouting, and destruction?
Planned
2
69
Does your institution ensure that user access to diagnostic and configuration ports is restricted to authorized individuals and
applications?
Planned
2
Planned
2
94
95
2.17
Total Score for ISO 13->
Communications Security (ISO 13)
90
70 Does your institution employ specific measures to prevent and detect rogue access for all of your wireless LANs?
71 Does your institution have a process for validating the security of purchased software products and services?
1.20
Total Score for ISO 14->
Systems Acquisition, Development, and Maintenance (ISO 14)
97
Performed Informally
1
Are new information systems or enhancements to existing information systems validated against defined security
requirements?
Performed Informally
1
Have standards been established that address secure coding practices (e.g., input validation, proper error handling, session
73 management, etc.), and take into consideration common application security vulnerabilities (e.g., CSRF, XSS, code injection,
etc.)?
101
Performed Informally
1
98
100
72
HEISC Information Security Benchmark Assessment Tool for Higher Education
November 2012
B
Sl No
C
D
E
F
G
Questions
Not Performed = 0; Performed Informally = 1;
Planned = 2; Well Defined = 3;
Quantitatively Controlled = 4; Continuously Improving = 5; Not
Applicable = Blank
NOTE: 5 is the highest level of maturity
Item Score
Category
Score
Help
Planned
2
Planned
2
14
102
103
104
105
106
107
108
109
110
111
112
74
75 Are policy and processes in place to check whether message integrity is required?
76
Incorrect output may occur, even in tested systems. Does your institution have validation checks to ensure data output is as
expected?
Planned
2
77
Have you established procedures for maintaining source code during the development life cycle and while in production to
reduce the risk of software corruption?
Performed Informally
1
78 Does your institution apply the same security standards for sensitive test data that you apply to sensitive production data?
Not Performed
0
79 Does your institution restrict and monitor access to source code libraries to reduce the risk of corruption?
Not Performed
0
Not Performed
0
Well Defined
3
Not Performed
0
Planned
2
Well Defined
3
80
Does your institution have a configuration-management process in place to ensure that changes to your critical systems are
for valid business reasons and have received proper authorization?
81
Are reviews and tests performed to ensure that changes made to production systems do not have an adverse impact on
security or operations?
82 Have you implemented tools and procedures to monitor for and prevent loss of sensitive data?
83 Do your contract agreements include security requirements for outsourced software development?
84
115
116
117
118
119
Does your institution have a patch management strategy in place and responsibilities assigned for monitoring and promptly
responding to patch releases, security bulletins, and vulnerability reports?
85
Does your institution specify security requirements in contracts with external entities (third party) before granting access to
sensitive institutional information assets?
86 Are requirements addressed and remediated prior to granting access to data, assets, and information systems?
87 Do agreements for external information system services specify appropriate security requirements?
88
Does your institution have a process in place for assessing that external information system providers comply with
appropriate security requirements?
89 Is external information system services provider compliance with security controls monitored?
90
Are external information system service agreements executed and routinely reviewed to ensure security requirements are
current?
0.83
Total Score for ISO 15->
Supplier Relationships (ISO 15)
113
114
Are validation checks incorporated into applications to detect any corruption of information through processing errors or
deliberate acts?
Planned
2
Well Defined
3
Not Performed
0
Not Performed
0
Not Performed
0
Not Performed
0
HEISC Information Security Benchmark Assessment Tool for Higher Education
November 2012
B
Sl No
C
D
E
F
G
Questions
Not Performed = 0; Performed Informally = 1;
Planned = 2; Well Defined = 3;
Quantitatively Controlled = 4; Continuously Improving = 5; Not
Applicable = Blank
NOTE: 5 is the highest level of maturity
Item Score
Category
Score
Help
14
121
122
91
Are incident-handling procedures in place to report and respond to security events throughout the incident life cycle,
including the definition of roles and responsibilities?
92 Are your incident response staff aware of legal or compliance requirements surrounding evidence collection?
Planned
2
Planned
2
Does your institution have a documented business continuity plan for information technology that is based on a business
93 impact analysis, is periodically tested, and has been reviewed and approved by senior staff or the board of trustees?
3.00
Total Score for ISO 17->
Information Security Aspects of Business Continuity Management (ISO 17)
123
2.00
Total Score for ISO 16->
Information Security Incident Management (ISO 16)
120
3
Well Defined
124
126
127
128
129
130
131
132
133
134
94
Does your institution have a records management or data governance policy that addresses the life cycle of both paper and
electronic records at your institution?
95 Does your institution have an enforceable data protection policy that covers personally identifiable information (PII)?
96 Does your institution have an Acceptable Use Policy that defines misuse?
97 Does your institution provide guidance for the community on export control laws?
98
Are standard operating procedures periodically evaluated for compliance with your organization's security policies,
standards, and procedures?
99
Does your institution perform periodic application and network layer vulnerability testing or penetration testing against
critical information systems?
100 Are you performing independent audits on information systems to identify strengths and weaknesses?
101
Are audit tools properly separated from development and operational system environments to prevent any misuse or
compromise?
THE END -- Overall Average ------>
1.43
Total Score for ISO 18->
Compliance (ISO 18)
125
Not Performed
0
Not Performed
0
Planned
2
Not Applicable
Blank
Not Performed
0
Planned
2
Well Defined
3
Well Defined
3
1.95
Related documents
Proposed draft liaison letter to ISO/IEC JTC 1/SC 25/WG 3,... request for review of “Expression of IEEE802.3an alien crosstalk requirements
Proposed draft liaison letter to ISO/IEC JTC 1/SC 25/WG 3,... request for review of “Expression of IEEE802.3an alien crosstalk requirements
Certified Currently Enrolled Letter DRAFT
Certified Currently Enrolled Letter DRAFT
Process Management and Improvement
Process Management and Improvement
Download
advertisement