HEISC Information Security Benchmark Assessment Tool for Higher Education (November 2012)

This tool can be used to assess an enterprise information security program, department, or other. Scope selected from the drop-down box: Enterprise Information Security Program

Name of persons completing assessment:
1. N.M.I Raisul Bari
2. Md. Ekramul Hoq
3. Nazia Mahbub
Name of Division or institution (if applicable): Technology Division, bKash Limited
Date completed:

Scoring scale for each item: Not Performed = 0; Performed Informally = 1; Planned = 2; Well Defined = 3; Quantitatively Controlled = 4; Continuously Improving = 5; Not Applicable = Blank. NOTE: 5 is the highest level of maturity.

Each line below reads: Sl No | Question | Rating | Item Score. The category score follows each category heading.

Risk Management (ISO 27005:2011) | Total Score for Risk Management: 0.00
1 | Does your institution have a risk management program? | no | 0
2 | Does your institution have a process for identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing sensitive information? | Not Performed | 0
3 | Does your organization conduct routine risk assessments to identify the key objectives that need to be supported by your information security program? | Not Performed | 0

Information Security Policies (ISO 5) | Total Score for ISO 5: 2.67
4 | Does your institution have an information security policy that has been approved by management? | Well Defined | 3
5 | Has it been published and communicated to all relevant parties? | Well Defined | 3
6 | Does your institution review the policy at defined intervals to encompass significant change and monitor for compliance? | Planned | 2

Organization of Information Security (ISO 6) | Total Score for ISO 6: 2.29
7 | Does your information security function have the authority it needs to manage and ensure compliance with the information security program? | Well Defined | 3
8 | Does your institution have an individual with enterprise-wide information security responsibility and authority written in their job description, or equivalent? Note: This may be the CIO, CISO, CSO, or other. | Continuously Improving | 5
9 | Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes, and audits? | Well Defined | 3
10 | Is there a formal process for having the individual with information security responsibility assess and sign off on appropriate hardware, software, and services, ensuring they follow security policies and requirements? | Not Performed | 0
11 | Does your institution maintain relationships with local authorities? | Well Defined | 3
12 | Does your institution participate with local or national security groups (e.g., REN-ISAC, EDUCAUSE, InfraGard, Information Systems Security Association, etc.)? | Not Performed | 0
13 | Does your institution have independent security reviews completed at planned intervals or when significant changes to the environment occur? | Planned | 2

Human Resource Security (ISO 7) | Total Score for ISO 7: 2.20
14 | Do all individuals interacting with systems receive information security awareness training? | Planned | 2
15 | Does your institution conduct specialized role-based training? | Well Defined | 3
16 | Do the information security programs clearly state responsibilities, liabilities, and consequences? | Not Performed | 0
17 | Does your institution have a process for revoking system and building access and returning assigned assets? | Well Defined | 3
18 | Does your institution have a process for revoking system access when there is a position change or when responsibilities change? | Well Defined | 3

Asset Management (ISO 8) | Total Score for ISO 8: 0.00
19 | Has your organization identified critical information assets and the functions that rely on them? | Not Performed | 0
20 | Does your institution classify information to indicate the appropriate levels of information security? | Not Performed | 0

Access Control (ISO 9) | Total Score for ISO 9: 2.75
21 | Does your institution have an access control policy for authorizing and revoking access rights to information systems? | Continuously Improving | 5
22 | Does your institution have a process in place for granting and revoking appropriate user access? | Well Defined | 3
23 | Does your institution have a password management program that follows current security standards? | Well Defined | 3
24 | Does your institution have procedures to regularly review users' access to ensure only needed privileges are applied? | Well Defined | 3
25 | Does your institution employ specific measures to secure remote access services? | Well Defined | 3
26 | Does your institution employ technologies to block or restrict unencrypted sensitive information from traveling to untrusted networks? | Well Defined | 3
27 | Does your institution have mechanisms in place to manage digital identities (accounts, keys, tokens) throughout their life cycle, from registration through termination? | Well Defined | 3
28 | Is there a policy in place to restrict the sharing of passwords? | Well Defined | 3
29 | Does your institution prohibit use of generic accounts with privileged access to systems? | Well Defined | 3
30 | Does your institution have an authentication system in place that applies higher levels of authentication to protect resources with higher levels of sensitivity? | Well Defined | 3
31 | Does your institution have an authorization system that enforces time limits, lockout on login failure, and defaults to minimum privileges? | Well Defined | 3
32 | Does your institution have standards for isolating sensitive data, and procedures and technologies in place to protect it from unauthorized access and tampering? | Planned | 2
33 | Does your institution have usage guidance established for mobile computing devices (regardless of ownership) that store, process, or transmit institutional data? | Planned | 2
34 | Does your institution require encryption on mobile (i.e., laptops, tablets, etc.) computing devices? | Planned | 2
35 | Does your institution have a telework/communication policy that addresses multifactor access and security requirements for the end point used? | Well Defined | 3

Cryptography (ISO 10) | Total Score for ISO 10: 1.33
36 | Does your institution use appropriate/vetted encryption methods to protect sensitive data in transit? | Well Defined | 3
37 | Do your policies indicate when encryption should be used (e.g., at rest, in transit, with sensitive or confidential data, etc.)? | Not Performed | 0
38 | Are standards for key management documented and employed? | Performed Informally | 1

Physical and Environmental Security (ISO 11) | Total Score for ISO 11: 2.43
39 | Do your institution's data centers include controls to ensure that only authorized parties are allowed physical access? | Well Defined | 3
40 | Does your institution have preventative measures in place to protect critical hardware and wiring from natural and manmade threats? | Well Defined | 3
41 | Does your institution have a process for issuing keys, codes, and/or cards that require appropriate authorization and background checks for access to these sensitive facilities? | Well Defined | 3
42 | Does your institution follow vendor-recommended guidance for maintaining equipment? | Well Defined | 3
43 | Does your institution have a media-sanitization process that is applied to equipment prior to disposal, reuse, or release? | Planned | 2
44 | Are there processes in place to detect the unauthorized removal of equipment, information, or software? | Well Defined | 3

Operations Security (ISO 12) | Total Score for ISO 12: 2.42
45 | Does your institution maintain security configuration standards for information systems and applications? | Not Performed | 0
46 | Are changes to information systems tested, authorized, and reported? | Well Defined | 3
47 | Are duties sufficiently segregated to ensure unintentional or unauthorized modification of information is detected? | Well Defined | 3
48 | Are production systems separated from other stages of the development life cycle? | Well Defined | 3
49 | Does your institution have processes in place to monitor the utilization of key system resources and to mitigate the risk of system downtime? | Well Defined | 3
50 | Are methods used to detect, quarantine, and eradicate known malicious code on information systems including workstations, servers, and mobile computing devices? | Well Defined | 3
51 | Are methods used to detect and eradicate known malicious code transported by electronic mail, the web, or removable media? | Well Defined | 3
52 | Is your data backup process frequency consistent with the availability requirements of your organization? | Planned | 2
53 | Does your institution have a process for posture checking, such as current antivirus software, firewall enabled, OS patch level, etc., of devices as they connect to your network? | Planned | 2
54 | Does your institution have a segmented network architecture to provide different levels of security based on the information's classification? | Performed Informally | 1
55 | Are Internet-accessible servers protected by more than one security layer (firewalls, network IDS, host IDS, application IDS)? | Well Defined | 3
56 | Are controls in place to protect, track, and report status of media that has been removed from secure organization sites? | Well Defined | 3
57 | Does your institution have a process in place to ensure data related to electronic commerce (e-commerce) traversing public networks is protected from fraudulent activity, unauthorized disclosure, or modification? | Not Applicable | Blank
58 | Are security-related activities such as hardware configuration changes, software configuration changes, access attempts, and authorization and privilege assignments automatically logged? | Planned | 2
59 | Does your institution have a process for routinely monitoring logs to detect unauthorized and anomalous activities? | Well Defined | 3
60 | Does your institution record your log reviews (recertification/attestation)? | Well Defined | 3
61 | Are steps taken to secure log data to prevent unauthorized access and tampering? | Well Defined | 3
62 | Does your institution regularly review administrative and operative access to audit logs? | Well Defined | 3
63 | Are file-integrity monitoring tools used to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and to configure the software to perform critical file comparisons at least weekly? | Not Performed | 0
64 | Does your institution have a process to ensure synchronization of system clocks with an authoritative source (e.g., via NTP) on a periodic basis commensurate with the potential risks? | Well Defined | 3

Communications Security (ISO 13) | Total Score for ISO 13: 2.17
65 | Does your institution require the use of confidentiality or nondisclosure agreements for employees and third parties? | Quantitatively Controlled | 4
66 | Does your institution routinely test your restore procedures? | Planned | 2
67 | Does your institution continuously monitor your wired and wireless networks for unauthorized access? | Performed Informally | 1
68 | Does your institution have policies and procedures in place to protect exchanged information (within your organization and in third-party agreements) from interception, copying, modification, misrouting, and destruction? | Planned | 2
69 | Does your institution ensure that user access to diagnostic and configuration ports is restricted to authorized individuals and applications? | Planned | 2
70 | Does your institution employ specific measures to prevent and detect rogue access for all of your wireless LANs? | Planned | 2

Systems Acquisition, Development, and Maintenance (ISO 14) | Total Score for ISO 14: 1.20
71 | Does your institution have a process for validating the security of purchased software products and services? | Performed Informally | 1
72 | Are new information systems or enhancements to existing information systems validated against defined security requirements? | Performed Informally | 1
73 | Have standards been established that address secure coding practices (e.g., input validation, proper error handling, session management, etc.), and take into consideration common application security vulnerabilities (e.g., CSRF, XSS, code injection, etc.)? | Performed Informally | 1
74 | Are validation checks incorporated into applications to detect any corruption of information through processing errors or deliberate acts? | Planned | 2
75 | Are policy and processes in place to check whether message integrity is required? | Planned | 2
76 | Incorrect output may occur, even in tested systems. Does your institution have validation checks to ensure data output is as expected? | Planned | 2
77 | Have you established procedures for maintaining source code during the development life cycle and while in production to reduce the risk of software corruption? | Performed Informally | 1
78 | Does your institution apply the same security standards for sensitive test data that you apply to sensitive production data? | Not Performed | 0
79 | Does your institution restrict and monitor access to source code libraries to reduce the risk of corruption? | Not Performed | 0
80 | Does your institution have a configuration-management process in place to ensure that changes to your critical systems are for valid business reasons and have received proper authorization? | Not Performed | 0
81 | Are reviews and tests performed to ensure that changes made to production systems do not have an adverse impact on security or operations? | Well Defined | 3
82 | Have you implemented tools and procedures to monitor for and prevent loss of sensitive data? | Not Performed | 0
83 | Do your contract agreements include security requirements for outsourced software development? | Planned | 2
84 | Does your institution have a patch management strategy in place and responsibilities assigned for monitoring and promptly responding to patch releases, security bulletins, and vulnerability reports? | Well Defined | 3

Supplier Relationships (ISO 15) | Total Score for ISO 15: 0.83
85 | Does your institution specify security requirements in contracts with external entities (third party) before granting access to sensitive institutional information assets? | Planned | 2
86 | Are requirements addressed and remediated prior to granting access to data, assets, and information systems? | Well Defined | 3
87 | Do agreements for external information system services specify appropriate security requirements? | Not Performed | 0
88 | Does your institution have a process in place for assessing that external information system providers comply with appropriate security requirements? | Not Performed | 0
89 | Is external information system services provider compliance with security controls monitored? | Not Performed | 0
90 | Are external information system service agreements executed and routinely reviewed to ensure security requirements are current? | Not Performed | 0

Information Security Incident Management (ISO 16) | Total Score for ISO 16: 2.00
91 | Are incident-handling procedures in place to report and respond to security events throughout the incident life cycle, including the definition of roles and responsibilities? | Planned | 2
92 | Are your incident response staff aware of legal or compliance requirements surrounding evidence collection? | Planned | 2

Information Security Aspects of Business Continuity Management (ISO 17) | Total Score for ISO 17: 3.00
93 | Does your institution have a documented business continuity plan for information technology that is based on a business impact analysis, is periodically tested, and has been reviewed and approved by senior staff or the board of trustees? | Well Defined | 3

Compliance (ISO 18) | Total Score for ISO 18: 1.43
94 | Does your institution have a records management or data governance policy that addresses the life cycle of both paper and electronic records at your institution? | Not Performed | 0
95 | Does your institution have an enforceable data protection policy that covers personally identifiable information (PII)? | Not Performed | 0
96 | Does your institution have an Acceptable Use Policy that defines misuse? | Planned | 2
97 | Does your institution provide guidance for the community on export control laws? | Not Applicable | Blank
98 | Are standard operating procedures periodically evaluated for compliance with your organization's security policies, standards, and procedures? | Not Performed | 0
99 | Does your institution perform periodic application and network layer vulnerability testing or penetration testing against critical information systems? | Planned | 2
100 | Are you performing independent audits on information systems to identify strengths and weaknesses? | Well Defined | 3
101 | Are audit tools properly separated from development and operational system environments to prevent any misuse or compromise? | Well Defined | 3

THE END

Overall Average: 1.95