Information Security Review
OSU Department of Internal Audit

Purpose:

The purpose of this review is to gain a better appreciation for the types of information security controls currently in place throughout the university. The review is built around an international best practice model that divides the security model into ten components. Our review will assess an organization's maturity level within each of the ten component areas based on the completion of a questionnaire, an interview (if necessary), and external vulnerability scan results. Additionally, when viewed collectively, category results should identify areas of increased risk across the university.

Process Overview:

The review process will be broken up into two phases.

Phase 1: Customers will complete the survey (i.e., the request for information / questionnaire) and return it to Internal Audit along with appropriate supporting documentation. We will then, if needed, schedule an appointment with you to go over the responses to make sure we have a thorough understanding of your Information Security infrastructure.

Phase 2: Internal Audit (IA) will run a vulnerability assessment utility (Sunbelt Network Security Inspector (SNSI)) which will scan your network for known security issues. The goal is to obtain scans from outside your environment, which represent key external threats. The results of the survey and scans will be shared with area IT management.

The Questionnaire:

The questionnaire you are about to complete is designed to evaluate an organization's Information Security infrastructure using IT-industry best practices as its foundation. While this is not a comprehensive technical review, we believe it is an indication of how you control and manage your organization's Information Security infrastructure.
The questionnaire is broadly based on British Standard (BS) 7799, the United Kingdom standard for information security, which provides real, practical guidance toward achieving the goals of information security. BS 7799 Part 2:2000 is also a sub-section in the International Organization for Standards (ISO) / International Electrotechnical Commission (IEC) 17799 Code of Practice for Information Security Management. ISO/IEC 17799:2000 addresses topics in terms of policies and general good practices. The document specifically identifies itself as "a starting point for developing organization specific guidance." As such, it is deemed to be a prudent best practice framework for evaluating an organization's approach to managing its Information Security infrastructure. The questionnaire is based in large part on a questionnaire produced by the UK Department of Trade and Industry (http://www.dti.gov.uk/index.html).

Internal Audit 106748597 Page 1 3/6/2016

The questionnaire is comprised of 11 sections. The first, General Information, is designed to provide a high-level overview of your environment. The remaining 10 sections follow the BS 7799 model and are comprised of a series of YES / NO questions. These sections include Security Governance, Security Organization, Asset Classification & Control, Personnel Security, Physical & Environmental Security, Communications & Operations Management, Access Control, Systems Development & Maintenance, Business Continuity Management, and Compliance.

Note: the questionnaire is not a full risk assessment, does not fully replicate the provisions of BS 7799, and cannot be used to claim adherence to the standard.

Survey Instructions:

The request for information and questionnaire were built using Microsoft Excel to make your data entry easy and manageable. Press TAB to move across fields.
Simply complete all the fields on the request for information and all questions on the questionnaire, save it, and send a copy of the file back to Internal Audit (see contact information below). Documentation identified on the request for information should be emailed or mailed to Internal Audit. While the General Information section does have a few fill-in-the-blank fields, most of the questionnaire is comprised of YES/NO questions or a variation of that. The questionnaire should take approximately 30-45 minutes to complete.

If you have problems opening the document in Excel or if you have any questions, contact one of the members of our Information Systems Audit team: Joseph Volpi (8-4266), James D'Innocenzo (8-4224), or Samir Sheth (8-4496).

Internal Audit Contact Information:

Department of Internal Audit – Attn: IS Audit
2080 Blankenship Hall
901 Woody Hayes Drive
Columbus, Ohio 43210
Email: iawebsurvey@ia.ohio-state.edu
Phone: 614-292-9680
Fax: 614-292-7938