ISO domain
by admin | Jan 20, 2021

Welcome to the ISO domain questionnaire. Each question is answered Yes or No.

Access control
- Do you need to change your corporate password at least every 40 days? Yes / No
- Did your IT consult your DPO (Data Protection Officer) about using biometrics for authentication purposes before implementing the solution? Yes / No
- Do you use Single Sign-On (i.e. you enter your credentials only once and can then access all your applications)? Yes / No
- Is HR responsible for centrally triggering your on- and offboarding? Yes / No
- Is the turnover of your personnel higher than 15%? Yes / No
- Did you have, in the past 15 months, an incident that led to data loss (a breach)? Yes / No
- Is access management (assigning user permissions within the application) administered by your business departments? Yes / No
- Your marketing department wants a view on your website visits (gender, location, device type), so they ask IT for the statistics. They argue they need it ad hoc because the CEO asked for it. Is it OK for IT to deliver it? Yes / No

Document management
- Have you ever read your documents on logical access, change and incident management? Do you know where to find them within your organisation? Yes / No
- Is the following statement correct? "Changes should be managed in a controlled way." Yes / No
- Is the following statement correct? "You do not need detailed, written procedures for areas like access management, change management and incident management, because your people know how the processes work." Yes / No
- A control definition should be simple and short, but descriptive enough. Based on that statement, do you find the control definition below appropriate? "Changes need to be tested." Yes / No

Network security
- The most important technical device that protects your organisation from internet attacks is a router. Yes / No
- Does IT network security include physical access? Yes / No
- Can you and your employees access company applications and data from private devices (not issued by your company)? Yes / No
- Is it true that a firewall is a very thick wall that holds back the fire? Yes / No
- Has your organisation performed a penetration test on your network in the last 3 years? Yes / No
- Can you turn off the anti-virus system on your corporate PC/laptop? Yes / No
- Do you have a secure, dedicated place where you store your IT system configuration documentation in an organised fashion? Do you know where that place is? Yes / No

Human resource security
- Do you check the employment history of your employees with their previous employers? Do you check their criminal backgrounds? Yes / No
- Do you have a disciplinary process, and do you make your employees confirm that they have read and understood it? Yes / No
- Do you have a training budget reserved so that your technical people can attend at least 1 training a year? Yes / No
- Did you have a security awareness training in the last 12 months? Yes / No
- Do you know with confidence that your organisation has no active user accounts for employees and contractors who have left the organisation? Yes / No

Organization of information security
- Do you have a security officer? Yes / No
- Does your security officer have other operational responsibilities? Yes / No
- Are you concerned about what your security officer does (whether he brings value to the table)? Yes / No
- Does your security officer report to the IT Manager (CIO)? Yes / No

Asset management
- Do you feel there is too much security in your organisation? Yes / No
- Is knowing the IT assets critical for IT security? Yes / No
- Does your organisation have a complete central repository of IT assets? Yes / No
- Does your organisation have an automated mechanism to keep the asset repository up to date? Yes / No
- Do you consider the age and the available support when managing your IT assets? Yes / No

Physical and environmental security
- Do you allow externals (guests, not contractors whose permanent presence is required) to wander around your company premises without being escorted? Yes / No
- Do you have a badge reader on your data center / computer room? Yes / No
- Do you review (regularly, at least yearly) the list of active cards allowing access to your premises and the data center / computer room? Yes / No
- Is there a practice of sharing access badges in your organisation? Or do you let people through a badge-reader-controlled door when they do not badge? Yes / No
- Is each employee and contractor assigned only one access badge? Yes / No

Operations security
- Are your servers patched regularly (at least quarterly)? Yes / No
- Do you apply a secure baseline configuration on your servers and databases? Yes / No
- Do you monitor whether the servers are up and running and not overloaded? Yes / No
- Can you turn off anti-virus on your corporate laptop/desktop? Yes / No
- Have you been hit recently by a computer virus or ransomware? Yes / No

System acquisition, development and maintenance
- Do you have a baseline requirement set to assess whether software to be acquired meets the basic security requirements of your organisation? Yes / No
- Do you have at least 3 separate environments (development, user acceptance testing and production) for each system where your organisation has custom-built applications? Yes / No
- Does the business always perform user acceptance testing on changes of a business nature (i.e. non-technical)? Yes / No
- Are your developers allowed to make fixes in the production environment? Yes / No

Supplier relationships
- Are your security requirements covered in your contracts with your suppliers? Yes / No
- Do you review third-party audit reports or perform audits on your suppliers to confirm that they have secure operations? Yes / No
- Do you measure service level delivery for your suppliers? Yes / No
- Did you define in your contract with the service provider how data breaches should be handled and whose responsibility it is to report them to the Data Protection Authority? Yes / No

Information security incident management
- Does your contract with your service provider have provisions that they should only make changes to the systems based on approved change tickets? Yes / No
- Do you have a formal incident management procedure in place? Yes / No
- Does your incident management procedure have requirements on how to handle security incidents? Yes / No
- Do you flag security-related incidents with a special marker in your ticketing tool? Yes / No
- Does your security incident process involve the security officer and the Data Protection Officer, subject to a predefined set of criteria? Yes / No

Information security aspects of business continuity management
- Do you have incidents recurring regularly (more than 5 per week on production systems at system level)? Yes / No
- Do you have a Business Continuity or Contingency Plan (BCP) in place? Yes / No
- Was your BCP tested in the last 2 years? Yes / No
- Does your organisation have a Disaster Recovery Plan (DRP)? Yes / No
- Was your DRP tested in the last 12 months? Yes / No
- Did your IT assess whether you can recover business operations under the DRP in a way that meets the expectations of the business? Yes / No
- Do you have provisions in place concerning a recovery site for your DRP? Yes / No

Compliance
- Do you think that your organisation is GDPR compliant? Yes / No
- Do you have a Registry of Processing Activities? Yes / No
- Does your organisation know how to handle data breaches (including but not limited to: whom to contact, timeframes available)? Yes / No
- Do you know whether your company's internet site has appropriate cookie and privacy notices published? Yes / No
- Are you sure that the cookie categorisation in your cookie policy is in line with the regulation (e.g. Google Analytics does not belong in the functional/necessary category)? Yes / No
- Are you confident that your organisation takes into consideration all legislative requirements (not only GDPR, which applies to all parties)? Yes / No

Cryptography
- Do you have a physically separated environment for managing the encryption management system? Yes / No
- Do you limit physical access to the encryption management system to the bare minimum (only those who manage the encryption keys and the system itself)? Yes / No
- Do you think that in order to comply with GDPR you need to use encryption on personal data? Yes / No