Appendix A-1
ISO 17799 Self-Assessment Checklist
How to Use This Self-Assessment Checklist
This checklist is designed to assist you in taking “snapshots” of your organization’s security status. Answer each question, checking Y or N. The blank column is designed for comments.
When you have finished each section, add the points — one for each question
answered Y.
Finally, total score (Sections 3 through 12): ______
Superior: > 95 “yes” answers
Fair: 82 – 95 “yes” answers
Marginal: 68 – 81 “yes” answers
Poor: 54 – 67 “yes” answers
At Risk: < 54 “yes” answers
188 Managing Network Vulnerability Assessment
3 Security Policy
Note: ISO 17799, Sections 1 and 2 are non-action items and are not included in this checklist.
3.1 Information Security Policy
Management direction and support for information security must be clearly established.
3.1.1 Information Security Policy Document Development
Has an information security policy document been developed?
Y ___ N ___
3.1.2 Information Security Policy Document Publication
Has an information security policy document been published?
Y ___ N ___
Score (number of questions answered Yes):
4 Organizational Security
4.1 Information Security Infrastructure
A management framework must be established to initiate and control the implementation of information security within the organization.
4.1.1 Management Information Security Forum
Has a forum been established to oversee and represent information security?
Y ___ N ___
4.1.2 Information Security Coordination
Has a process been established to coordinate implementation of information security measures?
Y ___ N ___
4.1.3 Allocation of Information Security Responsibilities
Are responsibilities for accomplishment of information security requirements clearly defined?
Y ___ N ___
4.1.4 Authorization Process for Information Processing Facilities
Has a management approval process been established to authorize new IT facilities from both a business and technical standpoint?
Y ___ N ___
4.1.5 Specialist Information Security Advice
Has a capability been established that provides specialized information security advice?
Y ___ N ___
4.1.6 Cooperation between Organizations
Is there a liaison with external information security personnel and organizations, including industry and government security specialists, law enforcement authorities, IT service providers, and telecommunications authorities?
Y ___ N ___
4.1.7 Independent Review of Information Security
Has an independent review of information security practices been conducted to ensure feasibility, effectiveness, and compliance with written policies?
Y ___ N ___
4.2 Security of Third-Party Access
The organizational IT facilities and information assets that control the access of nonorganizational third parties must be kept secure.
4.2.1 Identification of Risks from Third-Party Access
Have third-party connection risks been analyzed?
Y ___ N ___
Combating Risks from Third-Party Connections
Have specific security measures been identified to combat third-party connection risks?
Y ___ N ___
4.2.2 Security Conditions in Third-Party Contracts
Are security requirements included in formal third-party contracts?
Y ___ N ___
4.3 Outsourcing
The security of information should be maintained even when the responsibility for the processing has been outsourced to another organization.
4.3.1 Security Requirements in Outsourcing Contracts
Have the security requirements of the information owners been addressed in a contract between the owners and the outsource organization?
Y ___ N ___
Score (number of questions answered Yes):
5 Asset Classification and Control
5.1 Accounting of Assets
Appropriate accounting of organizational assets must be established.
5.1.1 Inventory of Assets
Have inventories of major assets associated with each information system been created?
Y ___ N ___
5.2 Information Classification
Security classifications should be used to indicate the need for, and priorities for, security protection of information assets.
5.2.1 Classification Guidelines
Have security classification guidelines been established to indicate the need for, and priorities for, security protection?
Y ___ N ___
5.2.2 Information Labeling and Handling
Has a process been implemented for labeling information that requires security protection?
Y ___ N ___
Score (number of questions answered Yes):
6 Personnel Security
6.1 Security in Job Definitions and Resourcing
Security should be addressed at the recruitment stage, included in job descriptions and contracts, and monitored during an individual’s employment.
6.1.1 Security in Job Descriptions
Are security responsibilities included in employee job descriptions?
Y ___ N ___
6.1.2 Personnel Screening and Policy
Are employment applications screened for jobs that require access to sensitive information?
Y ___ N ___
6.1.3 Confidentiality Agreement
Are nondisclosure agreements required?
Y ___ N ___
6.1.4 Terms and Conditions of Employment
Do the terms and conditions of employment include the employee’s responsibility for information security, including duration after employment and consequences of failure to fulfill these terms?
Y ___ N ___
6.2 User Training
Users should be trained in security procedures and the correct use of IT facilities.
6.2.1 Information Security Education and Training
Before they are granted access to IT facilities, are users trained in information security policies and procedures, security requirements, business controls, and the correct use of IT facilities?
Y ___ N ___
6.3 Responding to Security Incidents and Malfunctions
Incidents affecting security should be reported through management channels as quickly as possible.
6.3.1 Reporting of Security Incidents
Do formal reporting and incident response procedures exist to identify action to be taken on receipt of an incident report?
Y ___ N ___
6.3.2 Reporting of Security Weaknesses
Are users required to note and report all observed or suspected security weaknesses in or threats to systems or services?
Y ___ N ___
6.3.3 Reporting of Software Malfunctions
Are users required to note and report to IT support any software that does not function correctly?
Y ___ N ___
6.3.4 Learning from Incidents
Are mechanisms in place to monitor the types, volumes, and costs of incidents and malfunctions?
Y ___ N ___
6.3.5 Disciplinary Process
Does a formal disciplinary process exist for dealing with employees who violate security policies and procedures?
Y ___ N ___
Score (number of questions answered Yes):
7 Physical and Environmental Security
7.1 Secure Areas
IT facilities supporting critical or sensitive business activities belong in secure areas.
7.1.1 Physical Security Perimeter
Does physical security protection exist, based on defined perimeters through strategically located barriers, throughout the organization?
Y ___ N ___
7.1.2 Physical Entry Controls
Are entry controls employed over secure areas to ensure only authorized personnel can gain access?
Y ___ N ___
7.1.3 Securing Offices, Rooms, and Facilities
Is physical security for data centers and computer rooms commensurate with threats?
Y ___ N ___