192 Managing Network Vulnerability Assessment
7.1.4 Working in Secure Areas Are additional controls used for personnel or third parties working in the secure
area?
Y ___ N ___
7.1.5 Isolated Delivery and Loading Areas Are the computer room/data center delivery and loading areas isolated to prevent
unauthorized access?
Y ___ N ___
7.2 Equipment Security Equipment must be physically protected from security threats and environmental
hazards.
7.2.1 Equipment Location and Protection Is equipment located to reduce risks of environmental hazards and unauthorized
access?
Y ___ N ___
7.2.2 Power Supplies Is electronic equipment protected from power failures and other electrical
anomalies?
Y ___ N ___
7.2.3 Cabling Security Is power and telecommunications cabling protected from interception or
damage?
Y ___ N ___
7.2.4 Equipment Maintenance Have procedures been established to correctly maintain IT equipment to ensure
its continued availability and integrity?
Y ___ N ___
7.2.5 Security of Equipment Off-Premises Is equipment used off-site, regardless of ownership, provided the same degree
of protection afforded on-site IT equipment?
Y ___ N ___
7.3 General Controls Information and information processing facilities should be protected from
disclosure to, modification of, or theft by unauthorized persons, and controls
should be in place to minimize loss or damage.
7.3.1 Clear Desk and Clear Screen Policy Has a clear desk/clear screen policy for sensitive material been adopted to reduce
risks of unauthorized access, loss, or damage outside normal working hours?
Y ___ N ___
7.3.2 Removal of Property Are personnel required to have documented management authorization to take
equipment, data, or software off-site?
Y ___ N ___
Score (number of questions answered Yes):
ISO 17799 Self-Assessment Checklist 193
8 Communications and Operations Management
8.1 Operational Procedures and Responsibilities Responsibilities and procedures must be established for the management and
operation of all computers and networks.
8.1.1 Documented Operating Procedures Are operating procedures clearly documented for all operational computer
systems to ensure their correct, secure operation?
Y ___ N ___
8.1.2 Operational Change Control Is there a process for controlling changes to IT facilities and systems to ensure
satisfactory control of all changes to equipment, software, or procedures?
Y ___ N ___
8.1.3 Incident Management Procedures Are incident management responsibilities and procedures in place to ensure a
quick, effective, orderly response to security incidents?
Y ___ N ___
8.1.4 Segregation of Duties Are sensitive duties or areas of responsibility kept separate to reduce
opportunities for unauthorized modification or misuse of data or services?
Y ___ N ___
8.1.5 Separation of Development and Operational Facilities Are development and operational facilities segregated to reduce the risk of
accidental changes or unauthorized access to operational software and business data?
Y ___ N ___
8.2 System Planning and Acceptance Advance planning and preparation can ensure the availability of adequate
capacity and resources.
8.2.1 Capacity Planning Are capacity requirements monitored, and future requirements projected, to
reduce the risk of system overload?
Y ___ N ___
8.2.2 System Acceptance Have acceptance criteria for new systems been established, and have suitable tests
been performed prior to acceptance?
Y ___ N ___
8.3 Protection from Malicious Software Applying precautions to prevent and detect the introduction of malicious
software can safeguard the integrity of software and data.
8.3.1 Controls against Malicious Software Have virus detection and prevention measures and user awareness procedures
been implemented?
Y ___ N ___
8.4 Housekeeping Routine procedures should be established for making backup copies of data,
logging events and faults, and where appropriate, monitoring the equipment
environment.
8.4.1 Information Backup Has a process been established for making regular backup copies of essential
business data and software to ensure that it can be recovered following a
computer disaster or media failure?
Y ___ N ___
8.4.2 Operator Logs Are computer operators required to maintain a log of all work performed?
Y ___ N ___
8.4.3 Fault Logging Do procedures exist for logging faults reported by users regarding problems with
computer or communications systems?
Y ___ N ___
8.5 Network Management The security of computer networks that may span organizational boundaries must
be managed to safeguard information and to protect the supporting
infrastructure.
8.5.1 Network Controls Do appropriate controls ensure the security of data in networks, and the
protection of connected services from unauthorized access?
Y ___ N ___
8.6 Media Handling and Security Computer media should be controlled and physically protected to prevent
damage to assets and interruptions to business activities.
8.6.1 Management of Removable Computer Media Do procedures exist for the management of removable computer media such as
tapes, disks, cassettes, and printed reports?
Y ___ N ___
8.6.2 Disposal of Media Is a process in place to ensure that computer media is disposed of securely and
safely when no longer required?
Y ___ N ___
8.6.3 Information Handling Procedures Do procedures exist for handling sensitive data to protect such data from
unauthorized disclosure or misuse?
Y ___ N ___
8.6.4 Security of System Documentation Is system documentation protected from unauthorized access?
Y ___ N ___
8.7 Exchanges of Information and Software Exchanges of data and software between organizations should be controlled to
prevent loss, modification, or misuse of data.
8.7.1 Information and Software Exchange Agreements Do formal agreements exist, including software escrow agreements when
appropriate, for exchanging data and software (whether electronically or manually) between organizations?
Y ___ N ___
8.7.2 Security of Media in Transit Are controls applied to safeguard computer media being transported between
sites to minimize its vulnerability to unauthorized access, misuse, or corruption
during transportation?
Y ___ N ___
8.7.3 Electronic Commerce Security Are security controls applied where necessary to protect electronic commerce
(electronic data interchange, electronic mail, and online transactions across a public network such as the Internet)
against unauthorized interception or modification?
Y ___ N ___
8.7.4 Security of Electronic Mail Are controls applied where necessary to reduce the business and security risks
associated with electronic mail, to include interception, modification, and errors?
Y ___ N ___
8.7.5 Security of Electronic Office Systems Do clear policies and guidelines exist to control business and security risks
associated with electronic office systems?
Y ___ N ___
8.7.6 Publicly Available Systems Is there a formal authorization process before information is made publicly
available?
Y ___ N ___
8.7.7 Other Forms of Information Exchange Are procedures and controls in place to protect the exchange of information
through the use of voice, facsimile, and video communications facilities?
Y ___ N ___
Score (number of questions answered Yes):
9 Access Control
9.1 Business Requirement for System Access Policies for information dissemination and entitlement should control access to
computer services and data on the basis of business requirements.
9.1.1 Access Control Policy Are business requirements defined and documented for access control?
Y ___ N ___
9.2 User Access Management Formal procedures are needed to control allocation of access rights to IT
services.
9.2.1 User Registration Is there a formal user registration and deregistration procedure for access to all
multi-use IT services?
Y ___ N ___
9.2.2 Privilege Management Are there restrictions and controls over the use of any feature or facility of a
multi-user IT system that enables a user to override system or application
controls?
Y ___ N ___
9.2.3 User Password Management Has a formal password management process been established to control
passwords?
Y ___ N ___
9.2.4 Review of User Access Rights Does a formal process exist for periodic review of users’ access rights?
Y ___ N ___
9.3 User Responsibilities Users should be made aware of their responsibilities for maintaining effective
access controls, particularly regarding the use of passwords and security of user
equipment.
9.3.1 Password Use Have users been taught good security practices in the selection and use of
passwords?
Y ___ N ___
9.3.2 Unattended User Equipment Are all users and contractors made aware of the security requirements and
procedures for protecting unattended equipment?
Y ___ N ___
Are all users and contractors made aware of their responsibilities for
implementing such protection?
Y ___ N ___
9.4 Network Access Control Connections to network services should be controlled to ensure that connected
users or computer services do not compromise the security of any other
networked services.
9.4.1 Policy on Use of Network Services Does a process exist to ensure that network and computer services that can be
accessed by an individual user or from a particular terminal are consistent with business access control policy?
Y ___ N ___