ISMS risk calculator spreadsheet v0.1
Description: ISO risk
ISO domains: Access Control; Asset Classification & Control; Business Continuity Management; Communications & Operations Management; Compliance; Organizational Security; Personnel Security; Physical and Environmental Security; Security Policy; Systems Development

04/19/2023 © BITS 2003. All rights reserved.

BITS KEY RISK MEASUREMENT TOOL FOR INFORMATION SECURITY OPERATIONAL RISKS

ISO Domain Reference | Basel Loss Category for Operational Risk | Threat Event | Vulnerability | Security Control | Likelihood of Threat (Input) | Degree to which Control is Implemented (Input) | Impact if Control is not Implemented (Input) | Control vs. Impact Score | Residual Risk Score
Access Control | Business Disruption and System Failures | Application software failure | Security events are not logged at the application level. | Security events are logged at the application level. | 10% | 0 | 0 | 5 | 0.50
Access Control | Business Disruption and System Failures | Application software failure | Application testing is not performed. | Application testing is performed. | | | | 5 | 0.00
Access Control | External Fraud | Computer crime | System access logs are not created and reviewed to identify use or attempted use and modification or attempted modification of critical systems components (files, registry entries, configurations, security settings/parameters, | System access logs are created and reviewed to identify use or attempted use and modification or attempted modification of critical systems components (files, registry entries, configurations, security settings/parameters, audit logs). | | | | 5 | 0.00
Access Control | External Fraud | Computer crime | System access logs are not stored in a secure fashion with limited access and are not protected from alteration or deletion. | System access logs are stored in a secure fashion with limited access and protected from alteration or deletion. | | | | 5 | 0.00
Access Control | Internal Fraud | Computer crime | Policies that define the removal of information from company facilities are not in place and are not communicated to all employees. | Policies that define the removal of information from company facilities are in place and communicated to all employees. | | | | 5 | 0.00
Access Control | External Fraud | Computer crime | Policies that define the removal of information from company facilities are not in place and are not communicated to all employees. | Policies that define the removal of information from company facilities are in place and communicated to all employees. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | DDoS or DoS attacks | Ingress/egress filtering is not enabled/supported on routers. | Network routers do ingress and egress filtering. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | DDoS or DoS attacks | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | DDoS or DoS attacks | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | | | | 5 | 0.00
Access Control | External Fraud | DDoS or DoS attacks | SNMP best practices have not been implemented. | SNMP best practices have been implemented. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | DDoS or DoS attacks | Technology such as encryption, VPN client technology, etc. is not used during remote connectivity. | Confidentiality of sensitive information is ensured during remote connectivity using appropriate technology such as encryption, VPN client technology, etc. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | DDoS or DoS attacks | The remote access client allows split tunneling. | The remote access client prohibits split tunneling. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | DDoS or DoS attacks | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | DDoS or DoS attacks | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | DDoS or DoS attacks | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | DDoS or DoS attacks | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | | | | 5 | 0.00
Access Control | Execution, Delivery and Process Management | Human error | Host level system authorization mechanisms are not in place. | Host level system authorization mechanisms are in place. | | | | 5 | 0.00
Access Control | Execution, Delivery and Process Management | Human error | Operating system master and sub-master consoles are not located in a protected and controlled area. | Operating system master and sub-master consoles are located in a protected and controlled area. | | | | 5 | 0.00
Access Control | Execution, Delivery and Process Management | Human error | A comprehensive policy outlining remote user requirements is not in place and is not communicated to and/or is not understood or followed by the | A comprehensive policy outlining remote user requirements is in place and communicated via an agreement signed by the employee. | | | | 5 | 0.00
Access Control | External Fraud | Lawsuits/litigation | Procedures do not exist to verify the authenticity of the counter party providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys. | Procedures exist to verify the authenticity of the counter party providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys. | | | | 5 | 0.00
Access Control | Execution, Delivery and Process Management | Lawsuits/litigation | Procedures do not exist to verify the authenticity of the counter party providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys. | Procedures exist to verify the authenticity of the counter party providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys. | | | | 5 | 0.00
Access Control | Clients, Products and Business Practices | Lawsuits/litigation | Procedures do not exist to verify the authenticity of the counter party providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys. | Procedures exist to verify the authenticity of the counter party providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys. | | | | 5 | 0.00
Access Control | Execution, Delivery and Process Management | Lawsuits/litigation | Ingress/egress filtering is not enabled/supported on routers. | Network routers do ingress and egress filtering. | | | | 5 | 0.00
Access Control | Execution, Delivery and Process Management | Lawsuits/litigation | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | | | | 5 | 0.00
Access Control | Execution, Delivery and Process Management | Lawsuits/litigation | Session encryption is not used for external IP access. | External IP access, including system-to-system authentication, uses session encryption. | | | | 5 | 0.00
Access Control | Internal Fraud | Leaving computer screen exposed or unlocked | Workstation screensaver/lockout features are not enabled/system enforced. Policies/guidelines do | The desktop is configured to log off, lock or use a password protected screen saver whenever the computer is left unattended. | | | | 5 | 0.00
Access Control | External Fraud | Leaving computer screen exposed or unlocked | Workstation screensaver/lockout features are not enabled/system enforced. Policies/guidelines do | The desktop is configured to log off, lock or use a password protected screen saver whenever the computer is left unattended. | | | | 5 | 0.00
Access Control | Internal Fraud | Leaving computer screen exposed or unlocked | No limitations or restrictions have been placed on connection times. | Limitations and/or restrictions have been placed on connection times for activities such as batch processing (i.e., restricting connections, time-outs, and/or | | | | 5 | 0.00
Access Control | External Fraud | Leaving sensitive documents exposed | Policies that define the removal of information from company facilities are not in place and are not communicated to all employees. | Policies that define the removal of information from company facilities are in place and communicated to all employees. | | | | 5 | 0.00
Access Control | External Fraud | Leaving sensitive documents exposed | Security controls for equipment and information used in mobile computers have not been established. | Security controls for equipment and information used in mobile computers have been established including: permissible equipment use and security of that equipment (e.g., double-wrapped envelopes, locked briefcases/cabinets, encrypted data, digital certificates, etc.), security and backup of information | | | | 5 | 0.00
Access Control | External Fraud | Lost or stolen laptops | Security controls for equipment and information used in mobile computers have not been established. | Security controls for equipment and information used in mobile computers have been established including: permissible equipment use and security of that equipment (e.g., double-wrapped envelopes, locked briefcases/cabinets, encrypted data, digital certificates, etc.), security and backup of information | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | Malicious code | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | Malicious code | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | Malicious code | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | Malicious code | The internal address range is exposed or unprotected. | The internal address range is protected (e.g., NAT). | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | Malicious code | Applications in use or considered for use do not conform to the security feature criteria in the BITS Product Certification Program or other recognized product certifications. | Applications in use or considered for use conform to the security feature criteria in the BITS Product Certification Program or other recognized product certifications. | | | | 5 | 0.00
Access Control | Internal Fraud | Network spoofing | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | | | | 5 | 0.00
Access Control | External Fraud | Network spoofing | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | Network spoofing | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | | | | 5 | 0.00
Access Control | Internal Fraud | Network spoofing | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | | | | 5 | 0.00
Access Control | External Fraud | Network spoofing | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | Network spoofing | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | Network spoofing | The internal address range is exposed or unprotected. | The internal address range is protected (e.g., NAT). | | | | 5 | 0.00
Access Control | External Fraud | Network spoofing | The internal address range is exposed or unprotected. | The internal address range is protected (e.g., NAT). | | | | 5 | 0.00
Access Control | External Fraud | Network spoofing | Session encryption is not used for external IP access. | External IP access, including system-to-system authentication, uses session encryption. | | | | 5 | 0.00
Access Control | External Fraud | Network spoofing | Local and wide area networks are not fully switched. | Local area and wide area networks are fully switched. | | | | 5 | 0.00
Access Control | External Fraud | Network spoofing | Technology such as encryption, VPN client technology, etc. is not used during remote connectivity. | Confidentiality of sensitive information is ensured during remote connectivity using appropriate technology such as encryption, VPN client technology, etc. | | | | 5 | 0.00
Access Control | External Fraud | Network spoofing | The remote access client allows split tunneling. | The remote access client prohibits split tunneling. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | Time, day, or similar restrictions are not enabled. | Access to resources is controlled by a combination of any of the following: (1) method or location of accessing user, (2) time-of-day, (3) day-of-week, (4) calendar date, (5) specific program used to access the resource. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Time, day, or similar restrictions are not enabled. | Access to resources is controlled by a combination of any of the following: (1) method or location of accessing user, (2) time-of-day, (3) day-of-week, (4) calendar date, (5) specific program used to access the resource. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | Authorization engine fails in an open state. | If the authorization engine for the system fails, the access control rules default to "no access". | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Authorization engine fails in an open state. | If the authorization engine for the system fails, the access control rules default to "no access". | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | Access administration processes do not ensure that user access is based on least privilege or consistent with job function. | User access capabilities are configured with least privilege, and are consistent with the users' assigned job responsibilities for performing a particular function or transaction. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Access administration processes do not ensure that user access is based on least privilege or consistent with job function. | User access capabilities are configured with least privilege, and are consistent with the users' assigned job responsibilities for performing a particular function or transaction. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | Access administration change (employee status changes) processes are informal or inadequate. | Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the organization. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Access administration change (employee status changes) processes are informal or inadequate. | Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the organization. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | No processes are in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | No processes are in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | Password policies/standards have not been established. | Guidelines are provided to users for generating secure passwords including simple instruction such as passwords must not be shared, passwords must not be written down and stored in obvious places, etc. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Password policies/standards have not been established. | Guidelines are provided to users for generating secure passwords including simple instruction such as passwords must not be shared, passwords must not be written down and stored in obvious places, etc. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | Policies/procedures addressing security of stored passwords have not been established. Systems features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Policies/procedures addressing security of stored passwords have not been established. Systems features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures have not been established to remind | The system is configured to require the user to change the initial password during first logon. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures have not been established to remind | The system is configured to require the user to change the initial password during first logon. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | Systems features (strong passwords) are not enabled or do not exist. In absence of systems controls, policies/guidelines encouraging strong passwords have not been established. | Restrictions are placed on user password creation and use including expiration after a certain time period, minimum length, reuse, and appropriate strength (i.e., user ID not equal to password, password not equal to "password", limit repetitive characters, require alphanumeric and | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Systems features (strong passwords) are not enabled or do not exist. In absence of systems controls, policies/guidelines encouraging strong passwords have not been established. | Restrictions are placed on user password creation and use including expiration after a certain time period, minimum length, reuse, and appropriate strength (i.e., user ID not equal to password, password not equal to "password", limit repetitive characters, require alphanumeric and | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | Remote network access paths are not restricted to designated gateways and/or resources. | Remote network access paths are restricted to designated gateways and/or resources. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Remote network access paths are not restricted to designated gateways and/or resources. | Remote network access paths are restricted to designated gateways and/or resources. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Strong authentication features are not enabled/supported. | Additional forms of access control are used to safeguard against unauthorized access from external connections (e.g., dial back, two-part authentication, challenge-response, time of day or week restriction, read-only restrictions, etc.). | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | Internal network segments are not segregated and do not have controlled access through network level authorization. | Internal network segments are segregated and have controlled access through network level authorization. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application backdoor | Security events are not logged at the application level. | Security events are logged at the application level. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Security events are not logged at the application level. | Security events are logged at the application level. | | | | 5 | 0.00
Access Control | External Fraud | Network/application backdoor | Technology such as encryption, VPN client technology, etc. is not used during remote connectivity. | Confidentiality of sensitive information is ensured during remote connectivity using appropriate technology such as encryption, VPN client technology, etc. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | Time, day, or similar restrictions are not enabled. | Access to resources is controlled by a combination of any of the following: (1) method or location of accessing user, (2) time-of-day, (3) day-of-week, (4) calendar date, (5) specific program used to access the resource. | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | Time, day, or similar restrictions are not enabled. | Access to resources is controlled by a combination of any of the following: (1) method or location of accessing user, (2) time-of-day, (3) day-of-week, (4) calendar date, (5) specific program used to access the resource. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | Authorization engine fails in an open state. | If the authorization engine for the system fails, the access control rules default to "no access". | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | Authorization engine fails in an open state. | If the authorization engine for the system fails, the access control rules default to "no access". | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | Access administration processes do not ensure that user access is based on least privilege or consistent with job function. | User access capabilities are configured with least privilege, and are consistent with the users' assigned job responsibilities for performing a particular function or transaction. | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | Access administration processes do not ensure that user access is based on least privilege or consistent with job function. | User access capabilities are configured with least privilege, and are consistent with the users' assigned job responsibilities for performing a particular function or transaction. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | Access administration change (employee status changes) processes are informal or inadequate. | Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the organization. | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | Access administration change (employee status changes) processes are informal or inadequate. | Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the organization. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | No processes are in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | No processes are in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | Password policies/standards have not been established. | Guidelines are provided to users for generating secure passwords including simple instruction such as passwords must not be shared, passwords must not be written down and stored in obvious places, etc. | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | Password policies/standards have not been established. | Guidelines are provided to users for generating secure passwords including simple instruction such as passwords must not be shared, passwords must not be written down and stored in obvious places, etc. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | Policies/procedures addressing security of stored passwords have not been established. Systems features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | Policies/procedures addressing security of stored passwords have not been established. Systems features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures have not been established to remind | The system is configured to require the user to change the initial password during first logon. | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures have not been established to remind | The system is configured to require the user to change their initial password during first logon. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | Systems features (strong passwords) are not enabled or do not exist. In absence of systems controls, policies/guidelines encouraging strong passwords have not been established. | Restrictions are placed on user password creation and use including expiration after a certain time period, minimum length, reuse, and appropriate strength (e.g., user ID not equal to password, password not equal to "password", limit repetitive characters, require alphanumeric and | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | Systems features (strong passwords) are not enabled or do not exist. In absence of systems controls, policies/guidelines encouraging strong passwords have not been established. | Restrictions are placed on user password creation and use including expiration after a certain time period, minimum length, reuse, and appropriate strength (e.g., user ID not equal to password, password not equal to "password", limit repetitive characters, require alphanumeric and | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | | | | 5 | 0.00
Access Control | Internal Fraud | Network/application time bomb | Remote network access paths are not restricted to designated gateways and/or resources. | Remote network access paths are restricted to designated gateways and/or resources. | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | Remote network access paths are not restricted to designated gateways and/or resources. | Remote network access paths are restricted to designated gateways and/or resources. | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | Strong authentication features are not enabled/supported. | Additional forms of access control are used to safeguard against unauthorized access from external connections (e.g., dial back, two-part authentication, challenge-response, time of day or week restriction, read-only restrictions, etc.). | | | | 5 | 0.00
Access Control | External Fraud | Network/application time bomb | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | | | | 5 | 0.00
Access Control | Business Disruption and System Failures | Network/application time bomb | Internal network segments are not segregated and do not have controlled access through network level authorization. | Internal network segments are segregated and have controlled access through network level authorization. | | | | 5 | 0.00
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|
| Access Control | External Fraud | Robbery | Security controls for equipment and information used in mobile computers have not been established. | Security controls for equipment and information used in mobile computers have been established including: permissible equipment use and security of that equipment (e.g., double-wrapped envelopes, locked briefcases/cabinets, encrypted data, digital certificates, etc.), security and backup of information | 5 | 0.00 |
| Access Control | External Fraud | Sabotage | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | 5 | 0.00 |
| Access Control | External Fraud | Social engineering | Policies that define the removal of information from company facilities are not in place and are not communicated to all employees. | Policies that define the removal of information from company facilities are in place and communicated to all employees. | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | Software defects | Applications in use or considered for use do not conform to the security feature criteria in the BITS Product Certification Program or other recognized product certifications. | Applications in use or considered for use conform to security feature criteria in the BITS Product Certification Program or other recognized product certifications. | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | System software failure | System access logs are not created and reviewed to identify use or attempted use and modification or attempted modification of critical systems components (files, registry entries, configurations, security settings/parameters, audit logs). | System access logs are created and reviewed to identify use or attempted use and modification or attempted modification of critical systems components (files, registry entries, configurations, security settings/parameters, audit logs). | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | System software failure | System access logs are not stored in a secure fashion with limited access and are not protected from alteration or deletion. | System access logs are stored in a secure fashion with limited access and protected from alteration or deletion. | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | System software failure | System access logs are not maintained for an appropriate period of time. | System access logs are maintained for an appropriate period of time (both online and archived). | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network access | Informal or inadequate access monitoring. | User IDs are reviewed for appropriate access. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network access | Informal or inadequate access administration/monitoring processes over privileged accounts. | Privileged users are controlled and monitored by a formal approval process. | 5 | 0.00 |
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|
| Access Control | Internal Fraud | Unauthorized network access | Systems features (strong passwords) are not enabled or do not exist. In absence of systems controls, policies/guidelines encouraging strong passwords have not been established. | Restrictions are placed on user password creation and use including expiration after a certain time period, minimum length, reuse, and appropriate strength (e.g., user ID not equal to password, password not equal to “password”, limit repetitive characters, require alphanumeric and | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network access | Systems features (strong passwords) are not enabled or do not exist. In absence of systems controls, policies/guidelines encouraging strong passwords have not been established. | Restrictions are placed on user password creation and use including expiration after a certain time period, minimum length, reuse, and appropriate strength (e.g., user ID not equal to password, password not equal to “password”, limit repetitive characters, require alphanumeric and | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network access | Workstation screensaver/lockout features are not enabled/system enforced. Policies/guidelines do | The desktop is configured to log off, lock or use a password protected screen saver whenever the computer is left unattended. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network access | Workstation screensaver/lockout features are not enabled/system enforced. Policies/guidelines do | The desktop is configured to log off, lock or use a password protected screen saver whenever the computer is left unattended. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network access | Ingress/egress filtering is not enabled/supported on routers. | Network routers do ingress and egress filtering. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network access | Ingress/egress filtering is not enabled/supported on routers. | Network routers do ingress and egress filtering. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Time, day, or similar restrictions are not enabled. | Access to resources is controlled by a combination of any of the following: (1) method or location of accessing user (2) time-of-day (3) day-of-week (4) calendar date (5) specific program used to access the resource. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Time, day, or similar restrictions are not enabled. | Access to resources is controlled by a combination of any of the following: (1) method or location of accessing user (2) time-of-day (3) day-of-week (4) calendar date (5) specific program used to access the resource. | 5 | 0.00 |
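The strong-password rows above, together with the later rows on password guidelines and the secure storage of password lists, state the control in prose only. The following Python is an added example, not part of the BITS tool, of a validator that enforces those rules (minimum length, expiration, reuse, user ID not equal to password, not "password", limited repetition, letters plus digits) and keeps only salted scrypt digests of the current and previous passwords, so the reuse check never needs a cleartext list. The numeric limits, the user IDs and the sample passwords are assumptions made for the example.

```python
import hashlib
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 12                 # assumed minimum length
MAX_AGE = timedelta(days=90)    # assumed expiration period
HISTORY_DEPTH = 5               # assumed number of previous passwords kept for the reuse check
MAX_RUN = 2                     # assumed limit: no character may repeat more than twice in a row


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, memory-hard hash: the stored list holds digests, never cleartext passwords.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


@dataclass
class Credential:
    user_id: str
    salt: bytes = b""
    digest: bytes = b""
    changed_at: Optional[datetime] = None
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)   # (salt, digest) pairs


def policy_violations(user_id: str, password: str, cred: Optional[Credential] = None) -> List[str]:
    """Return the rules a candidate password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == user_id.lower():
        problems.append("password equals user ID")
    if password.lower() == "password":
        problems.append('password is "password"')
    if re.search(r"(.)\1{%d,}" % MAX_RUN, password):
        problems.append(f"a character repeats more than {MAX_RUN} times in a row")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must contain both letters and digits")
    if cred is not None:
        previous = list(cred.history) + ([(cred.salt, cred.digest)] if cred.digest else [])
        if any(_hash(password, salt) == digest for salt, digest in previous):
            problems.append("reuses a recent password")
    return problems


def set_password(cred: Credential, password: str, now: datetime) -> None:
    """Apply the policy, then rotate the current digest into the history."""
    problems = policy_violations(cred.user_id, password, cred)
    if problems:
        raise ValueError("; ".join(problems))
    if cred.digest:
        cred.history = (cred.history + [(cred.salt, cred.digest)])[-HISTORY_DEPTH:]
    cred.salt = os.urandom(16)
    cred.digest = _hash(password, cred.salt)
    cred.changed_at = now


def verify(cred: Credential, password: str, now: datetime) -> str:
    """'ok', 'expired' (correct but older than MAX_AGE, so a change is forced) or 'denied'."""
    if not cred.digest or _hash(password, cred.salt) != cred.digest:
        return "denied"
    if cred.changed_at is None or now - cred.changed_at > MAX_AGE:
        return "expired"
    return "ok"


def demo() -> dict:
    """Constructed scenario: one user's password lifecycle under the policy."""
    t0 = datetime(2024, 1, 1)
    cred = Credential("alice")
    set_password(cred, "Winter-Lane-2024", t0)
    try:
        set_password(cred, "Winter-Lane-2024", t0 + timedelta(days=30))   # attempted reuse
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    return {
        "weak": policy_violations("alice", "alice"),
        "strong": policy_violations("alice", "Winter-Lane-2024"),
        "login_ok": verify(cred, "Winter-Lane-2024", t0 + timedelta(days=1)),
        "login_bad": verify(cred, "wrong-guess-000", t0 + timedelta(days=1)),
        "login_stale": verify(cred, "Winter-Lane-2024", t0 + timedelta(days=120)),
        "reuse_rejected": reuse_rejected,
    }
```

The reuse check has to hash the candidate once per stored digest, which is the price of never keeping the old passwords in a recoverable form; keep HISTORY_DEPTH small enough that a password change stays fast.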
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|
| Access Control | Internal Fraud | Unauthorized network or system access | Authorization engine fails in an open state. | If the authorization engine for the system fails, the access control rules default to "no access." | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Authorization engine fails in an open state. | If the authorization engine for the system fails, the access control rules default to "no access." | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Access administration processes do not verify user identities or ensure that access is approved and authorized. | The signature or identity of a person applying for access is verified/authenticated and authorized. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Access administration processes do not verify user identities or ensure that access is approved and authorized. | The signature or identity of a person applying for access is verified/authenticated and authorized. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Access administration processes do not ensure that user access is based on least privilege or consistent with job function. | User access capabilities are configured with least privilege, and are consistent with the users’ assigned job responsibilities for performing a particular function or transaction. | 5 | 0.00 |
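The "authorization engine fails in an open state" rows above, and the "time, day, or similar restrictions" rows on the previous page, describe two properties of one component: the engine must evaluate location, time-of-day, day-of-week, calendar-date and program conditions, and when it cannot evaluate them at all it must answer "no access". The following Python is an added example, not part of the BITS tool, of such an engine with a fail-open variant beside it for contrast. The rule set, the user and resource names, the address ranges and the clock values are constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    source_ip: str       # where the user is coming from
    program: str         # client program used to reach the resource
    when: datetime


@dataclass(frozen=True)
class Rule:
    """One permit rule. Conditions left unset are not checked; every condition
    that is set must hold for the rule to match."""
    user: str
    resource: str
    actions: frozenset
    from_networks: Tuple[str, ...] = ()                 # (1) location of the accessing user
    hours: Optional[Tuple[time, time]] = None           # (2) time of day, inclusive window
    weekdays: Optional[frozenset] = None                # (3) day of week, Monday = 0
    dates: Optional[Tuple[datetime, datetime]] = None   # (4) calendar date window
    programs: Optional[frozenset] = None                # (5) specific program used

    def matches(self, req: Request) -> bool:
        if (req.user, req.resource) != (self.user, self.resource) or req.action not in self.actions:
            return False
        if self.from_networks and not any(ip_address(req.source_ip) in ip_network(n) for n in self.from_networks):
            return False
        if self.hours is not None and not (self.hours[0] <= req.when.time() <= self.hours[1]):
            return False
        if self.weekdays is not None and req.when.weekday() not in self.weekdays:
            return False
        if self.dates is not None and not (self.dates[0] <= req.when <= self.dates[1]):
            return False
        if self.programs is not None and req.program not in self.programs:
            return False
        return True


class RuleStore:
    """Stand-in for the policy backend (directory, database, policy service);
    available=False simulates an outage."""
    def __init__(self, rules: Iterable[Rule], available: bool = True):
        self._rules: List[Rule] = list(rules)
        self.available = available

    def rules_for(self, user: str) -> List[Rule]:
        if not self.available:
            raise RuntimeError("policy backend unreachable")
        return [r for r in self._rules if r.user == user]


def authorize(store: RuleStore, req: Request) -> bool:
    """Default deny: no matching rule, an unmet condition or any error all yield False."""
    try:
        return any(rule.matches(req) for rule in store.rules_for(req.user))
    except Exception:
        return False   # fail closed: the policy could not be evaluated, so no access


def authorize_fail_open(store: RuleStore, req: Request) -> bool:
    """The vulnerability the row describes: an evaluation error is treated as 'allow'."""
    try:
        return any(rule.matches(req) for rule in store.rules_for(req.user))
    except Exception:
        return True


def demo() -> dict:
    """Constructed scenario: a batch operator may run the ledger job only from the
    operations LAN, on weeknights between 22:00 and 23:59, using the batch client."""
    rules = [Rule(user="ops", resource="batch-ledger", actions=frozenset({"run"}),
                  from_networks=("10.20.0.0/16",), hours=(time(22, 0), time(23, 59)),
                  weekdays=frozenset(range(5)), programs=frozenset({"batchctl"}))]
    base = Request("ops", "batch-ledger", "run", "10.20.4.7", "batchctl", datetime(2024, 3, 12, 22, 30))
    up, down = RuleStore(rules), RuleStore(rules, available=False)
    return {
        "in_window": authorize(up, base),
        "daytime": authorize(up, replace(base, when=datetime(2024, 3, 12, 9, 0))),
        "weekend": authorize(up, replace(base, when=datetime(2024, 3, 16, 22, 30))),
        "wrong_network": authorize(up, replace(base, source_ip="203.0.113.5")),
        "wrong_program": authorize(up, replace(base, program="ssh")),
        "no_rule": authorize(up, replace(base, user="intern")),
        "backend_down": authorize(down, base),
        "backend_down_fail_open": authorize_fail_open(down, base),
    }
```

The only difference between the two evaluators is what the `except` branch returns, which is why this failure mode is easy to introduce: a wrapper that swallows a backend timeout and "keeps the service up" silently turns the engine into the fail-open variant.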
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|
| Access Control | External Fraud | Unauthorized network or system access | Access administration processes do not ensure that user access is based on least privilege or consistent with job function. | User access capabilities are configured with least privilege, and are consistent with the users’ assigned job responsibilities for performing a particular function or transaction. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Informal or inadequate access monitoring processes. | User IDs are reviewed for appropriate access. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Access administration change (employee status changes) processes are informal or inadequate. | Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Access administration change (employee status changes) processes are informal or inadequate. | Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Informal or inadequate access administration/monitoring processes over privileged accounts. | Privileged users are controlled and monitored by a formal approval process. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | No processes in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | No processes in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Ongoing user security awareness programs have not been implemented. | Users are made aware of their responsibilities for maintaining effective access controls, particularly regarding the security of passwords and user equipment. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Ongoing user security awareness programs have not been implemented. | Users are made aware of their responsibilities for maintaining effective access controls, particularly regarding the security of passwords and user equipment. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Password policies/standards have not been established. | Guidelines are provided to users for generating secure passwords including simple instruction such as passwords must not be shared, passwords must not be written down and | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Password policies/standards have not been established. | Guidelines are provided to users for generating secure passwords including simple instruction such as passwords must not be shared, passwords must not be written down and | 5 | 0.00 |
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|
| Access Control | Internal Fraud | Unauthorized network or system access | Policies/procedures addressing security of stored passwords have not been established. Systems features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Policies/procedures addressing security of stored passwords have not been established. Systems features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures have not been established to remind | The system is configured to require the user to change their initial password during first logon. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures have not been established to remind | The system is configured to require the user to change their initial password during first logon. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Remote network access paths are not restricted to designated gateways and/or resources. | Remote network access paths are restricted to designated gateways and/or resources. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Remote network access paths are not restricted to designated gateways and/or resources. | Remote network access paths are restricted to designated gateways and/or resources. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Formal modem approval procedures are not in place. | A process is in place for requesting and approving modem connections to servers or desktops. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Formal modem approval procedures are not in place. | A process is in place for requesting and approving modem connections to servers or desktops. | 5 | 0.00 |
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|
| Access Control | Internal Fraud | Unauthorized network or system access | Routing access control lists are inappropriately configured or improperly maintained. | Routing access control lists are maintained by designated personnel and used for security. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Routing access control lists are inappropriately configured or improperly maintained. | Routing access control lists are maintained by designated personnel and used for security. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Strong authentication features are not enabled/supported. | Additional forms of access control are used to safeguard against unauthorized access from external connections (e.g., dial back, two-part authentication, challenge-response, time of day or week restriction, read-only restrictions, etc.). | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Session encryption is not used for external IP access. | External IP access, including system-to-system authentication, uses session encryption. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Local and wide area networks are not fully switched. | Local area and wide area networks are fully switched. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Internal network segments are not segregated and do not have controlled access through network level authorization. | Internal network segments are segregated and have controlled access through network level authorization. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | No limitations or restrictions have been placed on connection times. | Limitations and/or restrictions have been placed on connection times for activities such as batch processing (i.e., restricting connections, time-outs, and/or | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | System access and use is not monitored based on current vulnerability and risk analysis, and is not integrated with an incident response | System access and use is monitored based on current vulnerability and risk analysis, and is integrated with an incident response | 5 | 0.00 |
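The routing-ACL and firewall rows above, the "network routers do ingress and egress filtering" rows on an earlier page and the "internal address range is protected (e.g., NAT)" rows on the next one all concern what a border router does with a packet's source address. The following Python is an added example, not part of the BITS tool, that models those ACLs as one decision function: on the Internet-facing interface it drops packets whose source claims the organisation's own or any private/reserved range and packets not addressed to the organisation; on the inside interface it translates the private range and drops anything whose source is not the organisation's allocation. The address ranges, the NAT address and the packet trace are constructed for the example (192.0.2.0/24 stands in for a real public allocation).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed site layout: 192.0.2.0/24 is routed to the site and 10.0.0.0/8 is used
# inside and hidden behind NAT.
OWNED = ip_network("192.0.2.0/24")
INSIDE_PRIVATE = ip_network("10.0.0.0/8")
NAT_ADDRESS = "192.0.2.1"

# Source addresses that must never arrive on the Internet-facing interface: our own
# ranges (someone outside is impersonating us) and private or reserved space.
NEVER_FROM_OUTSIDE = [
    OWNED, INSIDE_PRIVATE,
    ip_network("0.0.0.0/8"), ip_network("127.0.0.0/8"), ip_network("169.254.0.0/16"),
    ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"), ip_network("224.0.0.0/4"),
]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str


def forward(pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Apply the ingress or egress ACL; return (verdict, packet as forwarded or None)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.iface == "outside":
        # Ingress filtering: spoofed sources are dropped before any other rule runs.
        if any(src in net for net in NEVER_FROM_OUTSIDE):
            return "drop:ingress-spoofed-source", None
        # Only traffic addressed to our own range may enter; the router is not a transit path.
        if dst not in OWNED:
            return "drop:ingress-not-our-address", None
        return "permit", pkt
    if pkt.iface == "inside":
        if src in INSIDE_PRIVATE:
            src = ip_address(NAT_ADDRESS)   # the internal range never appears on the outside
        # Egress filtering: only packets sourced from our allocation may leave, so a
        # compromised internal host cannot take part in a source-spoofed DDoS.
        if src not in OWNED:
            return "drop:egress-spoofed-source", None
        return "permit", Packet("outside", str(src), pkt.dst)
    return "drop:unknown-interface", None


# Constructed trace of six packets seen at the border router.
TRACE = [
    Packet("outside", "198.51.100.7", "192.0.2.10"),   # ordinary inbound connection
    Packet("outside", "192.0.2.10", "192.0.2.10"),     # outsider claiming one of our addresses
    Packet("outside", "10.1.2.3", "192.0.2.10"),       # private source arriving from the Internet
    Packet("outside", "198.51.100.7", "203.0.113.9"),  # not addressed to us at all
    Packet("inside", "10.1.2.3", "198.51.100.7"),      # internal host going out (translated)
    Packet("inside", "203.0.113.9", "198.51.100.7"),   # internal host spoofing a foreign source
]


def demo() -> List[str]:
    """Verdict for each packet in TRACE, in order."""
    return [forward(p)[0] for p in TRACE]
```

On a real router these are two ACLs bound to two interfaces, and the "designated personnel" in the control row matter because the lists are easy to break: a single permit added above the anti-spoofing entries disables them for whatever it matches.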
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|
| Access Control | Internal Fraud | Unauthorized network or system access | System access logs are not created and reviewed to identify use or attempted use and modification or attempted modification of critical systems components (files, registry entries, configurations, security settings/parameters, audit logs). | System access logs are created and reviewed to identify use or attempted use and modification or attempted modification of critical systems components (files, registry entries, configurations, security settings/parameters, audit logs). | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | System access logs are not stored in a secure fashion with limited access and are not protected from alteration or deletion. | System access logs are stored in a secure fashion with limited access and protected from alteration or deletion. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | System access logs are not maintained for an appropriate period of time. | System access logs are maintained for an appropriate period of time (both online and archived). | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Alerting mechanisms are not used to notify appropriate individuals that security events related to system access have occurred. | Alerting mechanisms are used to notify appropriate individuals that security events related to system access have occurred. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Alerting mechanisms are not used to notify appropriate individuals that security events related to system access have occurred. | Alerting mechanisms are used to notify appropriate individuals that security events related to system access have occurred. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | No process is in place to ensure accurate clock synchronization for system access and logging activity. | A process is in place to ensure accurate clock synchronization for system access and logging activity. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | No process is in place to ensure accurate clock synchronization for system access and logging activity. | A process is in place to ensure accurate clock synchronization for system access and logging activity. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Technology such as encryption, VPN client technology, etc. is not used during remote connectivity. | Confidentiality of sensitive information is ensured during remote connectivity using appropriate technology such as encryption, VPN client technology, etc. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Technology such as encryption, VPN client technology, etc. is not used during remote connectivity. | Confidentiality of sensitive information is ensured during remote connectivity using appropriate technology such as encryption, VPN client technology, etc. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized network or system access | Remote access is not controlled using appropriate authentication controls. | Remote access is controlled using appropriate authentication controls. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | Remote access is not controlled using appropriate authentication controls. | Remote access is controlled using appropriate authentication controls. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized network or system access | A comprehensive policy outlining remote user requirements is not in place and is not communicated to and/or is not understood or followed by the | A comprehensive policy outlining remote user requirements is in place and communicated via an agreement signed by the employee. | 5 | 0.00 |
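The first five rows above describe one pipeline: access events are recorded, the record is protected from alteration or deletion, it is reviewed for attempted use and for modification of critical components, and the reviewer is alerted. The following Python is an added example, not part of the BITS tool, that implements the pipeline in miniature: an append-only log in which each record carries an HMAC over itself and the previous record's MAC, a verifier that reports the first record broken by an edit or a deletion, and a review pass that raises alerts for repeated logon failures and for changes to critical files. The review key, the list of critical components, the failure threshold and the sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from collections import Counter
from typing import List

# Assumed: the verification key is held by the log reviewers (or a log collector),
# not on the host being logged, so whoever controls that host cannot recompute MACs.
REVIEW_KEY = b"example-review-key-replace-in-production"
CRITICAL = {"/etc/passwd", "/etc/sudoers", "HKLM\\SYSTEM\\CurrentControlSet"}   # assumed list
FAILED_LOGON_THRESHOLD = 5          # assumed: alert when one user ID reaches this many failures
GENESIS = "0" * 64


def _mac(prev: str, event: dict) -> str:
    body = json.dumps(event, sort_keys=True)
    return hmac.new(REVIEW_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()


class AccessLog:
    """Append-only log; each record's MAC covers the record and the previous MAC,
    so editing or deleting any earlier record breaks every link after it."""

    def __init__(self):
        self.records: List[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        rec = {"event": event, "prev": prev, "mac": _mac(prev, event)}
        self.records.append(rec)
        return rec


def verify_chain(records: List[dict]) -> int:
    """Index of the first altered, inserted or orphaned record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(prev, rec["event"])):
            return i
        prev = rec["mac"]
    return -1


def review(records: List[dict]) -> List[str]:
    """The access-log review: repeated logon failures and changes to critical components."""
    alerts, failures = [], Counter()
    for rec in records:
        ev = rec["event"]
        if ev["action"] == "logon" and ev["result"] == "fail":
            failures[ev["user"]] += 1
            if failures[ev["user"]] == FAILED_LOGON_THRESHOLD:
                alerts.append(f"{FAILED_LOGON_THRESHOLD} failed logons for {ev['user']} from {ev['src']}")
        elif ev["action"] in ("modify", "delete") and ev.get("target") in CRITICAL:
            alerts.append(f"{ev['user']} {ev['action']} {ev['target']} ({ev['result']})")
    return alerts


# Constructed sample events, in the order the system recorded them.
EVENTS = [
    {"ts": "2024-03-12T22:01:05Z", "user": "svc-batch", "src": "10.20.4.7", "action": "logon", "result": "ok"},
    *[{"ts": f"2024-03-12T22:03:{s:02d}Z", "user": "admin", "src": "203.0.113.5",
       "action": "logon", "result": "fail"} for s in range(10, 16)],
    {"ts": "2024-03-12T22:04:00Z", "user": "jdoe", "src": "10.20.9.1", "action": "modify",
     "target": "/etc/sudoers", "result": "ok"},
    {"ts": "2024-03-12T22:05:00Z", "user": "jdoe", "src": "10.20.9.1", "action": "read",
     "target": "/var/log/app.log", "result": "ok"},
]


def demo() -> dict:
    log = AccessLog()
    for ev in EVENTS:
        log.append(ev)
    # Someone with write access to the log file tries to hide the sudoers change,
    # first by rewriting the record and then by deleting it outright.
    edited = [dict(r, event=dict(r["event"])) for r in log.records]
    edited[7]["event"]["action"] = "read"
    deleted = log.records[:7] + log.records[8:]
    return {
        "alerts": review(log.records),
        "intact": verify_chain(log.records),
        "edited_at": verify_chain(edited),
        "deleted_at": verify_chain(deleted),
    }
```

The chain makes tampering detectable, not impossible: an attacker who also holds the key can rebuild it, and truncating the log at its tail is only caught if the reviewer keeps the last MAC seen. Shipping records to a collector that holds the key, and retaining them there for the period the retention row requires, closes both gaps.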
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|
| Access Control | Internal Fraud | Unauthorized network or system access | Remote access user accounts are not reviewed on an appropriate schedule. | Remote access user accounts are reviewed on an appropriate schedule. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized scans | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized scans | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized scans | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized scans | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized scans | The internal address range is exposed or unprotected. | The internal address range is protected (e.g., NAT). | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized scans | The internal address range is exposed or unprotected. | The internal address range is protected (e.g., NAT). | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized scans | Host level system authorization mechanisms are not in place. | Host level system authorization mechanisms are in place. | 5 | 0.00 |
| Access Control | Internal Fraud | Unauthorized scans | Operating system master and sub-master consoles are not located in a protected and controlled area. | Operating system master and sub-master consoles are located in a protected and controlled area. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized scans | Alerting mechanisms are not used to notify appropriate individuals that security events related to system access have occurred. | Alerting mechanisms are used to notify appropriate individuals that security events related to system access have occurred. | 5 | 0.00 |
| Access Control | External Fraud | Unauthorized scans | Remote access user accounts are not reviewed on an appropriate schedule. | Remote access user accounts are reviewed on an appropriate schedule. | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | Viruses | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | 5 | 0.00 |
| Access Control | External Fraud | Viruses | SNMP best practices have not been implemented. | SNMP best practices have been implemented. | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | Viruses | Security controls for equipment and information used in mobile computers have not been established. | Security controls for equipment and information used in mobile computers have been established including: permissible equipment use and security of that equipment (e.g., double-wrapped envelopes, locked briefcases/cabinets, encrypted data, digital certificates, etc.), security and backup of information | 5 | 0.00 |
| Access Control | Internal Fraud | War dialing | Formal modem approval procedures are not in place. | A process is in place for requesting and approving modem connections to servers or desktops. | 5 | 0.00 |
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|
| Access Control | External Fraud | War dialing | Formal modem approval procedures are not in place. | A process is in place for requesting and approving modem connections to servers or desktops. | 5 | 0.00 |
| Access Control | External Fraud | Web defacements | No processes in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | 5 | 0.00 |
| Access Control | Execution, Delivery and Process Management | Web defacements | No processes in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | Web defacements | No processes in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | 5 | 0.00 |
| Access Control | Clients, Products and Business Practices | Web defacements | No processes in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | 5 | 0.00 |
| Access Control | External Fraud | Web defacements | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | 5 | 0.00 |
| Access Control | Execution, Delivery and Process Management | Web defacements | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | Web defacements | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | 5 | 0.00 |
| Access Control | Clients, Products and Business Practices | Web defacements | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | 5 | 0.00 |
| Access Control | External Fraud | Web defacements | Policies/procedures addressing security of stored passwords have not been established. Systems features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | 5 | 0.00 |
| Access Control | Execution, Delivery and Process Management | Web defacements | Policies/procedures addressing security of stored passwords have not been established. Systems features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | Web defacements | Policies/procedures addressing security of stored passwords have not been established. Systems features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | 5 | 0.00 |
| Access Control | Clients, Products and Business Practices | Web defacements | Policies/procedures addressing security of stored passwords have not been established. Systems features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | 5 | 0.00 |
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|
| Access Control | External Fraud | Web defacements | Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures have not been established to remind | The system is configured to require the user to change their initial password during first logon. | 5 | 0.00 |
| Access Control | Execution, Delivery and Process Management | Web defacements | Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures have not been established to remind | The system is configured to require the user to change their initial password during first logon. | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | Web defacements | Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures | The system is configured to require the user to change their initial password during first logon. | 5 | 0.00 |
| Access Control | Clients, Products and Business Practices | Web defacements | Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures | The system is configured to require the user to change their initial password during first logon. | 5 | 0.00 |
| Access Control | External Fraud | Web defacements | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | 5 | 0.00 |
| Access Control | Execution, Delivery and Process Management | Web defacements | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | Web defacements | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | 5 | 0.00 |
| Access Control | Clients, Products and Business Practices | Web defacements | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | 5 | 0.00 |
| Access Control | External Fraud | Web defacements | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | 5 | 0.00 |
| Access Control | Execution, Delivery and Process Management | Web defacements | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | Web defacements | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | 5 | 0.00 |
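Three logon controls recur throughout the Access Control domain, here and on the earlier pages: the initial password must be changed at first logon, the user ID is disabled or suspended after a fixed number of unsuccessful logon attempts, and an idle session is disconnected so the user must re-authenticate. The following Python is an added example, not part of the BITS tool, of one account and session state machine that enforces all three, serving every occurrence of those rows. The failure threshold, the idle limit, the user IDs and the passwords are constructed for the example, and the credential comparison is a plain string match standing in for a real credential check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

MAX_FAILURES = 5                       # assumed: suspend the ID at the fifth failure
IDLE_TIMEOUT = timedelta(minutes=15)   # assumed inactivity limit before re-authentication


@dataclass
class Account:
    user_id: str
    secret: str               # stand-in for a real credential check
    must_change: bool = True  # the initial password has to be replaced at first logon
    failures: int = 0
    suspended: bool = False


@dataclass
class Session:
    last_activity: datetime
    authenticated: bool = True


class AuthService:
    def __init__(self, accounts: Iterable[Account]):
        self.accounts: Dict[str, Account] = {a.user_id: a for a in accounts}
        self.sessions: Dict[str, Session] = {}

    def logon(self, user_id: str, password: str, now: datetime) -> str:
        acct = self.accounts.get(user_id)
        if acct is None or acct.suspended:
            return "denied"                 # unknown and suspended IDs look the same to the caller
        if password != acct.secret:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.suspended = True       # stays suspended until an administrator re-enables it
                return "suspended"
            return "denied"
        acct.failures = 0                   # a successful logon resets the counter
        self.sessions[user_id] = Session(last_activity=now)
        return "change-password" if acct.must_change else "ok"

    def change_password(self, user_id: str, new_secret: str) -> None:
        acct = self.accounts[user_id]
        acct.secret, acct.must_change = new_secret, False

    def request(self, user_id: str, now: datetime) -> str:
        """Gate every request: idle sessions are disconnected and an unchanged
        initial password blocks all use of the system."""
        s = self.sessions.get(user_id)
        if s is None or not s.authenticated:
            return "reauthenticate"
        if now - s.last_activity > IDLE_TIMEOUT:
            s.authenticated = False         # disconnect; the user must log on again
            return "reauthenticate"
        if self.accounts[user_id].must_change:
            return "change-password"
        s.last_activity = now
        return "served"


def demo() -> dict:
    """Constructed scenario: a new user's first day, and a guessing attack on another ID."""
    t = datetime(2024, 3, 12, 9, 0)
    svc = AuthService([Account("alice", "initial-pw-1"), Account("target", "s3cret-xyz")])
    r = {}
    r["first_logon"] = svc.logon("alice", "initial-pw-1", t)
    r["blocked_until_changed"] = svc.request("alice", t)
    svc.change_password("alice", "Winter-Lane-2024")
    r["after_change"] = svc.request("alice", t + timedelta(minutes=1))
    r["idle"] = svc.request("alice", t + timedelta(minutes=30))
    r["relogon"] = svc.logon("alice", "Winter-Lane-2024", t + timedelta(minutes=31))
    r["guesses"] = [svc.logon("target", f"guess-{i}", t) for i in range(MAX_FAILURES)]
    r["right_password_too_late"] = svc.logon("target", "s3cret-xyz", t)
    return r
```

The lockout counter is per user ID, so this control stops online guessing against one account but also lets anyone who knows a valid user ID lock that user out; the alerting row on the logging page is what turns that side effect into a visible event rather than a silent denial of service.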
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|
| Access Control | Clients, Products and Business Practices | Web defacements | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | Worms | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | 5 | 0.00 |
| Access Control | External Fraud | Worms | SNMP best practices have not been implemented. | SNMP best practices have been implemented. | 5 | 0.00 |
| Asset Classification and Control | Internal Fraud | Discussing sensitive matters in open | Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information. | Information handling procedures for copying, storage, packaging for internal and external mail, electronic and spoken transmission and destruction are established based upon information asset | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Discussing sensitive matters in open | Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information. | Information handling procedures for copying, storage, packaging for internal and external mail, electronic and spoken transmission and destruction are established based upon information asset | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Dumpster diving | Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information. | Information handling procedures for copying, storage, packaging for internal and external mail, electronic and spoken transmission and destruction are established based upon information asset | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Dumpster diving | Confidential/sensitive data located on a disposed of or reassigned asset can be accessed by an unauthorized user. | Data disposal procedures are defined for data on all types of media (e.g., paper, microfiche, and computer disks). | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Embezzlement | Unauthorized disclosure of sensitive information. | Procedures for labeling printed reports, screen displays, magnetic media, electronic messages and file transfers are defined. | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Embezzlement | Confidential/sensitive data located on a disposed of or reassigned asset can be accessed by an unauthorized user. |  | 5 | 0.00 |
|  |  | Human error |  |  | 5 | 0.00 |
Data disposal procedures are defined for data on all types of media (e.g., paper, microfiche, and computer disks).
Asset Classification and Control
Execution, Delivery and Process Management
Lack of appropriate level of security controls applied to sensitive information assets. Unlawful disclosure of sensitive information.
Information assets that are processed, stored or transmitted are handled in accordance with asset classification (e.g., confidential, sensitive, and public) and are in compliance with applicable laws and
Threat Event | Scores (as extracted)
Lawsuits/litigation | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
Network spoofing | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
Asset Classification and Control
Execution, Delivery and Process Management
Lack of appropriate level of security controls applied to sensitive information assets. Unlawful disclosure of sensitive information.
Information assets that are processed, stored or transmitted are handled in accordance with asset classification (e.g., confidential, sensitive, and public) and are in compliance with applicable laws and
Asset Classification and Control
External Fraud
Leaving sensitive documents exposed
Confidential/sensitive data located on a disposed of or reassigned asset can be accessed by an unauthorized user. Licensing penalties can be incurred if not
Procedures and controls for asset handling -- including the introduction or purchase, licensing, transfer, removal, disposal and reuse of assets -- are established.
Asset Classification and Control
Internal Fraud
Leaving sensitive documents exposed
Unauthorized disclosure of sensitive information.
Procedures for labeling printed reports, screen displays, magnetic media, electronic messages and file transfers are defined.
Asset Classification and Control
External Fraud
Leaving sensitive documents exposed
Unauthorized disclosure of sensitive information.
Procedures for labeling printed reports, screen displays, magnetic media, electronic messages and file transfers are defined.
Asset Classification and Control
Internal Fraud
Leaving sensitive documents exposed
Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information.
Information handling procedures for copying, storage, packaging for internal and external mail, electronic and spoken transmission and destruction are established based upon information asset
Asset Classification and Control
External Fraud
Leaving sensitive documents exposed
Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information.
Information handling procedures for copying, storage, packaging for internal and external mail, electronic and spoken transmission and destruction are established based upon information asset
Asset Classification and Control
External Fraud
Leaving sensitive documents exposed
Confidential/sensitive data located on a disposed of or reassigned asset can be accessed by an unauthorized user.
Data disposal procedures are defined for data on all types of media (e.g., paper, microfiche, and computer disks).
Asset Classification and Control
External Fraud
Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential
Data encryption and authentication requirements are established based on information asset classification.
Asset Classification and Control
External Fraud
Unauthorized network or system access
Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential
Data encryption and authentication requirements are established based on information asset classification.
Asset Classification and Control
Internal Fraud
Unauthorized network or system access
Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential
Data encryption and authentication requirements are established based on information asset classification.
Threat Event | Scores (as extracted)
Unauthorized scans | 5 0.00
Biological agent attack | 5 0.00
Bomb attacks | 5 0.00
Chemical spill | 5 0.00
Civil disorder | 5 0.00
Civil disorder | 5 0.00
DDoS or DoS attacks | 5 0.00
DDoS or DoS attacks | 5 0.00
DNS failure | 5 0.00
Asset Classification and Control
External Fraud
Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure
Data encryption and authentication requirements are established based on information asset
Business Continuity Management
Business Disruption and System Failures
Crisis event management procedures, roles and responsibilities, and communication plans
Crisis event management testing plans are in place including emergency response, escalation and communication plan
Business Continuity Management
Damage to Physical Assets
Crisis event management procedures, roles and responsibilities, and communication plans
Crisis event management testing plans are in place including emergency response, escalation and communication plan
Business Continuity Management
Damage to Physical Assets
Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested
Crisis event management testing plans are in place including emergency response, escalation and communication plan documentation, and clearly defined individual and organizational responsibilities (including public sector
Business Continuity Management
Business Disruption and System Failures
Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested.
Crisis event management testing plans are in place including emergency response, escalation and communication plan documentation, and clearly defined individual and organizational responsibilities (including public sector
Business Continuity Management
Business Disruption and System Failures
There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services.
The contract(s) governing the products or services delivered by third parties include terms describing the recovery service levels to be delivered, continuity plans and notification provisions in the event of continuity
Business Continuity Management
Business Disruption and System Failures
Business recovery procedures, roles and responsibilities, and corresponding technology recovery plans have not been defined or tested.
A comprehensive business continuity plan, including technology solutions is in place to address recovery of service during a time of business interruption.
Business Continuity Management
Business Disruption and System Failures
Business continuity and disaster recovery plans will fail to meet the recovery time objectives for critical business functions and services.
End-to-end business continuity and recovery plans are tested at appropriate intervals and results feed into a continuous recovery plan improvement cycle that is based on changes in business, technology,
Business Continuity Management
Business Disruption and System Failures
Business recovery procedures, roles and responsibilities, and corresponding technology recovery plans have not been defined or tested.
A comprehensive business continuity plan, including technology solutions is in place to address recovery of service during a time of business interruption.
Threat Event | Scores (as extracted)
Floods | 5 0.00
Floods | 5 0.00
Human error | 5 0.00
Hurricane | 5 0.00
Lawsuits/litigation | 5 0.00
Power failure | 5 0.00
Power failure | 5 0.00
Business Continuity Management
Damage to Physical Assets
Unable to recover critical business capabilities within the required timeframes.
A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and
Business Continuity Management
Damage to Physical Assets
Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested.
Crisis event management testing plans are in place including emergency response, escalation and communication plan documentation, and clearly defined individual and organizational responsibilities (including public sector
Business Continuity Management
Execution, Delivery and Process Management
There is a lack of responsibility for supporting and enhancing the business continuity program.
Accountability and compliance for the continuity planning program, tests, audits and results are clearly
Business Continuity Management
Damage to Physical Assets
Unable to recover critical business capabilities within the required timeframes.
A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and
Business Continuity Management
Clients, Products and Business Practices
There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services
The contract(s) governing the products or services delivered by third parties include terms describing the recovery service levels to be delivered, continuity plans and notification provisions in the event of continuity
Business Continuity Management
Business Disruption and System Failures
Business recovery procedures, roles and responsibilities, and corresponding technology recovery plans have not been defined or tested.
A comprehensive business continuity plan, including technology solutions is in place to address recovery of service during a time of business interruption.
Business Continuity Management
Business Disruption and System Failures
Unable to recover critical business capabilities within the required timeframes.
A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and
Threat Event | Scores (as extracted)
Power failure | 5 0.00
Power failure | 5 0.00
Power failure | 5 0.00
Sabotage | 5 0.00
System software failure | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
Business Continuity Management
Business Disruption and System Failures
Business recovery procedures, roles and responsibilities, and technology recovery plans have not been defined or tested for key service providers such as disaster recovery hot-sites, telecommunications
Documented business continuity plans and supporting recovery strategies are in place including the consideration of recovery of activities supported by dependent service providers.
Business Continuity Management
Business Disruption and System Failures
Business continuity and disaster recovery plans will fail to meet the recovery time objectives for critical business functions and services.
End-to-end business continuity and recovery plans are tested at appropriate intervals and results feed into a continuous recovery plan improvement cycle that is based on changes in business, technology,
Business Continuity Management
Business Disruption and System Failures
There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services
The contract(s) governing the products or services delivered by third parties include terms describing the recovery service levels to be delivered, continuity plans and notification provisions in the event of continuity
Business Continuity Management
Business Disruption and System Failures
There is a lack of responsibility for supporting and enhancing the business continuity program.
Accountability and compliance for the continuity planning program, tests, audits and results are clearly
Business Continuity Management
Business Disruption and System Failures
Business recovery procedures, roles and responsibilities, and technology recovery plans have not been defined or tested for key service providers such as disaster recovery hot-sites, telecommunications
Documented business continuity plans and supporting recovery strategies are in place including the consideration of recovery of activities supported by dependent service providers.
Business Continuity Management
Business Disruption and System Failures
Telecommunications failure
Unable to recover critical business capabilities within the required timeframes.
A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and
Business Continuity Management
Business Disruption and System Failures
Telecommunications failure
Business recovery procedures, roles and responsibilities, and technology recovery plans have not been defined or tested for key service providers such as disaster recovery hot-sites, telecommunications
Documented business continuity plans and supporting recovery strategies are in place including the consideration of recovery of activities supported by dependent service providers.
Business Continuity Management
Business Disruption and System Failures
Telecommunications failure
Business continuity and disaster recovery plans will fail to meet the recovery time objectives
End-to-end business continuity and recovery plans are tested at appropriate intervals and
Threat Event | Scores (as extracted)
(no label extracted) | 5 0.00
Terrorist attack | 5 0.00
Terrorist attack | 5 0.00
Terrorist attack | 5 0.00
Terrorist attack | 5 0.00
Terrorist attack | 5 0.00
Airplane crash | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
Business Continuity Management
Business Disruption and System Failures
Telecommunications failure
There are no legal obligations, accountability or service level agreement for
The contract(s) governing the products or services delivered by third parties include terms describing
Business Continuity Management
Damage to Physical Assets
Business recovery procedures, roles and responsibilities, and corresponding
A comprehensive business continuity plan, including technology solutions is in place to address recovery
Business Continuity Management
Damage to Physical Assets
Unable to recover critical business capabilities within the required timeframes.
A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and
Business Continuity Management
Damage to Physical Assets
Unable to recover critical business capabilities within the required timeframes.
A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and
Business Continuity Management
Damage to Physical Assets
Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested
Crisis event management testing plans are in place including emergency response, escalation and communication plan documentation and clearly defined individual and organizational responsibilities (including public sector
Business Continuity Management
Damage to Physical Assets
There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services.
The contract(s) governing the products or services delivered by third parties include terms describing the recovery service levels to be delivered, continuity plans and notification provisions in the event of continuity
Communications and Operations Management
Damage to Physical Assets
Lack of information and media protection while in transit.
Procedures and standards to protect information and media in transit are established.
Communications and Operations Management
Business Disruption and System Failures
Application software failure
Lack of release management processes.
System and network operating release management processes and procedures are in place including analysis of new release functionality, testing and deployment
Communications and Operations Management
Business Disruption and System Failures
Application software failure
Applications, systems and network architectures lack high availability.
Application, system and network architectures are designed for high availability and operational redundancy.
Communications and Operations Management
Business Disruption and System Failures
Application software failure
Acceptance criteria for new applications, systems and networks are not in place.
Formal acceptance procedures and criteria (including security) for new applications, systems and networks are in
Threat Event | Scores (as extracted)
(no label extracted) | 5 0.00
Automobile crash | 5 0.00
Bomb threats | 5 0.00
Computer crime | 5 0.00
Computer crime | 5 0.00
Computer crime | 5 0.00
Computer crime | 5 0.00
Computer crime | 5 0.00
Computer crime | 5 0.00
Computer crime | 5 0.00
Computer crime | 5 0.00
DDoS or DoS attacks | 5 0.00
DDoS or DoS attacks | 5 0.00
Communications and Operations Management
Business Disruption and System Failures
Application software failure
Design requirements for applications, systems and networks are not met.
Implemented applications, systems and networks meet design requirements.
Communications and Operations Management
Damage to Physical Assets
Lack of information and media protection while in transit.
Procedures and standards to protect information and media in transit are established.
Communications and Operations Management
Business Disruption and System Failures
Lack of procedures for handling external communications in the event of an incident.
Procedures are in place to notify or handle inquiries from external stakeholders; customers or clients, news media, government offices, outside investigators,
Communications and Operations Management
Internal Fraud
System and data backups are able to be accessed freely.
On and off-site system and data backups are protected from unauthorized access and tampering.
Communications and Operations Management
External Fraud
System and data backups are able to be accessed freely.
On and off-site system and data backups are protected from unauthorized access and tampering.
Communications and Operations Management
Internal Fraud
Logs aren't available for audits, forensics or prosecution.
Operator use logs are retained for an appropriate period of time.
Communications and Operations Management
External Fraud
Logs aren't available for audits, forensics or prosecution.
Operator use logs are retained for an appropriate period of time.
Communications and Operations Management
External Fraud
Intrusion detection systems are not used or used ineffectively.
Intrusion detection systems are used appropriately within the overall network
Communications and Operations Management
Internal Fraud
Lack of accountability for network security logs.
Sufficient accountability is assigned to logs of security related events to the network.
Communications and Operations Management
External Fraud
Lack of accountability for network security logs.
Sufficient accountability is assigned to logs of security related events to the network.
Communications and Operations Management
External Fraud
Lack of strong authentication and authorization to e-commerce applications.
Online registration, authentication and authorization are required before e-commerce information and data exchanges are made.
Communications and Operations Management
Business Disruption and System Failures
Lack of documented incident management procedures.
Incident management procedures are in place and well documented including: actions to take in the event of information system failures or loss of service, denial of service attacks, errors resulting from incomplete or inaccurate business data, errors resulting from system or device misconfiguration, breaches or loss of confidentiality, recovery from specific incidents,
Communications and Operations Management
Business Disruption and System Failures
Incident response teams are unqualified.
Incident response teams have appropriate qualifications and necessary training.
Threat Event | Scores (as extracted)
DDoS or DoS attacks | 5 0.00
DDoS or DoS attacks | 5 0.00
DDoS or DoS attacks | 5 0.00
DDoS or DoS attacks | 5 0.00
DDoS or DoS attacks | 5 0.00
DDoS or DoS attacks | 5 0.00
DNS failure | 5 0.00
Dumpster diving | 5 0.00
Fire | 5 0.00
Floods | 5 0.00
Floods | 5 0.00
Floods | 5 0.00
Floods | 5 0.00
Communications and Operations Management
Business Disruption and System Failures
No network penetration testing is performed.
Regular, periodic vulnerability and penetration testing is performed on all networks in accordance with the risk of each security/control domain
Communications and Operations Management
Business Disruption and System Failures
Lack of network redundancy
Network redundancy or diverse network routing is maintained.
Communications and Operations Management
Business Disruption and System Failures
Network activities are not monitored.
Network activities are monitored (manually and/or using automated tools) through log reviews on a frequent, periodic basis.
Communications and Operations Management
Business Disruption and System Failures
Logs aren't available for audits, forensics or prosecution.
Network activities are logged such as: access failures, logon patterns, allocation and use of privileged access accounts, selected transactions, sensitive resources, remote dial-up activity, firewall activity, failed operating system and application access
Communications and Operations Management
Business Disruption and System Failures
Firewalls are not used or are used ineffectively.
Firewalls are used appropriately within the overall network architecture.
Communications and Operations Management
External Fraud
Intrusion detection systems are not used or used ineffectively.
Intrusion detection systems are used appropriately within the overall network
Communications and Operations Management
Business Disruption and System Failures
Lack of network redundancy
Network redundancy or diverse network routing is maintained.
Communications and Operations Management
External Fraud
Lack of record destruction and disposal policies
Record destruction and disposal policies have been established for documents, computer media (tapes, disks, cassettes, etc.), input/output data and
Communications and Operations Management
Business Disruption and System Failures
Backup or recovery processes aren't working and no one is aware of it.
Testing of backup systems and timely restoration of data is performed at regular intervals.
Communications and Operations Management
Damage to Physical Assets
System and data backups aren't available for standard or disaster recovery purposes.
Regular system and data backups are performed at appropriate intervals by specific or dedicated units.
Communications and Operations Management
Damage to Physical Assets
System and data backups aren't available for standard or disaster recovery purposes.
Regular system and data backups are performed at appropriate intervals by specific or dedicated units.
Communications and Operations Management
Damage to Physical Assets
Recovery assets are destroyed in the original disaster.
Copies of system and data backups are taken and stored offsite at locations with an adequate distance from the production site and for an adequate period of time.
Communications and Operations Management
Business Disruption and System Failures
Backup or recovery processes aren't working and no one is aware of it.
Testing of backup systems and timely restoration of data is performed at regular intervals.
Threat Event | Scores (as extracted)
Hardware failure | 5 0.00
Hardware failure | 5 0.00
Hardware failure | 5 0.00
Hardware failure | 5 0.00
Hardware failure | 5 0.00
Human error | 5 0.00
Human error | 5 0.00
Human error | 5 0.00
Human error | 5 0.00
Communications and Operations Management
Business Disruption and System Failures
No ability to project future system capacity requirements.
Projection and planning for future system capacity requirements is performed.
Communications and Operations Management
Business Disruption and System Failures
New system requirements are not documented or tested prior to use.
Operational requirements for new systems are established, documented and tested prior to the system's acceptance and
Communications and Operations Management
Business Disruption and System Failures
Applications, systems and network architectures lack high availability.
Application, system and network architectures are designed for high availability and operational redundancy.
Communications and Operations Management
Business Disruption and System Failures
Acceptance criteria for new applications, systems and networks are not in place.
Formal acceptance procedures and criteria (including security) for new applications, systems and networks are in
Communications and Operations Management
Business Disruption and System Failures
Maintenance logs aren't available for problem management and forensics.
Maintenance and upgrade logs are kept for hardware and/or software.
Communications and Operations Management
Execution, Delivery and Process Management
Lack of instructions for incident response at processing facilities.
Operating instructions for the management of processing facilities include incident response requirements such as escalation via a call tree, methods for handling errors, generating and handling special output and restarting and
Communications and Operations Management
Execution, Delivery and Process Management
No formal change control process is in place.
A formal change control process is in place detailing; testing (including regression and security testing as appropriate), assessment, formal approval, back out or contingency plans, separation of development and production software and systems, separation of development and
Communications and Operations Management
Execution, Delivery and Process Management
System and network changes are not documented.
All system and network operating changes are documented and incorporated back into system manuals.
Communications and Operations Management
Execution, Delivery and Process Management
Lack of documented incident management procedures.
Incident management procedures are in place and well documented including: actions to take in the event of information system failures or loss of service, denial of service attacks, errors resulting from incomplete or inaccurate business data, errors resulting from system or device misconfiguration, breaches or loss of confidentiality, recovery from specific incidents,
Threat Event | Scores (as extracted)
Human error | 5 0.00
Human error | 5 0.00
Human error | 5 0.00
Human error | 5 0.00
Human error | 5 0.00
Hurricane | 5 0.00
Lawsuits/litigation | 5 0.00
Lawsuits/litigation | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
(no label extracted) | 5 0.00
Communications and Operations Management
Execution, Delivery and Process Management
System monitoring does not have current signature files.
The security event monitoring system has current signature files.
Communications and Operations Management
Execution, Delivery and Process Management
Incident response teams are unqualified.
Incident response teams have appropriate qualifications and necessary training.
Communications and Operations Management
Execution, Delivery and Process Management
Lack of accountability for network security logs.
Sufficient accountability is assigned to logs of security related events to the network
Communications and Operations Management
Execution, Delivery and Process Management
Lack of record retention and storage policies.
Record retention and storage policies have been established for documents, computer media (tapes, disks, cassettes, etc.), input/output data and
Communications and Operations Management
Execution, Delivery and Process Management
Sensitive information can be inadvertently made publicly available.
A review and authorization process is in place to control information that is made publicly available.
Communications and Operations Management
Damage to Physical Assets
Recovery assets are destroyed in the original disaster.
Copies of system and data backups are taken and stored offsite at locations with an adequate distance from the production site and for an adequate period of time
Communications and Operations Management
Clients, Products and Business Practices
Lack of procedures for handling external communications in the event of an incident.
Procedures are in place to notify or handle inquiries from external stakeholders; customers or clients, news media, government offices, outside investigators,
Communications and Operations Management
Clients, Products and Business Practices
Lack of record retention and storage policies.
Record retention and storage policies have been established for documents, computer media (tapes, disks, cassettes, etc.), input/output data and
Communications and Operations Management
Execution, Delivery and Process Management
Leaving sensitive documents exposed
Lack of record destruction and disposal policies.
Record destruction and disposal policies have been established for documents, computer media (tapes, disks, cassettes, etc.), input/output data and
Communications and Operations Management
Execution, Delivery and Process Management
Leaving sensitive documents exposed
Lack of record retention and storage policies.
Record retention and storage policies have been established for documents, computer media (tapes, disks, cassettes, etc.), input/output data and
Communications and Operations Management
Execution, Delivery and Process Management
Leaving sensitive documents exposed
Lack of ability to support information and software exchange agreements.
Information and software exchange agreements (including software escrow) can be supported.
Communications and Operations Management
Execution, Delivery and Process Management
Leaving sensitive documents exposed
Sensitive information can be inadvertently made publicly available.
A review and authorization process is in place to control information that is made publicly available.
Spilled sheet columns for the 13 rows below, in row order: Threat Event = Malicious code, Malicious code, Malicious code, Network spoofing, Network spoofing, Network spoofing, then blank for the rows that name their threat event (Network/application backdoor) inline. Impact if Control is not Implemented = 5 and Residual Risk Score = 0.00 for every row.
Communications and Operations Management
Business Disruption and System Failures
Design requirements for applications, systems and networks are not met.
Implemented applications, systems and networks meet design requirements.
Communications and Operations Management
Business Disruption and System Failures
Code scanning is performed, inconsistently performed or not adequately performed.
A code scanning policy is in place and includes the types of security issues to be scanned for (e.g., malicious code, worms, Trojan horses, back doors, form input
Communications and Operations Management
Business Disruption and System Failures
Lack of filtering for malicious code.
Filtering for malicious code at the network perimeter is employed.
Communications and Operations Management
External Fraud
Intrusion detection systems are not used or used ineffectively.
Intrusion detection systems are used appropriately within the overall network
Communications and Operations Management
External Fraud
Tools to detect rogue network devices are not used.
Tools are used to detect rogue network devices and services.
Communications and Operations Management
External Fraud
Loss or compromise of data related to audits, forensics or prosecution
Network security related event logs are secured against unauthorized access, change and deletion for an adequate period of time.
Communications and Operations Management
External Fraud
Network/application backdoor
Design requirements for applications, systems and networks are not met.
Implemented applications, systems and networks meet design requirements.
Communications and Operations Management
Internal Fraud
Network/application backdoor
Design requirements for applications, systems and networks are not met.
Implemented applications, systems and networks meet design requirements.
Communications and Operations Management
External Fraud
Network/application backdoor
Code scanning is performed, inconsistently performed or not adequately performed.
A code scanning policy is in place and includes the types of security issues to be scanned for (e.g., malicious code, worms, Trojan horses, back doors, form input
Communications and Operations Management
External Fraud
Network/application backdoor
Network management and security/control domains aren't in place.
Network management security/control domains (perimeter, DMZ, etc.) and perimeters have been designed, applied and implemented on all networks.
Communications and Operations Management
External Fraud
Network/application backdoor
Non-secure configuration of network devices.
Network devices are securely configured according to their function within security/control zones (i.e., public/untrusted networks, semi-private networks, DMZs) and
Communications and Operations Management
External Fraud
Network/application backdoor
Network activities are not monitored.
Network activities are monitored (manually and/or using automated tools) through log reviews on a frequent, periodic basis.
Communications and Operations Management
External Fraud
Network/application backdoor
Tools to detect rogue network devices are not used.
Tools are used to detect rogue network devices and services.
Spilled sheet columns for the 10 rows below, in row order: Threat Event = blank for the two rows that name Network/application time bomb inline, then Power failure, Robbery, Sabotage, Seismic activity, Social engineering, Software defects, Software defects, Software defects. Impact if Control is not Implemented = 5 and Residual Risk Score = 0.00 for every row.
Communications and Operations Management
Business Disruption and System Failures
Network/application time bomb
Code scanning is performed, inconsistently performed or not adequately performed.
A code scanning policy is in place and includes the types of security issues to be scanned for (e.g., malicious code, worms, Trojan horses, back doors, form input
Communications and Operations Management
External Fraud
Network/application time bomb
Tools to detect rogue network devices are not used.
Tools are used to detect rogue network devices and services.
Communications and Operations Management
Business Disruption and System Failures
Lack of instructions for incident response at processing facilities.
Operating instructions for the management of processing facilities include incident response requirements such as escalation via a call tree, methods for handling errors, generating and handling special output and restarting and
Communications and Operations Management
External Fraud
Lack of information and media protection while in transit.
Procedures and standards to protect information and media in transit are established.
Communications and Operations Management
Business Disruption and System Failures
Lack of procedures for handling external communications in the event of an incident.
Procedures are in place to notify or handle inquiries from external stakeholders, customers or clients, news media, government offices, outside investigators,
Communications and Operations Management
Damage to Physical Assets
Recovery assets are destroyed in the original disaster.
Copies of system and data backups are taken and stored offsite at locations with an adequate distance from the production site and for an adequate period of time.
Communications and Operations Management
External Fraud
Sensitive information can be inadvertently made publicly available.
A review and authorization process is in place to control information that is made publicly available.
Communications and Operations Management
Execution, Delivery and Process Management
No formal change control process is in place.
A formal change control process is in place detailing: testing (including regression and security testing as appropriate), assessment, formal approval, back out or contingency plans, separation of development and production software and systems, separation of development and
Communications and Operations Management
Business Disruption and System Failures
Lack of release management processes.
System and network operating release management processes and procedures are in place including analysis of new release functionality, testing and deployment
Communications and Operations Management
Business Disruption and System Failures
Acceptance criteria for new applications, systems and networks are not in place.
Formal acceptance procedures and criteria (including security) for new applications, systems and networks are in
Spilled sheet columns for the 9 rows below, in row order: Threat Event = Software defects, then System software failure for the remaining eight rows. Impact if Control is not Implemented = 5 and Residual Risk Score = 0.00 for every row.
Communications and Operations Management
Business Disruption and System Failures
Design requirements for applications, systems and networks are not met.
Implemented applications, systems and networks meet design requirements.
Communications and Operations Management
Business Disruption and System Failures
Lack of instructions for incident response at processing facilities.
Operating instructions for the management of processing facilities include incident response requirements such as escalation via a call tree, methods for handling errors, generating and handling special output and restarting and
Communications and Operations Management
Business Disruption and System Failures
No formal change control process is in place.
A formal change control process is in place detailing: testing (including regression and security testing as appropriate), assessment, formal approval, back out or contingency plans, separation of development and production software and systems, separation of development and
Communications and Operations Management
Business Disruption and System Failures
System and network changes are not documented.
All system and network operating changes are documented and incorporated back into system manuals.
Communications and Operations Management
Business Disruption and System Failures
Lack of release management processes.
System and network operating release management processes and procedures are in place including analysis of new release functionality, testing and deployment
Communications and Operations Management
Business Disruption and System Failures
Lack of documented incident management procedures.
Incident management procedures are in place and well documented including: actions to take in the event of information system failures or loss of service, denial of service attacks, errors resulting from incomplete or inaccurate business data, errors resulting from system or device misconfiguration, breaches or loss of confidentiality, recovery from specific incidents,
Communications and Operations Management
Business Disruption and System Failures
Incident response teams are unqualified.
Incident response teams have appropriate qualifications and necessary training.
Communications and Operations Management
Business Disruption and System Failures
Incident response teams are not accessible in the event of an incident.
Incident response teams are accessible and available as needed.
Communications and Operations Management
Business Disruption and System Failures
No ability to project future system capacity requirements.
Projection and planning for future system capacity requirements is performed.
Spilled sheet columns for the 13 rows below, in row order: Threat Event = System software failure for the first seven rows, blank for the three rows that name Telecommunications failure inline, then Terrorist attack, Tornados, Trojans. Impact if Control is not Implemented = 5 and Residual Risk Score = 0.00 for every row.
Communications and Operations Management
Business Disruption and System Failures
New system requirements are not documented or tested prior to use.
Operational requirements for new systems are established, documented and tested prior to the system’s acceptance and
Communications and Operations Management
Business Disruption and System Failures
Applications, systems and network architectures lack high availability.
Application, system and network architectures are designed for high availability and operational redundancy.
Communications and Operations Management
Business Disruption and System Failures
Acceptance criteria for new applications, systems and networks are not in place.
Formal acceptance procedures and criteria (including security) for new applications, systems and networks are in
Communications and Operations Management
Business Disruption and System Failures
Design requirements for applications, systems and networks are not met.
Implemented applications, systems and networks meet design requirements.
Communications and Operations Management
Business Disruption and System Failures
System and data backups aren't available for standard or disaster recovery purposes.
Regular system and data backups are performed at appropriate intervals by specific or dedicated units.
Communications and Operations Management
Business Disruption and System Failures
Backup or recovery processes aren't working and no one is aware of it.
Testing of backup systems and timely restoration of data is performed at regular intervals.
Communications and Operations Management
Business Disruption and System Failures
Maintenance logs aren't available for problem management and forensics.
Maintenance and upgrade logs are kept for hardware and/or software.
Communications and Operations Management
Business Disruption and System Failures
Telecommunications failure
Lack of instructions for incident response at processing facilities.
Operating instructions for the management of processing facilities include incident response requirements such as escalation via a call tree, methods for handling errors, generating and handling special output and restarting and
Communications and Operations Management
Business Disruption and System Failures
Telecommunications failure
Backup or recovery processes aren't working and no one is aware of it.
Testing of backup systems and timely restoration of data is performed at regular intervals.
Communications and Operations Management
Business Disruption and System Failures
Telecommunications failure
Lack of network redundancy
Network redundancy or diverse network routing is maintained.
Communications and Operations Management
Damage to Physical Assets
Recovery assets are destroyed in the original disaster.
Copies of system and data backups are taken and stored offsite at locations with an adequate distance from the production site and for an adequate period of time
Communications and Operations Management
Damage to Physical Assets
Recovery assets are destroyed in the original disaster.
Copies of system and data backups are taken and stored offsite at locations with an adequate distance from the production site and for an adequate period of time
Communications and Operations Management
Business Disruption and System Failures
Security incidents and suspicious activities are not monitored.
Security incidents are monitored including security breaches, internal fraud, unauthorized/unacceptable employee activity and other suspicious
Spilled sheet columns for the 11 rows below, in row order: Threat Event = Trojans for the first six rows, then blank for the five rows that name Unauthorized network or system access inline. Impact if Control is not Implemented = 5 and Residual Risk Score = 0.00 for every row.
Communications and Operations Management
Business Disruption and System Failures
Lack of a comprehensive virus protection policy.
A virus protection policy, including a virus protection process and response team, is in place and communicated internally.
Communications and Operations Management
Business Disruption and System Failures
Anti-virus software is not used or is not effective.
Antivirus software is deployed, updated and maintained.
Communications and Operations Management
Business Disruption and System Failures
Anti-virus software is able to be circumvented.
Restrictions on end-user override capabilities are in place with antivirus software.
Communications and Operations Management
Business Disruption and System Failures
Remote and laptop users do not have virus protection.
Virus protection applies to remote and laptop users.
Communications and Operations Management
Business Disruption and System Failures
Code scanning is performed, inconsistently performed or not adequately performed.
A code scanning policy is in place and includes the types of security issues to be scanned for (e.g., malicious code, worms, Trojan horses, back doors, form input
Communications and Operations Management
Business Disruption and System Failures
Firewalls are not used or are used ineffectively.
Firewalls are used appropriately within the overall network architecture.
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
No formal change control process is in place.
A formal change control process is in place detailing: testing (including regression and security testing as appropriate), assessment, formal approval, back out or contingency plans, separation of development and production software and systems, separation of development and
Communications and Operations Management
External Fraud
Unauthorized network or system access
No formal change control process is in place.
A formal change control process is in place detailing: testing (including regression and security testing as appropriate), assessment, formal approval, back out or contingency plans, separation of development and production software and systems, separation of development and
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
System and network changes are not documented.
All system and network operating changes are documented and incorporated back into system manuals.
Communications and Operations Management
External Fraud
Unauthorized network or system access
System and network changes are not documented.
All system and network operating changes are documented and incorporated back into system manuals.
Communications and Operations Management
External Fraud
Unauthorized network or system access
Security incidents and suspicious activities are not monitored.
Security incidents are monitored including security breaches, internal fraud, unauthorized/unacceptable employee activity and other suspicious
Spilled sheet columns for the 11 rows below: Threat Event = blank for every row (each row names Unauthorized network or system access inline). Impact if Control is not Implemented = 5 and Residual Risk Score = 0.00 for every row.
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
Security incidents and suspicious activities are not monitored.
Security incidents are monitored including security breaches, internal fraud, unauthorized/unacceptable employee activity and other suspicious
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
Incident response teams are not accessible in the event of an incident.
Incident response teams are accessible and available as needed.
Communications and Operations Management
External Fraud
Unauthorized network or system access
Incident response teams are not accessible in the event of an incident.
Incident response teams are accessible and available as needed.
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
Logs aren't available for audits, forensics or prosecution.
Operator use logs are retained for an appropriate period of time.
Communications and Operations Management
External Fraud
Unauthorized network or system access
Logs aren't available for audits, forensics or prosecution.
Operator use logs are retained for an appropriate period of time.
Communications and Operations Management
External Fraud
Unauthorized network or system access
Network management and security/control domains aren't in place.
Network management security/control domains (perimeter, DMZ, etc.) and perimeters have been designed, applied and implemented on all networks.
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
Network management and security/control domains aren't in place.
Network management security/control domains (perimeter, DMZ, etc.) and perimeters have been designed, applied and implemented on all networks.
Communications and Operations Management
External Fraud
Unauthorized network or system access
Non-secure configuration of network devices.
Network devices are securely configured according to their function within security/control zones (i.e., public/untrusted networks, semi-private networks, DMZs) and
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
Non-secure configuration of network devices.
Network devices are securely configured according to their function within security/control zones (i.e., public/untrusted networks, semi-private networks, DMZs) and
Communications and Operations Management
External Fraud
Unauthorized network or system access
Remote access is uncontrolled and unmanaged.
Remote access management utilities or tools are used for remote access to networks and servers (administrator as well as “user” dial-in/dial-out, maintenance dial-in) appropriate to each
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
Remote access is uncontrolled and unmanaged.
Remote access management utilities or tools are used for remote access to networks and servers (administrator as well as “user” dial-in/dial-out, maintenance dial-in) appropriate to each
Spilled sheet columns for the 10 rows below: Threat Event = blank for every row (each row names Unauthorized network or system access inline). Impact if Control is not Implemented = 5 and Residual Risk Score = 0.00 for every row.
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
No network penetration testing is performed.
Regular, periodic vulnerability and penetration testing is performed on all networks in accordance with the risk of each security/control domain
Communications and Operations Management
External Fraud
Unauthorized network or system access
No network penetration testing is performed.
Regular, periodic vulnerability and penetration testing is performed on all networks in accordance with the risk of each security/control domain
Communications and Operations Management
External Fraud
Unauthorized network or system access
Network activities are not monitored.
Network activities are monitored (manually and/or using automated tools) through log reviews on a frequent, periodic basis.
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
Network activities are not monitored.
Network activities are monitored (manually and/or using automated tools) through log reviews on a frequent, periodic basis.
Communications and Operations Management
External Fraud
Unauthorized network or system access
Logs aren't available for audits, forensics or prosecution.
Network activities are logged such as: access failures, logon patterns, allocation and use of privileged access accounts, selected transactions, sensitive resources, remote dial-up activity, firewall activity, failed operating system and application access
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
Logs aren't available for audits, forensics or prosecution.
Network activities are logged such as: access failures, logon patterns, allocation and use of privileged access accounts, selected transactions, sensitive resources, remote dial-up activity, firewall activity, failed operating system and application access
Communications and Operations Management
External Fraud
Unauthorized network or system access
Intrusion detection systems are not used or used ineffectively.
Intrusion detection systems are used appropriately within the overall network
Communications and Operations Management
External Fraud
Unauthorized network or system access
Tools to detect rogue network devices are not used.
Tools are used to detect rogue network devices and services.
Communications and Operations Management
External Fraud
Unauthorized network or system access
Loss or compromise of data related to audits, forensics or prosecution
Network security related event logs are secured against unauthorized access, change and deletion for an adequate period of time.
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
Loss or compromise of data related to audits, forensics or prosecution
Network security related event logs are secured against unauthorized access, change and deletion for an adequate period of time
Spilled sheet columns for the 11 rows below, in row order: Threat Event = blank for the four rows that name Unauthorized network or system access inline, then Unauthorized scans for the remaining seven rows. Impact if Control is not Implemented = 5 and Residual Risk Score = 0.00 for every row.
Communications and Operations Management
External Fraud
Unauthorized network or system access
Lack of strong authentication and authorization to e-commerce applications.
Online registration, authentication and authorization are required before e-commerce information and data exchanges are made.
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
Lack of strong authentication and authorization to e-commerce applications.
Online registration, authentication and authorization are required before e-commerce information and data exchanges are made.
Communications and Operations Management
External Fraud
Unauthorized network or system access
Access codes are able to be read in the clear while in storage or transmission.
Access codes are encrypted in storage and transmission.
Communications and Operations Management
Internal Fraud
Unauthorized network or system access
Access codes are able to be read in the clear while in storage or transmission.
Access codes are encrypted in storage and transmission.
Communications and Operations Management
External Fraud
Security incidents and suspicious activities are not monitored.
Security incidents are monitored including security breaches, internal fraud, unauthorized/unacceptable employee activity and other suspicious
Communications and Operations Management
Internal Fraud
System monitoring does not have current signature files.
The security event monitoring system has current signature files.
Communications and Operations Management
External Fraud
System and data backups are able to be accessed freely.
On and off-site system and data backups are protected from unauthorized access and tampering.
Communications and Operations Management
External Fraud
Network management and security/control domains aren't in place.
Network management security/control domains (perimeter, DMZ, etc.) and perimeters have been designed, applied and implemented on all networks.
Communications and Operations Management
External Fraud
Non-secure configuration of network devices.
Network devices are securely configured according to their function within security/control zones (i.e., public/untrusted networks, semi-private networks, DMZs) and
Communications and Operations Management
External Fraud
Remote access is uncontrolled and unmanaged.
Remote access management utilities or tools are used for remote access to networks and servers (administrator as well as “user” dial-in/dial-out, maintenance dial-in) appropriate to each
Communications and Operations Management
External Fraud
Network activities are not monitored.
Network activities are monitored (manually and/or using automated tools) through log reviews on a frequent, periodic basis.
Spilled sheet columns for the 14 rows below, in row order: Threat Event = Unauthorized scans for the first five rows, Virus hoaxes, Viruses for the next seven rows, then War dialing. Impact if Control is not Implemented = 5 and Residual Risk Score = 0.00 for every row.
Communications and Operations Management
External Fraud
Logs aren't available for audits, forensics or prosecution.
Network activities are logged such as: access failures, logon patterns, allocation and use of privileged access accounts, selected transactions, sensitive resources, remote dial-up activity, firewall activity, failed operating system and application access
Communications and Operations Management
External Fraud
Intrusion detection systems are not used or used ineffectively.
Intrusion detection systems are used appropriately within the overall network
Communications and Operations Management
External Fraud
Tools to detect rogue network devices are not used.
Tools are used to detect rogue network devices and services.
Communications and Operations Management
Internal Fraud
Loss or compromise of data related to audits, forensics or prosecution
Network security related event logs are secured against unauthorized access, change and deletion for an adequate period of time.
Communications and Operations Management
External Fraud
Access codes are able to be read in the clear while in storage or transmission.
Access codes are encrypted in storage and transmission.
Communications and Operations Management
Business Disruption and System Failures
Lack of procedures for handling external communications in the event of an incident.
Procedures are in place to notify or handle inquiries from external stakeholders, customers or clients, news media, government offices, outside investigators,
Communications and Operations Management
Business Disruption and System Failures
Security incidents and suspicious activities are not monitored.
Security incidents are monitored including security breaches, internal fraud, unauthorized/unacceptable employee activity and other suspicious
Communications and Operations Management
Business Disruption and System Failures
Lack of a comprehensive virus protection policy.
A virus protection policy, including a virus protection process and response team, is in place and communicated internally.
Communications and Operations Management
Business Disruption and System Failures
Anti-virus software is not used or is not effective.
Antivirus software is deployed, updated and maintained.
Communications and Operations Management
Business Disruption and System Failures
Anti-virus software is able to be circumvented.
Restrictions on end-user override capabilities are in place with antivirus software.
Communications and Operations Management
Business Disruption and System Failures
Remote and laptop users do not have virus protection.
Virus protection applies to remote and laptop users.
Communications and Operations Management
Business Disruption and System Failures
Backup or recovery processes aren't working and no one is aware of it.
Testing of backup systems and timely restoration of data is performed at regular intervals.
Communications and Operations Management
Business Disruption and System Failures
Firewalls are not used or are used ineffectively.
Firewalls are used appropriately within the overall network architecture.
Communications and Operations Management
External Fraud
Lack of strong authentication and authorization to e-commerce applications.
Online registration, authentication and authorization are required before e-commerce information and data exchanges are made.
Spilled sheet columns for the 12 rows below, in row order: Threat Event = Worms for the first eight rows (ISO Domain given in the row as Communications and Operations Management); for the last four rows the ISO Domain is Compliance and the Threat Event is DDoS or DoS attacks, Human error, Human error, Human error. Impact if Control is not Implemented = 5 and Residual Risk Score = 0.00 for every row.
Communications and Operations Management
Business Disruption and System Failures
Security incidents and suspicious activities are not monitored.
Security incidents are monitored including security breaches, internal fraud, unauthorized/unacceptable employee activity and other suspicious
Communications and Operations Management
Business Disruption and System Failures
Lack of a comprehensive virus protection policy.
A virus protection policy, including a virus protection process and response team, is in place and communicated internally.
Communications and Operations Management
Business Disruption and System Failures
Anti-virus software is not used or is not effective.
Antivirus software is deployed, updated and maintained.
Communications and Operations Management
Business Disruption and System Failures
Anti-virus software is able to be circumvented.
Restrictions on end-user override capabilities are in place with antivirus software.
Communications and Operations Management
Business Disruption and System Failures
Remote and laptop users do not have virus protection.
Virus protection applies to remote and laptop users.
Communications and Operations Management
Business Disruption and System Failures
System and data backups aren't available for standard or disaster recovery purposes.
Regular system and data backups are performed at appropriate intervals by specific or dedicated units.
Communications and Operations Management
Business Disruption and System Failures
Backup or recovery processes aren't working and no one is aware of it.
Testing of backup systems and timely restoration of data is performed at regular intervals.
Communications and Operations Management
Business Disruption and System Failures
Firewalls are not used or are used ineffectively.
Firewalls are used appropriately within the overall network architecture.
Business Disruption and System Failures
Failure to review standard security configurations for networks, operating systems, applications, desktops and other system components.
Standard security configurations for networks, operating systems, applications, desktops and other system components are implemented and regularly reviewed for compliance. Security configurations may include security patches, vulnerability management, default
Execution, Delivery and Process Management
Lack of clearly defined roles and responsibilities.
Responsibility for legal and regulatory compliance has been clearly assigned.
Execution, Delivery and Process Management
Lack of procedures to avoid using material that would infringe on the copyright or intellectual property of others.
Procedures have been implemented to avoid using material that would infringe on the copyright or intellectual property of others.
Execution, Delivery and Process Management
Lack of policy to protect the organization's intellectual property rights and ownership of information systems, source code that is developed (including escrowing issues with third parties) and business processes or
There is a policy in place to protect the organization's intellectual property rights and ownership of information systems, source code that is developed (including escrowing issues with third parties) and business processes or
ISO domain | Threat event | Scores
Compliance | Human error | 5 0.00
Compliance | Human error | 5 0.00
Compliance | Human error | 5 0.00
Compliance | Human error | 5 0.00
Compliance | Human error | 5 0.00
Compliance | Human error | 5 0.00
Compliance | Human error | 5 0.00
Compliance | Human error | 5 0.00
Compliance | Lawsuits/litigation | 5 0.00
Compliance | Lawsuits/litigation | 5 0.00
Compliance | Lawsuits/litigation | 5 0.00
Execution, Delivery and Process Management
Failure to register software products with the proper authority to afford appropriate patent, trademark or copyright protection in a timely manner.
Software products developed internally or by others on behalf of the organization are registered in a timely manner with the proper authority to afford appropriate patent,
Execution, Delivery and Process Management
Failure to register internet domain names with the proper authority.
Internet domain names are registered with the proper authority.
Execution, Delivery and Process Management
Lack of procedures to protect against the use of information processing facilities for unauthorized purposes.
Procedures are in place to protect against the use of information processing facilities for unauthorized purposes.
Execution, Delivery and Process Management
Lack of process to ensure interoperability, compliance with international law when transferring encrypted information or cryptographic controls to another country.
When transferring encrypted information or cryptographic controls to another country, there is a process in place to ensure interoperability, compliance to international law and
Execution, Delivery and Process Management
Lack of procedures to aid in collecting adequate evidence in support of a legal action against a person (either internal or external) or organization, such as information systems that are compliant with published standards or codes of practice and a strong trail of documents and computer media.
Procedures are in place to aid in collecting adequate evidence in support of a legal action against a person (either internal or external) or organization, such as information systems that are compliant with published standards or codes of practice and a strong trail of documents and computer media.
Execution, Delivery and Process Management
Lack of compliance of information systems with published standards or codes of practice for the production of admissible evidence in court.
Information systems are compliant with published standards or codes of practice for the production of admissible evidence in court.
Execution, Delivery and Process Management
Failure to review standard security configurations for networks, operating systems, applications, desktops and other system components.
Standard security configurations for networks, operating systems, applications, desktops and other system components are implemented and regularly reviewed for compliance. Security configurations may include security patches, vulnerability management, default
Execution, Delivery and Process Management
Failure to conduct security policy compliance reviews that include a review of information systems, system providers, owners of information assets, users and management.
Security policy compliance reviews are conducted and include a review of information systems, system providers, owners of information assets, users and management.
Execution, Delivery and Process Management
Lack of clearly defined roles and responsibilities.
Responsibility for legal and regulatory compliance has been clearly assigned.
Clients, Products and Business Practices
Lack of clearly defined roles and responsibilities.
Responsibility for legal and regulatory compliance has been clearly assigned.
Clients, Products and Business Practices
Lack of procedures to avoid using material that would infringe on the copyright or intellectual property of others.
Procedures have been implemented to avoid using material that would infringe on the copyright or intellectual property of others.
ISO domain | Threat event | Scores
Compliance | Lawsuits/litigation | 5 0.00
Compliance | Lawsuits/litigation | 5 0.00
Compliance | Lawsuits/litigation | 5 0.00
Compliance | Lawsuits/litigation | 5 0.00
Compliance | Lawsuits/litigation | 5 0.00
Compliance | Lawsuits/litigation | 5 0.00
Compliance | Lawsuits/litigation | 5 0.00
Compliance | Lawsuits/litigation | 5 0.00
Execution, Delivery and Process Management
Lack of procedures to avoid using material that would infringe on the copyright or intellectual property of others.
Procedures have been implemented to avoid using material that would infringe on the copyright or intellectual property of others.
Execution, Delivery and Process Management
Legal and compliance obligations may affect the execution, delivery and processes to be provided.
All third party relationships must identify all obligations from current, past and future litigation, lawsuits, breaches of contract, regulatory fines, and proceedings against the company, its officers and
Execution, Delivery and Process Management
Lack of policy to protect the organization's intellectual property rights and ownership of information systems, source code that is developed (including escrowing issues with third parties) and business processes or
There is a policy in place to protect the organization's intellectual property rights and ownership of information systems, source code that is developed (including escrowing issues with third parties) and business processes or
Execution, Delivery and Process Management
Failure to register software products with the proper authority to afford appropriate patent, trademark or copyright protection in a timely manner.
Software products developed internally or by others on behalf of the organization are registered in a timely manner with the proper authority to afford appropriate patent,
Execution, Delivery and Process Management
Failure to register internet domain names with the proper authority.
Internet domain names are registered with the proper authority.
Execution, Delivery and Process Management
Lack of process to ensure interoperability, compliance with international law when transferring encrypted information or cryptographic controls to another country.
When transferring encrypted information or cryptographic controls to another country, there is a process in place to ensure interoperability, compliance to international law and
Execution, Delivery and Process Management
Lack of procedures to aid in collecting adequate evidence in support of a legal action against a person (either internal or external) or organization such as information systems that are compliant with published standards or codes of practice and strong trail of documents and computer media.
Procedures are in place to aid in collecting adequate evidence in support of a legal action against a person (either internal or external) or organization, such as information systems that are compliant with published standards or codes of practice and a strong trail of documents and computer media.
Execution, Delivery and Process Management
Lack of compliance of information systems with published standards or codes of practice for the production of admissible evidence in court.
Information systems are compliant with published standards or codes of practice for the production of admissible evidence in court.
ISO domain | Threat event | Scores
Compliance | Network spoofing | 5 0.00
Compliance | Sabotage | 5 0.00
Compliance |  | 5 0.00
Compliance |  | 5 0.00
Compliance |  | 5 0.00
Compliance |  | 5 0.00
Compliance | Unauthorized scans | 5 0.00
Compliance | Viruses | 5 0.00
Compliance | Viruses | 5 0.00
External Fraud
Failure to review standard security configurations for networks, operating systems, applications, desktops and other system components.
Standard security configurations for networks, operating systems, applications, desktops and other system components are implemented and regularly reviewed for compliance. Security configurations may include security patches, vulnerability management, default
Execution, Delivery and Process Management
Lack of procedures to protect against the use of information processing facilities for unauthorized purposes.
Procedures are in place to protect against the use of information processing facilities for unauthorized purposes.
External Fraud
Unauthorized network access
Failure to review standard security configurations for networks, operating systems, applications, desktops and other system components.
Standard security configurations for networks, operating systems, applications, desktops and other system components are implemented and regularly reviewed for compliance.
External Fraud
Unauthorized network access
Failure to use security tools for vulnerability or penetration testing, monitoring, policy compliance, anti-virus, firewall, application gateways and guards.
Security tools are used for vulnerability or penetration testing, monitoring, policy compliance, antivirus, firewall, application gateways and guards.
External Fraud
Unauthorized network access
Failure to correct deficiencies noted in third party audits/assessments.
Deficiencies noted in third party audits/assessments are corrected.
External Fraud
Unauthorized network or system access
Failure to perform annual third party audit/assessment to test controls and perform on-site validation.
An annual third party audit/assessment is performed including testing of controls and on-site validation.
External Fraud
Failure to use security tools for vulnerability or penetration testing, monitoring, policy compliance, anti-virus, firewall, application gateways and guards.
Security tools are used for vulnerability or penetration testing, monitoring, policy compliance, antivirus, firewall, application gateways and guards.
Business Disruption and System Failures
Failure to review standard security configurations for networks, operating systems, applications, desktops and other system components.
Standard security configurations for networks, operating systems, applications, desktops and other system components are implemented and regularly reviewed for compliance. Security configurations may include security patches, vulnerability management, default
Business Disruption and System Failures
Failure to use security tools for vulnerability or penetration testing, monitoring, policy compliance, anti-virus, firewall, application gateways and guards.
Security tools are used for vulnerability or penetration testing, monitoring, policy compliance, antivirus, firewall, application gateways and guards.
ISO domain | Threat event | Scores
Compliance | Viruses | 5 0.00
Compliance | Viruses | 5 0.00
Compliance | Worms | 5 0.00
Compliance | Worms | 5 0.00
Compliance | Worms | 5 0.00
Compliance | Worms | 5 0.00
 | Human error | 5 0.00
 |  | 5 0.00
 | Sabotage | 5 0.00
 |  | 5 0.00
Business Disruption and System Failures
Failure to perform annual third party audit/assessment to test controls and perform on-site validation.
An annual third party audit/assessment is performed including testing of controls and on-site validation.
Business Disruption and System Failures
Failure to correct deficiencies noted in third party audits/assessments.
Deficiencies noted in third party audits/assessments are corrected.
Business Disruption and System Failures
Failure to review standard security configurations for networks, operating systems, applications, desktops and other system components.
Standard security configurations for networks, operating systems, applications, desktops and other system components are implemented and regularly reviewed for compliance. Security configurations may include security patches, vulnerability management, default
Business Disruption and System Failures
Failure to use security tools for vulnerability or penetration testing, monitoring, policy compliance, anti-virus, firewall, application gateways and guards.
Security tools are used for vulnerability or penetration testing, monitoring, policy compliance, antivirus, firewall, application gateways and guards.
Business Disruption and System Failures
Failure to perform annual third party audit/assessment to test controls and perform on-site validation.
An annual third party audit/assessment is performed including testing of controls and on-site validation.
Business Disruption and System Failures
Failure to correct deficiencies noted in third party audits/assessments.
Deficiencies noted in third party audits/assessments are corrected.
Organizational Security
Business Disruption and System Failures
External actor exceeds level of authorized access to the system. External source implements change to the system without going through proper change control.
A written and comprehensive information security program that includes administrative and technical standards, procedures and policies is in place to protect
Organizational Security
External Fraud
Network/application backdoor
External actor exceeds level of authorized access to the system. External source implements change to the system without going through proper change control.
Procedures and policies are in place to control and document third-party physical and logical access to information and information systems.
Organizational Security
Business Disruption and System Failures
Weak security controls implemented at the third party, increasing the risk of compromise of information assets.
All third party relationships and dependent service providers are identified -- including the services being performed and the clients affected by the services -- and appropriate due diligence
Organizational Security
External Fraud
Unauthorized network or system access
External actor exceeds level of authorized access to the system. External source implements change to the system without going through proper change control.
Procedures and policies are in place to control and document third-party physical and logical access to information and information systems.
ISO domain | Threat event | Scores
 |  | 5 0.00
 | Malicious code | 5 0.00
 | Computer crime | 5 0.00
 | Computer crime | 5 0.00
 | Computer crime | 5 0.00
 | Computer crime | 5 0.00
 | DDoS or DoS attacks | 5 0.00
 |  | 5 0.00
Organizational Security
External Fraud
Unauthorized network or system access
Weak security controls implemented at the third party, increasing the risk of compromise of information assets.
All third party relationships and dependent service providers are identified -- including the services being performed and the clients affected by the services -- and appropriate due diligence
Organizational Security
Business Disruption and System Failures
External actor exceeds level of authorized access to the system. External source implements change to the system without going through proper change control.
Procedures and policies are in place to control and document third-party physical and logical access to information and information systems.
Personnel Security
External Fraud
Incomplete, nonexistent, or insufficient background checks performed on employees and externals. Background checks are not done on a periodic basis.
Perform pre-employment and periodic background checks for all administrators and employees and contractors with access to critical information assets. Background checks encompass criminal checks at local, state, national and international level, credit
Personnel Security
Internal Fraud
Incomplete, nonexistent, or insufficient background checks performed on employees and externals. Background checks are not done on a periodic basis.
Perform pre-employment and periodic background checks for all administrators and employees and contractors with access to critical information assets. Background checks encompass criminal checks at local, state, national and international level, credit
Personnel Security
Internal Fraud
There is a lack of disciplinary action taken for policy violation.
A clearly defined and understood disciplinary process is in place for employees who violate the information security policy.
Personnel Security
External Fraud
There is a lack of awareness on how to report a security incident.
Procedures for reporting security incidents and malfunctions are clearly defined and include detailed actions, reporting hierarchy, escalation triggers relative to the type of incident and potential impact, and special provisions related to the time of day or non-business hour scenario, if any.
Personnel Security
Business Disruption and System Failures
Procedures for reporting incidents are not current or complete.
Procedures for reporting security incidents and malfunctions are communicated to all employees.
Personnel Security
External Fraud
Discussing sensitive matters in open
Confidential discussions take place in open unsecured areas.
Employment provisions include nondisclosure or agreement of confidentiality and a clear statement of information security responsibilities.
ISO domain | Threat event | Scores
 |  | 5 0.00
 | Human error | 5 0.00
 | Human error | 5 0.00
 | Human error | 5 0.00
 | Human error | 5 0.00
 | Lawsuits/litigation | 5 0.00
Personnel Security
Internal Fraud
Discussing sensitive matters in open
Confidential discussions take place in open unsecured areas.
Employment provisions include nondisclosure or agreement of confidentiality and a clear statement of information security responsibilities.
Personnel Security
Business Disruption and System Failures
Lack of trained security staff.
Comprehensive information security training commensurate with the position and access role is provided to all new employees and contractors and is conducted on a recurring basis.
Personnel Security
Execution, Delivery and Process Management
Employees and externals are not aware of security probes, nor of how to protect against, detect and report them.
Information security awareness resources (website, brochure-ware, training modules, etc.) are made available to all employees and contractors.
Personnel Security
Execution, Delivery and Process Management
Lack of formal security certification oversight can lead to deteriorated knowledge.
Oversight of employees' security certification (e.g., CISA, CISSP, TISCA) requirements and maintenance is
Personnel Security
Execution, Delivery and Process Management
Incident reporting procedures are not tested regularly. "People not prepared to report."
Execution of the procedures for reporting security incidents is tested.
Personnel Security
Execution, Delivery and Process Management
Lack of trained security staff.
Comprehensive information security training commensurate with the position and access role, is provided to all new employees and contractors and is conducted on a recurring basis.
ISO domain | Threat event | Scores
 | Lawsuits/litigation | 5 0.00
 | Social engineering | 5 0.00
 | Social engineering | 5 0.00
 | Social engineering | 5 0.00
 | Social engineering | 5 0.00
 | Social engineering | 5 0.00
 | Social engineering | 5 0.00
 |  | 5 0.00
Personnel Security
Clients, Products and Business Practices
Lack of internal and vendor intrusion detection, logging, and security controls.
Information security incidents from internal operations and with third parties are tracked, analyzed and reported for appropriate regulatory requirements and process improvement.
Personnel Security
Internal Fraud
Confidential discussions take place in open unsecured areas.
Employment provisions include nondisclosure or agreement of confidentiality and a clear statement of information security responsibilities.
Personnel Security
External Fraud
Confidential discussions take place in open unsecured areas.
Employment provisions include nondisclosure or agreement of confidentiality and a clear statement of information security responsibilities.
Personnel Security
External Fraud
Lack of trained security staff.
Comprehensive information security training commensurate with the position and access role is provided to all new employees and contractors and is conducted on a recurring basis.
Personnel Security
External Fraud
Employees and externals are not aware of security probes, nor of how to protect against, detect and report them.
Information security awareness resources (website, brochure-ware, training modules, etc.) are made available to all employees and contractors.
Personnel Security
External Fraud
Employees may be manipulated into giving out sensitive system information.
All employees are specifically made aware of "social engineering" risks.
Personnel Security
External Fraud
Procedures for reporting incidents are not current or complete.
Procedures for reporting security incidents and malfunctions are communicated to all employees.
Personnel Security
External Fraud
Tailgating to gain unauthorized access
Proximity badges are the only physical access control in place. "Proximity badges lost or stolen."
Employee and contractor access to physical location and information assets is controlled by biometric devices (fingerprint, retinal scans, other).
ISO domain | Threat event | Scores
 |  | 5 0.00
 |  | 5 0.00
 |  | 5 0.00
 | Unauthorized scans | 5 0.00
Personnel Security
Internal Fraud
Tailgating to gain unauthorized access
Proximity badges are the only physical access control in place. "Proximity badges lost or stolen."
Employee and contractor access to physical location and information assets is controlled by biometric devices (fingerprint, retinal scans, other).
Personnel Security
Internal Fraud
Unauthorized network access
Lack of internal and vendor intrusion detection, logging, and security controls.
Information security incidents from internal operations and with third parties are tracked, analyzed and reported for appropriate regulatory requirements and process improvement.
Personnel Security
External Fraud
Unauthorized network access
Lack of internal and vendor intrusion detection, logging, and security controls.
Information security incidents from internal operations and with third parties are tracked, analyzed and reported for appropriate regulatory requirements and process improvement.
Personnel Security
External Fraud
Employees and externals are not aware of security probes, nor of how to protect against, detect and report them.
Information security awareness resources (website, brochure-ware, training modules, etc.) are made available to all employees and contractors.
ISO domain | Threat event | Scores
 | Unauthorized scans | 5 0.00
 | Unauthorized scans | 5 0.00
 | Virus hoaxes | 5 0.00
 | Virus hoaxes | 5 0.00
 | CPU malfunction/failure | 5 0.00
Personnel Security
External Fraud
There is a lack of awareness on how to report a security incident.
Procedures for reporting security incidents and malfunctions are clearly defined and include detailed actions, reporting hierarchy, escalation triggers relative to the type of incident and potential impact, and special provisions related to the time of day or non-business hour scenario, if any.
Personnel Security
External Fraud
Procedures for reporting incidents are not current or complete.
Procedures for reporting security incidents and malfunctions are communicated to all employees.
Personnel Security
Business Disruption and System Failures
Employees and externals are not aware of security probes, nor of how to protect against, detect and report them.
Information security awareness resources (website, brochure-ware, training modules, etc.) are made available to all employees and contractors.
Personnel Security
External Fraud
There is a lack of awareness on how to report a security incident.
Procedures for reporting security incidents and malfunctions are clearly defined and include detailed actions, reporting hierarchy, escalation triggers relative to the type of incident and potential impact, and special provisions related to the time of day or non-business hour scenario, if any.
Physical and Environmental Security
Business Disruption and System Failures
Environmental protection is not tested regularly.
Environmental protection equipment (fire suppression, water flooding, heat/air conditioning, power supply, etc.) is installed, tested and monitored at appropriate intervals.
ISO domain | Threat event | Scores
 | Fire | 5 0.00
 | Floods | 5 0.00
 | Gas leaks | 5 0.00
 | Hardware failure | 5 0.00
 |  | 5 0.00
 | HVAC failure | 5 0.00
Physical and Environmental Security
Damage to Physical Assets
Environmental protection is not tested regularly.
Environmental protection equipment (fire suppression, water flooding, heat/air conditioning, power supply, etc.) is installed, tested and monitored at appropriate intervals.
Physical and Environmental Security
Damage to Physical Assets
Environmental protection is not tested regularly.
Environmental protection equipment (fire suppression, water flooding, heat/air conditioning, power supply, etc.) is installed, tested and monitored at appropriate intervals.
Physical and Environmental Security
Damage to Physical Assets
Lack of disaster recovery and surveying of physical location.
Premises where business information processing occurs are assessed for environmental hazards (e.g., exposure to hazardous facilities, natural gas, petroleum or other pipelines) and the likelihood of natural disasters (e.g., flooding, tornadoes or earthquakes).
Physical and Environmental Security
Business Disruption and System Failures
Remote maintenance is not done securely, and there are too many administrators.
Maintenance of equipment can be performed remotely through secure and controlled access.
Physical and Environmental Security
Damage to Physical Assets
Hazardous waste exposure
Lack of disaster recovery and surveying of physical location.
Premises where business information processing occurs are assessed for environmental hazards (e.g., exposure to hazardous facilities, natural gas, petroleum or other pipelines) and the likelihood of natural disasters (e.g., flooding, tornadoes or earthquakes).
Physical and Environmental Security
Business Disruption and System Failures
Environmental protection is not tested regularly.
Environmental protection equipment (fire suppression, water flooding, heat/air conditioning, power supply, etc.) is installed, tested and monitored at appropriate intervals.
ISO domain | Threat event | Scores
 |  | 5 0.00
 |  | 5 0.00
 |  | 5 0.00
 | Leaving doors unlocked | 5 0.00
 | Leaving doors unlocked | 5 0.00
 |  | 5 0.00
 |  | 5 0.00
Physical and Environmental Security
External Fraud
Leaving computer screen exposed or unlocked
Visitors are not being escorted at all times.
Visitors to the physical premise are escorted as necessary.
Physical and Environmental Security
Internal Fraud
Leaving computer screen exposed or unlocked
Assets are not properly classified, nor are control procedures. Users are not following procedures.
Procedures to secure information (e.g., locked cabinets, document control, and clear screen/screen timeout policies) are established based on asset classification.
Physical and Environmental Security
External Fraud
Leaving computer screen exposed or unlocked
Assets are not properly classified, nor are control procedures. Users are not following procedures.
Procedures to secure information (e.g., locked cabinets, document control, and clear screen/screen timeout policies) are established based on asset classification.
Physical and Environmental Security
External Fraud
There is a lack of physical operating security policies company wide or they are not followed and enforced.
Policies for operational security within the work space (e.g., utilization of shredding equipment, secure storage, and "clean desk" principles) are defined.
Physical and Environmental Security
External Fraud
Lack of monitoring and control at non-employee entrances. "No guards, video, access control."
Non-employee physical premise access is controlled and monitored.
Physical and Environmental Security
Internal Fraud
Leaving sensitive documents exposed
There is a lack of physical operating security policies company wide or they are not followed and enforced.
Policies for operational security within the work space (e.g., utilization of shredding equipment, secure storage, and "clean desk" principles) are defined.
Physical and Environmental Security
External Fraud
Leaving sensitive documents exposed
There is a lack of physical operating security policies company wide or they are not followed and enforced.
Policies for operational security within the work space (e.g., utilization of shredding equipment, secure storage, and "clean desk" principles) are defined.
ISO domain | Threat event | Vulnerability | Scores
 |  |  | 5 0.00
 |  |  | 5 0.00
 | Lost or stolen laptops |  | 5 0.00
 | Power failure |  | 5 0.00
 | Power failure | Lack of fail over power. | 5 0.00
 | Power failure |  | 5 0.00
 | Power fluctuation |  | 5 0.00
 | Power fluctuation | Lack of fail over power. | 5 0.00
Physical and Environmental Security
Internal Fraud
Leaving sensitive documents exposed
Assets are not properly classified, nor are control procedures. Users are not following procedures.
Procedures to secure information (e.g., locked cabinets, document control, and clear screen/screen timeout policies) are established based on asset classification.
Physical and Environmental Security
External Fraud
Leaving sensitive documents exposed
Assets are not properly classified, nor are control procedures. Users are not following procedures.
Procedures to secure information (e.g., locked cabinets, document control, and clear screen/screen timeout policies) are established based on asset classification.
Physical and Environmental Security
External Fraud
There is a lack of physical operating security policies company wide or they are not followed and enforced.
Policies for operational security within the work space (e.g., utilization of shredding equipment, secure storage, and "clean desk" principles) are defined.
Physical and Environmental Security
Business Disruption and System Failures
Environmental protection is not tested regularly.
Environmental protection equipment (fire suppression, water flooding, heat/air conditioning, power supply, etc.) is installed, tested and monitored at appropriate intervals.
Physical and Environmental Security
Business Disruption and System Failures
Hot swaps or hot fail over capabilities are employed for critical power supply equipment.
Physical and Environmental Security
Business Disruption and System Failures
Exposed wiring in ceilings, closets and floors is not secured.
Safeguards are in place to prevent unauthorized interception or damage to network, power, telecommunications cabling or other on and off-site equipment necessary for business or backup activities (e.g., continuous power supply equipment is installed and maintained for critical systems, phone/cable
Physical and Environmental Security
Business Disruption and System Failures
Environmental protection is not tested regularly.
Environmental protection equipment (fire suppression, water flooding, heat/air conditioning, power supply, etc.) is installed, tested and monitored at appropriate intervals.
Physical and Environmental Security
Business Disruption and System Failures
Hot swaps or hot fail over capabilities are employed for critical power supply equipment.
ISO domain | Threat event | Scores
 | Robbery | 5 0.00
 | Robbery | 5 0.00
 | Robbery | 5 0.00
 | Robbery | 5 0.00
 | Robbery | 5 0.00
 | Robbery | 5 0.00
 | Robbery | 5 0.00
 | Robbery | 5 0.00
 | Sabotage | 5 0.00
 | Sabotage | 5 0.00
 | Seismic activity | 5 0.00
 | Shoulder surfing | 5 0.00
Physical and Environmental Security
External Fraud
Lack of monitoring control at loading and delivery points. "Blind spots with no video camera."
Loading and delivery area access to key data centers or buildings where information processing or storage is performed is controlled and monitored.
Physical and Environmental Security
External Fraud
Access is not promptly removed or not scrutinized before being granted.
Physical premise access authority (sites, buildings, rooms, etc.) is defined and limited to authorized personnel only using appropriate controls and/or dual controls (badge, reception desk, guards, escorts, locks, biometrics, etc.).
Physical and Environmental Security
External Fraud
Cameras or motion detectors not in place or contain blind spots.
Physical premise access is monitored using logs, cameras, motion detectors, etc. at appropriate intervals.Physical and
Environmental Security
External Fraud
Lack of monitoring and control at non-employee entrances. "No guards, video, access control."
Non-employee physical premise access is controlled and monitored.
Physical and Environmental Security
External Fraud
Visitors are not being escorted at all times.
Visitors to the physical premise are escorted as necessary.
Physical and Environmental Security
External Fraud
Physical security of data center is not routinely tested.
Penetration tests are performed to verify data center physical security.
Physical and Environmental Security
External Fraud
Property is removed without being challenged.
Procedures are in place to prevent the authorized removal of property.
Physical and Environmental Security
Internal Fraud
Property is removed without being challenged.
Procedures are in place to prevent the authorized removal of property.
Physical and Environmental Security
External Fraud
Lack of monitoring and control at non-employee entrances. "No guards, video, access control."
Non-employee physical premise access is controlled and monitored.
Physical and Environmental Security
External Fraud
Physical security of data center is not routinely tested.
Penetration tests are performed to verify data center physical security.
Physical and Environmental Security
Damage to Physical Assets
Lack of disaster recovery and surveying of physical location.
Premises where business information processing occurs is assessed for environmental hazards (e.g., exposure to hazardous facilities, natural gas, petroleum or other pipelines) and the likelihood of natural disasters (e.g., flooding,
Physical and Environmental Security
Internal Fraud
There is a lack of physical operating security policies company wide or they are not followed and enforced.
Policies for operational security within the work space (e.g., utilization of shredding equipment, secure storage, and "clean desk" principles) are defined.
The following 9 rows each carry a Control vs. Impact Score of 5 and a Residual Risk Score of 0.00.

ISO Domain: Physical and Environmental Security
Basel Category: External Fraud
Threat Event: Shoulder surfing
Vulnerability: Visitors are not escorted at all times.
Security Control: Visitors to the physical premise are escorted as necessary.

ISO Domain: Physical and Environmental Security
Basel Category: External Fraud
Threat Event: Tailgating to gain unauthorized access
Vulnerability: Lack of monitoring controls at loading and delivery points ("blind spots with no video camera").
Security Control: Loading and delivery area access to key data centers or buildings where information processing or storage is performed is controlled and monitored.

ISO Domain: Physical and Environmental Security
Basel Category: External Fraud
Threat Event: Tailgating to gain unauthorized access
Vulnerability: Cameras or motion detectors are not in place or have blind spots.
Security Control: Physical premise access is monitored using logs, cameras, motion detectors, etc. at appropriate intervals.

ISO Domain: Physical and Environmental Security
Basel Category: External Fraud
Threat Event: Tailgating to gain unauthorized access
Vulnerability: Visitors are not escorted at all times.
Security Control: Visitors to the physical premise are escorted as necessary.

ISO Domain: Physical and Environmental Security
Basel Category: Business Disruption and System Failures
Threat Event: Telecommunications failure
Vulnerability: Exposed wiring in ceilings, closets, or floors is not secured.
Security Control: Safeguards are in place to prevent unauthorized interception or damage to network, power, telecommunications cabling or other on and off-site equipment necessary for business or backup activities (e.g., continuous power supply equipment is installed and maintained for critical systems, phone/cable

ISO Domain: Physical and Environmental Security
Basel Category: Damage to Physical Assets
Threat Event: Terrorist attack
Vulnerability: Lack of monitoring controls at loading and delivery points ("blind spots with no video camera").
Security Control: Loading and delivery area access to key data centers or buildings where information processing or storage is performed is controlled and monitored.

ISO Domain: Physical and Environmental Security
Basel Category: Damage to Physical Assets
Threat Event: Terrorist attack
Vulnerability: Access is not promptly removed, or is not scrutinized before being granted.
Security Control: Physical premise access authority (sites, buildings, rooms, etc.) is defined and limited to authorized personnel only using appropriate controls and/or dual controls (badge, reception desk, guards, escorts, locks, biometrics, etc.).

ISO Domain: Physical and Environmental Security
Basel Category: Damage to Physical Assets
Threat Event: Terrorist attack
Vulnerability: Cameras or motion detectors are not in place or have blind spots.
Security Control: Physical premise access is monitored using logs, cameras, motion detectors, etc. at appropriate intervals.

ISO Domain: Physical and Environmental Security
Basel Category: External Fraud
Threat Event: Terrorist attack
Vulnerability: Physical security of the data center is not routinely tested.
Security Control: Penetration tests are performed to verify data center physical security.
The following 9 rows each carry a Control vs. Impact Score of 5 and a Residual Risk Score of 0.00.

ISO Domain: Physical and Environmental Security
Basel Category: Damage to Physical Assets
Threat Event: Tornados
Vulnerability: Lack of disaster recovery planning and surveying of the physical location.
Security Control: Premises where business information processing occurs are assessed for environmental hazards (e.g., exposure to hazardous facilities, natural gas, petroleum or other pipelines) and the likelihood of natural disasters (e.g., flooding,

ISO Domain: Physical and Environmental Security
Basel Category: External Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Lack of TEMPEST or other measures to protect against electronic interception.
Security Control: Emissions (wire in conduit, monitors, wireless broadcasts) are shielded to prevent compromise of network security.

ISO Domain: Physical and Environmental Security
Basel Category: External Fraud
Threat Event: Unauthorized scans
Vulnerability: Lack of TEMPEST or other measures to protect against electronic interception.
Security Control: Emissions (wire in conduit, monitors, wireless broadcasts) are shielded to prevent compromise of network security.

ISO Domain: Physical and Environmental Security
Basel Category: Damage to Physical Assets
Threat Event: Vandalism
Vulnerability: Lack of monitoring controls at loading and delivery points ("blind spots with no video camera").
Security Control: Loading and delivery area access to key data centers or buildings where information processing or storage is performed is controlled and monitored.

ISO Domain: Physical and Environmental Security
Basel Category: Damage to Physical Assets
Threat Event: Vandalism
Vulnerability: Access is not promptly removed, or is not scrutinized before being granted.
Security Control: Physical premise access authority (sites, buildings, rooms, etc.) is defined and limited to authorized personnel only using appropriate controls and/or dual controls (badge, reception desk, guards, escorts, locks, biometrics, etc.).

ISO Domain: Physical and Environmental Security
Basel Category: Damage to Physical Assets
Threat Event: Vandalism
Vulnerability: Cameras or motion detectors are not in place or have blind spots.
Security Control: Physical premise access is monitored using logs, cameras, motion detectors, etc. at appropriate intervals.

ISO Domain: Security Policy
Basel Category: Business Disruption and System Failures
Threat Event: Human error
Vulnerability: Insiders/employees are unaware of proper security practices. Proper controls are not applied or, if applied, are not applied consistently for protection of information assets.
Security Control: A written and comprehensive information security program that includes administrative and technical standards, procedures and policies is in place to protect

ISO Domain: Security Policy
Basel Category: External Fraud
Threat Event: Leaving sensitive documents exposed
Vulnerability: Insiders/employees are unaware of proper security practices. Proper controls are not applied or, if applied, are not applied consistently for protection of information assets.
Security Control: A written and comprehensive information security program that includes administrative and technical standards, procedures and policies is in place to protect

ISO Domain: Security Policy
Basel Category: Internal Fraud
Threat Event: Leaving sensitive documents exposed
Vulnerability: Insiders/employees are unaware of proper security practices. Proper controls are not applied or, if applied, are not applied consistently for protection of information assets.
Security Control: A written and comprehensive information security program that includes administrative and technical standards, procedures and policies is in place to protect
The following 9 rows each carry a Control vs. Impact Score of 5 and a Residual Risk Score of 0.00.

ISO Domain: Security Policy
Basel Category: External Fraud
Threat Event: Sabotage
Vulnerability: Insiders/employees are unaware of proper security practices. Proper controls are not applied or, if applied, are not applied consistently for protection of information assets.
Security Control: A written and comprehensive information security program that includes administrative and technical standards, procedures and policies is in place to protect

ISO Domain: Security Policy
Basel Category: External Fraud
Threat Event: Social engineering
Vulnerability: Insiders/employees are unaware of proper security practices. Proper controls are not applied or, if applied, are not applied consistently for protection of information assets.
Security Control: A written and comprehensive information security program that includes administrative and technical standards, procedures and policies is in place to protect

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Unauthorized network or system access
Vulnerability: Inappropriate or weak access control procedures result in unauthorized modifications and/or data integrity issues.
Security Control: Application access control procedures are in place to protect source code, the binaries or actual database or data.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Application software failure
Vulnerability: Lack of tools that provide documentation of data alterations during the application production process.
Security Control: Tools are available in the production application environment to produce an audit trail of all data alterations.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Application software failure
Vulnerability: Loss or modification of audit trails and/or activity logs can impede investigation into inappropriate application or human activities.
Security Control: Audit trails and activity logs are handled and stored in a secure manner.

ISO Domain: Systems Development
Basel Category: Internal Fraud
Threat Event: Computer crime
Vulnerability: A lack of host-based IDS control eliminates the possibility of collecting evidence of malicious or suspicious application activity in real time and decreases the ability to monitor key system files for evidence of tampering.
Security Control: A host-based intrusion detection system is employed.

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Computer crime
Vulnerability: A lack of host-based IDS control eliminates the possibility of collecting evidence of malicious or suspicious application activity in real time and decreases the ability to monitor key system files for evidence of tampering.
Security Control: A host-based intrusion detection system is employed.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: DDoS or DoS attacks
Vulnerability: Software patches not tested and applied in a timely manner can leave the application vulnerable and render it susceptible to attack.
Security Control: A process is in place to allow for the prompt testing and application of up-to-date security patches from vendors.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Human error
Vulnerability: Lack of a consistently applied methodology can result in security exposures, potential loss of data integrity, and performance issues.
Security Control: A formal application development process/methodology is in place.
The following 11 rows each carry a Control vs. Impact Score of 5 and a Residual Risk Score of 0.00.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Application software failure
Vulnerability: Lack of independent risk assessment of applications can result in the oversight of security holes built into the application.
Security Control: Applications are independently evaluated or certified.

ISO Domain: Systems Development
Basel Category: Execution, Delivery and Process Management
Threat Event: Lawsuit/litigation
Vulnerability: Lack of strong non-repudiation controls can result in tampering with messages between origin and recipient, integrity issues, and loss of potential legal evidence of a crime.
Security Control: Appropriate non-repudiation methods are used (e.g., time stamping, voice recording, digital signatures).

ISO Domain: Systems Development
Basel Category: Execution, Delivery and Process Management
Threat Event: Unauthorized network or system access
Vulnerability: Unauthorized access to files and libraries can result in unauthorized modifications of, or inappropriate access to, files and libraries.
Security Control: Authorized access to critical system files and source code libraries is established, controlled and maintained.

ISO Domain: Systems Development
Basel Category: Execution, Delivery and Process Management
Threat Event: Application software failure
Vulnerability: Lack of backup policy and procedures prevents recovery during a system problem.
Security Control: System libraries are backed up on a regular basis so that they are available to be recovered in the event of a system problem.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Application software failure
Vulnerability: Lack of change control policy and procedures can result in security exposures during changes or modifications.
Security Control: There is a documented change control process including a review of code changes by information security.

ISO Domain: Systems Development
Basel Category: Execution, Delivery and Process Management
Threat Event: Human error
Vulnerability: Lack of system segregation may result in data integrity issues.
Security Control: The development/test system is segregated from the operational system.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Human error
Vulnerability: Developers are not directed on the techniques to program applications in a secure fashion.
Security Control: A programmer's development manual guides the creation of safe and secure code. Developers have been trained in programming techniques that provide for more secure

ISO Domain: Systems Development
Basel Category: Execution, Delivery and Process Management
Threat Event: Lawsuits/litigation
Vulnerability: Lack of an encryption policy can result in exposure of sensitive or other types of information and can have regulatory or legal ramifications.
Security Control: An encryption policy is in place that includes an end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally mandated provisions).

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Malicious code
Vulnerability: Lack of independent risk assessment of applications can result in the oversight of security holes built into the application.
Security Control: Applications are independently evaluated or certified.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Malicious code
Vulnerability: Lack of quality assurance procedures to test third-party provided code.
Security Control: For application code that is provided by a third party, procedures are in place for ensuring that the code is free from malicious code.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Network/Application backdoors
Vulnerability: Lack of code review and assurance procedures.
Security Control: Application code has been reviewed for security flaws, backdoors and malicious code.
The following 11 rows each carry a Control vs. Impact Score of 5 and a Residual Risk Score of 0.00.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Malicious code
Vulnerability: Lack of change control policy and procedures can result in security exposures during changes or modifications.
Security Control: There is a documented change control process including a review of code changes by information security.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Malicious code
Vulnerability: Developers are not directed on the techniques to program applications in a secure fashion.
Security Control: A programmer's development manual guides the creation of safe and secure code. Developers have been trained in programming techniques that provide for more secure

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Network spoofing
Vulnerability: Failure to protect the confidentiality and integrity of sensitive information.
Security Control: Internationally or nationally accepted cryptographic methods and key management techniques are employed.

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Network spoofing
Vulnerability: Lack of an encryption policy can result in exposure of sensitive or other types of information that has regulatory or legal ramifications.
Security Control: There is an encryption policy in place that includes an end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally mandated provisions).

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Network/application backdoor
Vulnerability: Lack of independent risk assessment of applications can result in the oversight of security holes built into the application.
Security Control: Applications are independently evaluated or certified.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Network/application backdoor
Vulnerability: Lack of quality assurance procedures to test third-party provided code.
Security Control: For application code that is provided by a third party, procedures are in place for ensuring that the code is free from malicious code.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Network/application backdoor
Vulnerability: A lack of host-based IDS control eliminates the possibility of collecting evidence of malicious or suspicious application activity in real time and decreases the ability to monitor key system files for evidence of tampering.
Security Control: A host-based intrusion detection system is employed.

ISO Domain: Systems Development
Basel Category: Internal Fraud
Threat Event: Network/application backdoor
Vulnerability: Inappropriate or weak access control procedures result in unauthorized modifications and/or data integrity issues.
Security Control: Application access control procedures are in place to protect source code, the binaries, or actual database or data.

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Network/application backdoor
Vulnerability: Lack of tools that provide documentation of data alterations during the application production process.
Security Control: Tools are available in the production application environment to produce an audit trail of all data alterations.

ISO Domain: Systems Development
Basel Category: Internal Fraud
Threat Event: Network/application backdoor
Vulnerability: Lack of application performance stability and of data integrity.
Security Control: Application access control procedures are in place to protect source code, the binaries or actual database or data.

ISO Domain: Systems Development
Basel Category: Internal Fraud
Threat Event: Network/application backdoor
Vulnerability: Lack of proper review of application code for security flaws.
Security Control: Application code has been reviewed for security flaws, backdoors and malicious code.
The following 9 rows each carry a Control vs. Impact Score of 5 and a Residual Risk Score of 0.00.

ISO Domain: Systems Development
Basel Category: Internal Fraud
Threat Event: Network/application backdoor
Vulnerability: Lack of documentation of data alterations during the application development process.
Security Control: Development tools used in the production application environment produce an audit trail of all data alterations.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Network/application time bomb
Vulnerability: Lack of independent risk assessment of applications can result in the oversight of security holes built into the application.
Security Control: Applications are independently evaluated or certified.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Network/application time bomb
Vulnerability: Lack of quality assurance procedures to test third-party provided code.
Security Control: For application code that is provided by a third party, procedures are in place for ensuring that the code is free from malicious code.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Network/application time bomb
Vulnerability: A lack of host-based IDS control eliminates the possibility of collecting evidence of malicious or suspicious application activity in real time and decreases the ability to monitor key system files for evidence of tampering.
Security Control: A host-based intrusion detection system is employed.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Software defects
Vulnerability: Lack of tools that provide documentation of data alterations during the application production process.
Security Control: Tools are available in the production application environment to produce an audit trail of all data alterations.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Software defects
Vulnerability: Developers are not directed on the techniques to program applications in a secure fashion.
Security Control: A programmer's development manual guides the creation of safe and secure code. Developers have been trained in programming techniques that provide for more secure

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: System software failure
Vulnerability: Lack of interoperability testing may result in security exposures, performance issues, loss of productivity, and loss of availability.
Security Control: Interoperability testing of new and existing applications is a feature of the change control policy.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: System software failure
Vulnerability: Lack of tested compatibility between solutions can result in security exposures, performance issues, loss of productivity, and loss of availability.
Security Control: The use of digital certificates or other public key technology has been tested for interoperability between solutions.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: System software failure
Vulnerability: Lack of accountability of actions for systems developers.
Security Control: Appropriate non-repudiation methods are used (e.g., time stamping, voice recording, digital signatures).
The following 11 rows each carry a Control vs. Impact Score of 5 and a Residual Risk Score of 0.00.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: System software failure
Vulnerability: Lack of accessibility to critical system files and system source libraries.
Security Control: Critical system files and system source libraries are documented and maintained under controlled access.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: System software failure
Vulnerability: System files are not controlled.
Security Control: Access to system files is controlled and maintained.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: System software failure
Vulnerability: System libraries are not available for recovery.
Security Control: System libraries are backed up on a regular basis so that they are available to be recovered in the event of a system problem.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: System software failure
Vulnerability: Lack of a change control policy and procedure that includes review and testing of all changes can result in security exposures, performance issues, loss of productivity, and loss of availability.
Security Control: All proposed system changes are reviewed and tested to ensure that the security of either the system or the operating environment is not compromised.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: System software failure
Vulnerability: System tests do not accurately reflect the impacts and results of changes.
Security Control: The development/test system is segregated from the operational system.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Trojans
Vulnerability: Software patches not tested and applied in a timely manner can leave the application vulnerable and render it susceptible to attack.
Security Control: A process is in place to allow for the prompt testing and application of up-to-date security patches from vendors.

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Leaving sensitive documents exposed
Vulnerability: Weak or unauthorized encryption algorithms can result in the exposure of sensitive or confidential information.
Security Control: The strength and integrity of proprietary encryption algorithms have been certified by an authorized evaluation agency.

ISO Domain: Systems Development
Basel Category: Internal Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Lack of risk assessment for encryption methodology can result in the exposure of sensitive or confidential information.
Security Control: A risk assessment methodology is employed to determine the level of encryption necessary for the environment.

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Lack of risk assessment for encryption methodology can result in the exposure of sensitive or confidential information.
Security Control: A risk assessment methodology is employed to determine the level of encryption necessary for the environment.

ISO Domain: Systems Development
Basel Category: Internal Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Failure to protect the confidentiality of sensitive information.
Security Control: Internationally or nationally accepted cryptographic methods and key management techniques are employed.

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Failure to protect the confidentiality of sensitive information.
Security Control: Internationally or nationally accepted cryptographic methods and key management techniques are employed.
The following 11 rows each carry a Control vs. Impact Score of 5 and a Residual Risk Score of 0.00.

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Lack of a policy to ensure end-to-end data transaction protection.
Security Control: There is an encryption policy in place that includes an end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally mandated provisions).

ISO Domain: Systems Development
Basel Category: Internal Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Lack of a policy to ensure end-to-end data transaction protection.
Security Control: There is an encryption policy in place that includes an end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally mandated provisions).

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Lack of customization in the strength of protection for system- and user-defined sensitive information.
Security Control: Algorithms and the strength of encryption used for securing authentication credentials (e.g., passwords and PINs) and other data during transmission/storage have been determined based on a risk assessment methodology.

ISO Domain: Systems Development
Basel Category: Internal Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Lack of customization in the strength of protection for system- and user-defined sensitive information.
Security Control: Algorithms and the strength of encryption used for securing authentication credentials (e.g., passwords and PINs) and other data during transmission/storage have been determined based on a risk assessment methodology.

ISO Domain: Systems Development
Basel Category: Internal Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Weak or unauthorized encryption algorithms can result in the exposure of sensitive or confidential information.
Security Control: The strength and integrity of proprietary encryption algorithms have been certified by an authorized evaluation agency.

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Weak or unauthorized encryption algorithms can result in the exposure of sensitive or confidential information.
Security Control: The strength and integrity of proprietary encryption algorithms have been certified by an authorized evaluation agency.

ISO Domain: Systems Development
Basel Category: Internal Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Lack of strong non-repudiation controls can result in tampering with messages between origin and recipient, integrity issues, and loss of potential legal evidence of a crime.
Security Control: Appropriate non-repudiation methods are used (e.g., time stamping, voice recording, digital signatures).

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Unauthorized network or system access
Vulnerability: Lack of strong non-repudiation controls can result in tampering with messages between origin and recipient, integrity issues, and loss of potential legal evidence of a crime.
Security Control: Appropriate non-repudiation methods are used (e.g., time stamping, voice recording, digital signatures).

ISO Domain: Systems Development
Basel Category: Internal Fraud
Threat Event: Unauthorized network or system access
Vulnerability: System files are not controlled.
Security Control: Access to system files is controlled and maintained.

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Unauthorized network or system access
Vulnerability: System files are not controlled.
Security Control: Access to system files is controlled and maintained.

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Unauthorized scans
Vulnerability: Failure to protect the confidentiality of sensitive information.
Security Control: Internationally or nationally accepted cryptographic methods and key management techniques are employed.
The following 6 rows each carry a Control vs. Impact Score of 5 and a Residual Risk Score of 0.00.

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: Unauthorized scans
Vulnerability: Lack of strong non-repudiation controls can result in tampering with messages between origin and recipient, integrity issues, and loss of potential legal evidence of a crime.
Security Control: There is an encryption policy in place that includes an end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally mandated provisions).

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Viruses
Vulnerability: Applications are not developed with the appropriate security features and functions.
Security Control: Applications are independently evaluated or certified.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Viruses
Vulnerability: Software patches not tested and applied in a timely manner can leave the application vulnerable and render it susceptible to attack.
Security Control: A process is in place to allow for the prompt testing and application of up-to-date security patches from vendors.

ISO Domain: Systems Development
Basel Category: External Fraud
Threat Event: War dialing
Vulnerability: Lack of customization in the strength of protection for system- and user-defined sensitive information.
Security Control: Algorithms and the strength of encryption used for securing authentication credentials (e.g., passwords and PINs) and other data during transmission/storage have been determined based on a risk assessment methodology.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Worms
Vulnerability: Applications are not developed with the appropriate security features and functions.
Security Control: Applications are independently evaluated or certified.

ISO Domain: Systems Development
Basel Category: Business Disruption and System Failures
Threat Event: Worms
Vulnerability: Software patches not tested and applied in a timely manner can leave the application vulnerable and render it susceptible to attack.
Security Control: A process is in place to allow for the prompt testing and application of up-to-date security patches from vendors.
Drop-down values and lookup table used by the sheet:

ISO Domain: Access Control; Asset Classification & Control; Business Continuity Management; Communications & Operations Management; Compliance; Organizational Security; Personnel Security; Physical and Environmental Security; Security Policy; Systems Development

Basel I Category: Internal Fraud; External Fraud; Employee Practices and Workplace Safety; Clients, Products and Business Practices; Damage to Physical Assets; Business Disruption and System Failures; Execution, Delivery and Process Management

Control vs. Impact Score lookup (row = Control Implemented, column = Impact if Not Implemented):

Control Implemented | Impact 0 | Impact 1 | Impact 2 | Impact 3 | Impact 4 | Impact 5
0                   |    5     |    6     |    7     |    8     |    9     |    10
1                   |    4     |    4     |    6     |    7     |    8     |    9
2                   |    3     |    3     |    3     |    6     |    7     |    8
3                   |    2     |    2     |    2     |    2     |    6     |    7
4                   |    1     |    1     |    1     |    1     |    1     |    6
5                   |    0     |    0     |    0     |    0     |    0     |    0

Control Implemented (input values): Unknown, 0, 1, 2, 3, 4, 5

Likelihood of Threat (input values, as a fraction): 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1
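As an added example (not the BITS tool's own code), the scoring the sheet performs, written out: the Control vs. Impact lookup above, the residual score per row, and a check that the lookup follows one simple rule. The formula residual = likelihood x score, treating blank or "Unknown" inputs as level 0, the closed-form rule, the per-domain roll-up and the sample rows' inputs are all assumptions made here.

```python
"""Residual-risk scoring in the style of the BITS Key Risk Measurement Tool.

Added example, not the tool's own code. Assumptions: Residual Risk Score =
Likelihood of Threat x Control vs. Impact Score; blank or "Unknown" inputs
count as level 0; the closed-form rule and the per-domain roll-up are
derived/added here, not stated by the tool.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Control vs. Impact Score lookup copied from the sheet.
# Row index: Degree to which Control is Implemented (0..5).
# Column index: Impact if Control is not Implemented (0..5).
CONTROL_VS_IMPACT = (
    (5, 6, 7, 8, 9, 10),
    (4, 4, 6, 7, 8, 9),
    (3, 3, 3, 6, 7, 8),
    (2, 2, 2, 2, 6, 7),
    (1, 1, 1, 1, 1, 6),
    (0, 0, 0, 0, 0, 0),
)

Level = Union[int, str, None]  # 0..5, "Unknown", or blank


def _level(value: Level, name: str) -> int:
    """Normalise a drop-down value to 0..5. Blank or "Unknown" becomes 0,
    which reproduces the score of 5 the sheet shows for rows with no inputs
    (assumption made here)."""
    if value is None or (isinstance(value, str) and value.strip().lower() in ("", "unknown")):
        return 0
    level = int(value)
    if not 0 <= level <= 5:
        raise ValueError(f"{name} must be 0..5, got {value!r}")
    return level


def control_vs_impact_score(control_implemented: Level, impact: Level) -> int:
    """The table lookup exactly as the sheet performs it."""
    return CONTROL_VS_IMPACT[_level(control_implemented, "control")][_level(impact, "impact")]


def closed_form_score(control_implemented: int, impact: int) -> int:
    """Rule the table encodes, derived here by inspection: a control at level c
    takes c points off a base of 5, and if the impact level i exceeds c the whole
    impact i is added back. A control only neutralises impacts at or below its
    own level; every cell of CONTROL_VS_IMPACT matches this."""
    c, i = control_implemented, impact
    return 5 - c + (i if i > c else 0)


def residual_risk(likelihood: Optional[float], control_implemented: Level,
                  impact: Level) -> float:
    """Likelihood (fraction 0..1, the sheet's drop-down values) times the lookup
    score, rounded to the two decimals the sheet displays."""
    likelihood = 0.0 if likelihood is None else float(likelihood)
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError(f"likelihood must be 0..1, got {likelihood!r}")
    return round(likelihood * control_vs_impact_score(control_implemented, impact), 2)


@dataclass
class RiskRow:
    """One sheet row: the descriptive columns plus the three assessor inputs."""
    iso_domain: str
    basel_category: str
    threat_event: str
    vulnerability: str
    security_control: str
    likelihood: Optional[float] = None
    control_implemented: Level = None
    impact: Level = None

    def residual(self) -> float:
        return residual_risk(self.likelihood, self.control_implemented, self.impact)


# Constructed sample: three rows modelled on the sheet's, with made-up inputs.
SAMPLE_ROWS: List[RiskRow] = [
    RiskRow("Physical and Environmental Security", "External Fraud",
            "Tailgating to gain unauthorized access",
            "Visitors are not escorted at all times.",
            "Visitors to the physical premise are escorted as necessary.",
            likelihood=0.3, control_implemented=1, impact=4),
    RiskRow("Systems Development", "Business Disruption and System Failures",
            "Software defects",
            "Software patches not tested and applied in a timely manner.",
            "A process is in place for prompt testing and application of vendor patches.",
            likelihood=0.5, control_implemented=4, impact=5),
    RiskRow("Systems Development", "External Fraud",
            "Unauthorized network or system access",
            "Weak or unauthorized encryption algorithms.",
            "Proprietary encryption algorithms certified by an evaluation agency.",
            likelihood=None, control_implemented="Unknown", impact=None),
]


def residual_by_domain(rows: List[RiskRow]) -> Dict[str, float]:
    """Roll-up added here: total residual score per ISO domain."""
    totals: Dict[str, float] = {}
    for row in rows:
        totals[row.iso_domain] = round(totals.get(row.iso_domain, 0.0) + row.residual(), 2)
    return totals


def rank_rows(rows: List[RiskRow]) -> List[RiskRow]:
    """Rows ordered from highest residual risk to lowest."""
    return sorted(rows, key=lambda r: r.residual(), reverse=True)


if __name__ == "__main__":
    for row in rank_rows(SAMPLE_ROWS):
        print(f"{row.residual():5.2f}  {row.iso_domain} / {row.threat_event}")
    print(residual_by_domain(SAMPLE_ROWS))
```

A row with a fully implemented control (level 5) always scores 0 regardless of impact, and an unassessed row scores 5 with residual 0.00, so unscored rows sink to the bottom of the ranking rather than standing out.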
Threat Event (input values):
Airplane crash
Application software failure
Automobile crash
Biological agent attack
Bomb attacks
Bomb threats
Chemical spill
Civil disorder
Computer crime
CPU malfunction/failure
DDoS or DoS attacks
Discussing sensitive matters in open
DNS failure
Dumpster diving
Dust/sand
Embezzlement
Epidemic
Extortion
Fire
Floods
Gas leaks
Hardware failure
Hazardous waste exposure
Heat
High winds
Human error
Hurricane
HVAC failure
Lawsuits/ litigation
Leaving computer screen exposed or unlocked
Leaving doors unlocked
Leaving sensitive documents exposed
Lightning
Lost or stolen laptops
Malicious code
Network spoofing
Network/application backdoor
Network/application time bomb
Power failure
Power fluctuation
Radiation contamination
Robbery
Sabotage
Seismic activity
Shoulder surfing
Snow/ice storms
Social engineering
Software defects
Solar flares
System software failure
Tailgating to gain unauthorized access
Terrorist attack
Telecommunications failure
Tidal Wave
Tornados
Trojans
Typhoon
Unauthorized network or system access
Unauthorized scans
Unintentional DDoS
Unintentionally bad legislation
Vandalism
Virus hoaxes
Viruses
Volcanic eruption
War
War dialing
Web defacements
Work stoppage/ strike
Worms