ISO/IEC 27001 WORKBOOK
Putting theory into practice
Version 1.0
The APMG International ISO/IEC 27001 and Swirl Device logo is a trademark of The APM Group Limited, used under permission of The APM Group Limited.
ISO 27001 Practitioner Workbook

Introduction
Welcome to the ISO/IEC 27001 practitioner workbook. This workbook has been designed to practise and test your application and analytical skills, based on specific scenarios that you may be faced with in an ISO/IEC 27001 environment. This workbook is additional to the ISO/IEC 27001 e-learning course, and should be used within the course modules when prompted.

How to use this workbook
This workbook focuses on the professional skills that go beyond memory of the ISO/IEC 27001 standard or the e-Learning. In this workbook you will be introduced to simple scenarios that may be similar to what you could face in the real world. Analyse each scenario and think about what you have learnt: there could be fundamental issues within them that you should now be able to identify. This workbook is not marked or evaluated, but it should not be ignored, as it will help you apply what you have learnt and thus help you internalise the information for both your exam and real-life projects you may be working on.

An approach to using this book is the following:
1. Take the e-Learning module
2. Read the scenario
3. Read the additional information for the question
4. Tackle the questions in this workbook
5. Refer to your e-learning for guidance if needed
6. Fill in the answer and check if you are right

As a guide, each question should take you no more than 30 minutes to complete.

Answers to questions
Yes, there are answers to each question or problem. These are located at the back of your workbook. We would highly encourage you not to go straight to these answers when you may be lost with a question, as this defeats the point. The questions are open ended; you need to analyse, analyse, analyse, then compare against ISO/IEC 27001 and finally come up with your conclusion.
Scenario
Note: this case study has been taken directly from the practice exam, to guide you on the depth to expect in your final exam. This case study is owned by APMG.

Case Study: Equitable Products
(The organisation and people within the scenario are fictional.)

Background
Equitable Products is a food processing and supply company to supermarkets. They supply food packaged under their own brand name to general retailers and 'supermarket brand' packaged goods to supermarket chains. In addition, they have recently begun supplying frozen 'ready meal' products to a major restaurant chain. To support their business, Equitable Products has food processing plants at two sites. One site deals with the processing and re-packaging of bulk foodstuffs into branded packages (own brand and supermarket). The other site produces ready meals, which are supplied as frozen products to general retail customers and the restaurant chain.

Organisation
There are three marketing divisions within the organisation to service the separate retail, supermarket and restaurant markets. Each of the marketing divisions has its own business targets, objectives and processes. An internal IT unit is responsible for the provision of IT services within Equitable Products. Each division uses some specific, dedicated IT services, together with a core set of shared corporate IT services, to support its business operations. For example, the Equitable Products IT systems now interface directly with the supermarkets' IT systems to enable 'just in time' re-ordering and delivery. The restaurant chain's IT systems are also now connected to the Equitable Products IT systems. All the new Restaurant Ready Meal products are microchipped with a Radio Frequency Identification Device (RFID). All restaurant products must be consumed within five days of production. The RFID technology enables the individual restaurants' usage to be monitored by Equitable Products. A production schedule is produced for the restaurant ready meal products in order to reduce wastage.

Current Status
As a result of international concern over contamination of products, Equitable Products decided that they should take more control of their supply chain. They have recently acquired an established chain of dairy farms which will, in the future, provide most of their fresh dairy products. This will better enable them to track ingredients from 'field to plate'. The other products and ingredients used in the processing plants are sourced from a variety of third party suppliers. Wherever possible, the contracts with those suppliers require the suppliers to maintain ISO/IEC 27001 certification. The diagram below shows the interaction between the various parties and Equitable Products' divisions.

Diagram 1 - The interaction between the various parties and Equitable Products' divisions

The contracts with the major supermarkets require Equitable Products to maintain ISO/IEC 27001 certification, and there is an established ISMS in place. However, the dairy farm chain has never had ISO/IEC 27001 certification and needs to be brought into the scope of certification. Equitable Products' corporate clients are supportive of the reasons and objectives of acquiring the dairy farm chain. However, they require the ISO/IEC 27001 certification to be extended to include this new business division.

Information Security Management Structure
The Equitable Products Chief Financial Officer has the role of Director of Information Management. In this role he has been given the organisational responsibility to ensure that ISO/IEC 27001 conformance is maintained. The Chief Information Officer reports directly to the Director of Information Management and has two Information Security Officers who work for him. They are responsible for ensuring that the company and its third party suppliers maintain the required ISO/IEC 27001 certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring that the IT service is delivered in accordance with ISO/IEC 27001.

Information Security Objectives
Information security risks must be managed effectively, collectively and proportionately in a cost-effective way. A secure and confidential working environment should also be maintained. To achieve this, the information security objectives of Equitable Products include the following:
a) To maintain the confidentiality, integrity and availability of corporate and customer information
b) To maintain ISO/IEC 27001 certification
c) To ensure compliance with legal and regulatory requirements
d) To support effective and resilient processes to respond to, investigate and recover from any information security incidents with necessary controls, identified by formal risk assessment.

© The APM Group Ltd 2014. This case study remains the property of The APM Group (APMG). This document is not to be reproduced or re-sold without express permission from The APM Group Ltd. The APMG-International ISO/IEC 27001 logo is a Trade Mark of The APM Group Limited. The APMG-International logo is a Trade Mark of the APM Group Ltd.
1. Leadership

Leadership Scenario
Additionally, review the supplementary paper for this exercise.

The Equitable Products Chief Financial Officer has just completed an executive board meeting and has been appointed to promote and co-ordinate the information security process as part of his role as the IT Director. His first action was to define the security stakeholders of each department that would be within the scope of the certification. The main consensus was that security responsibilities would be delegated to the individual roles within the organisation, as security is everyone's responsibility. The roles and responsibilities were decided as below:

Role - Brief Description of responsibility
Senior Management - For vision, strategic decisions and coordinating activities to direct and control the organisation.
Line Managers - Has the top responsibility for organisational functions.
Local IT staff - Has overall responsibility for the security tasks.
System Administrator - Has full accountability for all security breaches.
Human Resources - The person/persons with overall responsibility for the staff.

The Line Managers have stated that they do not need to discuss their security issues with other departments, as this would be a security weakness, and as such would prefer to work alone within their area of concern.

1.1 Have the roles and responsibilities been defined? (LE03-01, 04-01)

1.2 Do you think that the roles and responsibilities are appropriate and required for information management and operation? (LE03-02, 04-02)

1.3 Do you think that the concepts, responsibilities and requirements about the context and leadership support an ISMS per Clauses 4, 5 and 7 (Context of the organisation, Leadership and Support) of ISO/IEC 27001? (LE03-03, 04-03)
2. Planning and Operation of the ISMS

Planning and operation scenario
The CFO understands that they need a risk treatment plan and had decided that he needed to define and establish the security risk processes and the criteria for risk acceptance, how to perform risk assessments, who would be the risk owners and who would analyse the information security risks. Additionally, the CFO was very keen to understand what information security risk treatment options were available and requires a Statement of Applicability (SoA) to be produced for critical risks. The CFO was also adamant that there has to be operational planning and control within the plan, which is to include control of planned changes. All risks and changes of their status should be monitored, measured, analysed and evaluated; additionally, documentation about information risk assessments and information risk treatment would be stored in line with the information policies.

2.1 When applying the concepts, responsibilities, requirements and processes relating to planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001, what are important considerations to make? (PL03-07)

2.2 Looking at the planning and operation scenario: do you think that the application of the concepts, responsibilities, requirements and processes relating to planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001 was carried out? If not, what was missing or not completed? (PL04-07)
3. Information Security Control Objectives and Controls

Information security control objectives and controls scenario
The CFO had requested that a report be created detailing the actions completed and any outstanding areas in relation to the controls within ISO/IEC 27001. The report findings are below:

ISO/IEC 27001 Controls Report

Control: Information security policies
Status: The board of directors have agreed that information security is of the highest priority and security policies must be defined; however, they also understand that the security policies should not hinder business growth or become a business disabler. As such they have commissioned a full assessment of what the business security requirements and required policies are, and will then require the IT security policies (including high-level general policies, high-level topic-specific policies and detailed policies) to be brought in line with the business security policies.

Control: Organisation of information policies
Status: The CFO, acting as the IT Director, has been made accountable for IT Security, and as such has put in place a policy regarding the organisation of information security. This includes the following:
• Defining owners, producers and users of information, with the associated RACI matrix highlighting responsibilities for each role
• As all employees have multiple roles, he does not see the value in segregation of duties, and trusts his team not to share information
• There is a full communication plan in place to ensure that if there is a security incident the correct authorities are notified within the agreed timeframes
• Intergroup communication between Equitable Products, the retailers and supermarkets has been defined, with a policy stating what information should be passed between the special interest groups and how
• There are clear policies and procedures in place that highlight the measures that shall be used for mobile devices, inclusive of any teleworking equipment and employees
Control: Human resources security
Status: The human resource policy is split into three main categories as follows:
Prior to employment:
• All potential employees are required to go through a screening process of three interviews and a full background check dependent on their role
• Terms and conditions should be tailored for each employment grade so that the minimum and required information security safeguards are applied
During employment:
• An initial orientation session shall be conducted for all new employees that defines the individual and management information security responsibilities
• Yearly refresher information security training shall be conducted for all employees, with additional specialised training conducted aligned with the employee's skill/function/role
• The policy defines and communicates a formal disciplinary process to all employees
Termination and change of employment:
• There is a defined process for change of roles, including termination of accounts, monitoring of access activities and education about the employee's terms and conditions.

Control: Asset management
Status: There is a single inventory register within Equitable Products which defines the owners of all the assets. Each owner of each asset has defined the acceptable use of their associated asset. The asset policy states that the assets and any data held within them belong to Equitable Products, and that upon an employee/contractor leaving the firm they should hand back the assets intact; additionally, the policy states how assets should be handled and stored. Information assets have a defined classification dependent on the criticality of the information, with defined procedures for handling at the defined level, which is as follows. All documentation is required to have the classification label in the header and footer.
Control: Access control
Status: The organisation uses the ITIL Access Management process, which has been defined in an Access Management Policy; this includes direction on:
• User registration and de-registration
• User access provisioning
• Management of privileged access rights
• Management of secret authentication information of users
• Review of user access rights
• Removal or adjustment of access rights
• Use of secret authentication information
• Information access restriction
• Secure log-on procedures
• Password management system
• Use of privileged utility systems
• Access control to program source code

Control: Cryptography
Status: There is a high-level cryptographic policy that was produced from an off-the-shelf template kit. It covers all the generic items such as cryptographic controls and key management.

Control: Physical and environmental security
Status: There is a mature policy that covers physical and environmental security controls including:
• Secure areas (all controls)
• Equipment (all controls)
This policy was last updated three years ago.

Control: Operations security
Status: At a process governance level, there are multiple processes and procedures available based on Change, Capacity, Availability, Incident and IT Service Continuity, which are aligned to ITIL. These have been tailored to focus on information security matters. At an operational level, there are established and well adopted policies, processes and procedures that cover:
• Separation of duties and environments
• Defined controls against malware (based on changing risk assessments)
• Grandfather/Father/Son information backup policy
• Logging and monitoring procedures
• Definitive Media Library (DML) that controls operational software and restrictions on installation
• Patch and technical vulnerability management
• A high-level policy on audit roles and responsibilities and rules to conduct audits, including processing and data retention.

Control: Communications security
Status: There is a communication policy that covers the following areas:
• Ensures that there is a segregation of users, information systems and networks
• All employees and contractors are held to a non-disclosure agreement that will remain in effect for 12 months after they complete work with the company
• All digital devices have the ability to be remotely wiped
• There are formal policies and procedures for the transfer of sensitive material
• Network controls are in place to protect systems and applications
Control: System acquisition and development
Status: There is an old System Acquisition, Development and Maintenance policy, which needs to be updated in line with the current organisational strategies. Currently the policy contains the following controls:
• Secure development policy
• System change control procedures
• Technical review of applications after operating platform changes
• Restriction in changes to software packages
• Restrictions on changes to software packages
• Outsourced environment
• Systems security testing

Control: Supplier relationships
Status: There is a supplier relationship policy that has been tailored in line with the ITIL supplier categories; it is, however, unsure whether this is still relevant to the new vision. The policy includes:
• An overarching policy for all supplier relationships, including how suppliers are allowed access to the organisation's assets
• Detailed procedures on how information will be managed within the supplier's environment, including storage, access, processing and communication of information
• Ownership of information and the communication technology used within the supply chain
• How supplier audits and reviews are conducted in order to monitor and review supplier services
• Contract management, and how to manage changes to suppliers' contracts and services

Control: Security incident management
Status: The ITIL Incident Management process has been adopted, and there is no further requirement for tailoring towards security incidents.

Control: Business continuity management
Status: There is a disaster recovery plan in place that covers the restoration of business applications and hardware in the event of a disaster. In line with the legislation and contractual requirements, this consists of using a mix of hosted services from a well-known hosting provider and some in-house services; both options need up to 24 hours to install the latest backup, which is kept in the parent location. There is also a high availability solution in place, with a focus on ensuring there is redundancy in place for mission critical services.

Control: Compliance
Status: There is a compliance policy which covers all of the controls; however, this is applied in an ad-hoc manner, and there is little governance to show it is applied.
3.1 This question is broken down into two parts. Analyse the report and answer the following:
1. Do you think that the following aspects have been applied and tailored to the situation correctly?
2. Analyse the reasons to support your decision.

Aspect | Applied/Tailored | Reasons for your decision
Information security policies | |
Organisation of information policies | |
Human resources security | |
Asset management | |
Access control | |
Cryptography | |
Physical and environmental security | |
Operations security | |
Communications security | |
System acquisition, development and maintenance | |
Supplier relationships | |
Information security incident management | |
Information security aspects of business continuity management | |
Compliance | |
Answers
Here are some high-level answers for the exercises. Please note that this is not so much a right-or-wrong type of exercise, but more of a practical way for you to internalise some of the concepts taught in this course.

Leadership

Question 1
Points you should have noticed are:
1. The CFO has been appointed to promote the information security process
2. The stakeholders have been defined (representatives of each department have been identified within the scope)
3. Roles have been allocated within the organisation

Question 2
Points you should have noticed are:
1. The System Administrator should not have full accountability for all security breaches
2. The Local IT staff should not have overall responsibility for the tasks, as this remains the responsibility at the management level

Question 3
Points you should have noticed are:
Concepts: the concepts have been applied ad hoc; however, there is little structure evidenced.
Requirements: the most important considerations as defined in the supplementary paper have been addressed:
b) Overall responsibility for the tasks remains at the management level,
c) One person (usually the Chief Information Security Officer) is appointed to promote and co-ordinate the information security process,
d) Each employee is equally responsible for his or her original task and for maintaining information security in the workplace and in the organisation.
Leadership: the CFO has been appointed to promote and coordinate the information security processes. However, there seems to be little middle management leadership, which can be seen by the Local IT staff being made overall responsible for the tasks, which should remain at management level. Additionally, the CFO should ensure that there is collaboration with the appropriate business specialists (this looks to be absent with the siloed working of the Line Managers).

Planning and Operations of the ISMS

Question 1
Important considerations to make would include:
• Actions to address risks and opportunities
  o Information security risk assessment
  o Information security risk treatment
• Information security objectives and planning to achieve them
• Operation planning and control
• Information security risk assessment
• Information security risk treatment
• Monitoring, measurement, analysis and evaluation
• Internal audits
• Management review
• Non-conformity and corrective action
• Continual improvement

Question 2
Concepts - Planning: the CFO has decided to establish risk management processes by planning the criteria for how risk is defined and accepted and what risk treatment options are available, with a view to formulating a risk treatment plan. There was, however, no evidence to see that the risk plan and actions were aligned with the organisation's security policy; this may have been assumed. Additionally, there was little or no evidence shown of how the requirements and results of the assessment and risk treatment would be communicated.
Responsibilities: from the information shown there was no apparent delegation of responsibilities given within this scenario.
Requirements - Planning: the CFO had shown that there had to be planning and control, and highlighted that change control and control of documentation were important.
Performance evaluation - Planning: the CFO did state at a high level that all risks and changes to their status should be monitored, measured, analysed and evaluated.
Processes - Planning: the CFO did discuss the Change Process and that all documentation should be stored in line with the information policies.
Improvement - Planning: no improvement activities were discussed.

Information Security Control Objectives and Controls

Question 1
Aspect | Applied/Tailored | Reasons for your decision

Aspect: Information security policies
Applied/Tailored: Yes
Reasons:
A.5.1.1 The business has requested that the IT security policies are brought in line with the business policies (tailoring).
A.5.1.2 The business has asked for a review of the information security policies against the business policies.

Aspect: Organisation of information policies
Applied/Tailored: Partially
Reasons:
A.6.1.1 Information roles have been defined (at a high level), and a RACI matrix showing the responsibilities has been developed.
A.6.1.2 Segregation of duties has not been approached, and will be a risk.
A.6.1.3 There is a communication plan highlighting when and how contacts with authorities should take place.
A.6.1.4 Groups have been set up that are governed by communication policies.
A.6.1.5 Nothing is mentioned regarding information security in project management.
A.6.2.1 & A.6.2.2 There is a policy that supports the use of mobile devices and teleworkers.

Aspect: Human resources security
Applied/Tailored: Yes
Reasons:
A.7.1.1 Employees are screened.
A.7.1.2 There are defined terms and conditions of employment.
A.7.2.1 Both management and employee responsibilities are defined and communicated.
A.7.2.2 There is periodic generic and specialised training given.
A.7.2.3 There is a defined disciplinary process.
A.7.3.1 There is a defined termination procedure.

Aspect: Asset management
Applied/Tailored: Partially
Reasons:
A.8.1.1 There is an inventory of assets.
A.8.1.2 There are owners for the assets.
A.8.1.3 Each asset owner defines the acceptable use of the asset; this may cause conflict and areas of weak information security.
A.8.1.4 There is a defined return of assets policy.
A.8.2.1 There is a defined classification for information.
A.8.2.2 All information should be labelled with its classification.
A.8.2.3 There is information about handling and storage.
There is no information shown regarding media handling (A.8.3.1, A.8.3.2, A.8.3.3).
Aspect: Access control
Applied/Tailored: Yes
Reasons: At a high level, the access policy directs all the A.9 Access control clauses.

Aspect: Cryptography
Applied/Tailored: No
Reasons: There is a cryptographic policy based on a generic template; however, this has not been tailored to the organisation and may not be aligned to the regulations and national restrictions that might apply.

Aspect: Physical and environmental security
Applied/Tailored: Partially
Reasons: There is a mature policy that does cover all of the controls stated within A.11 Physical and environmental security. However, this has not been updated for three years, which could mean that it is not aligned to the changing business needs. Additionally, this highlights a lack of governance over the controls.

Aspect: Operations security
Applied/Tailored: Yes
Reasons: All of the controls within A.12 Operations security have been covered, with various levels of detail.

Aspect: Communications security
Applied/Tailored: Partially
Reasons: The A.13 Communications security controls are addressed apart from A.13.1.2 Security of network services.

Aspect: System acquisition, development and maintenance
Applied/Tailored: Partially
Reasons: There is a policy here, but it is out of date and is also missing the following controls:
• A.14.2.5 Secure system engineering principles
• A.14.2.6 Secure development environment
• A.14.2.9 System acceptance testing
• A.14.3.1 Protection of test data
Aspect: Supplier relationships
Applied/Tailored: Yes
Reasons: All the controls within A.15 Supplier relationships are shown. However, it would be recommended that the controls are assessed to define whether they are still aligned with the business objectives.

Aspect: Information security incident management
Applied/Tailored: No
Reasons: Even though the ITIL Incident Management process has been adopted, there is no evidence seen to show that the following controls are in place:
• A.16.1.1 Responsibilities and procedures
• A.16.1.2 Reporting information security events
• A.16.1.3 Reporting information security weaknesses
• A.16.1.4 Assessment of and decision on information security events
• A.16.1.5 Response to information security incidents
• A.16.1.6 Learning from information security incidents
• A.16.1.7 Collection of evidence

Aspect: Information security aspects of business continuity management
Reasons: This statement has the following positive elements:
• There is a disaster recovery plan in place
• There is redundancy for mission critical services
• There is alignment with legislation and contractual agreements
There is, however, no mention of:
• Intellectual property rights, as there is a hosting service used within the solution
• Availability of information processing facilities
• Verify, review and evaluate information security continuity

Aspect: Compliance
Applied/Tailored: No
Reasons: Even though there is a compliance policy that does cover all the stated controls, there is also concern about the governance and application of the controls.