Reposting is not permitted without express, written permission. Author: Val Thiagarajan B. No further reproduction is permitted without prior written approval from the Standards Council of Canada. Documents can be purchased at www. Table of Contents: Security Policy; User Access Management
Published (last): 22 September 2015
PDF file size: 2.7 MB
ePub file size: 11.18 MB
Price: Free (free registration required)
This checklist is not a replacement for any standard, but it can be used in conjunction with the standard to review and evaluate the IT security of an organisation.
Information Security Management BS Tel : 44 0 20

Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, for example: significant security incidents, new vulnerabilities or changes to

Author: Val Thiagarajan. Approved by: Algis Kibirkstis. Owner: SANS Institute.

2. Organisational Security
Review of information security policy: This is to provide assurance that organisational practices properly reflect the policy, and that it is feasible and effective.
Whether security risks with third-party contractors working on site were identified and appropriate controls are implemented. Whether each asset identified has an owner, a security classification that is defined and agreed, and a recorded location.
Whether this agreement covers the security of the information processing facility and organisation assets. Where appropriate, these responsibilities might continue for a defined period after the end of the employment.
Such a process can act as a deterrent to employees who might otherwise be inclined to disregard security procedures.

5. Physical and Environmental Security

Physical security perimeter: Some examples of such security facilities are card-controlled entry gates, walls, manned reception, etc.

Whether there is any potential threat from neighbouring premises. Working in secure areas: Whether there exists any security control for third parties or for personnel working in secure areas. Whether there is a policy on eating, drinking and smoking in proximity to information processing services. Whether environmental conditions that could adversely affect the information processing facilities are monitored. Whether there are any additional security controls in place for sensitive or critical information.
Whether the maintenance is carried out only by authorised personnel. Whether appropriate controls are implemented while sending equipment off premises. If the equipment is covered by insurance, whether the insurance requirements are satisfied.
Clear screen: This would lock the screen when the computer is left unattended for a period. Whether individuals are aware of these types of spot checks or regular audits.

6. Communications and Operations Management

Whether audit logs are maintained for any change made to the production programs. Whether the procedure addresses different types of incidents, ranging from denial of service to breach of confidentiality, etc.

Where necessary, the development network and the operational (production) network should be separated from each other. Whether the necessary approval is obtained from business and application owners.
Capacity planning: This is to ensure that adequate processing power and storage are available. Whether there exists any procedure to verify that all warning bulletins are accurate and informative with regard to malicious software.

Whether antivirus software is installed on the computers to check for, isolate or remove any viruses from computers and media. Whether the software's signatures are updated on a regular basis so that the latest viruses are detected.

Whether all traffic originating from untrusted networks into the organisation is checked for viruses. Example: checking for viruses in email, email attachments, and in web and FTP traffic. Whether the backup media, along with the procedure to restore the backup, are stored securely and well away from the actual site.

Whether the backup media are regularly tested to ensure that they could be restored within the time frame allotted in the operational procedure for recovery. Fault logging: This includes corrective action being taken, review of the fault logs and checking the actions taken.
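The restore test asked for above is the part of a backup control that is most often skipped. The following is an added example (not part of the original checklist) of what such a test looks like in practice: it builds a backup of a constructed sample directory, records a checksum manifest at backup time, restores the archive into a scratch directory, and reports whether every file came back intact and whether the restore finished within the allotted recovery time. The sample files, the 60-second time allowance and the function names are assumptions for illustration; a real run would point `make_backup` at the real data set and `allotted_seconds` at the figure in the recovery procedure.

```python
"""Restore test for a backup archive: integrity (checksums) plus recovery time.

Added example, not from the original checklist. Sample data is constructed inline.
"""
import hashlib
import os
import tarfile
import tempfile
import time


def sha256_of_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Write source_dir into a .tar.gz and return {relative_path: sha256}.

    The manifest is taken at backup time; it is what a later restore is checked against.
    """
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
                manifest[rel] = sha256_of_file(full)
                tar.add(full, arcname=rel)
    return manifest


def restore_test(archive_path, manifest, allotted_seconds):
    """Restore the archive into a scratch directory and verify it.

    Returns a dict: files_checked, mismatched (missing or altered files),
    elapsed_seconds, within_time and an overall passed flag.
    """
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The "data" filter (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4)
            # refuses absolute paths and ".." traversal inside the archive; older
            # interpreters raise TypeError on the keyword and extract without it.
            try:
                tar.extractall(restore_dir, filter="data")
            except TypeError:
                tar.extractall(restore_dir)
        elapsed = time.monotonic() - start
        mismatched = []
        for rel, expected in manifest.items():
            restored = os.path.join(restore_dir, *rel.split("/"))
            if not os.path.isfile(restored) or sha256_of_file(restored) != expected:
                mismatched.append(rel)
    within_time = elapsed <= allotted_seconds
    return {
        "files_checked": len(manifest),
        "mismatched": mismatched,
        "elapsed_seconds": elapsed,
        "within_time": within_time,
        "passed": not mismatched and within_time,
    }


def demo(tamper=False):
    """Constructed scenario: two sample files, one nightly archive, 60 s allowance.

    With tamper=True the archive is rewritten after the manifest was recorded, so
    the restore test must report the changed file as mismatched.
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "customers.csv"), "w") as f:
            f.write("id,name\n1,alice\n2,bob\n")  # constructed sample content
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")
        archive = os.path.join(work, "nightly.tar.gz")
        manifest = make_backup(src, archive)
        if tamper:
            with open(os.path.join(src, "db", "customers.csv"), "a") as f:
                f.write("3,mallory\n")
            make_backup(src, archive)  # archive no longer matches the recorded manifest
        return restore_test(archive, manifest, allotted_seconds=60)


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

The point of keeping the manifest separate from the archive is that an archive which has been silently altered or truncated still "restores" without error; only the comparison against checksums recorded at backup time shows that what came back is not what was saved.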
Whether responsibilities and procedures for the management of remote equipment, including equipment in user areas, have been established. Whether there exist any special controls to safeguard the confidentiality and integrity of data processed over the public network and to protect the connected systems.

Example: virtual private networks, other encryption and hashing mechanisms, etc. Disposal of media: Whether disposal of sensitive items is logged where necessary in order to maintain an audit trail.

Does this procedure address handling issues such as protecting information from unauthorised disclosure or misuse? Example: if system documentation needs to be kept on a shared drive for specific purposes, the documents should have access control lists enabled so that they are accessible only to a limited set of users. Media in transit: Whether the media is well protected from unauthorised access, misuse or corruption.
Whether electronic commerce arrangements between trading partners include a documented agreement, which commits both parties to the agreed terms of trading, including details of security issues.
Electronic office systems: Whether there are any guidelines in place to effectively control the business and security risks associated with electronic office systems. This might include controls such as firewalls, operating system hardening, and any intrusion detection type of tools used to monitor the system, etc.

Access control policy: Whether the access control policy addresses the rules and rights for each user or group of users. Whether the users and service providers were given a clear statement of the business requirements to be met by access controls. User password management: Whether users are asked to sign a statement to keep their password confidential. Example: special privilege access rights reviewed every 3 months, normal privileges every 6 months. Example: log off when the session is finished or set up automatic log-off; terminate sessions when finished, etc.
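The review intervals given as an example (privileged rights every 3 months, normal rights every 6 months) only become a control when something actually produces the list of accounts whose review is overdue. The following is an added example (not part of the original checklist) of that scheduling check: it takes an inventory of accounts with their privilege level and last review date, applies the interval for each level, and returns the accounts that are overdue. Accounts that have never been reviewed, and accounts with a privilege level the policy does not name, are flagged rather than silently skipped, since silently skipping them is how privileged accounts escape review. The account list, the date used as "today" (the page's publication date) and the function names are constructed assumptions for illustration.

```python
"""Access rights review scheduler: which accounts are overdue for review?

Added example, not from the original checklist. The account inventory is constructed.
"""
from datetime import date, timedelta

# Policy from the checklist example: privileged rights every 3 months (taken as 90 days),
# normal rights every 6 months (taken as 180 days).
REVIEW_INTERVAL_DAYS = {"privileged": 90, "normal": 180}

# Constructed sample inventory. In practice this comes from the directory / IAM export.
ACCOUNTS = [
    {"user": "alice", "privilege": "privileged", "last_review": date(2015, 5, 1)},
    {"user": "bob", "privilege": "normal", "last_review": date(2015, 5, 1)},
    {"user": "carol", "privilege": "privileged", "last_review": date(2015, 8, 1)},
    {"user": "dave", "privilege": "normal", "last_review": None},  # never reviewed
    {"user": "erin", "privilege": "service", "last_review": date(2015, 3, 1)},  # level not in policy
]


def review_interval(privilege):
    """Interval for a privilege level; unknown levels get the strictest interval
    so that an unclassified account is reviewed as if it were privileged."""
    return REVIEW_INTERVAL_DAYS.get(privilege, min(REVIEW_INTERVAL_DAYS.values()))


def next_review_due(account):
    """Date by which the account must next be reviewed, or None if never reviewed."""
    if account["last_review"] is None:
        return None
    return account["last_review"] + timedelta(days=review_interval(account["privilege"]))


def overdue_reviews(accounts, today):
    """Return a list of {user, privilege, due, days_overdue, reason} for every account
    whose review is overdue on `today`. Never-reviewed accounts are always overdue."""
    overdue = []
    for acct in accounts:
        due = next_review_due(acct)
        if due is None:
            overdue.append({"user": acct["user"], "privilege": acct["privilege"],
                            "due": None, "days_overdue": None, "reason": "never reviewed"})
        elif due < today:
            reason = "overdue"
            if acct["privilege"] not in REVIEW_INTERVAL_DAYS:
                reason = "overdue (privilege level not in policy, treated as privileged)"
            overdue.append({"user": acct["user"], "privilege": acct["privilege"],
                            "due": due, "days_overdue": (today - due).days, "reason": reason})
    return overdue


def overdue_users(accounts, today):
    """Convenience wrapper returning just the user names, in inventory order."""
    return [entry["user"] for entry in overdue_reviews(accounts, today)]


if __name__ == "__main__":
    for entry in overdue_reviews(ACCOUNTS, date(2015, 9, 22)):
        print(entry)
```

Running the check on a fixed date rather than `date.today()` keeps the result reproducible for the audit record; the date of the run is then part of the evidence that the review control was exercised.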
Node authentication can serve as an alternate means of authenticating groups of remote users where they are connected to a secure, shared computer facility. Example: electronic mail, web access, file transfers, etc.
This is often essential for networks shared with non-organisation users. Whether the routing controls are based on positive source and destination identification mechanisms. This is to minimise the opportunity for unauthorised access. Additional controls may be necessary to maintain accountability. Whether the authentication method used substantiates the claimed identity of the user; the commonly used method is a password that only the user knows.
ISO 17799 Checklist
SCORE: Checklists & Step-by-Step Guides