Information Security Checklist for IS Professionals

Below is an extensive checklist for information security professionals, grouped by domain and sub-domain after the ISO 27001 control areas. It can be customised to your organisation's requirements; where a checkpoint contains `<>`, substitute your organisation's name.

| Sno. | Domain | Sub Domain | Control Checkpoints |
|---|---|---|---|
| 1 | Information security policy | Policy for information security | Is the information security policy defined, published, approved by management and communicated to employees and relevant external parties? |
| 2 | Information security policy | Policy for information security | Does it state management's commitment and set out the organisation's approach to managing information security? |
| 3 | Information security policy | Policy for information security | Has the role of CISO, with responsibility for implementing the security policy, been assigned? |
| 4 | Information security policy | Policy for information security | Does the information security policy include a system acceptance policy? |
| 5 | Information security policy | Policy for information security | Does the information security policy include an operations security policy? |
| 6 | Information security policy | Policy for information security | Does the information security policy include physical and environmental security? |
| 7 | Information security policy | Policy for information security | Does the information security policy include end-user oriented topics such as: 1) acceptable use of assets; 2) clear desk and clear screen; 3) information transfer; 4) mobile devices and teleworking; 5) restrictions on software installation and use? |
| 8 | Information security policy | Policy for information security | Does the information security policy include backup requirements? |
| 9 | Information security policy | Policy for information security | Does the information security policy include protection from malware? |
| 10 | Information security policy | Policy for information security | Does the information security policy include management of technical vulnerabilities? |
| 11 | Information security policy | Policy for information security | Does the information security policy include cryptographic control requirements? |
| 12 | Information security policy | Policy for information security | Does the information security policy include communication of security guidelines? |
| 13 | Information security policy | Policy for information security | Does the information security policy include protection of personally identifiable information? |
| 14 | Information security policy | Policy for information security | Does the information security policy include vendor relationship requirements? |
| 15 | Information security policy | Review of policy for information security | Is the information security policy reviewed by management at planned intervals? |
| 16 | Information security policy | Policy for information security | Does the information security policy assign responsibilities for information security management? |
| 17 | Information security policy | Policy for information security | Does the information security policy contain application security controls that restrict access to programs capable of bypassing the security of the system? |
| 18 | Information security policy | Policy for information security | Are the information (data) classification criteria defined? |
| 19 | Information security policy | Policy for information security | Has information (data) been classified accordingly? |
| 20 | Information security policy | Policy for information security | Are network security controls documented in the information security policy? |
| 21 | Information security policy | Policy for information security | Is there a documented policy for information security incident management? |
| 22 | Information security policy | Policy for information security | Is there a process to approve exceptions to the defined information security policy? |
| 23 | Information security policy | Policy for information security | Is the information security policy communicated to part-time staff, contractors and temporary workers? |
| 24 | Organization of information security | Information security roles and responsibilities | Are the key roles and responsibilities in the information security process identified for everyone in the organisation / BU / territory / concept? |
| 25 | Organization of information security | Contact with authorities | Is there a documented information security incident procedure, and are information security incidents reported (including to the relevant authorities) in a timely manner? |
| 26 | Organization of information security | Contact with special interest groups | Does the organisation / BU / territory / concept receive early warning of alerts, advisories and patches pertaining to attacks and vulnerabilities? |
| 27 | Organization of information security | Contact with special interest groups | Is a risk assessment performed on the third parties / vendors providing services to the organisation / BU / territory / concept? Are third-party audits conducted regularly? |
| 28 | Organization of information security | Segregation of duties | Is a process in place for notification and reporting of unauthorised disclosure or breaches of confidential information? |
| 29 | Organization of information security | Segregation of duties | Is authorisation required for an individual to access, modify or use <> information assets? |
| 30 | Organization of information security | Segregation of duties | Is the person's activity monitored, and are audit trails or logs maintained, while <> information assets are being accessed? |
| 31 | Organization of information security | Information security in project management | Is change management defined and followed for any change to a third-party contract? |
| 32 | Organization of information security | Information security in project management | Are confidentiality requirements included in third-party agreements? |
| 33 | Organization of information security | Information security in project management | Do third-party agreements include dispute resolution? |
| 34 | Organization of information security | Information security in project management | Are data ownership criteria stated in third-party agreements? |
| 35 | Organization of information security | Information security in project management | Is ownership of intellectual property addressed in third-party agreements? |
| 36 | Organization of information security | Information security in project management | Is a sub-contracting clause included for projects that are subcontracted? |
| 37 | Organization of information security | Information security in project management | Does the third-party agreement include a termination/exit clause and a right-to-audit clause? |
| 38 | Organization of information security | Information security in project management | Is there a contingency plan in case either party wishes to terminate the relationship before the end of the agreement? |
| 39 | Organization of information security | Information security in project management | Are information security requirements assessed before and during project execution? |
| 40 | Organization of information security | Information security in project management | Is there provision to renegotiate agreements if the organisation's requirements change during a running contract? |
| 41 | Organization of information security | Mobile device policy | Are any mobile computing devices (notebooks, PDAs, smartphones, etc.) used for accessing, processing or storing business data? |
| 42 | Organization of information security | Mobile device policy | Are mobile devices registered and approved by <> management before use? |
| 43 | Organization of information security | Mobile device policy | Are mobile devices restricted from software installation? |
| 44 | Organization of information security | Mobile device policy | Is access from mobile devices to critical systems restricted? |
| 45 | Organization of information security | Mobile device policy | Are remote disable, remote erasure (wipe) and lockout features configured on mobile devices? |
| 46 | Organization of information security | Teleworking | Are visitor and employee personal devices restricted from accessing <> assets or the <> network? |
| 47 | Human resource security | Prior to employment - Roles and responsibilities | Are users' security roles and responsibilities defined and documented in accordance with the organisation's information security policy? |
| 48 | Human resource security | Prior to employment - Roles and responsibilities | Are roles and responsibilities defined and clearly communicated to job candidates, and to new joiners during induction? |
| 49 | Human resource security | Prior to employment - Terms and conditions of employment | Are employees, contractors and third-party users asked to sign a confidentiality or non-disclosure agreement as part of the initial terms and conditions of their employment contract? If yes, does it cover: acceptable use, code of conduct / ethics, non-disclosure agreement, confidentiality agreement? |
| 50 | Human resource security | Prior to employment - Terms and conditions of employment | Does the above agreement cover the information security responsibilities of the organisation and of the employee, third-party users and contractors? |
| 51 | Human resource security | During employment - Management responsibilities | Does management require employees, contractors and third-party users to apply security in accordance with the organisation's established policies and procedures? |
| 52 | Human resource security | During employment - Information security awareness, education and training | Do all employees, and relevant contractors and third-party users, receive appropriate security awareness training and regular updates on organisational policies and procedures as they pertain to their job function? |
| 53 | Human resource security | During employment - Disciplinary process | Is there a formal disciplinary process for employees who have committed a security breach? |
| 54 | Human resource security | Termination and change of employment - Termination responsibilities | Is there an employee termination or change-of-status process? |
| 55 | Human resource security | Termination and change of employment - Termination responsibilities | Are responsibilities for performing employment termination, or change of employment, clearly defined and assigned? |
| 56 | Human resource security | Termination and change of employment - Termination responsibilities | Does HR notify security / access administration of employee termination or change of status so that access rights can be removed? |
| 57 | Human resource security | Termination and change of employment - Return of assets | Is there a process to ensure that all employees, contractors and third-party users surrender all organisational assets in their possession upon termination of their employment, contract or agreement? |
| 58 | Human resource security | Termination and change of employment - Termination responsibilities | Are employees required to return organisational assets (laptop, desktop, PDA, mobile phone, access cards, tokens, smart cards, keys, proprietary documentation) upon termination or change of status? |
| 59 | Human resource security | Termination and change of employment - Removal of access rights | Are the access rights of all employees, contractors and third-party users to information and information processing facilities removed upon termination of their employment, contract or agreement, or adjusted upon change? |
| 60 | Human resource security | Termination and change of employment - Removal of access rights | Are information security responsibilities and duties that remain valid after termination or change of employment defined, communicated to the employee or contractor, and enforced? |
| 61 | Asset management | Inventory of assets | Is an inventory of all information assets maintained? |
| 62 | Asset management | Inventory of assets | Is the asset register completed with all the required information, as per the template provided by the information security team? |
| 63 | Asset management | Inventory of assets | Are all system configurations properly documented? |
| 64 | Asset management | Inventory of assets | Is the configuration document updated regularly on a fixed schedule? |
| 65 | Asset management | Inventory of assets | Are user devices configured to lock out after a defined number of failed logon attempts? Is there a defined time period after which locked-out accounts are unlocked? |
| 66 | Asset management | Ownership of assets | Are assets appropriately classified in the asset register? |
| 67 | Asset management | Ownership of assets | Are IT assets disposed of / destroyed as per the organisation's destruction policy? |
| 68 | Asset management | Acceptable use of assets | Is there an acceptable usage policy? |
| 69 | Asset management | Acceptable use of assets | Is sign-off on the acceptable usage policy obtained from employees, contractors and third-party users? |
| 70 | Asset management | Return of assets | Is there a procedure to ensure the return of <> information assets such as laptops and portable devices upon employee termination or retirement? |
| 71 | Asset management | Labelling of information | Are IT assets appropriately labelled (barcode) / tagged? |
| 72 | Asset management | Management of removable media | Is there a process to make the contents of reusable media unrecoverable once they are no longer required by the organisation? |
| 73 | Asset management | Management of removable media | Is authorisation required for media removed from the organisation? |
| 74 | Asset management | Handling of assets | Is critical user data encrypted wherever required, based on the criticality of the data? |
| 75 | Asset management | Management of removable media | Where stored data must be retained for a long time, is it transferred to new or fresh media before the original media degrades? |
| 76 | Asset management | Management of removable media | Is the transfer of information to and from removable media monitored? |
| 77 | Asset management | Disposal of media | Is there a procedure to identify the assets that require secure disposal? |
| 78 | Asset management | Disposal of media | Are records/details maintained of the disposal of sensitive items? |
| 79 | Asset management | Physical media transfer | Does media move off-site? If so, is each movement authorised and recorded? |
| 80 | Access control | Access control policy | Is an access control policy developed and reviewed based on business and security requirements? |
| 81 | Access control | Access control policy | Does the policy take both logical and physical access control into consideration? |
| 82 | Access control | Access control policy | Are users and service providers given access as per the business-approved access control matrix, where one exists? |
| 83 | Access control | Access control policy | Is there an access control (including remote access) policy that has been approved by management and communicated to users? |
| 84 | Access control | User access management - User registration | Is there a formal user registration and de-registration procedure for granting access to all information systems and services? |
| 85 | Access control | User access management - User registration | Is authorisation from the information owner obtained before assigning user access to an information system? |
| 86 | Access control | User access management - Privilege management | Are the allocation and use of privileges in the information system environment restricted and controlled, i.e. allocated on a need-to-use basis and only after a formal authorisation process? |
| 87 | Access control | User access management - Privilege management | Are unique user IDs used for access to information systems such as servers, desktops and network devices? |
| 88 | Access control | User access management - User password management | Is there a process to communicate the user ID and temporary password in a secure manner? Is the initial password unique for each user? |
| 89 | Access control | Operating system access control - Secure log-on procedures | Are logon banners configured for all system access? Is access to the operating system controlled by a secure log-on procedure? |
| 90 | Access control | User responsibilities - Password use | Are there security practices in place to guide users in selecting and maintaining secure passwords? |
| 91 | Access control | Password management system | Is there a password management system that enforces password controls such as: individual passwords for accountability, enforced password changes, storage of passwords in hashed or encrypted form, masking of passwords on screen, etc.? |
| 92 | Access control | User access management - Review of user access rights | Is there a password vault for storing critical credentials (e.g. system master credentials) for use in an emergency? Is there an approval process for use of these credentials? Is there a process to update them periodically? Are the passwords changed after every check-out and use? |
| 93 | Access control | User access management - Review of user access rights | Is there a process to review user access rights at regular intervals? |
| 94 | Access control | User access management - Review of user access rights | Are the allocation and use of privileged access rights restricted and controlled (logged and reviewed)? |
| 95 | Access control | Operating system access control - User identification and authentication | Is a unique identifier (user ID) provided to every user, including operators, system administrators and all other technical staff? |
| 96 | Access control | Operating system access control - User identification and authentication | Are generic (shared) user accounts issued only under exceptional circumstances where there is a clear business benefit? |
| 97 | Access control | Application access control - Error message handling | Upon logon failure, is the error message generic, i.e. does it avoid telling the user whether the user ID or the password was invalid, so that valid user IDs cannot be enumerated? |
| 98 | Access control | Application access control - Login timestamp | Upon successful logon, does the portal display the date and time of the last successful logon? |
| 99 | Access control | Application access control | Is two-factor authentication deployed for "high-risk" environments? |
| 100 | Access control | Access control to program source code | Is access to program source code restricted? |
| 101 | Access control | Application access control | Is there a process to temporarily disable or suspend access for users who are on temporary leave? |
| 102 | Access control | Operating system access control - Use of system utilities | Is the use of system utilities (administrative and troubleshooting tools) restricted to authorised users only? |
| 103 | Access control | User responsibilities - Unattended user equipment | Are users and internal contractors made aware of the security requirements and procedures for protecting unattended equipment, e.g. logging off when a session is finished, setting up auto log-off, terminating sessions when finished? |
| 104 | Access control | Application access control - Unattended user equipment | Do inactive workstations lock within 15 minutes? |
| 105 | Access control | Application access control - Session time-out | Are inactive sessions disconnected after a defined period of inactivity? |
| 106 | Access control | User responsibilities - Clear desk and clear screen policy | Has the organisation adopted a clear desk policy with regard to papers and removable storage media? |
| 107 | Access control | User responsibilities - Clear desk and clear screen policy | Has the organisation adopted a clear screen policy with regard to information processing facilities? |
| 108 | Access control | Application and information access control - Information access restriction | Is access to information and application system functions by users and support personnel restricted in accordance with the defined access control policy? |
| 109 | Access control | Application access control | Is developer access for debugging limited to read-only? Are the release manager and developer roles segregated? |
| 110 | Access control | Password management system | Are strong passwords required on information systems? |
| 111 | Access control | Password management system | Are new users issued random, single-use initial passwords, with the user ID and password communicated via separate channels (e.g. e-mail and phone)? |
| 112 | Access control | Password management system | Are vendor default passwords removed, disabled or changed before a device or system is placed into production? |
| 113 | Access control | Communication security | Is remote access to the organisation's infrastructure highly restricted and controlled, to prevent unauthorised access from untrusted networks? |
| 114 | Access control | Communication security | Is two-factor authentication required for remote access such as VPN? |
| 115 | Access control | Mobile computing and communications | Is a formal policy in place, with appropriate security measures adopted, to protect against the risks of using mobile computing and communication facilities? |
| 116 | Access control | Mobile computing and communications | Does the mobile computing policy take into account risks such as working in an unprotected environment? |
| 117 | Access control | Teleworking | Are a policy, operational plan and procedures developed and implemented for teleworking activities? |
| 118 | Access control | Teleworking | Is teleworking authorised and controlled by management, and are suitable arrangements in place for this way of working? |
| 119 | Cryptography | Policy on use of cryptographic controls | Are all passwords rendered unreadable during transmission and storage on all system components (for portals) using strong cryptography? |
| 120 | Physical access and environmental controls | Secure areas | Are sufficient controls in place for physical protection against damage from fire, earthquake, explosion, civil unrest and other forms of natural or man-made disaster? |
| 121 | Physical access and environmental controls | Secure areas | Are security perimeters defined and used to protect areas that contain sensitive or critical information processing facilities? |
| 122 | Physical access and environmental controls | Securing offices, rooms and facilities | Are smoke detectors and fire alarms installed at the data centre (DC)? Do they undergo periodic preventive maintenance? |
| 123 | Physical access and environmental controls | Securing offices, rooms and facilities | Are fire extinguishers installed at easily visible and accessible locations? Are they adequate in number for the area to be covered? |
| 124 | Physical access and environmental controls | Secure areas | Are physical security personnel trained in the use of fire extinguishers and basic first aid? |
| 125 | Physical access and environmental controls | Secure areas | Are mock fire evacuation / emergency evacuation drills conducted? |
| 126 | Physical access and environmental controls | Secure areas | Are emergency telephone numbers (ambulance, hospital, police station, fire brigade) posted at critical locations? |
| 127 | Physical access and environmental controls | Working in secure areas | Is an overall floor layout diagram, including the safe assembly point, posted at appropriate places in the DC? |
| 128 | Physical access and environmental controls | Secure areas | Are emergency exits visible and properly labelled? |
| 129 | Physical access and environmental controls | Secure areas | Are air conditioning systems implemented to ensure that the operating environment conforms to the equipment manufacturer's specifications? |
| 130 | Physical access and environmental controls | Secure areas | Are there procedures to monitor that humidity and temperature levels in the data centre / server room remain within the limits prescribed by the manufacturer / OEM? Is a water alarm system configured to detect water in high-risk areas of the data centre? |
| 131 | Physical access and environmental controls | Cabling security | Are cables in the DC clearly labelled and documented, to minimise handling errors such as patching the wrong network cable or causing electrical power surges? |
| 132 | Physical access and environmental controls | Secure areas | Is physical access to the data centre controlled using two-factor authentication? |
| 133 | Physical access and environmental controls | Secure areas | Are visitors required to sign the visitor register? |
| 134 | Physical access and environmental controls | Securing offices, rooms and facilities | Are continuous monitoring systems (e.g. CCTV) installed to monitor critical facilities on a 24x7 basis? |
| 135 | Physical access and environmental controls | Secure areas | Do critical systems, services, infrastructure and physical locations such as the data centre display a sign indicating that only authorised personnel are allowed? |
| 136 | Physical access and environmental controls | Physical security | Is access to restricted zones granted on a need-to-access basis? |
| 137 | Physical access and environmental controls | Physical security | Is a periodic access rights review conducted for access granted to employees, contractors and third parties at <>? |
| 138 | Physical access and environmental controls | Physical security | Are visitors accompanied by organisation staff when entering or working in critical systems, services, infrastructure or physical locations such as the data centre? |
| 139 | Physical access and environmental controls | Physical security | Is an access control register maintained at the entry point of the data centre? Are the date and time of entry and departure recorded for all visitors? |
| 140 | Physical access and environmental controls | Physical security | Are the racks in the server room locked, with access to these racks restricted to authorised personnel only? |
| 141 | Physical access and environmental controls | Physical security | Are identification cards for contractors, visitors and temporary employees physically different from those of regular employees? |
| 142 | Physical access and environmental controls | Physical security | Are visitors always escorted in the DC? |
| 143 | Physical access and environmental controls | Secure areas | Are access rights to secure areas (e.g. the DC and critical office areas) regularly reviewed and updated? |
| 144 | Physical access and environmental controls | Secure areas | Are access points such as delivery and loading areas, and other points where unauthorised persons could enter the premises, controlled and, where possible, isolated from information processing facilities to avoid unauthorised access? |
| 145 | Physical access and environmental controls | Physical security | Is there a designated site owner and a backup site owner? |
| 146 | Physical access and environmental controls | Physical security | Do access requests require the approval of the site owner? |
| 147 | Physical access and environmental controls | Unattended user equipment | Are incoming and outgoing mail points and unattended fax, telex and photocopy machines protected? |
| 148 | Physical access and environmental controls | Secure disposal or re-use of equipment | Are printers cleared of sensitive output immediately? |
| 149 | Physical access and environmental controls | Equipment maintenance | Is equipment maintenance performed by authorised personnel only? |
| 150 | Physical access and environmental controls | Security of equipment off-premises | Is the use of any information equipment outside the organisation's premises authorised by management? |
| 151 | Physical access and environmental controls | Security of equipment off-premises | Is there adequate insurance cover for critical equipment? |
| 152 | Physical access and environmental controls | Secure disposal or re-use of equipment | Are sensitive data and licensed software securely erased from equipment prior to disposal? Is the erasure mechanism secure? |
| 153 | Physical access and environmental controls | Removal of assets | Do procedures exist for the management of removable media such as tapes, memory cards and printed reports? Are equipment, information and software taken off-site only with prior authorisation? |
| 154 | Physical access and environmental controls | Disposal of media | Is media that is no longer required disposed of securely and safely, as per formal procedures? |
| 155 | Operations security | Operating procedures | Are operating procedures documented and made available to all users who need them? |
| 156 | Operations security | Change management | Are changes to the organisation's business processes, information processing facilities and systems that affect information security controlled? |
| 157 | Operations security | Capacity management | Is there a procedure for decommissioning applications, systems, databases, environments, etc.? |
| 158 | Operations security | Capacity management | Are capacity requirements monitored to ensure that adequate resources are available? |
| 159 | Operations security | Control against malware | Are anti-virus agents configured to scan all removable disks and devices before use? |
| 160 | Operations security | Control against malware | Are anti-virus agents configured to scan all BO servers, store servers and store manager machines? |
| 161 | Operations security | Control against malware | Is the anti-virus software configured to scan all internet and e-mail traffic for viruses and mobile code? Is it configured to scan the system periodically? |
| 162 | Operations security | Control against malware | Do all desktops, laptops, mobile devices and servers in the organisation have anti-virus software / an agent installed that is periodically updated with the latest signatures? |
| 163 | Operations security | Control against malware | Are the anti-virus servers configured as per the latest secure configuration document (hardening policy)? |
| 164 | Operations security | Control against malware | Do critical changes to the anti-virus application and its configuration settings follow the organisation's change management policy? |
| 165 | Operations security | Control against malware | Are incidents of anti-virus software malfunction or virus outbreak reported to the appropriate team for remedial action? |
| 166 | Operations security | Control against malware | Do appropriate management procedures and responsibilities exist for reporting, and recovering from, virus attacks? |
| 167 | Operations security | Control against malware | Are service level agreements maintained with the vendor for software upgrades and technical support for the anti-virus software? |
| 168 | Operations security | Control against malware | Is there a formal policy requiring compliance with software licences and prohibiting the use of unauthorised software? |
| 169 | Operations security | Control against malware | Are end users of laptops/desktops denied the rights/privileges to change anti-virus agent settings or turn the anti-virus off? |
| 170 | Operations security | Information backup | Is there a documented backup policy and procedure? |
| 171 | Operations security | Information backup | Is the backup schedule of business applications documented? |
| 172 | Operations security | Information backup | Is a backup retention period defined, to ensure that backup data is retained for the period necessary to satisfy business, regulatory and legal requirements? |
| 173 | Operations security | Information backup | Is backup data encrypted? |
| 174 | Operations security | Information backup | Is backup media stored in a fire-resistant cabinet in line with OEM specifications, accessible only to authorised personnel? |
| 175 | Operations security | Information backup | Is all backup media properly labelled for identification and information classification? |
| 176 | Operations security | Information backup | Is a copy of the backup stored off-site for critical business applications? |
| 177 | Operations security | Information backup | Is media transported securely to the off-site location, and protected from unauthorised tampering or information disclosure during transport? |
| 178 | Operations security | Information backup | Are backups sent on external removable media? If yes, is an NDA signed with the courier service, and is the data on the removable media encrypted? |
| 179 | Operations security | Information backup | Is backup media securely disposed of? |
| 180 | Operations security | Information backup | Is a tape movement register maintained to track the movement of backup media, i.e. incoming and outgoing tapes? |
| 181 | Operations security | Information backup | Are there procedures to review the backup tape inventory periodically? |
| 182 | Operations security | Information backup | If backup software is used to take data backups, are security measures in place to protect the backup software? |
| 183 | Operations security | Information backup | Is access to the backup software and systems restricted to authorised personnel only? |
| 184 | Operations security | Information backup | Is recovery testing done periodically for critical systems where a synchronised data backup at the DR site is not available, to ensure that data can be recovered from the backup media? |
| 185 | Operations security | Information backup | How frequently are test restorations of backed-up data performed? |
| 186 | Operations security | Event logging | Are event logs enabled on access control devices, recording user activities, exceptions, faults and information security events, and are they retained and regularly reviewed? |
| 187 | Operations security | Event logging | Are event logs enabled on all database servers, recording user activities, exceptions, faults and information security events, and are they retained and regularly reviewed? |
| 188 | Operations security | Event logging | Are event logs enabled on network devices, recording user activities, exceptions, faults and information security events, and are they retained and regularly reviewed? |
| 189 | Operations security | Protection of log information | Are logging facilities and log information on access control devices protected against tampering and unauthorised access? Are there mechanisms to detect and prevent: alterations to the message types that are recorded; log files being edited or deleted; the storage capacity of the log media being exceeded? |
| 190 | Operations security | Protection of log information - Operating system servers | Are logs enabled on all operating system servers? Are logging facilities and log information protected against tampering and unauthorised access at operating system level? Are there mechanisms to detect and prevent: alterations to the message types that are recorded; log files being edited or deleted; the storage capacity of the log media being exceeded? |
| 191 | Operations security | Protection of log information | Are logs enabled on all network devices? Are logging facilities and log information protected against tampering and unauthorised access at network level? Are there mechanisms to detect and prevent: alterations to the message types that are recorded; log files being edited or deleted; the storage capacity of the log media being exceeded? |
| 192 | Operations security | Administrator and operator logs | Are all activities carried out on critical systems by system administrators and system operators logged, and are those logs protected? |
| 193 | Operations security | Administrator and operator logs | Are all activities carried out on critical systems by system administrators and system operators reviewed on a regular basis? |
| 194 | Operations security | Administrator and operator logs | Do the logs include: the time at which an event (success or failure) occurred; information about the event; which account and which administrator or operator was involved? |
195Operations securityClock synchronizationIs there an NTP server in use ?
196Operations securityClock synchronizationAre all information systems in sync with the NTP server ?
197Operations securityClock synchronizationIs the NTP server maintained in High Availability mode?
198Operations securitySeparation of development, testing & operational environmentsAre all critical changes to operational systems and applications tested in a testing or staging environment prior to being applied to operational systems?
199Operations securitySeparation of development, testing & operational environmentsIs there a defined process for source code movement from development, test to production environment ?
200Operations securityChange managementDoes the change management process require identification and recording of significant changes?
201Operations securityChange managementDoes the change management process include planning and testing of changes?
202Operations securityChange managementIs the change management process do an assessment of the potential impacts, including information security impacts, of such changes?
203Operations securityChange managementDo the change management process follow formal approval procedure for proposed changes?
204Operations securityChange managementDo the change management process verify that information security requirements have been met?
205Operations securityChange managementAre change details are communicated to all relevant persons?
206Operations securityChange managementDoes fallback procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events?
207Operations securityChange managementIs there a provision of an emergency change process to enable quick and controlled implementation of changes?
208Operations securityChange managementWhether all changes to any system, service, infrastructure and physical location facilities are controlled ?
209Operations securityChange managementWhether procedures were included within the organisations change management programme to ensure that Business continuity matters are appropriately addressed.
210Operations securityInstallation of software on operating systemAre the version control methods implemented for any changes / modification in software?
211Operations securitySeparation of development, testing & operational environmentsWhether the testing of security functionality is carried out during the development ?
212Operations securityManagement of technical vulnerabilitiesAre timeline been defined to react on notifications of potentially relevant technical vulnerabilities?
213Operations securityManagement of technical vulnerabilitiesIs the evaluation of risks relating to the known vulnerability and define appropriate detective and corrective actions?
214Operations securityRestrictions on software installationIs the list of permitted software or type of software which allowed to installed on desktop, laptop or servers is maintain?
215Communication SecurityNetwork Security Management- Network ControlsAre appropriate network controls implemented for the security of information and information in transit?
216Communication SecurityNetwork Security Management - Security of network servicesWhether controls were implemented to ensure the security of the information in networks, and the protection of the connected services from threats, such as unauthorized access.
217Communication SecurityNetwork Security Management - Security of network servicesAre Security mechanisms, service levels and management requirements of all network services identified and included in network services agreements ?
218Communication SecurityNetwork Security Management - Security of network servicesIs there an Intruder Detection System (IDS)/Intruder Prevention System (IPS) implemented? Does it cover all external connections?
219Communication SecurityNetwork Security Management - Segregation in networksAre the responsibilities and procedures defined for the managing of networking equipment ?
220Communication SecurityNetwork Security Management - Segregation in networksAre firewalls in use for both internal and external connections?
221Communication SecurityNetwork Security Management - Segregation in networksIs every connection to an external network terminated at a firewall?
222Communication SecurityExchange of information -Information Transfer Policies and ProceduresDo the firewalls have any rules that permit 'any' network, sub network, host, protocol or port on any of the firewalls (internal or external)?
223Communication SecurityExchange of information -Information Transfer Policies and ProceduresIs the Firewall rule base treated as a sensitive information and is knowledge of the same restricted to only authorized officials in the IT / Computer operations department?
224Communication SecurityExchange of information -Information Transfer Policies and ProceduresWhether there is a formal transfer (exchange) policy, procedure ?and control in place to ensure the protection of ?information.?
225Communication SecurityExchange of information -Information Transfer Policies and ProceduresIs there a policy or guidelines available outlining acceptable use of communication facilities?
226Communication SecurityExchange of information -Information Transfer Policies and ProceduresAre there any procedures designed to protect transferred information from interception, copying, modification, misrouting and destruction.
227Communication SecurityExchange of information - Exchange AgreementsWhether agreements are established concerning ?exchange of information and software between the ?organization and external parties.
228Communication SecurityExchange of information - Electronic MessagingWhether media containing information is protected against unauthorized access, misuse or corruption during transportation beyond the organization’s physical boundary.
229Communication SecurityExchange of information - Business Information systemsWhether the information involved in electronic ?messaging is well protected. ?
230Communication SecurityConfidentiality or Non Disclosure agreementsWhether policies and procedures are developed and enforced to protect information associated with the interconnection of business information systems.
231Communication SecurityConfidentiality or Non Disclosure agreementsIs there a process to ensure that Confidentiality and non-disclosure agreements comply with all applicable laws and regulations?
232System acquisition, development and maintenanceSecuring application services on public networksIs there a process to review requirements for confidentiality and non-disclosure agreements periodically and when changes occur?
233System acquisition, development and maintenanceSecurity Requirements Analysis And SpecificationDoes information involved in application services passing over public networks are protected from fraudulent activity, contract dispute and unauthorized disclosure and modification? For e.g. authentication, cryptographic controls etc.
234System acquisition, development and maintenanceSecurity Requirements Analysis And SpecificationWhether security requirements for new information ?systems and enhancement to existing information ?system specify the requirements at time of implementation/ design for security controls. ?
235System acquisition, development and maintenanceCorrect processing in applications - Input data validationWhether system requirements for information security and processes for implementing security is integrated in the early stages of information system projects.
236System acquisition, development and maintenanceCorrect processing in applications - Input data validationWhether data input to application system is validated ?to ensure that it is correct and appropriate. ?
237System acquisition, development and maintenanceCorrect processing in applications - Control of internal processingWhether the controls such as: Different types of inputs ?to check for error messages, Procedures for responding ?to validation errors, defining responsibilities of all ?personnel involved in data input process etc., are ?considered.?
238System acquisition, development and maintenanceCorrect processing in applications - Control of internal processingWhether validation checks are incorporated into ?applications to detect any corruption of information ?through processing errors or deliberate acts. ?
239System acquisition, development and maintenanceCorrect processing in applications - Output data validationWhether an security risk assessment was carried out to ?determine if message integrity is required, and to ?identify the most appropriate method of ?implementation. ?
240System acquisition, development and maintenanceSecurity In Development And Support ProcessesIs there a formal Software Development Life Cycle (SDLC) process?
241System acquisition, development and maintenanceSecurity In Development And Support ProcessesIs change management process followed for the application changes and are the change records maintained?
242System acquisition, development and maintenanceSecurity In Development And Support ProcessesAre secure system engineering principles followed for development and implementation of software applications ?
243System acquisition, development and maintenanceSecurity In Development And Support ProcessesAre there access controls to protect source code and test data? Does the version management system provide segregation of code, data and environments?
244System acquisition, development and maintenanceSecurity In Development And Support ProcessesDo changes to applications or application code go through a risk assessment including application testing?
245System acquisition, development and maintenanceSystem change control procedures.Whether changes to systems within the development lifecycle are controlled by the use of formal change control procedures.
246System acquisition, development and maintenanceTechnical review of applications after operating platform changes.When operating platforms are changed, whether business critical applications are reviewed and tested to ensure there is no adverse impact to organizational operations or security.
247System acquisition, development and maintenanceOutsourced development.Whether the organization supervise and monitor the activity of out sourced system development.
248System acquisition, development and maintenanceSystem security testing.Whether testing of security functionality are carried out during development.
249System acquisition, development and maintenanceSystem acceptance testing.Whether Acceptance testing programs and related criteria are established for new information systems, upgrades and new versions.
250Information security in supplier relationshipsAddressing security within supplier agreements - Service deliveryIs there a policy available to address information security requirements for mitigating risks associated with suppliers?
251Information security in supplier relationshipsAddressing security within supplier agreementsAre there processes and procedures established for information security requirements for each type of vendor and type of access based on the organization’s business needs and the risk profile?
252Information security in supplier relationshipsInformation and communication technology supply chainDoes the supplier agreements include legal and regulatory requirements, data protection, intellectual property rights and copyright, and a description of how it will be ensured that they are met?
253Information security in supplier relationshipsMonitoring and review of supplier servicesDo the supplier agreements include organization’s security requirements throughout the supply chain; if suppliers subcontract for parts of information and communication technology ?
254Information security in supplier relationshipsMonitoring and review of supplier servicesWhether the services, reports and records provided by ?third party are regularly monitored and reviewed.?
255Information security in supplier relationshipsManaging changes to supplier servicesWhether audits are conducted on the above third party ?services, reports and records, on regular interval.?
256Information security incident managementInformation security incident management - Responsibilities and proceduresDoes it take into account criticality of business ?systems, processes involved and re-assessment of risks
257Information security incident managementInformation security incident managementIs there an Incident Management program?
258Information security incident managementReporting Information Security EventsIs there a documented policy for incident management that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
259Information security incident managementReporting Information Security EventsWhether information security events are reported ?through appropriate management channels as quickly ?as possible. ?
260Information security incident managementReporting security weaknessesWhether formal information security event reporting ?procedure, Incident response and escalation procedure ?is developed and implemented. ?
261Information security incident managementReporting Information Security EventsWhether there exists a procedure that ensures all ?employees of information systems and services are ?required to note and report any observed or suspected ?security weakness in the system or services. ?
262Information security incident managementReporting Information Security EventsIs there a formal Incident Response Plan ? If yes, does it include: Is Incident Management team with defined roles and response available 24x7x365. - Procedures to collect and maintain a chain of custody for evidence during incident investigation. - Feedback process to ensure that the person reporting information security events are notified of the results after the issue has been dealt with and closed. Does it consider incidents when running from DR facilities
263Information security incident managementManagement of information security incidents and improvements - Responsibilities and proceduresIs there an identification of incident process? If yes, does it include: - Unauthorized physical access. - Information system failure or loss of service. - Malware activity (anti-virus, worms, Trojans). - Denial of service. - System exploit. - Feedback and lessons learned.
264Information security incident managementManagement of information security incidents and improvements - Responsibilities and proceduresWhether management responsibilities and procedures ?are established to ensure quick, effective and orderly ?response to information security incidents. ?
265Information security incident managementResponse to information security incidentsAre the Information security events assessed and decided if they are to be classified as information security incidents?
266Information security incident managementCollection of evidenceWhether the information gained from the evaluation of ?the past information security incidents are used to ?identify recurring or high impact incidents. ?
267Compliance with legal requirementsCompliance with legal and contractual requirementsAre processes and procedures for identification, collection, acquisition and preservation of evidence are defined including:
268Compliance with legal requirementsIntellectual property rights (IPR)Are audits performed to ensure compliance with any legal, regulatory or industry requirements?
269Compliance with legal requirementsProtection Of Organizational RecordsWhether controls such as: publishing intellectual ?property rights compliance policy, procedures for ?acquiring software, policy awareness, maintaining ?proof of ownership, complying with software terms ?and conditions are considered. ?
270Compliance with legal requirementsProtection Of Organizational RecordsIs there records retention policy covering paper and electronic records, including email, in support of applicable regulations, standards and contractual requirements?
271Compliance with legal requirementsProtection Of Organizational RecordsWhether data storage systems were chosen so that ?required data can be retrieved in an acceptable ?timeframe and format, depending on requirements to ?be fulfilled (viz. data retention time frame basis as per local legal requirement). ?
272Compliance with legal requirementsProtection Of Organizational RecordsWhether important records of the organization is ?protected from loss destruction and falsification, in ?accordance with statutory, regulatory, contractual and ?business requirement.?
273Compliance with legal requirementsProtection Of Organizational RecordsWhether consideration is given to possibility of ?deterioration of media used for storage of records.?
274Compliance with legal requirementsPrevention of misuse of information processing facilitiesWhether data protection and privacy is ensured as per ?relevant legislation, regulations and if applicable as per ?the contractual clauses. ?
275Compliance with legal requirementsPrevention of misuse of information processing facilitiesWhether a log-on a warning message is presented on ?the computer screen prior to log-on. Whether the user ?has to acknowledge the warning and react ?appropriately to the message on the screen to continue ?with the log-on process.
276Business Continuity ManagementPlanning of information securityWhether internal procedures are developed and followed when collecting and presenting evidence for the purpose of disciplinary action within the organization
277Business Continuity ManagementPlanning of information securityIs there a IT Disaster Recovery Management (IT DR) framework to improve the resiliency of the organization and ensure availability of the IT systems supporting the business operations ?
278Business Continuity ManagementImplementing the information continuityAre there any processes, procedures and controls in place to ensure the required level of continuity for critical services and processes during a disaster / disruptive events ?
279Business Continuity ManagementBusiness Continuity RisksIs Business Impact Analysis and Business Continuity Risk Assessment done for the BU / Department / Concept / Corporate in consideration with RTO & RPO?
280Business Continuity ManagementBusiness Continuity RisksWhether Business continuity plans are tested regularly to ensure that they are up to date and effective.
281Business Continuity ManagementBusiness Continuity RisksWhether Business continuity plans were maintained by regular reviews and updates to ensure their continuing effectiveness
282Business Continuity ManagementVerify & review & evaluate information security continuityHas any third party evaluated DR Program in the past 12 months?
283Business Continuity ManagementVerify & review & evaluate information security continuityIs there a DR test plan
284Business Continuity ManagementPlanning of information securityHas Annual management review of the DR program for adequacy of resources (people, technology, facilities, and funding) conducted?
285Business Continuity ManagementAvailability of information processing facilityIs the disaster recovery site located in a different geographical location?
286Business Continuity ManagementImplementing the information continuityIs the incident response personnel identified with necessary responsibility, authority & competence to manage an incident & are the same communicated to the concerned personnel?
287Business Continuity ManagementPlanning of information securityAre there detailed recovery procedures (applications, Infrastructure components) documented for an effective recovery of the business applications ?
288ComplianceInformation security co-ordinationIs there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues?
289ComplianceCompliance with legal and contractual requirementsAre audits performed to ensure compliance with any legal, regulatory or industry requirements?
290ComplianceIntellectual Property Rights (Pier)Are there procedures to ensure compliance with legislative, regulatory, and contractual requirements on the use of material where intellectual property rights may be applied and on the use of proprietary software products?
291ComplianceProtection Of Organizational RecordsIs there a records retention policy covering paper and electronic records, including email, in support of applicable regulations, standards and contractual requirements?
292ComplianceCompliance With Security Policies And StandardsWhether managers ensure that all security procedures ?within their area of responsibility are carried out ?correctly to achieve compliance with security policies ?and standards.
293ComplianceCompliance With Security Policies And StandardsDo managers regularly review the compliance of ?information processing facility within their area of ?responsibility for compliance with appropriate security ?policy and procedure
294ComplianceTechnical Compliance CheckingWhether information systems are regularly checked for ?compliance with security implementation standards. ?
295ComplianceInformation systems audit considerations - Information systems audit controlIs there an independent audit function within the organization?
296ComplianceInformation systems audit considerations - Information systems audit controlWhether audit requirements and activities involving ?checks on operational systems should be carefully ?planned and agreed to minimize the risk of disruptions ?to business process. ?
297ComplianceInformation systems audit considerations - Information systems audit controlWhether the audit requirements, scope are agreed with ?appropriate management.?
298ComplianceInformation systems audit considerations - Protection Of Information Systems Audit ToolsAre any information systems audit tools (e.g., software or data files) accessible to any users in any unprotected area?
299ComplianceInformation systems audit considerations - Protection Of Information Systems Audit ToolsWhether access to information system audit tools such ?as software or data files are protected to prevent any ?possible misuse or compromise.
300CompliancePrivacy and protection of personally identifiable informationIs there a policy implemented for privacy and protection of personally identifiable information developed and implemented? IS this policy communicated to all persons involved in the processing of personally identifiable information?
301ComplianceCompliance with security policies and standardsIs regular compliance review of any system, service, or infrastructure, or any physical location and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements done? Has a review of security policies, standards, procedures, and/or guidelines been performed within the last 12 months?
302ComplianceTechnical compliance reviewAre Information systems regularly reviewed for compliance with the organization’s information security policies and standards? Has a network penetration test been conducted within the last 12 months?
303Compliance with legal requirementsIdentification of applicable legislationWhether all relevant statutory, regulatory, contractual ?requirements and organizational approach to meet the ?requirements were explicitly defined and documented ?for each information system and organization.
304Compliance with legal requirementsIdentification of applicable legislationWhether specific controls and individual ?responsibilities to meet these requirements were ?defined and documented.?
305Cloud SecurityDoes the cloud hosting policy ensure that critical business records are maintained within India
306Cloud SecurityDoes the policy cover security requirements for data and systems hosted on cloud services?
307Cloud SecurityDo changes to cloud-based systems follow the change management policy?