t2944683

1 Security Policy

1.1) Is your Information Security Policies aligned with one or more industry standards, such as ISO 27001/2, NIST, HIPAA Security, etc.?*

	Yes	Planned to Implement	No

1 Security Policy
1.2) Is your Company-wide Computers, Network and Information Security policy been approved by the Board of Directors (industry regulation such as GLBA) and/or by executive management? *

	I am sure	I think so	May be	No idea	Not at all
1.2

1 Security Policy

1.3) Is the Information Security Policy specify "Acceptable Use" of Computers , Network resources, E-mail and Internet?*

	Well defined , highlighting mandatory prohibitions / unauthorized distribution of confidential material	Most defined	Somewhat defined	Not at all	Not sure

1 Security Policy
1.4) Is your Information Security Policy supported with set of :

1. Approved standards

2. Guidelines and procedures *

	Well-developed with periodic review	Mostly designed to facilitate compliance	Somewhat defined	Not at all	Not sure
1.4

2 Security Organization
2.1) Is there a documentation describing the following:

Report (A-B) Publish the Documents ( C - D)

A. Inventory of assets

B. Identifies the owner and prioritizes information classification program

C. Corporate Intranet

D. Employee handbook *

	Fully Identified / documented	Mostly Identified	Somewhat Identified	Not at all	Not sure
2.1

2 Security Organization

2.2) Who is responsible for Enterprise-Wide Info Security Strategy and Operational Compliance?*

	Assigned Full-time Senior Manager	Assigned Part-time Senior Manager	When required	Not assigned	Not sure

2 Security Organization

2.3) Who assists the Information Security Manager in carrying out the Compliance operations?*

	Departments with dedicated Information Security employees	Departments with dedicated/Non-dedicated Information Security employees	Departments with Non-dedicated Information Security employees	Not assigned	Not sure

3 Information Asset and Classification Control

	Well defined	Mostly defined	Somewhat defined	Not sure
3.1) Is there a program focusing on Information classification at different levels of Security: Business critical or data sensitivity of a given asset?
3.2) Is there a effective procedures for: 1 Labeling and handling 2 Data transmission 3 Storage and destruction of information assets?

4 Personal Security

4.1) All prospective new hires are checked to identify the existence of criminal records, satisfactory credit, proof of education and past employment?*

	A through formal background checks are conducted on proof submitted by an Individual	Well established Procedure in Place , but there is room for improvement in the policy	Somewhat established	Adhoc / Inconsistent	Not Sure

6 Communication and Operation Management
6.1) Is firewall technology used to prevent unauthorized access to and from internal networks and external networks?*
6.2) Is sensitive customer information encrypted when it is transmitted over networks and when stored within local databases or files? *
6.3) Does your Organization conducts an operational change control process to systems, applications, network components, telecommunication facilities, and accessibility to/from Internet?*
6.4) Does IT management carry out capacity planning and system acceptance procedures for systems and applications, and do these tasks incorporate Info Security team/management participation?*
6.5) Are documentation available for System backup and recovery procedures and performed according to a timely manner ?*
6.6) Is at least one complete set of backups stored off site and in a secure location?*
6.7) Are anti-virus and malware prevention solutions utilized on internal servers, workstations, and laptops?*

7 Access Control
7.1) Is documentation of access control policy/standard in place for all production computer systems and applications?*
7.2) Are documentation and procedures in place for User account registration, access rights, password management, with effective enforcement by business/IT managers?*
7.3) Do you enforce a password composition and change standards that requires at least 8 characters, with alphanumeric and special characters ?*
7.4) Are access controls monitored through event-log with manual or automated reviews for audit compliance and detection of unauthorized/inappropriate access activity?*
7.5) Are remote workstation/laptop users properly authenticated before being connecting to internal networks and systems via (VPNs) ?*
7.6) If employees access systems/applications through mobile/smart devices from remote locations, is there an effective mobile device management (MDM) policy , and enforcement solutions in place?*

User Type*
Organization type*
Name*

First NameLast Name
Email*
example@example.com
Phone Number*
Matayo_email
Should be Empty:

	Regular and Consistent	Well established but room for improvement	Somewhat established	Adhoc / Inconsistent	Not sure
2.4) Does the Organization conduct regular Information Security audits?
2.5) Does the team assume responsibility for conducting proactive research on evolving threats that may impact the Organization?

	All employees are formally trained and instructed	Mostly defined both upon hire and again on a periodic basis thereafter	Somewhat defined	Not at all	Not sure
4.2) Is the responsibilities with respect to reporting security incidents and other “due care” tasks?
4.3) Is there disciplinary process that may be enforced against them because of disregarding the Security policies and procedures?

	Extensively Protected	Slightly Protected	May be Protected	Unprotected	Not sure
5.1) Does the Organization maintain a physical security perimeter around all IT processing: 1 Minimize the opportunity for unauthorized entry? 2 Records the entry/exit of employees and authorized visitors?
5.2) Is the servers, network components protected by uninterruptible power supply( UPS ), fire suppression equipment

	Periodically Tested	Tested ( Gaps Exits)	Adhoc	Not followed timeline	Not sure
5.3) Are all servers, core network components are covered under maintenance plans ?
5.4) Has Risk Assessment been performed on all IT Infrastructure facility to take into account of unforeseen events?

	Regular and Consistent	Well established but room for improvement	Somewhat established	Adhoc / Inconsistent	Not sure
8.1) Does your application development process make use of multi-stage, code promotion procedures in order to segregate development from production facilities?
8.2) Does your organization make use of applications for source code version control, quality assurance testing, and/or bug tracking for development activities?
8.3) Do in-house developers and their managers receive training on secure coding practices, through the Open Web Application Security Project (OWASP)

1 Security Policy

1 Security Policy

1 Security Policy

1 Security Policy

2 Security Organization

2 Security Organization

2 Security Organization

2 Security Organization

3 Information Asset and Classification Control

4 Personal Security

4 Personal Security

5 Physical & Environment Security

5 Physical & Environment Security

6 Communication and Operation Management

7 Access Control

8 System Development and Maintenance

9 Disaster Recovery and BCP

10 Privacy

	Annually	Semi-Annually	Adhoc	When required	Not sure
9.1) Are emergency business continuity plans and disaster recovery plans are fully documented and updated?
9.2) Are the disaster recovery plans for data centers, servers, applications, and services tested ?
9.3) Do you conduct or engage qualified vendors to perform regular vulnerability scanning and penetration testing(Firewalls, external routers, remote access servers, etc.)?

	Internal Employees	3rd Party Service Providers	External Customers
10.1) Signed Forms
10.2) Orientation Training
10.3) CBTP & Quiz
10.4) Personal Identification Information PII/PCI/PHI
10.5) Signature of Confidentiality and non-disclosure agreements
10.6) Agreements on disciplinary penalties and/or possible civil/criminal prosecution for violations