Self Assessment MASTER v7.0

Columns of the original worksheet: Primary Security Domain | COBIT 4.0 Control Objective | ISO 27001/17799 | ISO 20000/ITIL Reference | Question Number | Question (Control Objective), Business Staff | Question Number (cross-reference to the IT Staff question list, which begins on page 7). Each worksheet row is rendered below as one record; rows with no business staff question exist only for the IT staff list.

Business staff question: 1 | IT staff question: 1 | Domain: I. Security Policy
  COBIT 4.0: PO6 Communicate Management Aims and Direction; PO4.14 Contracted Staff Policies and Procedures
  ISO 27001/17799: 3.1 Information Security Policy; 4.1 Information Security Infrastructure
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls c)
  Question: Are you and members of your department aware of information security policies, and have you been provided with any type of awareness training or ongoing communications?

Business staff question: 2 | IT staff question: 2 | Domain: I. Security Policy
  COBIT 4.0: PO6 Communicate Management Aims and Direction; PO4.14 Contracted Staff Policies and Procedures
  ISO 27001/17799: 3.1 Information Security Policy; 4.1 Information Security Infrastructure
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls c)
  Question: For policies that have been provided, are they supported and enforced by your department's leadership?

Business staff question: 3 | IT staff question: 3 | Domain: I. Security Policy
  COBIT 4.0: M1 Monitor the Processes (1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting); M2 Assess Control Adequacy (2.1 Internal Control Monitoring)
  ISO 27001/17799: 12.2 Reviews of Security Policy and Technical Compliance
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,e)
  Question: Is there a process in place to review employee compliance with organizational policies?

Business staff question: none | IT staff question: 3.1 | Domain: I. Security Policy
  COBIT 4.0: M1 Monitor the Processes (1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting); M2 Assess Control Adequacy
  ISO 27001/17799: 12.2 Reviews of Security Policy and Technical Compliance
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,e)

Business staff question: 4 | IT staff question: 4 | Domain: I. Security Policy
  COBIT 4.0: M1 Monitor the Processes (1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting); M2 Assess Control Adequacy (2.1 Internal Control Monitoring)
  ISO 27001/17799: 12.2 Reviews of Security Policy and Technical Compliance
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,e)
  Question: Has your department or its employees ever requested an exception from policy items?

Business staff question: 4.1 | IT staff question: 4.1 | Domain: I. Security Policy
  COBIT 4.0: M1 Monitor the Processes (1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting); M2 Assess Control Adequacy (2.1 Internal Control Monitoring)
  ISO 27001/17799: 12.2 Reviews of Security Policy and Technical Compliance
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,e)
  Question: Are you familiar with the University's Risk Acceptance Process?

Business staff question: 5 | IT staff question: none | Domain: I. Security Policy
  COBIT 4.0: 11.18 Protection of Disposed Sensitive Information; 11.26 Archiving
  ISO 27001/17799: 5.2.2 Information labeling and handling
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)
  Question: Do policies and procedures exist for the handling of paper copy documents?

Business staff question: 6 | IT staff question: none | Domain: I. Security Policy
  COBIT 4.0: 11.27 Protection of Sensitive Messages
  ISO 27001/17799: 3 Security Policy; 6.2.1 Information security education and training
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.6 Controls (a,c,e)
  Question: Are you aware of email and Internet acceptable usage policies?

Business staff question: 7 | IT staff question: 5 | Domain: II. Organizational Security
  COBIT 4.0: PO1 Define a Strategic IT Plan; PO4.11 IT Staffing
  ISO 27001/17799: 4.1 Information Security Infrastructure
  ISO 20000/ITIL: 4 Planning and Implementing Service Management
  Question: Does your department collaborate with the IT department for purposes of strategic planning?

Business staff question: 8 | IT staff question: 6 | Domain: II. Organizational Security
  COBIT 4.0: 4.2 Organizational Placement of the IT Function; 4.4 Roles and Responsibilities; 4.6 Responsibility for Logical and Physical Security
  ISO 27001/17799: 4.1 Information Security Infrastructure; 6.11 Including Security in Responsibilities; 8.1 Operational procedures and responsibilities
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,d)
  Question: Are members of your department assigned responsibilities for information security, and if so, do they have specific directives for protecting critical information?

Fusion Alliance, Inc. , University of Cincinnati Confidential 11/22/2014 Page 1

Business staff question: 9 | IT staff question: 7 | Domain: II. Organizational Security
  COBIT 4.0: PO7 Manage Human Resources (7.1 Personnel Recruitment and Promotion; 7.2 Personnel Qualifications; 7.5 Cross-training or Staff Backup; 7.6 Personnel Clearance Procedures)
  ISO 27001/17799: 6.1 Personnel Security
  ISO 20000/ITIL: 3.3.2 Professional Development a) Recruitment
  Question: Are background and reference checks performed and verified during the recruiting and hiring processes?

Business staff question: none | IT staff question: 8 | Domain: II. Organizational Security
  COBIT 4.0: PO7 Manage Human Resources (7.1 Personnel Recruitment and Promotion; 7.2 Personnel Qualifications; 7.5 Cross-training or Staff Backup; 7.6 Personnel Clearance Procedures)
  ISO 27001/17799: 6.1 Personnel Security
  ISO 20000/ITIL: 3.3 Competence, Awareness, and Training

Business staff question: none | IT staff question: 9 | Domain: II. Organizational Security
  COBIT 4.0: PO7 Manage Human Resources (7.1 Personnel Recruitment and Promotion; 7.2 Personnel Qualifications; 7.5 Cross-training or Staff Backup)
  ISO 27001/17799: 6.1 Personnel Security
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Business staff question: none | IT staff question: 10 | Domain: II. Organizational Security
  COBIT 4.0: DS2 Manage Third-party Services (2.4 Third-party Qualifications; 2.5 Outsourcing Contracts)
  ISO 27001/17799: 4.3 Outsourcing; 4.3.1 Security requirements in outsourcing contracts
  ISO 20000/ITIL: 7.3 Supplier Management (See ISO 27001 mapping for additional details)

Business staff question: 10 | IT staff question: 11 | Domain: II. Organizational Security
  COBIT 4.0: DS2 Manage Third-party Services (2.6 Continuity of Services; 2.7 Security Relationships)
  ISO 27001/17799: 4.3 Outsourcing; 4.3.1 Security requirements in outsourcing contracts; 4.2, 4.3, 6.1, 6.3, 8.1, 8.7, 10.5
  ISO 20000/ITIL: 7.3 Supplier Management; 6.6.3 Security Risk Assessment Practices
  Question: Does your department include information security requirements in contracts with third parties that handle or change sensitive data or systems?

Business staff question: none | IT staff question: 12 | Domain: II. Organizational Security
  COBIT 4.0: DS5 Ensure Systems Security (5.13 Counterparty Trust)
  ISO 27001/17799: 4.2.2 Security requirements in third party contracts; 4.3 Outsourcing; 4.3.1 Security requirements in outsourcing contracts
  ISO 20000/ITIL: 7 Relationship Process; 7.3 Supplier Management; 7.3.2 Contract Management

Business staff question: 11 | IT staff question: 13 | Domain: III. Asset Classification and Control
  COBIT 4.0: PO2.3 Data Classification Scheme; PO4.7 Ownership and Custodianship; PO4.8 Data and System Ownership
  ISO 27001/17799: 5.2 Information Classification
  ISO 20000/ITIL: 6.6.2 Identifying and Classifying Information Assets
  Question: Do you know which of the data items in your department need to be protected? Do you have a way of identifying this data that is different from the words and vocabulary you use to identify data that does not need to be secured?

Business staff question: 12 | IT staff question: 14 | Domain: III. Asset Classification and Control
  COBIT 4.0: PO2.3 Data Classification Scheme
  ISO 27001/17799: 5.2 Information Classification
  ISO 20000/ITIL: 6.6.2 Identifying and Classifying Information Assets
  Question: Do you know which computer systems in your department are used to process or store critical or private data? Are you aware of any mechanism to document such systems?

Business staff question: 13 | IT staff question: 15 | Domain: III. Asset Classification and Control
  COBIT 4.0: PO4.8 Data and System Ownership
  ISO 27001/17799: 3 Security Policy; 7.2.5 Security of equipment off-premises; 8.7.2 Security of media in transit; 9.8.1 Mobile computing
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)
  Question: Have you worked with members of the IT department to map out information flows into and out of the organization?

Business staff question: 13.1 | IT staff question: 15.1 | Domain: III. Asset Classification and Control
  COBIT 4.0: PO8 Ensure Compliance with External Requirements (8.4 Privacy, Intellectual Property and Data Flow)
  ISO 27001/17799: 3 Security Policy; 7.2.5 Security of equipment off-premises; 8.7.2 Security of media in transit; 9.8.1 Mobile computing
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)
  Question: Have you worked with members of the IT department to map out systems movement (such as mobile devices) into and out of the organization?

Business staff question: 14 | IT staff question: none | Domain: III. Asset Classification and Control
  COBIT 4.0: PO7 Manage Human Resources (7.8 Job Change and Termination); PO4.8 Data and System Ownership
  ISO 27001/17799: 7.2.5 Security of equipment off-premises; 8.7.2 Security of media in transit; 9.8.1 Mobile computing
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)
  Question: Do you have the ability to track information, mobile or storage devices in the possession of employees, and to ensure safe return of those items upon employee termination?

Business staff question: none | IT staff question: 16 | Domain: III. Asset Classification and Control
  COBIT 4.0: DS9 Manage the Configuration (9.1 Configuration Recording; 9.3 Status Accounting; 9.4 Configuration Control; 9.8 Software Accountability)
  ISO 27001/17799: 10.4.1 Control of operational software; 10.5.2 Technical review of operating system changes; 7.2 Equipment Security
  ISO 20000/ITIL: 9.1 Configuration Management; 9.1.4 Configuration Status Accounting and Reporting

Business staff question: 15 | IT staff question: 17 | Domain: IX. Access Control
  COBIT 4.0: DS5 Ensure Systems Security (5.3 Security of Online Access to Data; 5.4 User Account Management)
  ISO 27001/17799: 9.1 Business Requirement for Access Control
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.7 Documents and Records d) control over access to information, assets, and systems
  Question: Do you provide IT with access requirements to information, data, and applications in use by your department?

Business staff question: 16 | IT staff question: 18 | Domain: IX. Access Control
  COBIT 4.0: DS5 Ensure Systems Security (5.4 User Account Management; 5.5 Management Review of User Accounts; 5.21 Protection of Electronic Value)
  ISO 27001/17799: 9.2 User Access Management; 9.2.1 User registration; 9.2.4 Review of user access rights
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.7 Documents and Records d) control over access to information, assets, and systems
  Question: Is a new-employee or terminated-employee process in place to add or remove employees' access to key systems and data?

Business staff question: 17 | IT staff question: none | Domain: IX. Access Control
  COBIT 4.0: DS5 Ensure Systems Security (5.2 Identification, Authentication and Access; 5.4 User Account Management; 5.5 Management Review of User Accounts; 5.6 User Control of User Accounts)
  ISO 27001/17799: 9.2.3 User password management
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.7 Documents and Records d) control over access to information, assets, and systems
  Question: Are you aware of requirements for the complexity or length of your password?

Business staff question: 18 | IT staff question: none | Domain: IX. Access Control
  COBIT 4.0: DS5 Ensure Systems Security (5.2 Identification, Authentication and Access; 5.4 User Account Management; 5.5 Management Review of User Accounts; 5.6 User Control of User Accounts)
  ISO 27001/17799: 9.2.3 User password management
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.7 Documents and Records d) control over access to information, assets, and systems
  Question: Do you change your password often?

Business staff question: 19 | IT staff question: none | Domain: IX. Access Control
  COBIT 4.0: DS5 Ensure Systems Security (5.2 Identification, Authentication and Access; 5.4 User Account Management; 5.5 Management Review of User Accounts; 5.6 User Control of User Accounts)
  ISO 27001/17799: 5.2.2 Information labeling and handling; 9.2 User Access Management
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.7 Documents and Records d) control over access to information, assets, and systems
  Question: Do you ever utilize a password or user ID that is shared between multiple employees?

Business staff question: 20 | IT staff question: none | Domain: IX. Access Control
  COBIT 4.0: DS5 Ensure Systems Security (5.2 Identification, Authentication and Access; 5.4 User Account Management; 5.5 Management Review of User Accounts; 5.6 User Control of User Accounts)
  ISO 27001/17799: 5.2.2 Information labeling and handling; 9.2 User Access Management
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.7 Documents and Records d) control over access to information, assets, and systems
  Question: Do you use accounts that have system administrator rights only in special situations, such as when installing software or configuring your system?

Business staff question: 21 | IT staff question: 19 | Domain: V. Physical and Environmental Security
  COBIT 4.0: DS12 Manage Facilities (12.1 Physical Security)
  ISO 27001/17799: 7.1 Secure Areas; 7.2 Equipment Security
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)
  Question: Is access to your work areas or facilities controlled, monitored, and recorded?

Business staff question: 22 | IT staff question: 20 | Domain: VI. Equipment Security
  COBIT 4.0: PO6 Communicate Management Aims and Direction (6.3 Communication of Organization Policies; 6.6 Compliance with Policies, Procedures and Standards; 6.11 Communication of IT Security Awareness); PO8 Ensure Compliance with External Requirements (8.4 Privacy, Intellectual Property and Data Flow); DS7 Educate and Train Users
  ISO 27001/17799: 9.8.1 Mobile computing
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)
  Question: Do employees in your department understand the requirements to protect mobile devices that contain sensitive or critical data?

Business staff question: 23 | IT staff question: 21 | Domain: VII. General Controls
  COBIT 4.0: PO9 Assess Risks (9.1 Business Risk Assessment; 9.3 Risk Identification); DS5 Ensure Systems Security (5.8 Data Classification)
  ISO 27001/17799: 4.2.1 Identification of risks from third party access; 12.3 System Audit Considerations; 12.3.1 System audit controls
  ISO 20000/ITIL: 6.6.3 Security Risk Assessment Practices; 6.6.4 Risks to Information Assets
  Question: Has your department worked with the IT or Information Security department to identify risks to key systems and data for your department?

Business staff question: none | IT staff question: 22 | Domain: VII. General Controls
  COBIT 4.0: PO9 Assess Risks (9.5 Risk Action Plan); AI1 Identify Automated Solutions (1.9 Cost-effective Security Controls); DS7 Educate and Train Users
  ISO 27001/17799: 4.2.1 Identification of risks from third party access; 12.3 System Audit Considerations; 12.3.1 System audit controls
  ISO 20000/ITIL: 6.6.3 Security Risk Assessment Practices; 6.6.4 Risks to Information Assets

Business staff question: none | IT staff question: 23 | Domain: VII. General Controls
  COBIT 4.0: AI1 Identify Automated Solutions (1.1 Definition of Information Requirements)
  ISO 27001/17799: No direct mapping (See COBIT mapping for additional details)
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See COBIT Mapping for additional details)

Business staff question: 24 | IT staff question: 24 | Domain: VII. General Controls
  COBIT 4.0: DS11 Manage Data (11.1 Data Preparation Procedures; 11.2 Source Document Authorization Procedures; 11.3 Source Document Data Collection; 11.4 Source Document Error Handling; 11.7 Accuracy, Completeness and Authorization Checks; 11.8 Data Input Error Handling; 11.9 Data Processing Integrity; 11.10 Data Processing Validation and Editing; 11.11 Data Processing Error Handling; 11.14 Output Balancing and Reconciliation; 11.15 Output Review and Error Handling; 11.27 Protection of Sensitive Messages; 11.29 Electronic Transaction Integrity)
  ISO 27001/17799: 8.7.3 Electronic commerce security; 10.2 Security in Application Systems; 10.3 Cryptographic Controls
  ISO 20000/ITIL: 9.1.3 Configuration Control; 10.1.5 Design, Build and Configure Release b) ensure the integrity is maintained during build, installation, packaging, and delivery
  Question: Are automated or manual processes in place to ensure the accuracy, validity, and non-repudiation of transactions in your department?

Business staff question: none | IT staff question: 25 | Domain: VII. General Controls
  COBIT 4.0: M1 Monitor the Processes (1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting); M2 Assess Control Adequacy (2.1 Internal Control Monitoring)
  ISO 27001/17799: 12.2 Reviews of Security Policy and Technical Compliance
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.3 Security Risk Assessment Practices

Business staff question: none | IT staff question: 26 | Domain: VII. General Controls
  COBIT 4.0: M3 Obtain Independent Assurance (3.3 Independent Effectiveness Evaluation of IT Services; 3.4 Independent Effectiveness Evaluation of Third-party Service Providers; 3.5 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments; 3.6 Independent Assurance of Compliance with Laws and Regulatory Requirements by Third-party Service Providers; 3.7 Competence of Independent Assurance Function)
  ISO 27001/17799: No relevant mapping
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls f) Expert help on risk assessment and control implementation

Business staff question: 25 | IT staff question: 27 | Domain: VII. General Controls
  COBIT 4.0: 11.18 Protection of Disposed Sensitive Information
  ISO 27001/17799: 5.2.2 Information labeling and handling
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)
  Question: Does your organization have a secure disposal process for paper copy documents containing sensitive information?

Business staff question: 26 | IT staff question: 28 | Domain: VII. General Controls
  COBIT 4.0: 11.18 Protection of Disposed Sensitive Information
  ISO 27001/17799: 5.2.2 Information labeling and handling
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.5 Security and Availability of Information a) disclosure of sensitive information to unauthorized parties; 6.6.6 Controls f) Expert help on risk assessment and control implementation
  Question: Have you ever had to disclose a loss or leak of sensitive information to a student?

Business staff question: 27 | IT staff question: none | Domain: VII. General Controls
  COBIT 4.0: 11.26 Archiving; 11.27 Protection of Sensitive Messages
  ISO 27001/17799: 8.7.4 Security of electronic mail
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)
  Question: Do you know how long your email is retained?

Business staff question: 28 | IT staff question: none | Domain: VII. General Controls
  COBIT 4.0: 11.26 Archiving; 11.27 Protection of Sensitive Messages
  ISO 27001/17799: 8.7.4 Security of electronic mail
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)
  Question: Do you archive email, and if so, where do you store the archive?

Business staff question: none | IT staff question: 29 | Domain: VIII. Communications & Operations Management
  COBIT 4.0: PO9 Assess Risks; AI3-3.6 Acquire and Maintain Technology Infrastructure; PO11 Manage Quality
  ISO 27001/17799: 10 Systems Development and Maintenance; 8.1.5 Separation of development and operational facilities
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Business staff question: 29 | IT staff question: 30 | Domain: VIII. Communications & Operations Management
  COBIT 4.0: AI4 Develop and Maintain Procedures (4.2 User Procedures Manual; 4.3 Operations Manual; 4.4 Training Materials); DS7 Educate and Train Users (7.1 Identification of Training Needs)
  ISO 27001/17799: 6.2 User Training
  ISO 20000/ITIL: 3.3 Competence, Awareness, and Training; 3.3.1 General; 3.3.2 Professional Development
  Question: Are information security related procedures integrated into work procedures, and are employees in your department provided any security awareness training?

Business staff question: 30 | IT staff question: 31 | Domain: VIII. Communications & Operations Management
  COBIT 4.0: DS5 Ensure Systems Security (5.19 Malicious Software Prevention, Detection and Correction)
  ISO 27001/17799: 8.3 Protection against Malicious Software
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)
  Question: Do all of your systems have antivirus and antispyware software, and do employees ever disable or remove the software?

Business staff question: 30.1 | IT staff question: 31.1 | Domain: VIII. Communications & Operations Management
  COBIT 4.0: DS5 Ensure Systems Security (5.19 Malicious Software Prevention, Detection and Correction)
  ISO 27001/17799: 8.3 Protection against Malicious Software
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)
  Question: If you answered yes to question 30, do employees ever disable or remove the software?

Business staff question: none | IT staff question: 32 | Domain: X. Systems Development and Maintenance
  COBIT 4.0: AI3 Acquire and Maintain Technology Infrastructure (3.1 Assessment of New Hardware and Software); DS8 Assist and Advise Customers; PO11 Manage Quality (11.9 Acquisition and Maintenance Framework for the Technology Infrastructure)
  ISO 27001/17799: 10.1 Security Requirements of Systems; 10.1.1 Security requirements analysis and specification
  ISO 20000/ITIL: 7.3 Supplier Management

Business staff question: none | IT staff question: 33 | Domain: X. Systems Development and Maintenance
  COBIT 4.0: PO9 Assess Risks (9.1 Business Risk Assessment; 9.3 Risk Identification); AI3-3.6 Acquire and Maintain Technology Infrastructure; PO11 Manage Quality (11.9 Acquisition and Maintenance Framework for the Technology Infrastructure)
  ISO 27001/17799: 8.1.2 Operational change control; 10.5.1 Change control procedures; 10.1 Security Requirements of Systems; 10.1.1 Security requirements analysis and specification; 12.3.1 System audit controls
  ISO 20000/ITIL: 6.6.3 Security Risk Assessment Practices

Business staff question: none | IT staff question: 34 | Domain: X. Systems Development and Maintenance
  COBIT 4.0: PO9 Assess Risks; AI3-3.6 Acquire and Maintain Technology Infrastructure; PO11 Manage Quality
  ISO 27001/17799: 10 Systems Development and Maintenance
  ISO 20000/ITIL: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Business staff question: none | IT staff question: 35 | Domain: X. Systems Development and Maintenance
  COBIT 4.0: AI5 Install and Accredit Systems (5.7 Testing of Changes; 5.11 Operational Test; 5.12 Promotion to Production)
  ISO 27001/17799: 8.2 System Planning and Acceptance; 8.1.5 Separation of development and operational facilities
  ISO 20000/ITIL: 10 Release Process; 10.1.2 Release Policy c) authority of release into acceptance test and production environments

Business staff question: 32 | IT staff question: 36 | Domain: X. Systems Development and Maintenance
  COBIT 4.0: AI5 Install and Accredit Systems (5.9 Final Acceptance Test; 5.13 Evaluation of Meeting User Requirements; 5.14 Management's Post-implementation Review)
  ISO 27001/17799: 8.2.2 System acceptance
  ISO 20000/ITIL: 10 Release Process; 10.1.2 Release Policy g) verification and acceptance of release
  Question: Does your department review and accept new technology system functionality, and is information security a component of the review and acceptance process?

Business staff question: 33 | IT staff question: 37 | Domain: X. Systems Development and Maintenance
  COBIT 4.0: AI5 Install and Accredit Systems (5.7 Testing of Changes); AI6 Manage Changes (6.4 Emergency Changes)
  ISO 27001/17799: 8.1.2 Operational change control; 10.5 Security in Development and Support Processes; 10.5.1 Change control procedures; 10.5.2 Technical review of operating system changes; 10.5.3 Restrictions on changes to software packages
  ISO 20000/ITIL: 10 Release Process; 10.1.2 Release Policy c) authority of release into acceptance test and production environments, g) verification and acceptance of release; 9.2 Change Management
  Question: Do you review or test any changes to your systems and applications prior to the IT department implementing those changes?

Business staff question: none | IT staff question: 38 | Domain: X. Systems Development and Maintenance
  COBIT 4.0: AI5 Install and Accredit Systems (5.7 Testing of Changes); AI6 Manage Changes (6.4 Emergency Changes)
  ISO 27001/17799: 8.1.2 Operational change control; 10.5 Security in Development and Support Processes; 10.5.1 Change control procedures; 10.5.2 Technical review of operating system changes; 10.5.3 Restrictions on changes to software packages
  ISO 20000/ITIL: 9.2 Change Management; 9.2.4 Change management reporting, analysis, and actions

Business staff question: 34 | IT staff question: 39 | Domain: XI. Business Continuity
  COBIT 4.0: DS4 Ensure Continuous Service (4.2 IT Continuity Plan Strategy and Philosophy; 4.4 Minimizing IT Continuity Requirements; 4.10 Critical IT Resources); DS10 Manage Problems and Incidents (10.1 Problem Management System; 10.2 Problem Escalation); DS12 Manage Facilities (12.6 Uninterruptible Power Supply)
  ISO 27001/17799: 11 Business Continuity Management; 11.1.2 Business continuity and impact analysis
  ISO 20000/ITIL: 6.3 Service Continuity and Availability Management; 6.3.4 Service Continuity Planning and Testing
  Question: Has your department worked with the IT or Information Security department to identify the core systems, applications, and information in order to determine the impact to the department in the event of unavailability, loss, theft, or disclosure?

Business staff question: none | IT staff question: 40 | Domain: XI. Business Continuity
  COBIT 4.0: DS4 Ensure Continuous Service (4.2 IT Continuity Plan Strategy and Philosophy; 4.4 Minimizing IT Continuity Requirements; 4.10 Critical IT Resources); DS10 Manage Problems and Incidents (10.1 Problem Management System; 10.2 Problem Escalation); DS12 Manage Facilities (12.6 Uninterruptible Power Supply)
  ISO 27001/17799: 11 Business Continuity Management; 11.1.3 Writing and implementing continuity plans; 11.1.4 Business continuity planning framework
  ISO 20000/ITIL: 6.3 Service Continuity and Availability Management; 6.3.4 Service Continuity Planning and Testing

Business staff question: 35 | IT staff question: 41 | Domain: XI. Business Continuity
  COBIT 4.0: DS4 Ensure Continuous Service (4.3 IT Continuity Plan Contents; 4.9 User Department Alternative Processing Backup Procedures)
  ISO 27001/17799: 11 Business Continuity Management; 11.1.3 Writing and implementing continuity plans
  ISO 20000/ITIL: 6.3 Service Continuity and Availability Management; 6.3.3 Service Continuity Strategy a) maximum acceptable period of lost service
  Question: Does your department have requirements for timeframes to recover each of the core systems, applications, or information that affect the department's operations?

Business staff question: 36 | IT staff question: 42 | Domain: XI. Business Continuity
  COBIT 4.0: DS4 Ensure Continuous Service (4.2 IT Continuity Plan Strategy and Philosophy; 4.10 Critical IT Resources); DS10 Manage Problems and Incidents (10.1 Problem Management System; 10.2 Problem Escalation)
  ISO 27001/17799: 11.1 Aspects of Business Continuity Management; 11.1.3 Writing and implementing continuity plans
  ISO 20000/ITIL: 6.3 Service Continuity and Availability Management; 6.3.4 Service Continuity Planning and Testing
  Question: Are you aware of procedures or contact listings in the event of a disaster involving your facility and IT systems?

Page 6: Self Assessment MASTER v7.0

Primary Security Domain COBIT 4.0 Control Objective ISO 27001/17799 ISO 20000/ITIL ReferenceQuestion

NumberQuestion (Control Objective) Business Staff

Question

Number

XI. Business Continuity DS4 Ensure Continuous Service

4.3 IT Continuity Plan Contents

4.9 User Department Alternative Processing Backup

Procedures

11.1 Aspects of Business Continuity

Management

11.1.5 Testing, maintaining and re-

assessing business continuity plans

6.3 Service Continuity and Availability

Management

6.3.4 Service Continuity Planning and Testing

37 Has your department been involved with any testing of disaster

plans?

43

XI. Business Continuity DS4 Ensure Continuous Service

4.6 Testing the IT Continuity Plan

4.12 Offsite Backup Storage

DS11 Manage Data

11.23 Backup and Restoration

11.24 Backup Jobs

11.25 Backup Storage

8.4 Housekeeping

8.4.1 Information back-up

11.1 Aspects of Business Continuity

Management

6.3 Service Continuity and Availability

Management

6.3.4 Service Continuity Planning and Testing

38 Do employees in your department have access to store files on

network folders that are backed up on a daily basis? If so, have

you been able to successfully restore data when required?

44

XII. Compliance | PO8 Ensure Compliance with External Requirements; 8.1 External Requirements Review; 8.2 Practices and Procedures for Complying with External Requirements; 8.3 Safety and Ergonomic Compliance; 8.4 Privacy, Intellectual Property and Data Flow; 8.5 Electronic Commerce; 8.6 Compliance With Insurance Contracts | 12.1 Compliance With Legal Requirements | 6.6.5 Security and Availability of Information | 39 | Are any regulatory requirements relevant to information your department creates or stores? Examples of potential legal or regulatory requirements are: PCI Compliance (Visa, MasterCard), HIPAA (Healthcare), GLB (Insurance, Financial), software licensing, intellectual property rights, contractual obligations, etc. | 45

XII. Compliance | DS5 Ensure Systems Security; 5.7 Security Surveillance; 5.11 Incident Handling | 12.1 Compliance with Legal Requirements; 12.3 System Audit Considerations; 9.7 Monitoring System Access and Use; 12.2.1 Compliance with security policy; 12.2.2 Technical compliance checking; 6.3 Responding to Security Incidents and Malfunctions | 6.6.6 Controls c) See ISO 27001 mapping for additional detail | 40 | Does your department have the ability to monitor employee behavior with regard to compliance with organizational policies and/or identify illegal activities? | 46

XII. Compliance | DS9 Manage the Configuration; 9.5 Unauthorized Software; 9.8 Software Accountability | 5.1.1 Inventory of assets; 12.1 Compliance with Legal Requirements; 12.1.2 Intellectual property rights | 9.1 Configuration Management; 9.1.2 Configuration Identification e) licenses; 9.1.4 Configuration Status Accounting and Reporting | | | 47

XII. Compliance | DS11 Manage Data; 11.5 Source Document Retention; 11.19 Storage Management; 11.20 Retention Periods and Storage Terms; 11.26 Archiving | 8.6 Media Handling and Security; 12 Compliance; 12.1.3 Safeguarding of organizational records; 12.1.4 Data protection and privacy of personal information | 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details) | 41 | Are you aware of legal or organizational policy requirements to retain data? (Note: examples could include financial, health, or transaction history / information) | 48


Page 7: Self Assessment MASTER v7.0

Question (Control Objective) IT Staff

Has an information security policy framework been developed, including who is responsible for development, review, and approval of policies?

Has the policy framework been implemented, resulting in the creation of information security policies that are supported at the highest levels of the organization?

Do internal staff regularly monitor security controls to measure performance and adequacy?

If you answered yes to question 3, is effectiveness measured against security policy and regulatory/contract compliance?

Is there a current process for defining policy exceptions and reviewing them on an ongoing basis?

Are you familiar with the University's Risk Acceptance Process?

Is strategic IT planning performed to determine business requirements that could have an impact on technologies, staffing, and information security requirements?

Has a security organizational structure been created that defines information security roles and responsibilities?


Page 8: Self Assessment MASTER v7.0

Question (Control Objective) IT Staff

Are background and reference checks performed and verified during the recruiting and hiring processes?

Are security skill requirements reviewed and mapped to current security staff capabilities and evaluated against organizational security requirements?

Are security skills redundant across staff members so that no critical security function depends on a single employee?

Are there specific criteria that a business partner or vendor must meet for security requirements?

When partnering with a third party or contracting services, is a risk review performed to determine risks such as handling sensitive data and sharing proprietary information or intellectual property?

Are business associate agreements or similar contracts that contain expected levels of security required for third party partners? Are those contracts typically included and signed for all partner access to systems?

Has a data and/or asset classification scheme been developed and implemented, and does it map handling requirements to the classification levels?

Has an asset inventory system been implemented that includes asset criticality and/or classification ratings?

Have information flows and system moves into and out of systems and facilities been identified? Is there a policy that defines this flow of data, systems, and information?

Is there a policy that defines the acceptable flow of data, systems, and information between third parties?

Is there a document or system that contains hardware, software, application, or operating system configurations for your department?

Are there defined procedures for granting access levels to staff and third parties based on their job requirement to access the information?

Have the employees who add/remove user accounts been identified, and is account creation/removal logged so that the information can be audited or reviewed?


Page 9: Self Assessment MASTER v7.0

Question (Control Objective) IT Staff

Are physical security controls implemented for key IT systems such as the data center, and has a third party assessed those controls for their level of effectiveness?

Has a policy been defined and implemented that outlines security for mobile devices such as laptops and PDAs, and mobile storage such as flash drives?

Have you worked with departments in the organization to assess risks to critical data or systems and the resulting impact to the business should those risks be realized?

Have high-risk areas identified through risk assessment activities been prioritized, and has a plan to prioritize the remediation of these risks been developed?

Does automation of business processes through IT systems cause additional risk to the security of information, and have you worked to identify automated processes that might contain those risks?

Have integrity controls been implemented in systems that process transactions to verify accuracy, validity, and non-repudiation?


Page 10: Self Assessment MASTER v7.0

Question (Control Objective) IT Staff

Is regular security assessment and testing performed that includes activities such as penetration testing, vulnerability scanning, and policy and configuration review?

Does your organization provision the services of a trusted advisor to assess information security controls and provide guidance for areas of weakness or vulnerability?

If you answered yes to question 17, do you prioritize patches and perform testing to determine their suitability for implementation on production systems?

Are specific work procedures either documented or provided verbally? If so, is security integrated into the procedures?

Do all systems in your department have current anti-virus software installed, and are definition files updated on a regular basis (preferably every day)?

If you answered yes to question 32, are definition files updated on a regular basis (preferably every day)?

Is security an integrated component of the evaluation and selection of Information Technology solutions?


Page 11: Self Assessment MASTER v7.0

Question (Control Objective) IT Staff

Is a risk review performed prior to the implementation of new infrastructure (routers, switches, servers, firewalls, etc.)?

Is there a defined process for monitoring vendors for software patches or vulnerabilities that impact the infrastructure systems in production?

Are changes to existing systems or new implementations performed in a test environment separate from production systems?

Is acceptance testing a part of the pre-production testing process, and does acceptance include both key IT and business personnel?

Is a formal or informal change management function practiced for changes to systems? Does it include changes to configuration, including patching and functionality?

Is there a log or document that outlines all changes, including who reviewed the changes, testing performed, back-out plans, acceptance/denial, and who performed the changes?

Has a business impact analysis been performed with regard to identifying critical or sensitive information?

If you answered yes to question 26, have provisions been made to ensure critical information is available for mission-critical business processes in the event of a security incident?

Does your department have the ability to identify and resolve such incidents in a timeframe consistent with business operational requirements?

Has your department developed business continuity or disaster recovery plans that include maintaining or restoring basic IT resources during a disaster or outage?


Page 12: Self Assessment MASTER v7.0

Question (Control Objective) IT Staff

Are these plans tested on a recurring basis and updated as required depending on the outcome of tests?

Has the IT staff collaborated with key business users to make sure that business-critical information is backed up and available offsite? If so, have restore operations been tested successfully?

Does an employee responsible for information security review requirements for regulatory compliance and legal obligations and collaborate with executive leadership and legal counsel to determine which issues are relevant to the organization? Examples include PCI Compliance (Visa, MasterCard), HIPAA (Healthcare), GLB (Insurance, Financial), software licensing, intellectual property rights, contractual obligations, etc.

Have you deployed processes and/or automated alerts so that policy violations and intrusive behavior can be identified? This includes things such as account lockout alerts, intrusion detection systems, virus alerting, intellectual property violations, etc.

Is there a software licensing inventory that provides the ability to effectively review and manage license compliance, and is there an ongoing process to review licenses?

Is there a policy and/or standard that defines data retention requirements?


Page 13: Self Assessment MASTER v7.0

Answer (Yes/No/Somewhat/Not Applicable) | Describe Existing Key Security Controls Supporting This Question | Describe Key Weaknesses Relative to This Question | Describe any Current Projects Relative to This Question | Current Maturity Rating (Please read FAQ for definitions: 0 - Non Existent, 1 - Initial / Ad-Hoc, 2 - Repeatable but Intuitive) | Primary Security Domain

Not Applicable | 1 | I. Security Policy

I. Security Policy

I. Security Policy

I. Security Policy

I. Security Policy

I. Security Policy

I. Security Policy

I. Security Policy

II. Organizational Security

II. Organizational Security


Page 14: Self Assessment MASTER v7.0


II. Organizational Security

II. Organizational Security

II. Organizational Security

II. Organizational Security

II. Organizational Security

II. Organizational Security

III. Asset Classification and Control

III. Asset Classification and Control

III. Asset Classification and Control

III. Asset Classification and Control

III. Asset Classification and Control

III. Asset Classification and Control

IX. Access Control

IX. Access Control


Page 15: Self Assessment MASTER v7.0


IX. Access Control

IX. Access Control

IX. Access Control

IX. Access Control

V. Physical and Environmental Security

VI. Equipment Security

VII. General Controls

VII. General Controls

VII. General Controls

VII. General Controls


Page 16: Self Assessment MASTER v7.0


VII. General Controls

VII. General Controls

VII. General Controls

VII. General Controls

VII. General Controls

VII. General Controls

VIII. Communications & Operations Management

VIII. Communications & Operations Management

VIII. Communications & Operations Management

VIII. Communications & Operations Management

X. Systems Development and Maintenance


Page 17: Self Assessment MASTER v7.0


X. Systems Development and Maintenance

X. Systems Development and Maintenance

X. Systems Development and Maintenance

X. Systems Development and Maintenance

X. Systems Development and Maintenance

X. Systems Development and Maintenance

XI. Business Continuity

XI. Business Continuity

XI. Business Continuity

XI. Business Continuity


Page 18: Self Assessment MASTER v7.0


XI. Business Continuity

XI. Business Continuity

XII. Compliance

XII. Compliance

XII. Compliance

XII. Compliance


Page 19: Self Assessment MASTER v7.0

[Chart: Security Control Maturity Rating by Information Security Domain. Rating scale: 0 - Non Existent, 1 - Initial / Ad-Hoc, 2 - Repeatable but Intuitive, 3 - Defined Process, 4 - Managed and Measurable, 5 - Optimized. Domains: I. Security Policy; II. Organizational Security; III. Asset Classification and Control; IV. Personnel Security; V. Physical and Environmental Security; VI. Equipment Security; VII. General Controls; VIII. Communications & Operations Management; IX. Access Control; X. Systems Development and Maintenance; XI. Business Continuity; XII. Compliance.]

Page 20: Self Assessment MASTER v7.0

0 - Non-existent

Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.

1 - Initial

There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

2 - Repeatable

Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3 - Defined

Procedures have been standardized and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

4 - Managed

It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 - Optimized

Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

Page 21: Self Assessment MASTER v7.0

PO1 Define a Strategic IT Plan

1.1 IT as Part of the Organization’s Long and Short Range Plan

1.2 IT Long-range Plan

1.3 IT Long-range Planning—Approach and Structure

1.4 IT Long-range Plan Changes

1.5 Short-range Planning for the IT Function

1.6 Communication of IT Plans

1.7 Monitoring and Evaluating of IT Plans

1.8 Assessment of Existing Systems

PO2 Define the Information Architecture

2.1 Information Architecture Model

2.2 Corporate Data Dictionary and Data Syntax Rules

2.3 Data Classification Scheme

2.4 Security Levels

PO3 Determine Technological Direction

3.1 Technological Infrastructure Planning

3.2 Monitor Future Trends and Regulations

3.3 Technological Infrastructure Contingency

3.4 Hardware and Software Acquisition Plan

3.5 Technology Standards

PO4 Define the IT Organization and Relationships

4.1 IT Planning or Steering Committee

4.2 Organizational Placement of the IT Function

4.3 Review of Organizational Achievements

4.4 Roles and Responsibilities

4.5 Responsibility for Quality Assurance

4.6 Responsibility for Logical and Physical Security

4.7 Ownership and Custodianship

4.8 Data and System Ownership

4.9 Supervision

4.10 Segregation of Duties

4.11 IT Staffing

4.12 Job or Position Descriptions for IT Staff

4.13 Key IT Personnel

4.14 Contracted Staff Policies and Procedures

4.15 Relationships

PO5 Manage the IT Investment

5.1 Annual IT Operating Budget

5.2 Cost and Benefit Monitoring

5.3 Cost and Benefit Justification

PO6 Communicate Management Aims and Direction

6.1 Positive Information Control Environment

6.2 Management’s Responsibility for Policies

6.3 Communication of Organization Policies

6.4 Policy Implementation Resources

6.5 Maintenance of Policies

6.6 Compliance with Policies, Procedures and Standards

6.7 Quality Commitment

6.8 Security and Internal Control Framework Policy

6.9 Intellectual Property Rights

6.10 Issue-specific Policies

6.11 Communication of IT Security Awareness

PO7 Manage Human Resources

7.1 Personnel Recruitment and Promotion

7.2 Personnel Qualifications

7.3 Roles and Responsibilities

7.4 Personnel Training

7.5 Cross-training or Staff Backup

7.6 Personnel Clearance Procedures

7.7 Employee Job Performance Evaluation

7.8 Job Change and Termination

PO8 Ensure Compliance with External Requirements

8.1 External Requirements Review

8.2 Practices and Procedures for Complying with External Requirements

8.3 Safety and Ergonomic Compliance

8.4 Privacy, Intellectual Property and Data Flow

8.5 Electronic Commerce

8.6 Compliance With Insurance Contracts

PO9 Assess Risks

Page 22: Self Assessment MASTER v7.0

9.1 Business Risk Assessment

9.2 Risk Assessment Approach

9.3 Risk Identification

9.4 Risk Measurement

9.5 Risk Action Plan

9.6 Risk Acceptance

9.7 Safeguard Selection

9.8 Risk Assessment Commitment

PO10 Manage Projects

10.1 Project Management Framework

10.3 Project Team Membership and Responsibilities

10.4 Project Definition

10.5 Project Approval

10.6 Project Phase Approval

10.7 Project Master Plan

10.8 System Quality Assurance Plan

10.9 Planning of Assurance Methods

10.10 Formal Project Risk Management

10.11 Test Plan

10.12 Training Plan

10.13 Post-implementation Review Plan

PO11 Manage Quality

11.1 General Quality Plan

11.2 Quality Assurance Approach

11.3 Quality Assurance Planning

11.4 Quality Assurance Review of Adherence to IT Standards and Procedures

11.5 System Development Life Cycle Methodology

11.6 System Development Life Cycle Methodology for Major Changes to Existing Technology

11.7 Updating of the System Development Life Cycle Methodology

11.8 Coordination and Communication

11.9 Acquisition and Maintenance Framework for the Technology Infrastructure

11.10 Third-party Implementer Relationships

11.11 Program Documentation Standards

11.12 Program Testing Standards

11.13 System Testing Standards

11.14 Parallel/Pilot Testing

11.15 System Testing Documentation

11.16 Quality Assurance Evaluation of Adherence to Development Standards

11.17 Quality Assurance Review of the Achievement of IT Objectives

11.18 Quality Metrics

11.19 Reports of Quality Assurance Reviews

AI1 Identify Automated Solutions

1.1 Definition of Information Requirements

1.2 Formulation of Alternative Courses of Action

1.3 Formulation of Acquisition Strategy

1.4 Third-party Service Requirements

1.5 Technological Feasibility Study

1.6 Economic Feasibility Study

1.7 Information Architecture

1.8 Risk Analysis Report

1.9 Cost-effective Security Controls

1.10 Audit Trails Design

1.11 Ergonomics

1.12 Selection of System Software

1.13 Procurement Control

1.14 Software Product Acquisition

1.15 Third-party Software Maintenance

1.16 Contract Application Programming

1.17 Acceptance of Facilities

1.18 Acceptance of Technology

AI2 Acquire and Maintain Application Software

2.1 Design Methods

2.2 Major Changes to Existing Systems

2.3 Design Approval

2.4 File Requirements Definition and Documentation

2.5 Program Specifications

2.6 Source Data Collection Design

2.7 Input Requirements Definition and Documentation

2.8 Definition of Interfaces

Page 23: Self Assessment MASTER v7.0

2.9 User-machine Interface

2.10 Processing Requirements Definition and Documentation

2.11 Output Requirements Definition and Documentation

2.12 Controllability

2.13 Availability as a Key Design Factor

2.14 IT Integrity Provisions in Application Program Software

2.15 Application Software Testing

2.16 User Reference and Support Materials

2.17 Reassessment of System Design

AI3 Acquire and Maintain Technology Infrastructure

3.1 Assessment of New Hardware and Software

3.2 Preventive Maintenance for Hardware

3.3 System Software Security

3.4 System Software Installation

3.5 System Software Maintenance

3.6 System Software Change Controls

3.7 Use and Monitoring of System Utilities

AI4 Develop and Maintain Procedures

4.1 Operational Requirements and Service Levels

4.2 User Procedures Manual

4.3 Operations Manual

4.4 Training Materials

AI5 Install and Accredit Systems

5.1 Training

5.2 Application Software Performance Sizing

5.3 Implementation Plan

5.4 System Conversion

5.5 Data Conversion

5.6 Testing Strategies and Plans

5.7 Testing of Changes

5.8 Parallel/Pilot Testing Criteria and Performance

5.9 Final Acceptance Test

5.10 Security Testing and Accreditation

5.11 Operational Test

5.12 Promotion to Production

5.13 Evaluation of Meeting User Requirements

5.14 Management’s Post-implementation Review

AI6 Manage Changes

6.1 Change Request Initiation and Control

6.2 Impact Assessment

6.3 Control of Changes

6.4 Emergency Changes

6.5 Documentation and Procedures

6.6 Authorized Maintenance

6.7 Software Release Policy

6.8 Distribution of Software

DS1 Define and Manage Service Levels

1.1 Service Level Agreement Framework

1.2 Aspects of Service Level Agreements

1.3 Performance Procedures

1.4 Monitoring and Reporting

1.5 Review of Service Level Agreements and Contracts

1.6 Chargeable Items

1.7 Service Improvement Program

DS2 Manage Third-party Services

2.1 Supplier Interfaces

2.2 Owner Relationships

2.3 Third-party Contracts

2.4 Third-party Qualifications

2.5 Outsourcing Contracts

2.6 Continuity of Services

2.7 Security Relationships

2.8 Monitoring

DS3 Manage Performance Capacity

3.1 Availability and Performance Requirements

3.2 Availability Plan

3.3 Monitoring and Reporting

3.4 Modeling Tools

3.5 Proactive Performance Management

Page 24: Self Assessment MASTER v7.0

3.6 Workload Forecasting

3.7 Capacity Management of Resources

3.8 Resources Availability

3.9 Resources Schedule

DS4 Ensure Continuous Service

4.1 IT Continuity Framework

4.2 IT Continuity Plan Strategy and Philosophy

4.3 IT Continuity Plan Contents

4.4 Minimizing IT Continuity Requirements

4.5 Maintaining the IT Continuity Plan

4.6 Testing the IT Continuity Plan

4.7 IT Continuity Plan Training

4.8 IT Continuity Plan Distribution

4.9 User Department Alternative Processing Backup Procedures

4.10 Critical IT Resources

4.11 Backup Site and Hardware

4.12 Offsite Backup Storage

4.13 Wrap-up Procedures

DS5 Ensure Systems Security

5.1 Manage Security Measures

5.2 Identification, Authentication and Access

5.3 Security of Online Access to Data

5.4 User Account Management

5.5 Management Review of User Accounts

5.6 User Control of User Accounts

5.7 Security Surveillance

5.8 Data Classification

5.9 Central Identification and Access Rights

5.10 Management Violation and Security Activity Reports

5.11 Incident Handling

5.12 Reaccreditation

5.13 Counterparty Trust

5.14 Transaction Authorization

5.15 Nonrepudiation

5.16 Trusted Path

5.17 Protection of Security Functions

5.18 Cryptographic Key Management

5.19 Malicious Software Prevention, Detection and Correction

5.20 Firewall Architectures and Connections with Public Networks

5.21 Protection of Electronic Value

DS6 Identify and Allocate Costs

6.1 Chargeable Items

6.2 Costing Procedures

6.3 User Billing and Chargeback Procedures

DS7 Educate and Train Users

7.1 Identification of Training Needs

7.2 Training Organization

7.3 Security Principles and Awareness Training

DS8 Assist and Advise Customers

8.1 Help Desk

8.2 Registration of Customer Queries

8.3 Customer Query Escalation

8.4 Monitoring of Clearance

8.5 Trend Analysis and Reporting

DS9 Manage the Configuration

9.1 Configuration Recording

9.2 Configuration Baseline

9.3 Status Accounting

9.4 Configuration Control

9.5 Unauthorized Software

9.6 Software Storage

9.7 Configuration Management Procedures

9.8 Software Accountability

DS10 Manage Problems and Incidents

10.1 Problem Management System

10.2 Problem Escalation

10.3 Problem Tracking and Audit Trail

10.4 Emergency and Temporary Access Authorization

10.5 Emergency Processing Priorities

Page 25: Self Assessment MASTER v7.0

DS11 Manage Data

11.1 Data Preparation Procedures

11.2 Source Document Authorization Procedures

11.3 Source Document Data Collection

11.4 Source Document Error Handling

11.5 Source Document Retention

11.6 Data Input Authorization Procedures

11.7 Accuracy, Completeness and Authorization Checks

11.8 Data Input Error Handling

11.9 Data Processing Integrity

11.10 Data Processing Validation and Editing

11.11 Data Processing Error Handling

11.12 Output Handling and Retention

11.13 Output Distribution

11.14 Output Balancing and Reconciliation

11.15 Output Review and Error Handling

11.16 Security Provision for Output Reports

11.17 Protection of Sensitive Information During Transmission and Transport

11.18 Protection of Disposed Sensitive Information

11.19 Storage Management

11.20 Retention Periods and Storage Terms

11.21 Media Library Management System

11.22 Media Library Management Responsibilities

11.23 Backup and Restoration

11.24 Backup Jobs

11.25 Backup Storage

11.26 Archiving

11.27 Protection of Sensitive Messages

11.28 Authentication and Integrity

11.29 Electronic Transaction Integrity

11.30 Continued Integrity of Stored Data

DS12 Manage Facilities

12.1 Physical Security

12.2 Low Profile of the IT Site

12.3 Visitor Escort

12.4 Personnel Health and Safety

12.5 Protection Against Environmental Factors

12.6 Uninterruptible Power Supply

DS13 Manage Operations

13.1 Processing Operations Procedures and Instructions Manual

13.2 Start-up Process and Other Operations Documentation

13.3 Job Scheduling

13.4 Departures from Standard Job Schedules

13.5 Processing Continuity

13.6 Operations Logs

13.7 Safeguard Special Forms and Output Devices

13.8 Remote Operations

M1 Monitor the Processes

1.1 Collecting Monitoring Data

1.2 Assessing Performance

1.3 Assessing Customer Satisfaction

1.4 Management Reporting

M2 Assess Control Adequacy

2.1 Internal Control Monitoring

2.2 Timely Operation of Internal Controls

2.3 Internal Control Level Reporting

2.4 Operational Security and Internal Control Assurance

M3 Obtain Independent Assurance

3.1 Independent Security and Internal Control Certification/Accreditation of IT Services

3.2 Independent Security and Internal Control Certification/Accreditation of Third-party Service Providers

3.3 Independent Effectiveness Evaluation of IT Services

3.4 Independent Effectiveness Evaluation of Third-party Service Providers

3.5 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments

3.6 Independent Assurance of Compliance with Laws and Regulatory Requirements by Third-party Service Providers

3.7 Competence of Independent Assurance Function

3.8 Proactive Audit Involvement

M4 Provide for Independent Audit

4.1 Audit Charter

4.2 Independence

Page 26: Self Assessment MASTER v7.0

4.3 Professional Ethics and Standards

4.4 Competence

4.5 Planning

4.6 Performance of Audit Work

4.7 Reporting

4.8 Follow-up Activities

Page 27: Self Assessment MASTER v7.0

3 SECURITY POLICY

3.1 INFORMATION SECURITY POLICY

3.1.1 Information security policy document

3.1.2 Review and evaluation

4 ORGANIZATIONAL SECURITY

4.1 INFORMATION SECURITY INFRASTRUCTURE

4.1.1 Management information security forum

4.1.2 Information security co-ordination

4.1.3 Allocation of information security responsibilities

4.1.4 Authorization process for information processing facilities

4.1.5 Specialist information security advice

4.1.6 Co-operation between organizations

4.1.7 Independent review of information security

4.2 SECURITY OF THIRD PARTY ACCESS

4.2.1 Identification of risks from third party access

4.2.2 Security requirements in third party contracts

4.3 OUTSOURCING

4.3.1 Security requirements in outsourcing contracts

5 ASSET CLASSIFICATION AND CONTROL

5.1 ACCOUNTABILITY FOR ASSETS

5.1.1 Inventory of assets

5.2 INFORMATION CLASSIFICATION

5.2.1 Classification guidelines

5.2.2 Information labelling and handling

6 PERSONNEL SECURITY

6.1 SECURITY IN JOB DEFINITION AND RESOURCING

6.1.1 Including security in job responsibilities

6.1.2 Personnel screening and policy

6.1.3 Confidentiality agreements

6.1.4 Terms and conditions of employment

6.2 USER TRAINING

6.2.1 Information security education and training

6.3 RESPONDING TO SECURITY INCIDENTS AND MALFUNCTIONS

6.3.1 Reporting security incidents

6.3.2 Reporting security weaknesses

6.3.3 Reporting software malfunctions

6.3.4 Learning from incidents

6.3.5 Disciplinary process

7 PHYSICAL AND ENVIRONMENTAL SECURITY

7.1 SECURE AREAS

7.1.1 Physical security perimeter

7.1.2 Physical entry controls

7.1.3 Securing offices, rooms and facilities

7.1.4 Working in secure areas

7.1.5 Isolated delivery and loading areas

7.2 EQUIPMENT SECURITY

7.2.1 Equipment siting and protection

7.2.2 Power supplies

7.2.3 Cabling security

7.2.4 Equipment maintenance

7.2.5 Security of equipment off-premises

7.2.6 Secure disposal or re-use of equipment

7.3 GENERAL CONTROLS

7.3.1 Clear desk and clear screen policy

7.3.2 Removal of property

8 COMMUNICATIONS AND OPERATIONS MANAGEMENT

8.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES

8.1.1 Documented operating procedures

8.1.2 Operational change control

8.1.3 Incident management procedures

8.1.4 Segregation of duties

8.1.5 Separation of development and operational facilities

8.1.6 External facilities management

8.2 SYSTEM PLANNING AND ACCEPTANCE

8.2.1 Capacity planning

8.2.2 System acceptance

8.3 PROTECTION AGAINST MALICIOUS SOFTWARE

8.3.1 Controls against malicious software

8.4 HOUSEKEEPING

8.4.1 Information back-up

8.4.2 Operator logs

8.4.3 Fault logging

8.5 NETWORK MANAGEMENT

8.5.1 Network controls

8.6 MEDIA HANDLING AND SECURITY

8.6.1 Management of removable computer media

8.6.2 Disposal of media

8.6.3 Information handling procedures

8.6.4 Security of system documentation

8.7 EXCHANGES OF INFORMATION AND SOFTWARE

8.7.1 Information and software exchange agreements

8.7.2 Security of media in transit

8.7.3 Electronic commerce security

8.7.4 Security of electronic mail

8.7.5 Security of electronic office systems

8.7.6 Publicly available systems

8.7.7 Other forms of information exchange

9 ACCESS CONTROL

9.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL

9.1.1 Access control policy

9.2 USER ACCESS MANAGEMENT

9.2.1 User registration

9.2.2 Privilege management

9.2.3 User password management

9.2.4 Review of user access rights

9.3 USER RESPONSIBILITIES

9.3.1 Password use

9.3.2 Unattended user equipment

9.4 NETWORK ACCESS CONTROL

9.4.1 Policy on use of network services

9.4.2 Enforced path

9.4.3 User authentication for external connections

9.4.4 Node authentication

9.4.5 Remote diagnostic port protection

9.4.6 Segregation in networks

9.4.7 Network connection control

9.4.8 Network routing control

9.4.9 Security of network services

9.5 OPERATING SYSTEM ACCESS CONTROL

9.5.1 Automatic terminal identification

9.5.2 Terminal log-on procedures

9.5.3 User identification and authentication

9.5.4 Password management system

9.5.5 Use of system utilities

9.5.6 Duress alarm to safeguard users

9.5.7 Terminal time-out

9.5.8 Limitation of connection time

9.6 APPLICATION ACCESS CONTROL

9.6.1 Information access restriction

9.6.2 Sensitive system isolation

9.7 MONITORING SYSTEM ACCESS AND USE

9.7.1 Event logging

9.7.2 Monitoring system use

9.7.3 Clock synchronization

9.8 MOBILE COMPUTING AND TELEWORKING

9.8.1 Mobile computing

9.8.2 Teleworking

10 SYSTEMS DEVELOPMENT AND MAINTENANCE

10.1 SECURITY REQUIREMENTS OF SYSTEMS

10.1.1 Security requirements analysis and specification

10.2 SECURITY IN APPLICATION SYSTEMS

10.2.1 Input data validation

10.2.2 Control of internal processing

10.2.3 Message authentication

10.2.4 Output data validation

10.3 CRYPTOGRAPHIC CONTROLS

10.3.1 Policy on the use of cryptographic controls

10.3.2 Encryption

10.3.3 Digital signatures

10.3.4 Non-repudiation services

10.3.5 Key management

10.4 SECURITY OF SYSTEM FILES

10.4.1 Control of operational software

10.4.2 Protection of system test data

10.4.3 Access control to program source library

10.5 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES

10.5.1 Change control procedures

10.5.2 Technical review of operating system changes

10.5.3 Restrictions on changes to software packages

10.5.4 Covert channels and Trojan code

10.5.5 Outsourced software development

11 BUSINESS CONTINUITY MANAGEMENT

11.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

11.1.1 Business continuity management process

11.1.2 Business continuity and impact analysis

11.1.3 Writing and implementing continuity plans

11.1.4 Business continuity planning framework

11.1.5 Testing, maintaining and re-assessing business continuity plans

12 COMPLIANCE

12.1 COMPLIANCE WITH LEGAL REQUIREMENTS

12.1.1 Identification of applicable legislation

12.1.2 Intellectual property rights (IPR)

12.1.3 Safeguarding of organizational records

12.1.4 Data protection and privacy of personal information

12.1.5 Prevention of misuse of information processing facilities

12.1.6 Regulation of cryptographic controls

12.1.7 Collection of evidence

12.2 REVIEWS OF SECURITY POLICY AND TECHNICAL COMPLIANCE

12.2.1 Compliance with security policy

12.2.2 Technical compliance checking

12.3 SYSTEM AUDIT CONSIDERATIONS

12.3.1 System audit controls

12.3.2 Protection of system audit tools

3 The management system

3.1 Management and Responsibility

3.2 Documentation requirements

3.3 Competence, awareness and training

3.3.1 General

3.3.2 Professional development

3.3.3 Approaches to be considered

4 Planning and implementing service management

4.1 Plan service management (Plan)

4.1.1 Scope of service management

4.1.2 Planning approaches

4.1.3 Events to be considered

4.1.4 Scope and contents of the plan

4.2 Implement service management and provide the services

4.3 Monitoring, measuring and reviewing (Check)

4.4 Continual improvement (Act)

4.4.1 Policy

4.4.2 Planning for service improvements

5 Planning and implementing new or changed services

5.1 Topics for consideration

5.2 Change records

6 Service delivery process

6.1 Service level management

6.1.1 Service catalogue

6.1.2 Service level agreements (SLAs)

6.1.3 Service level management (SLM) process

6.1.4 Supporting service agreements

6.2 Service reporting

6.2.1 Policy

6.2.2 Purpose and quality checks on service reports

6.2.3 Service reports

6.3 Service continuity and availability management

6.3.1 General

6.3.2 Availability monitoring and activities

6.3.3 Service continuity strategy

6.3.4 Service continuity planning and testing

6.4 Budgeting and accounting for IT services

6.4.1 General

6.4.2 Policy

6.4.3 Budgeting

6.4.4 Accounting

6.5 Capacity management

6.6 Information security management

6.6.1 General

6.6.2 Identifying and classifying information assets

6.6.3 Security risk assessment practices

6.6.4 Risks to information assets

6.6.5 Security and availability of information

6.6.6 Controls

6.6.7 Documents and records

7 Relationship processes

7.1 General

7.2 Business relationship management

7.2.1 Service reviews

7.2.2 Service complaints

7.2.3 Customer satisfaction measurement

7.3 Supplier management

7.3.1 Introduction

7.3.2 Contract management

7.3.3 Service definition

7.3.4 Managing multiple suppliers

7.3.5 Contractual disputes management

7.3.6 Contract end

8 Resolution processes

8.1 Background

8.1.1 Setting priorities

8.1.2 Workarounds

8.2 Incident management

8.2.1 General

8.2.2 Major incidents

8.3 Problem management

8.3.1 Scope of problem management

8.3.2 Initiation of problem management

8.3.3 Known errors

8.3.4 Problem resolution management

8.3.5 Communication

8.3.6 Tracking and escalation

8.3.7 Incident and problem record closure

8.3.8 Problem reviews

8.3.9 Topics for reviews

8.3.10 Problem prevention

9 Control processes

9.1 Configuration management

9.1.1 Configuration management planning and implementation

9.1.2 Configuration identification

9.1.3 Configuration control

9.1.4 Configuration status accounting and reporting

9.1.5 Configuration verification and audit

9.2 Change management

9.2.1 Planning and implementation

9.2.2 Closing and reviewing the change request

9.2.3 Emergency changes

9.2.4 Change management reporting, analysis and actions

10 Release process

10.1 Release management process

10.1.1 General

10.1.2 Release policy

10.1.3 Release and roll-out planning

10.1.4 Developing or acquiring software

10.1.5 Design, build and configure release

10.1.6 Release verification and acceptance

10.1.7 Documentation

10.1.8 Roll-out, distribution and installation

10.1.9 Post release and roll-out