

Page 1: Cover Page (page 1 of 174)
Standardized Information Gathering (SIG) · XLS file · Web view · 2016-05-12

Shared Assessments Program Standardized Information Gathering Questionnaire Version 3.1, January 14, 2008

The Santa Fe Group and BITS
Standardized Information Gathering (SIG) Questionnaire
Version 3.1
Released: January 22, 2008

Shared Assessments Program Index (% Comp): the index lists each tab with its completion percentage; in this blank copy every tab shows 0% or N/A.

Questionnaire Instructions:
There are two parts to this questionnaire: the SIG (High Level Questions tab and tabs A - L) and the SIG Lite (tab M). One of the many benefits of Shared Assessments is the reduction in the number of audits and questionnaires that service providers must undergo. If this questionnaire was provided with instructions to complete the SIG Lite only, or no instructions were provided, it is strongly recommended that you complete the entire SIG, since it may be leveraged across a wider customer base.

Depending on whether you were instructed to fill out the SIG or the SIG Lite, please follow the instructions below:

SIG:
1) Complete the Business Information tab.
2) Compile all documentation requested on the Documentation tab.
3) Answer all of the questions on the High Level Questions tab and tabs A through L by selecting either Yes, No or N/A from the drop-down list provided.
4) Use the "Additional Information" space to provide any pertinent information. An explanation is required in this space if the response is N/A.
5) Answer questions on the Additional Questions tab (N) only if additional questions have been inserted.

SIG Lite:
1) Complete the Business Information tab.
2) Compile all documentation requested on the Documentation tab.
3) The questions on the SIG Lite tab are multipart questions. If any part of the multipart question is No or N/A, then the response should be No or N/A. Answer questions by selecting either Yes, No or N/A from the drop-down list provided.
4) If No or N/A has been chosen, then you must explain in the "Additional Information" field to the right of the question.

Sheet Protection: All tabs are protected with the password: password

Index (tabs):
Business Information
Documentation Request List
High Level Questions
A. Risk Management
B. Security Policy
C. Organizational Security
D. Asset Management
E. Human Resources Security
F. Physical and Environmental
G. Communications and Ops Management
H. Access Control
I. Information Systems Application Development and Maintenance
J. Information Security Incident Management
K. Business Continuity
L. Compliance
M. SIG Lite
N. Additional Questions
Glossary
Overview
Version History
Formula Notes

Contact: http://www.bitsinfo.org/fisap, [email protected]

Page 2: Business Information (page 2 of 174)

Business Information (20 Total Questions to be Answered)

Columns: Question/Request | Response

Responder Name:
Responder Job Title:
Responder Contact Information:
Date of Response:
List the names and titles of any contributors that assisted in the formulation of the responses:

Company Profile
What is the name of the holding or parent company?
What is the company/business name?
Is this a publicly or privately held company?
If public, what is the name of the Exchange?
If public, what symbol(s) are you trading under?
Type of legal entity and state of incorporation?
How long has the company been in business?
Are there any material claims or judgments against the company?
If Yes, please describe, including any impact it may have on the service being provided to the institution.
Which regulator supervises or examines the company? Indicate all that apply:
- Federal Reserve
- OCC
- FDIC
- Federal Reserve Bank
- OTS
- NCUA
- SEC
- Other, Explained
- None

Page 3: Business Information (page 3 of 174)

Does the company have an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding internal, external or regulatory issues?

Service Profile
What is the name and description(s) of service(s) to be reviewed under shared assessment?
Is this a shared service? (A shared service is provided to multiple clients vs. a dedicated service, which is provided only to one client.)
- Shared:
- Dedicated:
- Other: Please explain
Are any aspects of the service outsourced?
If yes, describe what is outsourced, name of the contracted party, whether the outsourced service involves customer information and the country of operation.
Has the service been audited in the past year for any of the following?
- Privacy
- Information Security
- Disaster Recovery
- Operations
- Technology
- Other:
Does the company hire an external audit firm to produce a SAS 70 report on the operations under review?
If no, has another type of assessment or audit been performed? Explain.
Have any of the audits addressed above resulted in any exceptions or findings?
If yes, please provide details:
Provide an explanation of what you are considering target data.

Computer Equipment Details (relative to scope of services provided)
What is the production site physical address?

Page 4: Business Information (page 4 of 174)

What is the backup site physical address?
Are there any additional location(s) where target data is stored?
If so, provide locations (address, city, state, country).
Please provide details in the following areas:
- Operating system(s)
- Workstations: # of devices
- Servers: # of devices
- List applications in scope.
- Number of employees by function (e.g., development, systems operations, information security)

Page 5: Documentation (page 5 of 174)

Documentation

Columns: Document Request | Type of information provided (e.g., document, summary, table of contents)

* Copy of internal or external information security audit report
* Physical Security policy and procedures (building and/or restricted access)
* Third-party security reviews/assessments/penetration tests
Legal clauses and confidentiality templates for third parties
Topics covered in the security training program
* Security incident handling and reporting process
* System and network configuration standards
* Systems Backup policy and procedures
* Offsite Storage policy and procedures
* Vulnerability and Threat Management Scan policy and procedures
* Application security policy
* Information Security Policies and Procedures. This should include the following (if not, provide the individual documents as necessary):
  a) Hiring policies and practices and employment application
  b) User Account administration policy and procedures for all supported platforms where target data is processed and network/LAN access.
  c) Supporting documentation to indicate completion of User Entitlement reviews
  d) Employee Non-disclosure agreement document
  e) Information Security Incident Report policy and procedures, including all contract information
  f) Copy of Visitor Policy and procedures
  g) Security Log Review Policies and Procedures
Information technology and security organization charts (including where information security resides in the organization and the composition of any information security steering committees). Note - Actual names of employees are not required.
Network configuration diagrams for internal and external networks defined in scope. Note - Sanitized versions of the network diagram are acceptable.

Page 6: Documentation (page 6 of 174)

* Change control policy/procedures
* Problem Management policy/procedures
Certifications of proprietary encryption algorithms
* Internal vulnerability assessments of systems, applications, and networks
* System Development and Life Cycle (SDLC) process document
* Business Continuity Plan (BCP) and/or Disaster Recovery Plan
* Most recent BCP/DR test dates and results
Most recent SAS 70 audit report

* If your organization's policy prohibits the distribution of any of these documents, please provide the document title, the table of contents, the executive summary, revision history, and evidence of approval.

Page 7: High Level Questions (page 7 of 174)

High Level Questions (122 Total Questions to be Answered)

Questionnaire Instructions: For each of the questions provided choose either Yes, No or N/A from the drop-down list provided. If N/A has been chosen then it is mandatory to supply additional explanation. Use the "Additional Information" field to the right of the question. Click on the instruction pop-up box and drag if necessary.

Columns: Ques # | Question/Request | Response | Additional Information

A. Risk Management
A.1 Does your company have a risk assessment program?

B. Security Policy
B.1 Does your company have an information security policy?

C. Organizational Security
C.1 Is there an information security oversight function that provides clear direction and visible management support for security initiatives within the organization?
C.2 Is there an individual or group with responsibility for security within the organization?
C.3 Is an individual or group responsible for the implementation / execution of security processes in support of policies?
C.4 Is an individual or group responsible for ensuring compliance with security policies?
C.5 Are all constituents required to sign confidentiality agreements?
C.6 Has there been an independent 3rd party review of the information security program? (If so, note the firm in the "Additional Information" column.)
C.7 Do you contract with third party service providers?

D. Asset Management
D.1 Does your company have an asset management program?
D.2 Is an inventory of hardware/software assets maintained?
D.3 Is ownership assigned for information assets?
D.4 Does your organization have an information classification policy in place?
D.5 Are documented procedures in place for the disposal and/or destruction of physical media (e.g., paper documents, CDs, DVDs, tapes, disk drives, etc.)?
D.6 Are documented procedures in place for the reuse of physical media (e.g., tapes, disk drives, etc.)?

Page 8: High Level Questions (page 8 of 174)

E. Human Resource Security
E.1 Does your company have a pre-screening policy?
E.2 Do you perform any background screening of applicants? This would include criminal, credit, professional/academic, references and drug screening.
E.3 Are new hires required to sign any agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire?
E.4 Does your organization have a security awareness training program?
E.5 Are information security personnel required to obtain professional security certifications (e.g., GSEC, CISSP)?
E.6 Do you communicate Information Security Policies and procedures to constituents?
E.7 Are your constituents required to re-read and re-accept policies, code of conduct, non-disclosure or confidentiality agreements?
E.8 Is there a disciplinary process in place for non-compliance with Corporate Policy?
E.9 Does your company have a termination policy?
E.10 Does your HR department notify security / access administration of termination of constituents?
E.11 Does your HR department notify security / access administration of a constituent's change of status?
E.12 Does your organization have asset return procedures or policies in place?

F. Physical and Environmental Security (some question numbers are missing in the original sheet)
F.1 Does your company have a Physical Security policy?
F.3 Does the building that contains the target data reside on a campus?
F.5 Is the building shared with other tenants?
F.6 Is the building more than one floor?
F.7 Is the construction of the building rated to withstand wind speeds greater than 100 mi/hr?
F.8 Is the roof rated to withstand wind speeds of at least 100 mi/hr?
F.9 Is the roof rated to withstand loads greater than 200 pounds per square foot?
F.10 Does the building have a single point of entry?
F.11 Are windows located along the outside of the building?

Page 9: High Level Questions (page 9 of 174)

F.12 Do the windows have contact alarms that will trigger if opened?
F.13 Do all windows located outside of the building have glass break detection?
F.14 Is external lighting used for all windows?
F.15 Are any windows concealed?
F.16 Does the outside of the building have glass walls or doors?
F.17 Do all outside glass walls or doors have glass break detection?
F.18 Is external lighting used for all doors?
F.19 Are external hinge pins used on any external doors?
F.20 Do you have a CCTV system monitoring your facility?
F.21 Are all entry and exit points alarmed?
F.22 Do you use security guards?
F.23 Do emergency-specific doors only permit egress?
F.24 Do you restrict access to your facility?
F.25 Do you allow visitors in your facility?
F.26 Do the target systems reside in a data center?
F.27 Do you have or use a loading dock at your facility?
F.28 Does your facility contain a Battery/UPS Room?
F.29 Do you operate or maintain a call center as part of your business?
F.30 Does your facility contain a Generator or Generator Area?
F.31 Does your facility contain IDF closets?
F.32 Do you have a mailroom that stores or processes target data?
F.33 Does your organization use a media library to store target data?
F.34 Does your organization use a printer room to print target data?
F.35 Do you have a secured work area where employees access target data?
F.36 Does your facility have a separate room for telecom equipment (i.e., PBX)?

G. Communications and Operations Management
G.1 Does your organization have a formal change management / change control process?
G.2 Does your organization segregate duties between individuals granting access and those who access target data?
G.3 Does your organization outsource to any third party vendors who will have access to target data (consider backup vendors, service providers, equipment support vendors, etc.)?

Page 10: High Level Questions (page 10 of 174)

G.4 Does your organization use anti-virus products?
G.5 Do you perform system backups of target data?
G.6 Does your organization have any external network connections?
G.7 Do you allow the use of wireless networking technology in your organization?
G.8 Do you regularly scan your organization's facilities for rogue wireless access points?
G.9 Is there a list of authorized analog lines within the organization's facilities?
G.10 Are any modems used or installed in your environment (dial modem, cable modem, DSL, etc.)? This would include "Phone Home" modems attached to systems.
G.11 Does your organization use any removable media (e.g., CDs, DVDs, tapes, disk drives, USB devices, etc.)?
G.12 Do you send or receive (physical or electronic) data into or out of your environment?
G.13 Does your company use Instant Messaging?
G.14 Does your organization use e-mail either internally or externally?
G.15 Does your organization use application servers for processing or storing confidential data?
G.16 Are logs generated for security relevant activities on network devices, operating systems, and applications?
G.17 Do systems and network devices utilize a common time synchronization service?
G.18 Does your company use UNIX or Linux operating systems for storing or processing target data?
G.19 Does the company use Windows systems for storing or processing confidential data?
G.20 Does the company use a mainframe for storing or processing target data?
G.21 Does the company use an AS400 for storing or processing target data?
G.22 Does the company use an Open VMS (VAX or Alpha) system for storing or processing target data?
G.23 Does the company provide Web services?
G.24 Does your organization use desktop computers?

Page 11: High Level Questions (page 11 of 174)

G.25 Does your company use mobile computing devices (laptops, PDAs, etc.) to store, process or access target data?
G.26 Does your company use, manage or maintain any encryption tools?
G.27 Do you require data encryption for confidential data in transit?
G.28 Do you require data encryption for confidential data at rest?
G.29 Does your company utilize Digital Certificates?

H. Access Control
H.1 Is an access control policy in place?
H.2 Is access to all systems and applications based on defined roles and responsibilities or job functions?
H.3 Is multi-factor authentication deployed for "high-risk" environments?
H.4 Does your company utilize unique user IDs to access company systems?
H.5 Are there formal processes in place to grant and approve access to systems holding, processing, or transporting target data?
H.6 Do you use passwords to access systems holding, processing, or transporting target data?
H.7 Are there formal processes in place to regularly review access to ensure that only those people with a need-to-know currently have access?
H.8 Do you use electronic systems to store, process, transport, etc. target data?
H.9 Does your company perform any type of application development?
H.10 Is a remote access solution present in the environment?
H.11 Is a teleworking policy in place?

I. Information Systems Acquisition, Development and Maintenance
I.1 Does your company perform any type of application development?
I.2 Do you perform any type of application testing?
I.3 Does the company have an internal organization that provides project management oversight?
I.4 Does the company have an independent quality assurance function responsible for the testing of software and infrastructure prior to implementation?
I.5 Does your organization support or maintain a development, test, staging, QA or production environment?
I.6 Do you have a documented change control process?

Page 12: High Level Questions (page 12 of 174)

I.7 Does your organization patch systems and applications?
I.8 Are systems and networks periodically assessed for vulnerabilities?
I.9 Do you support, host, maintain, etc. a web site with access to target data?
I.10 Do you use or have installed on any system penetration, threat or vulnerability assessment tools?

J. Information Security Incident Management
J.1 Does your company have an Incident Management policy?
J.2 Does your company have a formal information security Incident Response Program / Plan?
J.3 Does your company have a security incident response team with clearly defined and documented roles and responsibilities?
J.4 Is an Incident Response contact list or calling tree maintained?
J.5 Is documentation maintained on previous incidents, outcomes and issues and their remediation?

K. Business Continuity Management
K.1 Does your company have a written policy for business continuity and disaster recovery?

L. Compliance
L.1 Is your organization required to comply with any legal, regulatory or industry requirements, etc. (GLBA, SOX, PCI)?
L.2 Is your organization required to comply with any SEC regulations?
L.3 Within the last year, has there been an independent review of the company's security policies, standards, procedures, and/or guidelines?
L.4 Has a network penetration test been conducted within the last year?
L.5 Does the organization undergo a SAS 70 Type II examination at least annually?

Page 13: A. Risk Management (page 13 of 174)

A. Risk Management (5 Total Questions to be Answered)

Columns: AUP/ISO/PCI Reference | Question # | Question/Request | Response | Additional Information
AUP/ISO/PCI references cited on this sheet: 4.1 Risk Assessment; 4.1.1 Risk Mitigation Process

A.1 Does your company have a risk assessment program?
A.1.1 Is an owner assigned who is responsible for the maintenance and review of the Risk Management program?
A.1.2 Does this individual or group have the following responsibilities:
A.1.2.1 Risk mitigation process?
A.1.2.2 Risk transfer process?
A.1.2.3 Risk acceptance process?
A.1.3 Is accepted risk reviewed on a periodic basis to ensure continued disposition?
A.1.4 Are controls in place to assure risk is addressed appropriately?

Page 14: B. Security Policy (page 14 of 174)

B. Security Policy (14 Total Questions to be Answered)

Columns: AUP/ISO/PCI Reference | Question # | Question/Request | Response | Additional Information
AUP/ISO/PCI references cited on this sheet: 5.1 Information Security Policy; 5.1.1 Information Security Policy Document; 5.1.2 Review of Security Policy; AUP A.1; AUP A.2

B.1 Does your company have an information security policy?
B.1.1 Which of the following leadership level(s) is/are the security policy approved by?
B.1.1.1 Board of directors?
B.1.1.2 CEO?
B.1.1.3 C-level executive?
B.1.1.4 Senior leader?
B.1.1.5 Other?
B.1.2 Has the security policy been published?
B.1.3 Is an owner assigned who is responsible for the maintenance and review of the policy?
B.1.3.1 Does security own the content of the policy?
B.1.4 Has the security policy been communicated to all constituents?
B.1.5 Are the following topics covered by your policies:
B.1.5.1 Acceptable use?
B.1.5.2 Access control?
B.1.5.3 Application security?
B.1.5.4 Business Continuity?
B.1.5.5 Change control?
B.1.5.6 Clean Desk?

Page 15: B. Security Policy (page 15 of 174)

B.1.5.7 Computer and communications systems access and use?
B.1.5.8 Data handling?
B.1.5.9 Desktop computing?
B.1.5.10 Disaster Recovery?
B.1.5.11 Email?
B.1.5.12 Employee accountability?
B.1.5.13 Encryption?
B.1.5.14 Exception process?
B.1.5.15 Information classification?
B.1.5.16 Internet / Intranet access and use?
B.1.5.17 Mobile computing?
B.1.5.18 Network security?
B.1.5.19 Operating system security?
B.1.5.20 Personnel security and termination?
B.1.5.21 Physical access?
B.1.5.22 Policy maintenance?
B.1.5.23 Privacy?
B.1.5.24 Remote access?
B.1.5.25 Risk management?
B.1.5.26 Secure Disposal?
B.1.5.27 Security awareness?
B.1.5.28 Security incident management?
B.1.5.29 Use of personal equipment?
B.1.5.30 Vulnerability management?
B.1.6 [AUP A.3; 5.1.2 Review of Security Policy] Is there a process in place to review published policies?
B.1.6.1 Is there a process in place to assess the risk presented by exceptions to the policy?
B.1.6.2 Is there a formal process to approve exceptions to the policy?

Page 16: B. Security Policy (page 16 of 174)

B.1.6.2.1 Does security own the approval process?
B.1.7 [AUP A.5; 5.1.1 Information Security Policy Document] Does your company have an Acceptable Use Policy?
B.1.7.1 [AUP A.4; 5.1.2 Review of Security Policy] Has the Acceptable Use Policy been reviewed within the last 12 months?
B.1.7.2 Are there penalties in place for non-compliance with corporate policies?

Page 17: C. Organizational Security (page 17 of 174)

C. Organizational Security14 Total Questions to be Answered 0% Percent Complete

AUP/ISO/PCI Reference Question # Question/Request Response Additional Information6.1 Internal Organization

C.1 ###

C.2 ###

###

C.2.1.1 ###

C.2.1.2 ###

C.2.1.3 ###

C.2.1.4 ###

C.2.1.5 ###

C.3 ###

Questionnaire Instructions: For each of the questions provided choose either Yes, No or N/A from the drop-down list provided. If N/A has been chosen then it is mandatory to supply additional explanation. Use the "Additional Information field to the right of the question. Click on the instruction pop-up box and drag if necessary.

6.1.1 Management Commitment to Info Security Is there an information security

oversight function that provides clear direction and visible management support for security initiatives within the organization?

Is there an individual or group with responsibility for security within the organization?

Does this individual or group have the following responsibilities:

Review/Approve Information Security Policies and overall responsibilities

Monitor significant changes in the exposure of information assets

Review & monitor information security incidents

Approve major initiatives to enhance information security

Develop and maintain an overall security plan

6.1.3 Allocation of Information Security Responsibilities

Is an individual or group responsible for the implementation / execution of security processes in support of policies?

C. Organizational_Security Page 18 of 174 Page(s)

C.4
C.5
C.6
C.6.1
C.7
C.7.1.1 Confidentiality agreement
C.7.1.2 Non-Disclosure Agreement
C.7.1.3
C.7.1.4 Audit reporting
C.7.1.5 On-site review
C.7.1.6 Right to audit
C.7.1.7
C.7.1.8 Notification of change
C.7.1.9 Breach Notification
C.7.1.10 SLAs
C.7.1.11 Data ownership
C.7.1.12 Insurance requirements
C.7.1.13 Indemnification/liability
C.7.1.14 Termination/exit clause
C.7.1.15 Privacy requirements
C.7.1.16 Media handling

Is an individual or group responsible for ensuring compliance with security policies?

AUP B.1 6.1.5 Confidentiality Agreements

Are all constituents required to sign confidentiality agreements?

6.1.8 Independent review of information security

Has there been an independent 3rd party review of the information security program? (If so, note the firm in the "Additional Information" column.)

If so, is there a remediation plan to address findings?

6.2.3 Addressing security in third party agreements

Do you contract with third party service providers?

Do your contracts with third party service providers who may have access to target data include the following:

Compliance with security standards

Right to inspect by relevant regulators

C. Organizational_Security Page 19 of 174 Page(s)

C.7.1.17 Media disposal
C.7.1.18 Dispute resolution
C.7.1.19
C.7.1.20 Ongoing monitoring
C.7.1.21
C.7.1.22 Choice of law
C.7.1.23
C.7.1.24
C.7.1.25

6.2 External Parties

C.7.2
C.7.2.1
C.7.3
C.7.5

Problem reporting and escalation procedures

Requirements for dependent service providers located outside of the United States

Ownership of intellectual property

Business resumption responsibilities

Employee and contractor screening practices

Is a process in place to regularly monitor your 3rd party service providers to ensure compliance with security standards?

Is there a process in place to address any identified issues?

Is an awareness program in place to communicate your security standards and expectations to 3rd party service providers?

6.2.1 Identification of risk related to external parties

Do you have an independent audit performed on your dependent third parties?

D. Asset Management Page 20 of 174 Page(s)

D. Asset Management: 16 Total Questions to be Answered, 0% Percent Complete

AUP/ISO/PCI Reference | Question # | Question/Request | Response | Additional Information

7.1 Responsibility for assets

D.1
D.1.1
D.1.2
D.1.3
D.2
D.2.1.1 asset control tag
D.2.1.2 business function supported
D.2.1.3
D.2.1.4 host name
D.2.1.5 IP address
D.2.1.6 operating system
D.2.1.7 physical location
D.2.1.8 serial number
D.2.1.9 system class
D.2.1.10 system owner
D.2.1.11 system steward

Does your company have an asset management program?

Has it been approved by executive management?

Has it been communicated to all constituents?

Is an owner(s) assigned who is (are) responsible for the maintenance and review of the program?

AUP C.1 7.1.1 Inventory of assets

Is an inventory of hardware/software assets maintained?

If so, does the hardware/software inventory record the following attributes:

environment (i.e. development, test, etc.)

D. Asset Management Page 21 of 174 Page(s)

D.2.1.12

7.1.2 Ownership of assets

D.3
D.3.1

7.2.1 Information classification

D.4
D.4.1
D.4.2 Has it been published?
D.4.3
D.4.4

7.2.2 Information labeling and handling

D.4.5.1 Data access controls?
D.4.5.2 Data destruction?
D.4.5.3 Data disposal?
D.4.5.4 Data encryption?
D.4.5.5 Data in storage?
D.4.5.6 Data in transit?
D.4.5.7 Data labeling?
D.4.5.8 Data on removable media?
D.4.5.9 Data ownership?
D.4.5.10 Data reclassification?

Is there a detailed description of software licenses (i.e., number of seats, concurrent users, etc.)?

Is ownership assigned for information assets?

If so, is the owner responsible for approving and reviewing access to those information assets?

Does your organization have an information classification policy in place?

Has it been approved by management?

Has it been communicated to all constituents?

Is an owner assigned who is responsible for the maintenance and review of the policy?

For each of the following, do documented procedures exist for the treatment and handling of information assets in accordance with their classification:

D. Asset Management Page 22 of 174 Page(s)

D.4.5.11 Data retention?
D.5
D.6

Are documented procedures in place for the disposal and/or destruction of physical media (e.g.: Paper documents, CDs, DVDs, tapes, disk drives, etc.)?

Are documented procedures in place for the reuse of physical media (e.g.: Tapes, disk drives, etc.)?

E. Human Resource Security Page 23 of 174 Page(s)

E. Human Resource Security: 51 Total Questions to be Answered, 0% Percent Complete

AUP/ISO/PCI Reference | Question # | Question/Request | Response | Additional Information

8.1 Prior to Employment

E.1
E.1.1
E.1.2 Has the policy been published?
E.1.3
E.1.4
E.2

8.1.2 Screening

E.2.1
E.2.2.1 Full Time Employees
E.2.2.2 Part Time Employees
E.2.2.3 Contractors
E.2.2.4 Temporary Workers
E.2.2.5 Information Security Employees
E.2.2.6 Physical Security Personnel

Does your company have a pre-screening policy?

Has it been approved by management?

Has it been communicated to appropriate constituents?

Is an owner assigned who is responsible for the maintenance and review of the policy?

Do you perform any background screening of applicants? This would include criminal, credit, professional/academic, references and drug screening.

Does the company use an external background screening agency?

Do the following types of employees undergo criminal background checks?

E. Human Resource Security Page 24 of 174 Page(s)

E.2.3.1 Full Time Employees
E.2.3.2 Part Time Employees
E.2.3.3 Contractors
E.2.3.4 Temporary Workers
E.2.3.5 Information Security Employees
E.2.3.6 Physical Security Personnel

E.2.4.1 Full Time Employees
E.2.4.2 Part Time Employees
E.2.4.3 Contractors
E.2.4.4 Temporary Workers
E.2.4.5 Information Security Employees
E.2.4.6 Physical Security Personnel

E.2.5.1 Full Time Employees
E.2.5.2 Part Time Employees
E.2.5.3 Contractors
E.2.5.4 Temporary Workers
E.2.5.5 Information Security Employees
E.2.5.6 Physical Security Personnel

E.2.6.1 Full Time Employees
E.2.6.2 Part Time Employees
E.2.6.3 Contractors
E.2.6.4 Temporary Workers
E.2.6.5 Information Security Employees
E.2.6.6 Physical Security Personnel

Do the following types of employees undergo credit background checks?

Do the following types of employees undergo academic/professional certification checks?

Do the following types of employees undergo reference checks?

Do the following types of employees undergo drug screening?

E. Human Resource Security Page 25 of 174 Page(s)

E.3

E.3.1.1 Full Time Employees
E.3.1.2 Part Time Employees
E.3.1.3 Contractors
E.3.1.4 Temporary Workers
E.3.1.5 Information Security Employees
E.3.1.6 Physical Security Personnel

E.3.2.1 Full Time Employees
E.3.2.2 Part Time Employees
E.3.2.3 Contractors
E.3.2.4 Temporary Workers
E.3.2.5 Information Security Employees
E.3.2.6 Physical Security Personnel

E.3.3.1 Full Time Employees
E.3.3.2 Part Time Employees
E.3.3.3 Contractors
E.3.3.4 Temporary Workers
E.3.3.5 Information Security Employees
E.3.3.6 Physical Security Personnel

E.3.4.1 Full Time Employees

Are new hires required to sign any agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire?

Are the following new hires required to accept and sign an Acceptable Use Policy?

Are the following new hires required to accept and sign a Code of Conduct / Ethics?

Are the following new hires required to accept and sign a Non-Disclosure Agreement?

Are the following new hires required to accept and sign a Confidentiality Agreement?

E. Human Resource Security Page 26 of 174 Page(s)

E.3.4.2 Part Time Employees
E.3.4.3 Contractors
E.3.4.4 Temporary Workers
E.3.4.5 Information Security Employees
E.3.4.6 Physical Security Personnel

8.2 During Employment

E.4
E.4.1
E.4.2
E.4.3
E.4.4
E.4.5
E.4.6
E.4.7

Does your organization have a security awareness training program?

AUP D.1 8.2.2 Information Security Awareness Education and Training

Do constituents participate in security awareness training?

Does your organization's security awareness training include a review of security policies, procedures and processes?

Does your organization's security awareness training include a testing component?

Are constituents required to undergo information security awareness training upon hire?

Are constituents required to undergo information security awareness training at least annually?

Is the security training commensurate with levels of responsibilities and access?

Do constituents responsible for information security undergo additional training?

E. Human Resource Security Page 27 of 174 Page(s)

E.5
E.6

E.6.1.1 Full Time Employees
E.6.1.2 Part Time Employees
E.6.1.3 Contractors
E.6.1.4 Temporary Workers
E.6.1.5 Information Security Employees
E.6.1.6 Physical Security Personnel

E.6.2.1 Full Time Employees
E.6.2.2 Part Time Employees
E.6.2.3 Contractors
E.6.2.4 Temporary Workers
E.6.2.5 Information Security Employees
E.6.2.6 Physical Security Personnel

E.6.3.1 Full Time Employees
E.6.3.2 Part Time Employees
E.6.3.3 Contractors

Are information security personnel required to obtain professional security certifications (e.g., GSEC, CISSP)?

Do you communicate Information Security Policies and procedures to constituents?

Are information security policies and procedures communicated via email to the following types of employees?

Are information security policies and procedures communicated via Intranet or bulletin board to the following types of employees?

Are information security policies and procedures communicated via documentation repository to the following types of employees?

E. Human Resource Security Page 28 of 174 Page(s)

E.6.3.4 Temporary Workers
E.6.3.5 Information Security Employees
E.6.3.6 Physical Security Personnel

E.6.4.1 Full Time Employees
E.6.4.2 Part Time Employees
E.6.4.3 Contractors
E.6.4.4 Temporary Workers
E.6.4.5 Information Security Employees
E.6.4.6 Physical Security Personnel

E.6.5.1 Full Time Employees
E.6.5.2 Part Time Employees
E.6.5.3 Contractors
E.6.5.4 Temporary Workers
E.6.5.5 Information Security Employees
E.6.5.6 Physical Security Personnel

E.6.6.1 Full Time Employees
E.6.6.2 Part Time Employees
E.6.6.3 Contractors
E.6.6.4 Temporary Workers
E.6.6.5 Information Security Employees
E.6.6.6 Physical Security Personnel

Are information security policies and procedures communicated via instructor-led training to the following types of employees?

Are information security policies and procedures communicated via web based training to the following types of employees?

Are information security policies and procedures communicated via physical media (e.g., paper, CD, etc.) to the following types of employees?

E. Human Resource Security Page 29 of 174 Page(s)

E.7

E.7.1.1 Full Time Employees
E.7.1.2 Part Time Employees
E.7.1.3 Contractors
E.7.1.4 Temporary Workers
E.7.1.5 Information Security Employees
E.7.1.6 Physical Security Personnel

E.7.2.1 Full Time Employees
E.7.2.2 Part Time Employees
E.7.2.3 Contractors
E.7.2.4 Temporary Workers
E.7.2.5 Information Security Employees
E.7.2.6 Physical Security Personnel

E.7.3.1 Full Time Employees
E.7.3.2 Part Time Employees
E.7.3.3 Contractors
E.7.3.4 Temporary Workers
E.7.3.5 Information Security Employees
E.7.3.6 Physical Security Personnel

Are your constituents required to re-read and re-accept policies, code of conduct, non-disclosure or confidentiality agreements?

Do the following types of constituents reaffirm acceptance of the Acceptable Use Policy at least annually?

Do the following types of constituents reaffirm acceptance of a Code of Conduct / Ethics policy at least annually?

Do the following types of constituents reaffirm acceptance of a Non-Disclosure Agreement at least annually?

E. Human Resource Security Page 30 of 174 Page(s)

E.7.4.1 Full Time Employees
E.7.4.2 Part Time Employees
E.7.4.3 Contractors
E.7.4.4 Temporary Workers
E.7.4.5 Information Security Employees
E.7.4.6 Physical Security Personnel

8.2.3 Disciplinary Process

E.8

8.3 Termination or Change of Employment

E.9
E.9.1
E.9.2 Has the policy been published?
E.9.3
E.9.4

8.3.1 Termination Responsibility

E.10
E.10.1.1 on the actual date of termination?
E.10.1.2

Do the following types of constituents reaffirm acceptance of a Confidentiality Agreement at least annually?

Is there a disciplinary process in place for non-compliance with Corporate Policy?

Does your company have a termination policy?

Has it been approved by management?

Has it been communicated to appropriate constituents?

Is an owner assigned who is responsible for the maintenance and review of the policy?

Does your HR department notify security / access administration of termination of constituents?

Is this notification of terminations provided:

less than one week after the termination date?

E. Human Resource Security Page 31 of 174 Page(s)

E.10.1.3
E.11
E.11.1.1
E.11.1.2
E.11.1.3
E.12

8.3.2 Return of Assets

E.12.1
E.12.2

one week or more after the termination date?

Does your HR department notify security/access administration of a constituent's change of status?

Is this notification of constituent status change provided:

on the actual date of change of status?

less than one week after the change of status date?

one week or more after the change of status date?

Does your organization have Asset return procedures or policies in place?

Is there a process in place for the return of assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) for terminated constituents?

Is there a process in place for the return of assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) for constituents with a change in status?

F. Physical and Environmental Page 32 of 174 Page(s)

F. Physical and Environmental Security: 344 Total Questions to be Answered, 0% Percent Complete

Enter Address this tab refers to:

AUP/ISO/PCI Reference | Question # | Question/Request | Additional Information

9.1 Secure Areas

F.1
F.1.1
F.1.2 Has the policy been published?
F.1.3
F.1.4
F.1.5
F.1.5.1
F.2.1 Nuclear power facilities
F.2.2
F.2.3

Does your company have a Physical Security policy?

Has it been approved by management?

Has it been communicated to appropriate constituents?

Is an owner assigned who is responsible for the maintenance and review of the policy?

Does your policy contain a right to search visitors or constituents while in your facility?

Is the right to search posted for all visitors and constituents to see?

Indicate whether the primary facility that stores target data is 20 miles or less from the following:

Chemical plants or other hazardous manufacturing or processing facilities

Natural gas, petroleum, or other pipelines

F. Physical and Environmental Page 33 of 174 Page(s)

F.2.4 Tornado zones
F.2.5 Airport
F.2.6 Railroads
F.2.7 Active fault lines
F.2.8 Government building
F.2.9 Military base or facility
F.2.10 Hurricane prone area
F.2.11 Volcanoes
F.2.12 Gas / Oil refinery
F.2.13 Coast, harbor, port
F.2.14 Forest fire zone
F.2.15 Flood zone
F.2.16
F.2.17
F.3
F.3.1
F.3.2
F.3.3
F.4.1
F.4.2

Emergency response services (e.g., fire, police, etc.)

Is the facility located in an urban center or major city?

Does the building that contains the target data reside on a campus?

Is the campus shared with other tenants?

Is the campus surrounded by a physical barrier?

Is that barrier monitored (e.g., guards, technology, etc.)?

Does the perimeter of the building that contains the target data have the following attributes:

Is the building itself wholly contained within a physical perimeter (e.g., fence)?

Is that perimeter monitored (e.g., guards, technology, etc.)?

F. Physical and Environmental Page 34 of 174 Page(s)

F.4.3.1 Adjacent roads
F.4.3.2
F.4.3.3
F.4.3.4
F.4.4
F.5
F.6 Is the building more than one floor?
F.7
F.8
F.9
F.10
F.11
F.12

Can vehicles come into close proximity to the facility where target data is stored through any of the following:

Adjacent parking lots/garage to the campus

Adjacent parking lots/garage to the building

Parking garage connected to the building (e.g., underground parking)

Are bollards or similar technology used to protect the building?

Does the building that contains the target data have the following attributes:

Is the building shared with other tenants?

Is the construction of the building rated to withstand wind speeds greater than 100 miles per hour?

Is the roof rated to withstand wind speeds of at least 100 mi/hr?

Is the roof rated to withstand loads greater than 200 pounds per square foot?

Does the building have a single point of entry?

Are windows located along the outside of the building?

Do the windows have contact alarms that will trigger if opened?

F. Physical and Environmental Page 35 of 174 Page(s)

F.13
F.14
F.15 Are any windows concealed?
F.16
F.17
F.18 Is external lighting used for all doors?
F.19
F.20
F.20.1
F.20.2
F.20.3 Is the CCTV a digital system?
F.20.4
F.21 Are all entry and exit points alarmed?
F.21.1
F.21.2 Are there door prop alarms used?
F.22 Do you use security guards?
F.22.1 Are your guards your employees?
F.22.2
F.22.3

Do all windows located outside of the building have glass break detection?

Is external lighting used for all windows?

Does the outside of the building have glass walls or doors?

Do all outside glass walls or doors have glass break detection?

Are external hinge pins used on any external doors?

Do you have a CCTV system monitoring your facility?

Is the facility (or facilities) that contains the target systems monitored 24x7x365?

Are closed circuit cameras pointed at entry points?

Are CCTV images stored for at least 90 days?

Are the alarm systems monitored 24x7x365?

Do the security guards monitor security systems and alarms?

Do security guards patrol the facility?

F. Physical and Environmental Page 36 of 174 Page(s)

F.22.4
F.22.5
F.23
F.24 Do you restrict access to your facility?
F.24.1
F.24.1.1
F.24.2
F.24.2.1
F.24.3
F.24.4
F.24.5
F.24.6

Do security guards check doors/alarms during rounds?

Do guards complete a guard report at the end of rounds?

Do emergency-specific doors only permit egress?

Is there a process in place for requesting access to the facility?

Is there a segregation of duties between those responsible for issuing and those responsible for approving access to the facility via the use of badges/keys, etc.?

Do you have a process in place to periodically review who has access to the facility?

Are user access rights reviewed at least every six months?

Do you have a process of collecting access devices (badges/keys) when a constituent terminates?

Do you use an electronic system (key card, token, fob, etc.) to control access to the facility?

Do you use a biometric reader at the points of entry to the facility?

Do you have a process of collecting access devices (badges/keys) when a constituent's role changes and no longer requires access?

F. Physical and Environmental Page 37 of 174 Page(s)

F.24.7
F.24.8
F.24.8.1
F.24.8.2
F.24.8.3
F.24.9
F.25 Do you allow visitors in your facility?
F.25.1
F.25.2
F.25.3
F.25.4
F.26
F.26.1
F.26.2

Is a process in place to report lost or stolen access cards / keys?

Do you use cipher locks (electronic or mechanical) to control access to the facility?

Do you have a process of changing codes at least every 90 days?

Do you have a process of changing codes when a constituent terminates?

Do you have a process of changing codes when a constituent's role changes and no longer requires access?

Are mechanisms in place to prevent tailgating / piggybacking into the facility?

Are visitors required to sign in and out?

Are visitors required to provide a government issued ID?

Are visitors escorted through secure areas within the facility?

Are visitor logs maintained for at least 90 days?

Do the target systems reside in a data center?

Is the data center (where target data resides) shared with other tenants?

Is access to the data center restricted?

F. Physical and Environmental Page 38 of 174 Page(s)

F.26.2.1
F.26.2.1.1
F.26.2.1.2
F.26.2.2
F.26.2.2.1
F.26.2.3
F.26.2.4
F.26.3
F.26.4
F.26.5

Is there a process in place for requesting access to the data center?

Is there a segregation of duties between those responsible for issuing and those responsible for approving access to the data center via access devices?

Is there segregation of duties between issuing and approving access to the data center?

Is there a process in place to review access to the data center?

Are user access rights reviewed at least every six months?

Is there a process in place to collect any access equipment such as badges and keys, and/or to change PINs, when a constituent terminates?

Is there a process in place to collect any access equipment such as badges and keys, and/or to change PINs, when a constituent's role changes?

Are badge readers used at points of entry to the data center?

Are biometric readers used at points of entry to the data center?

Are locked doors requiring a key or PIN used at points of entry to the data center?

F. Physical and Environmental Page 39 of 174 Page(s)

F.26.6
F.26.7
F.26.8
F.26.9
F.26.9.1
F.26.9.2
F.26.10
F.26.11
F.26.11.1
F.26.11.2
F.26.11.3
F.26.12
F.26.13
F.26.13.1
F.26.13.2 Are CCTV images stored?
F.26.13.3

Are there security guards at points of entry?

Do the security guards monitor security systems and alarms?

Is a process in place to report lost access cards / keys?

Are visitors allowed in the data center?

Are visitors required to sign in and out of the data center?

Are visitors escorted within the data center?

Is there a mechanism in place to thwart tailgating / piggybacking into the data center?

Are all entry and exit points to the data center alarmed?

Are there alarm motion sensors monitoring entry points to the data center?

Are there alarm contact sensors on the data center doors?

Are there prop alarms on data center doors?

Do emergency-specific doors only permit external egress?

Are there closed circuit cameras pointed at entry points to the data center?

Is the data center monitored 24x7x365?

Is the retention schedule for these images 90 days or greater?

F. Physical and Environmental Page 40 of 174 Page(s)

F.26.14 Do the data center walls extend from true floor to true ceiling?

F.26.15 Are the data center walls, doors and windows at least one hour fire rated?

F.26.16 Are there any windows or glass walls along the perimeter of the data center itself?

F.26.17 Does the data center have the following physical/environmental attributes:

F.26.17.1 Air conditioning unit?

F.26.17.2 Fluid or water sensor?

F.26.17.3 Heat detector?

F.26.17.4 Plumbing above ceiling (excluding fire suppression system)?

F.26.17.5 Raised floor?

F.26.17.6 Smoke detector?

F.26.17.7 Uninterruptible Power Supply (UPS)?

F.26.17.8 Vibration alarm / sensor?

F.26.17.9 Fire alarm?

F.26.17.10 Wet fire suppression?

F.26.17.11 Dry fire suppression?

F.26.17.12 Chemical fire suppression system?

F.26.17.13 Fire extinguishers?

F.26.17.14 Multiple power feeds?

F.26.17.15 Multiple communication feeds?

F.26.17.16 Emergency power off button?

F.26.17.17 Water pumps?

F.26.18 Is your data center serviced by redundant power sources?

F.26.19 Is your data center serviced by separate power substations?


F.26.20 Do you have a UPS system?

F.26.20.1 Does your UPS system support N+1?

F.26.21 Do you have a generator(s)?

F.26.21.1 Does your generator system support N+1?

F.26.22 Does the target data reside in a caged environment within a data center?

F.26.22.1 Is access to the cage restricted?

F.26.22.2 Are badge readers used at points of entry to the cage?

F.26.22.3 Are biometric readers used at points of entry to the caged environment?

F.26.22.4 Are locks requiring a key or PIN used at points of entry to the caged environment?

F.26.22.5 Is there a process in place for requesting access to the cage?

F.26.22.5.1 Is there a segregation of duties between those responsible for the storage and the granting of cage access devices (e.g. badges, keys, etc.)?

F.26.22.5.2 Is there segregation of duties in granting and approving access to the caged environment?

F.26.22.6 Is there a maintained list of all personnel possessing cards / keys to the caged environment?

F.26.22.7 Is a process in place to report lost access cards / keys?


F.26.22.8 Is there a process in place to review access to the cage?

F.26.22.9 Are user access rights reviewed at least every six months?

F.26.22.10 Is there a process in place to collect any access equipment such as badges, keys and/or change PIN numbers when a constituent terminates?

F.26.22.11 Is there a process in place to collect any access equipment such as badges, keys and/or change PIN numbers when a constituent's role changes?

F.26.22.12 Are visitors allowed in the caged environment?

F.26.22.12.1 Are visitors required to sign in and out of the caged-off area?

F.26.22.12.2 Are visitors escorted within the cage?

F.26.22.13 Are closed circuit cameras used to monitor entry points to the caged environment?

F.26.22.13.1 Is the caged environment monitored 24x7x365?

F.26.22.13.2 Are CCTV images stored for 90 days or greater?

F.26.23 Does the target data reside in a locked cabinet?

F.26.23.1 Are cabinets shared?

F.26.23.2 Is access to the cabinet restricted?

F.26.23.3 Is there a process in place for requesting access to the cabinet?


F.26.23.3.1 Is there a segregation of duties between those responsible for the storage and the granting of cabinet access devices (e.g. badges, keys, etc.)?

F.26.23.3.2 Is there segregation of duties in granting and approving access to the cabinet(s)?

F.26.23.4 Is there a maintained list of all personnel possessing cards / keys to the cabinet?

F.26.23.5 Is a process in place to report lost access cards / keys?

F.26.23.6 Is there a process in place to collect any access equipment such as badges, keys and/or change PIN numbers when a constituent terminates?

F.26.23.7 Is there a process in place to collect any access equipment such as badges, keys and/or change PIN numbers when a constituent's role changes?

F.26.23.8 Are closed circuit cameras used to monitor the cabinets?

F.26.23.8.1 Are the cabinets that store target data monitored 24x7x365?

F.26.23.8.2 Are CCTV images stored for 90 days or greater?

F.26.24 Is there a policy on using locking screensavers or locks on unattended system displays and consoles within the data center?


F.26.25 Do you have a procedure for equipment removal from the data center?

Loading Dock

F.27 Do you have or use a loading dock at your facility?

F.27.1 Do tenants share the use of the loading dock?

F.27.2 Is entry to the loading dock restricted?

F.27.2.1 Security guards at points of entry?

F.27.2.2 Badge readers at points of entry?

F.27.2.3 Biometric readers at points of entry?

F.27.2.4 Locked doors requiring a key or PIN at points of entry?

F.27.2.5 Do you use cipher locks (electronic or mechanical) to control access to the loading dock?

F.27.2.5.1 Do you have a documented process in place to periodically change codes?

F.27.2.5.2 Are the codes changed at least every 90 days?

F.27.2.5.3 Are the codes changed when a constituent that knows the code is terminated or changes roles?

F.27.3 Is there a process in place for approving access to the loading dock from inside the facility?


F.27.4 Is a process in place to periodically review access to the loading dock at least every 6 months?

F.27.5 Is there a segregation of duties between those responsible for issuing and those responsible for approving access to the loading dock via the use of badges/keys...?

F.27.6 Is a process in place to report lost access cards / keys?

F.27.7 Is a process in place to periodically review physical access to the loading dock?

F.27.8 Do you have a CCTV system monitoring the loading dock area?

F.27.8.1 Is the CCTV system digital?

F.27.8.2 Are CCTV images stored for 90 days or greater?

F.27.8.3 Is the loading dock area monitored 24x7x365?

F.27.9 Does the loading dock area contain the following physical elements:

F.27.9.1 Smoke detector?

F.27.9.2 Fire alarm?

F.27.9.3 Wet fire suppression?

F.27.9.4 Fire extinguishers?

Secured Areas

F.28 Does your facility contain a Battery/UPS Room?

F.29 Do you operate or maintain a call center as part of your business?

F.30 Does your facility contain a Generator or Generator Area?


F.31 Does your facility contain IDF closets?

F.32 Do you have a mailroom that stores or processes target data?

F.33 Does your organization use a media library to store target data?

F.34 Does your organization use a printer room to print target data?

F.35 Do you have a secured work area where employees access target data?

F.36 Does your facility have a separate room for telecom equipment, i.e. PBX?

F.37 Indicate if there is a preventive maintenance process or current maintenance contracts in place for the following:

F.37.1 UPS systems?

F.37.2 Security systems?

F.37.3 Generators?

F.37.4 Batteries?

F.37.5 Fire detection systems?

F.37.6 Fire suppression systems?

F.37.7 HVAC?

F.38 Are the following tested:

F.38.1 UPS systems at least annually?

F.38.2 Security alarm systems annually?

F.38.3 Fire alarms annually?

F.38.4 Fire suppression systems annually?

F.38.5 Are generators run tested at least monthly?

F.38.6 Are generators full-load tested at least monthly?

Battery/UPS Room


F.28 Does your facility contain a Battery/UPS Room?

F.28.1 Does the battery room contain the following elements:

F.28.2 Hydrogen sensors?

F.28.3 Windows/glass walls along perimeter?

F.28.4 Walls extending from true floor to true ceiling?

F.28.5 Is access to the battery/UPS room restricted?

F.28.5.1 Is there a process in place for approving access to the battery/UPS room?

F.28.5.2 Is a process in place to periodically review access to the battery/UPS room at least every 6 months?

F.28.5.3 Is there a segregation of duties between those responsible for issuing and those responsible for approving access to the battery/UPS room via the use of badges/keys...?

F.28.5.4 Is a process in place to report lost access cards / keys?

F.28.5.5 Are badge readers used at points of entry?

F.28.5.6 Are biometric readers used at points of entry?

F.28.5.7 Are there locked doors requiring a key or PIN at points of entry?

F.28.5.8 Do you use cipher locks (electronic or mechanical) to control access to the battery/UPS room?


F.28.5.8.1 Are the codes changed at least every 90 days?

F.28.5.8.2 Are the codes changed when a constituent that knows the code is terminated or changes roles?

F.28.5.9 Prop alarms on points of entry?

F.28.5.10 Do emergency-specific doors only permit egress?

F.28.5.11 Do you permit visitors into the battery/UPS room?

F.28.6 Do you have a CCTV system monitoring your battery/UPS room?

F.28.6.1 Is the battery/UPS room monitored 24x7x365?

F.28.6.2 Is the CCTV system digital?

F.28.6.3 Are CCTV images stored for 90 days or greater?

F.28.7 Does the battery/UPS room contain the following physical elements:

F.28.7.1 Air conditioning unit?

F.28.7.2 Fluid or water sensor?

F.28.7.3 Heat detector?

F.28.7.4 Plumbing above ceiling (excluding fire suppression system)?

F.28.7.5 Smoke detector?

F.28.7.6 Fire alarm?

F.28.7.7 Wet fire suppression?

F.28.7.8 Dry fire suppression?

F.28.7.9 Chemical fire suppression?

F.28.7.10 Fire extinguishers?

Call Center

F.29 Do you operate or maintain a call center as part of your business?


F.29.1 Do you randomly monitor calls?

F.29.2 Do you record calls for compliance reasons?

F.29.2.1 Does your recording solution indicate whether or not recordings have been tampered with (so that they are admissible as court evidence)?

F.29.3 Do you utilize paper records or electronic ones?

F.29.4 Do you have a clean desk policy?

F.29.5 Do you retain an audit trail of all calls?

F.29.6 Do you conduct "Secret Caller" penetration tests?

F.29.6.1 How often?

F.29.6.1.1 Daily

F.29.6.1.2 Weekly

F.29.6.1.3 Monthly

F.29.6.1.4 Semi-annually

F.29.6.1.5 Annually

F.29.7 Are separate access rights required to gain access to the call center?

F.29.8 Are terminals set to lock after a specified amount of time?

F.29.8.1 How long?

F.29.8.1.1 5 minutes

F.29.8.1.2 10 minutes

F.29.8.1.3 15 minutes

F.29.8.1.4 30 minutes

F.29.8.1.5 Never

F.29.8.1.6 Other (please explain)

F.29.9 Are your representatives allowed access to the internet?


F.29.10 Are they allowed access to email?

F.29.10.1 Is an email monitoring system in place to check for outgoing confidential information?

F.29.11 Are visitors required to sign in and out of the call center?

F.29.12 Is your call center included in your disaster recovery plan?

F.29.13 SIRT instructions for representatives? (Escalation procedures for incident reporting)

F.29.14 Administrator access to CRM system not allowed to view data? (config and entitlements only)

F.29.15 What type of systems does your call center utilize?

F.29.15.1 Wintel Desktop

F.29.15.2 Dumb Terminal

F.29.15.3 Wintel Laptop

F.29.16 Can your representatives make personal calls from their telecom systems?

F.29.17 Is your call center using VOIP?

F.29.17.1 Which protocol does your VoIP solution set up calls with?

F.29.17.1.1 H.323

F.29.17.1.2 SCCP

F.29.17.1.3 MGCP

F.29.17.1.4 MEGACO/H.348

F.29.17.1.5 SIP

F.29.17.1.5.1 Is SIP authentication used?

F.29.17.1.5.2 Is encryption done with IPSec or TLS (SSL)?


F.29.18 Are any of your call center representatives home based?

F.29.19 Do you outsource your call center operations?

Generator Area

F.30 Does your facility contain a Generator or Generator Area?

F.30.1 Do you have more than one generator?

F.30.1.1 Are there multiple generator areas that supply backup power to systems that contain target data?

F.30.1.2 Are the physical security and environmental controls the same for all of the generator areas?

F.30.2 Is the generator area contained within a building?

F.30.3 If the generator is not contained within a building, is it surrounded by a physical barrier?

F.30.4 Are fuel supplies for the generator readily available to ensure uninterrupted service?

F.30.5 Does the generator have the capacity to supply power to the systems that contain target data for at least 48 hours?

F.30.6 Is access to the generator area restricted?

F.30.6.1 Is there a process in place for approving access to the generator area?


F.30.6.2 Is a process in place to periodically review access to the generator area at least every 6 months?

F.30.6.3 Is there a segregation of duties between those responsible for issuing and those responsible for approving access to the generator area via the use of badges/keys...?

F.30.6.4 Is a process in place to report lost access cards / keys?

F.30.6.5 Are badge readers used at points of entry?

F.30.6.6 Are biometric readers used at points of entry?

F.30.6.7 Are there locked doors requiring a key or PIN at points of entry?

F.30.6.8 Do you use cipher locks (electronic or mechanical) to control access to the generator area?

F.30.6.8.1 Are the codes changed at least every 90 days?

F.30.6.8.2 Are the codes changed when a constituent that knows the code is terminated or changes roles?

F.30.7 Do you have a CCTV system monitoring your generator area?

F.30.7.1 Is the generator area monitored 24x7x365?

F.30.7.2 Is the CCTV system digital?

F.30.7.3 Are CCTV images stored for 90 days or greater?

IDF Closets


F.31 Does your facility contain IDF closets?

F.31.1 Is access to the IDF closets restricted?

F.31.1.1 Is there a process in place for approving access to the IDF closets?

F.31.1.2 Is a process in place to periodically review access to the IDF closets at least every 6 months?

F.31.1.3 Is there a segregation of duties between those responsible for issuing and those responsible for approving access to the IDF closets via the use of badges/keys...?

F.31.1.4 Is a process in place to report lost access cards / keys?

F.31.1.5 Are badge readers used at points of entry?

F.31.1.6 Are biometric readers used at points of entry?

F.31.1.7 Are there locked doors requiring a key or PIN at points of entry?

F.31.1.8 Do you use cipher locks (electronic or mechanical) to control access to the IDF closets?

F.31.1.8.1 Are the codes changed at least every 90 days?

F.31.1.8.2 Are the codes changed when a constituent that knows the code is terminated or changes roles?

Mailroom


F.32 Do you have a mailroom that stores or processes target data?

F.32.1 Does the mailroom contain the following elements:

F.32.1.1 Motion sensors?

F.32.1.2 Closed circuit camera pointed at entry points?

F.32.2 Is access to the mailroom restricted?

F.32.2.1 Is there a process in place for approving access to the mailroom?

F.32.2.2 Is a process in place to periodically review access to the mailroom at least every 6 months?

F.32.2.3 Is there a segregation of duties between those responsible for issuing and those responsible for approving access to the mailroom via the use of badges/keys...?

F.32.2.4 Is a process in place to report lost access cards / keys?

F.32.2.5 Are badge readers used at points of entry?

F.32.2.6 Are biometric readers used at points of entry?

F.32.2.7 Are there locked doors requiring a key or PIN at points of entry?

F.32.2.8 Do you use cipher locks (electronic or mechanical) to control access to the mailroom?

F.32.2.8.1 Are the codes changed at least every 90 days?


F.32.2.8.2 Are the codes changed when a constituent that knows the code is terminated or changes roles?

F.32.2.9 Are there prop alarms on points of entry?

F.32.2.10 Do emergency-specific doors only permit egress?

F.32.2.11 Do you permit visitors into the mailroom?

F.32.3 Do you have a CCTV system monitoring your mailroom?

F.32.3.1 Is the mailroom monitored 24x7x365?

F.32.3.2 Is the CCTV system digital?

F.32.3.3 Are CCTV images stored for 90 days or greater?

F.32.4 Does the mailroom contain the following physical elements:

F.32.4.1 Smoke detector?

F.32.4.2 Fire alarm?

F.32.4.3 Wet fire suppression?

F.32.4.4 Dry fire suppression?

F.32.4.5 Chemical fire suppression?

F.32.4.6 Fire extinguishers?

Media Library

F.33 Does your organization use a media library to store target data?

F.33.1 Does the media library contain the following elements:

F.33.1.1 Motion sensors?

F.33.1.2 Closed circuit camera pointed at entry points?

F.33.1.3 Mechanisms that thwart tailgating/piggybacking?

F.33.1.4 Windows along perimeter?


F.33.1.5 Alarms on windows?

F.33.1.6 Glass walls?

F.33.1.7 Walls extending from true floor to true ceiling?

F.33.2 Is access to the media library restricted?

F.33.2.1 Is there a process in place for approving access to the media library?

F.33.2.2 Is a process in place to periodically review access to the media library at least every 6 months?

F.33.2.3 Is there a segregation of duties between those responsible for issuing and those responsible for approving access to the media library via the use of badges/keys...?

F.33.2.4 Is a process in place to report lost access cards / keys?

F.33.2.5 Are badge readers used at points of entry?

F.33.2.6 Are biometric readers used at points of entry?

F.33.2.7 Are there locked doors requiring a key or PIN at points of entry?

F.33.2.8 Do you use cipher locks (electronic or mechanical) to control access to the media library?

F.33.2.8.1 Are the codes changed at least every 90 days?


F.33.2.8.2 Are the codes changed when a constituent that knows the code is terminated or changes roles?

F.33.2.9 Prop alarms on points of entry?

F.33.2.10 Do emergency-specific doors only permit egress?

F.33.2.11 Do you permit visitors into the media library?

F.33.3 Do you have a CCTV system monitoring your media library?

F.33.3.1 Is the media library monitored 24x7x365?

F.33.3.2 Is the CCTV system digital?

F.33.3.3 Are CCTV images stored for 90 days or greater?

F.33.4 Does the media library contain the following physical elements:

F.33.4.1 Air conditioning unit?

F.33.4.2 Fluid or water sensor?

F.33.4.3 Heat detector?

F.33.4.4 Plumbing above ceiling (excluding fire suppression system)?

F.33.4.5 Raised floor?

F.33.4.6 Smoke detector?

F.33.4.7 Fire alarm?

F.33.4.8 Wet fire suppression?

F.33.4.9 Dry fire suppression?

F.33.4.10 Chemical fire suppression?

F.33.4.11 Fire extinguishers?

Printer Room

F.34 Does your organization use a printer room to print target data?

F.34.1 Does the printer room contain the following elements:


F.34.1.1 Motion sensors?

F.34.1.2 Closed circuit camera pointed at entry points?

F.34.1.3 Mechanisms that thwart tailgating/piggybacking?

F.34.1.4 Walls extending from true floor to true ceiling?

F.34.2 Is access to the printer room restricted?

F.34.2.1 Is there a process in place for approving access to the printer room?

F.34.2.2 Is a process in place to periodically review access to the printer room at least every 6 months?

F.34.2.3 Is there a segregation of duties between those responsible for issuing and those responsible for approving access to the printer room via the use of badges/keys...?

F.34.2.4 Is a process in place to report lost access cards / keys?

F.34.2.5 Are badge readers used at points of entry?

F.34.2.6 Are biometric readers used at points of entry?

F.34.2.7 Are there locked doors requiring a key or PIN at points of entry?

F.34.2.8 Do you use cipher locks (electronic or mechanical) to control access to the printer room?

F.34.2.8.1 Are the codes changed at least every 90 days?


F.34.2.8.2 Are the codes changed when a constituent that knows the code is terminated or changes roles?

F.34.2.9 Prop alarms on points of entry?

F.34.2.10 Do emergency-specific doors only permit egress?

F.34.2.11 Do you permit visitors into the printer room?

F.34.3 Do you have a CCTV system monitoring your printer room?

F.34.3.1 Is the printer room monitored 24x7x365?

F.34.3.2 Is the CCTV system digital?

F.34.3.3 Are CCTV images stored for 90 days or greater?

Secured Work Areas

F.35 Do you have a secured work area where employees access target data?

F.35.1 Do secured work area(s) within the facility contain the following elements:

F.35.1.1 Motion sensors?

F.35.1.2 Closed circuit camera pointed at entry points?

F.35.1.3 Mechanisms that thwart tailgating/piggybacking?

F.35.1.4 Windows or glass walls along perimeter?

F.35.1.4.1 Alarms on windows/glass walls?

F.35.2 Is access to the secured work area(s) restricted?


F.35.2.1 Is there a process in place for approving access to the secured work areas?

F.35.2.2 Is a process in place to periodically review access to the secured work area(s) at least every 6 months?

F.35.2.3 Is there a segregation of duties between those responsible for issuing and those responsible for approving access to the secured work area(s) via the use of badges/keys...?

F.35.2.4 Is a process in place to report lost access cards / keys?

F.35.2.5 Are badge readers used at points of entry?

F.35.2.6 Are biometric readers used at points of entry?

F.35.2.7 Are there locked doors requiring a key or PIN at points of entry?

F.35.2.8 Do you use cipher locks (electronic or mechanical) to control access to the secured work area(s)?

F.35.2.8.1 Are the codes changed at least every 90 days?

F.35.2.8.2 Are the codes changed when a constituent that knows the code is terminated or changes roles?

F.35.2.9 Prop alarms on points of entry?

F.35.2.10 Do emergency-specific doors only permit egress?

F.35.2.11 Do you permit visitors into the secured work area(s)?


F.35.3 Do you have a CCTV system monitoring the entry points into the secured work area(s)?

F.35.3.1 Are the secured work areas monitored 24x7x365?

F.35.3.2 Is the CCTV system digital?

F.35.3.3 Are CCTV images stored for 90 days or greater?

F.35.4 Is a clean desk review performed at least every 6 months?

F.35.5 Do the secured work area(s) contain secured disposal containers, shred bins or shredders?

F.35.6 Are physical locks required on portable computers within secured work areas?

F.35.6.1 Are reviews performed at least every 6 months to ensure that portable computer locks are being used?

F.35.7 Do you have procedures on equipment removal from secured work areas?

Telecom Closets/Rooms

F.36 Does your facility have a separate room for telecom equipment, i.e. PBX?

F.36.1 Does the telecom closet/room contain the following elements:

F.36.1.1 Motion sensors?

F.36.1.2 Closed circuit camera pointed at entry points?

F.36.1.3 Mechanisms that thwart tailgating/piggybacking?

F.36.1.4 Windows along perimeter?


F.36.1.5 Alarms on windows?

F.36.1.6 Walls extending from true floor to true ceiling?

F.36.2 Is access to the telecom closet/room restricted?

F.36.2.1 Is there a process in place for approving access to the telecom closet/room?

F.36.2.2 Is a process in place to periodically review access to the telecom closet/room at least every 6 months?

F.36.2.3 Is there a segregation of duties between those responsible for issuing and those responsible for approving access to the telecom closet/room via the use of badges/keys...?

F.36.2.4 Is a process in place to report lost access cards / keys?

F.36.2.5 Are badge readers used at points of entry?

F.36.2.6 Are biometric readers used at points of entry?

F.36.2.7 Are there locked doors requiring a key or PIN at points of entry?

F.36.2.8 Do you use cipher locks (electronic or mechanical) to control access to the telecom closet/room?

F.36.2.8.1 Are the codes changed at least every 90 days?

F.36.2.8.2 Are the codes changed when a constituent that knows the code is terminated or changes roles?

F.36.2.8  Prop alarms on points of entry?
F.36.2.9  Do emergency-specific doors only permit egress?
F.36.2.10  Do you permit visitors into the telecom closet/room?
F.36.3  Do you have a CCTV system monitoring the entry point of the telecom closet/room?
F.36.3.1  Is the telecom closet/room monitored 24x7x365?
F.36.3.2  Is the CCTV system digital?
F.36.3.3  Are CCTV images stored for 90 days or greater?
F.36.4  Does the telecom closet/room contain the following physical elements:
F.36.4.1  Air conditioning unit?
F.36.4.2  Fluid or water sensor?
F.36.4.3  Heat detector?
F.36.4.4  Plumbing above ceiling (excluding fire suppression system)?
F.36.4.5  Raised floor?
F.36.4.6  Smoke detector?
F.36.4.7  Fire alarm?
F.36.4.8  Wet fire suppression?
F.36.4.9  Dry fire suppression?
F.36.4.10  Chemical fire suppression?
F.36.4.11  Fire extinguishers?

G. Communications and Operations Management
517 Total Questions to be Answered

AUP/ISO/PCI Reference | Question # | Question/Request | Response | Additional Information

Questionnaire Instructions: For each of the questions provided choose either Yes, No or N/A from the drop-down list provided. If N/A has been chosen then it is mandatory to supply additional explanation. Use the "Additional Information" field to the right of the question. Click on the instruction pop-up box and drag if necessary.

10.1 Operational Procedures and Responsibilities
10.1.2 Change Management
G.1  Does your organization have a formal change management / change control process?
G.1.1  Is a change management / change control policy in place?
G.1.1.1  Has it been approved by management?
G.1.1.2  Has the policy been internally published?
G.1.1.3  Has it been communicated to appropriate constituents?
G.1.1.4  Is an owner assigned who is responsible for the maintenance and review of the policy?
G.1.2  Does your change management / change control process require the following:
G.1.2.1  Request, review and approval of proposed changes?
G.1.2.2  Review for potential security impact?
G.1.2.3  Security approval?
G.1.2.4  Review for potential operational impact?
G.1.2.5  Customer / client approval (when applicable)?
G.1.2.6  Documentation of changes?

G.1.2.7  Pre-implementation testing?
G.1.2.8  Post-implementation testing?
G.1.2.9  Rollback procedures?
G.1.3  Are the following changes to the production environment subject to your change control process:
G.1.3.1  Network?
G.1.3.2  Systems? (AUP F.13)
G.1.3.3  Application updates? (AUP F.12)
G.1.3.4  Code changes?
G.1.4  Does your change control process require code reviews by information security prior to the implementation of internally developed applications and / or application updates?
G.1.5  Is the requestor of the proposed change separate from the approver?
G.1.6  Is information security's approval required prior to the implementation of changes?
G.1.7  Is a separation of duties enforced between those approving a change and those implementing the change?
G.1.8  Are change control logs maintained?
10.1.3 Segregation of Duties
G.2  Does your organization segregate duties between individuals granting access and those who access target data?
G.2.1  Is the user of a system also responsible for reviewing its security audit logs?

G.2.2  Is segregation of duties established to prevent the user of a system from modifying or deleting its security audit logs?
G.2.3  Is a segregation of duties enforced between those approving access requests and those implementing the request?
10.1.4 Separation of Development and Operations Facilities
G.2.4  Does your organization perform software development?
G.2.4.1  Are there different source code repositories for production and non-production?
G.2.4.2  How are the production, testing, and development environments segregated:
G.2.4.2.1  Logically
G.2.4.2.2  Physically
G.2.4.2.3  Both
G.2.4.2.4  No segregation
10.2 Third Party Services Delivery Management
10.2.2 Monitoring and Review of Third Party Services
G.3  Does your organization outsource to any third party vendors who will have access to target data (consider backup vendors, service providers, equipment support vendors, etc.)?
G.3.1  Are any of the following outsourced to a 3rd party:
G.3.1.1  Physical Site(s) (co-location, etc.)?
G.3.1.2  Site Management?
G.3.1.3  Network Services - Data?
G.3.1.4  Network Services - Telephony?
G.3.1.5  Firewall management?
G.3.1.6  IDS (Intrusion Detection)?

G.3.1.7  Router Configuration & Management?
G.3.1.8  Anti-Virus?
G.3.1.9  Sys. Admin. (Server Management & Support)?
G.3.1.10  Security Administration?
G.3.1.11  Development?
G.3.1.12  Managed Host?
G.3.1.13  Media vaulting (offsite media storage)?
G.3.1.14  Physical Security?
G.3.1.15  Vulnerability Assessment (Ethical Hack Testing)?
G.3.1.16  Security Infrastructure Engineering?
G.3.1.17  Business Continuity Management?
G.3.1.18  Other, please explain.
Third Parties
G.3.2  Do you have a process in place to review the security of a third party vendor prior to engaging their services?
G.3.3  Do you have a process in place to review the security of a third party vendor on an ongoing basis?
G.3.4  Are risk assessments or reviews conducted on your third parties?
G.3.5  Have your third party vendors undergone a security audit in the last 12 months?
G.3.6  Do you require your third parties to adhere to your policies and standards?

G.3.7  Are confidentiality agreements and/or Non-Disclosure Agreements in place with all of your third party vendors?
G.3.8  Are your third party vendors required to notify you of any changes that might affect services rendered?
G.3.9  Are any of the following outsourced to an offshore third party vendor:
G.3.9.1  Physical Site(s)?
G.3.9.2  Site Management?
G.3.9.3  Network Services - Data?
G.3.9.4  Network Services - Telephony?
G.3.9.5  Firewall?
G.3.9.6  IDS (Intrusion Detection)?
G.3.9.7  Router Configuration & Management?
G.3.9.8  Anti-Virus?
G.3.9.9  Sys. Admin. (Server Management & Support)?
G.3.9.10  Security Administration?
G.3.9.11  Development?
G.3.9.12  Database Host?
G.3.9.13  Other, please explain.
10.4 Protection Against Malicious and Mobile Code
10.4.1 Controls Against Malicious Code
G.4  Does your organization use anti-virus products?
G.4.1  Is an anti-virus / malware policy in place?
G.4.1.1  Has it been approved by management?
G.4.1.2  Has the policy been internally published?

G.4.1.3  Has it been communicated to all employees/contractors?
G.4.1.4  Is an owner assigned who is responsible for the maintenance and review of the policy?
(AUP references: F.6, F.7)
G.4.2  Has anti-virus software been installed on the following:
G.4.2.1  All workstations?
G.4.2.2  All mobile devices? (e.g. PDAs, Blackberries, Palm Pilots, etc.)
G.4.2.3  All Windows servers?
G.4.2.4  Unix and Unix-based systems? (e.g. Linux, Sun Solaris, HP-UX, etc.)
G.4.2.5  Email servers?
G.4.3  Does a process exist to facilitate emergency anti-virus signature updates?
G.4.4  How frequently do systems automatically check for new signature updates:
G.4.4.1  Every hour or less?
G.4.4.2  Every day or less?
G.4.4.3  Every week or less?
G.4.4.4  Never?
G.4.5  What is the interval between the availability of the signature update and its deployment:
G.4.5.1  Every hour or less?
G.4.5.2  Every day or less?
G.4.5.3  Every week or less?
G.4.5.4  Every month or less?
G.4.6  Is on-access / real-time scanning enabled on all workstations?

G.4.6.1  If not, is a full scan scheduled daily?
G.4.7  Is on-access / real-time scanning enabled on all servers?
G.4.7.1  If not, is a full scan scheduled daily?
G.4.8  Can a non-administrative user disable anti-virus software?
10.5 Back-Up
10.5.1 Information Back-Up
G.5  Do you perform system backups of target data?
G.5.1  Do you have a policy surrounding backup of production data?
G.5.1.1  Has it been approved by management?
G.5.1.2  Has the policy been internally published?
G.5.1.3  Has it been communicated to appropriate employees/contractors?
G.5.1.4  Is an owner assigned who is responsible for the maintenance and review of the policy?
G.5.2  How often do you back up target data:
G.5.2.1  Real-time?
G.5.2.2  Daily?
G.5.2.3  Weekly?
G.5.2.4  Monthly?
G.5.2.5  Never?
G.5.2.6  Other?
G.5.3  How long is backup data retained (mark all that are applicable):
G.5.3.1  One day or less?
G.5.3.2  One week or less?

G.5.3.3  One month or less?
G.5.3.4  Six months or less?
G.5.3.5  One year or less?
G.5.3.6  One to seven years?
G.5.3.7  Seven years or more?
G.5.4  Are tests performed regularly to determine:
G.5.4.1  The successful backup of data?
G.5.4.2  The ability to recover the data?
G.5.5  Is target data encrypted on backup media?
G.5.6  Is access to backup media restricted to authorized personnel only?
G.5.7  Is access to backup media formally requested?
G.5.8  Is access to backup media formally approved?
G.5.9  Is access to backup media logged?
(AUP references: F.17, F.18)
G.5.10  Is backup media stored offsite?
G.5.10.1  If backup media is stored offsite, are there processes in place to address:
G.5.10.1.1  Secure transport of backup media?
G.5.10.1.2  Tracking shipments?
G.5.10.1.3  Verification of receipt?
G.5.10.2  Is a process in place that addresses:
G.5.10.2.1  The destruction of offsite backup media?
G.5.10.2.2  The rotation of offsite backup media?

G.5.10.3  How long is backup data retained offsite (mark all that are applicable):
G.5.10.3.1  One day or less?
G.5.10.3.2  One week or less?
G.5.10.3.3  One month or less?
G.5.10.3.4  Six months or less?
G.5.10.3.5  One year or less?
G.5.10.3.6  One to seven years?
G.5.10.3.7  Seven years or more?
G.5.10.4  Are tests performed regularly to determine:
G.5.10.4.1  The successful backup of data?
G.5.10.4.2  The ability to recover the data?
G.5.10.5  Is target data encrypted on offsite backup media?
G.5.10.6  Is access to offsite backup media restricted to authorized personnel only?
G.5.10.7  Is access to offsite backup media formally requested?
G.5.10.8  Is access to offsite backup media formally approved?
G.5.10.9  Is access to offsite backup media logged?
10.6 Network Security Management
10.6.1 Network Controls
G.6  Does your organization have any external network connections?
G.6.1  Is every connection to an external network terminated at a firewall?
G.6.2  Are boundary devices configured to prevent communications from unapproved networks?

G.6.3  Are routing protocols configured to use authentication?
G.6.4  Do boundary devices deny all access by default?
G.6.5  Is a process in place to request, approve, log, and review access to networks across boundary devices?
G.6.6  Are boundary traffic events logged to support historical or incident research? (AUP F.5)
G.6.7  Are the following logged for blocked traffic:
G.6.7.1  Source IP address?
G.6.7.2  Source TCP port?
G.6.7.3  Destination IP address?
G.6.7.4  Destination TCP port?
G.6.7.5  Protocol?
G.6.8  Are the following logged on boundary devices:
G.6.8.1  Device errors?
G.6.8.2  Configuration change time?
G.6.8.3  User ID making a configuration change?
G.6.8.4  Security alerts?
G.6.9  Are the logs from boundary devices aggregated to a central server?
(AUP references: H.2, H.3)
G.6.10  Are security patches regularly reviewed and applied to boundary devices as appropriate?
G.6.11  Is there an approval process prior to implementing or installing a network device?
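Answering G.6.7 honestly means checking that every blocked-traffic entry actually carries the five fields, not that the device is capable of logging them. The following is an added example, not part of the SIG and not vendor code: it parses constructed netfilter/iptables-style syslog lines (the sample log below is made up for the example) and reports DROP entries that lack source IP, destination IP, ports or protocol. ICMP has no ports, so the check treats SPT/DPT as not applicable when PROTO=ICMP rather than flagging a false gap.

```python
import re

# Fields the questionnaire (G.6.7.1 - G.6.7.5) expects in a blocked-traffic log entry.
REQUIRED_FIELDS = ("SRC", "DST", "SPT", "DPT", "PROTO")

# Constructed sample lines in netfilter/iptables syslog format (not from any real device).
# Line 4 is deliberately incomplete: a device logging only protocol and destination port.
SAMPLE_LOG = """\
Jan 14 10:01:02 fw1 kernel: [1001.1] DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Jan 14 10:01:03 fw1 kernel: [1001.2] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Jan 14 10:01:04 fw1 kernel: [1001.3] DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.25 PROTO=UDP SPT=4444 DPT=161
Jan 14 10:01:05 fw1 kernel: [1001.4] DROP IN=eth0 OUT= PROTO=TCP DPT=3389
"""

# KEY=VALUE tokens as written by the netfilter LOG target (value may be empty, e.g. "OUT=").
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_entry(line):
    """Return the KEY=VALUE pairs of one log line as a dict."""
    return dict(KV_RE.findall(line))


def missing_fields(entry):
    """Fields required by G.6.7 that this entry does not carry.
    ICMP has no transport ports, so SPT/DPT are not expected for PROTO=ICMP."""
    required = list(REQUIRED_FIELDS)
    if entry.get("PROTO") == "ICMP":
        required = [f for f in required if f not in ("SPT", "DPT")]
    return [f for f in required if not entry.get(f)]


def audit_blocked_traffic_log(text):
    """Walk the log; return (number of complete DROP entries,
    list of (line_number, missing_fields) for incomplete ones)."""
    compliant, findings = 0, []
    for n, line in enumerate(text.splitlines(), 1):
        if " DROP " not in line:
            continue                      # only blocked traffic is in scope for G.6.7
        missing = missing_fields(parse_entry(line))
        if missing:
            findings.append((n, missing))
        else:
            compliant += 1
    return compliant, findings


if __name__ == "__main__":
    ok, bad = audit_blocked_traffic_log(SAMPLE_LOG)
    print(f"{ok} complete DROP entries; incomplete: {bad}")
```

Run against a day of exported logs rather than the sample; a single incomplete entry usually points at one rule whose LOG target was added without the same match options as the rest, which is the kind of detail an assessor will ask about when the answer to G.6.7 is Yes.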

G.6.12  Is communication through the boundary device controlled at both the port and IP address level?
G.6.13  Does your company have a documented standard for the ports allowed through the boundary devices?
G.6.14  Does your company have a documented process for securing and hardening boundary devices?
G.6.14.1  If so, does it address the following items:
G.6.14.1.1  Base installation and configuration standards?
G.6.14.1.2  Establishing strong password controls?
G.6.14.1.3  Changing default passwords?
G.6.14.1.4  SNMP community strings changed?
G.6.14.1.5  Establishing and maintaining access controls?
G.6.14.1.6  Removing known vulnerable configurations?
G.6.14.1.7  Version management?
G.6.14.1.8  Disabling unnecessary services?
G.6.15  Are network devices periodically monitored for continued compliance to security requirements?
G.6.16  Do production servers share IP subnet ranges with other networks?
G.6.17  Are critical network segments isolated?

G.6.18  Is a solution in place to prevent unauthorized devices from physically connecting to the internal network?
G.6.19  Are monitoring tools deployed and configured in critical segments to detect compromise of network or boundary device security?
G.6.20  Are internal users required to pass through a content filtering proxy prior to accessing the Internet?
G.6.21  Are internal systems required to pass through a content filtering proxy prior to accessing the Internet?
G.6.22  Is there an approval process to allow the implementation of extranet connections?
G.6.23  Do you allow telnet access to boundary devices?
G.6.24  Do network device logs contain the following:
G.6.24.1  Source IP address
G.6.24.2  Source port
G.6.24.3  Destination IP address
G.6.24.4  Destination port
G.6.24.5  Protocol
G.6.24.6  Successful logins
G.6.24.7  Failed login attempts
G.6.24.8  Configuration changes
G.6.24.9  Administrative activity
G.6.24.10  Disabling of audit logs
G.6.24.11  Deletion of audit logs
G.6.24.12  Changes to security settings
G.6.24.13  Changes to access privileges
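Several of the boundary-device items (default deny in G.6.4, port-and-address control in G.6.12, a documented port standard in G.6.13, and telnet exposure in G.6.23) can be verified mechanically from the device's own rule export instead of by interview. The following is an added example that is not part of the SIG and not any vendor's tooling: two constructed iptables-save style rulesets, one failing each of those items and one hardened, with a small auditor that reports which SIG item a rule fails. The allowed-port set stands in for the organization's documented standard and is an assumption of the example.

```python
# Constructed iptables-save style rulesets (not taken from any real device).
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp --dport 443 -j ACCEPT
COMMIT
"""

HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
-A FORWARD -p tcp -d 192.0.2.10 --dport 443 -j ACCEPT
-A INPUT -j LOG --log-prefix "DROP "
-A FORWARD -j LOG --log-prefix "DROP "
COMMIT
"""

# Assumed documented port standard (G.6.13): only these TCP ports may be accepted inbound.
ALLOWED_PORTS = {22, 443}


def _arg(tokens, flag):
    """Value following a flag in a tokenized iptables rule, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def audit_ruleset(text, allowed_ports=ALLOWED_PORTS):
    """Return human-readable findings for the filter table, each tagged with the SIG item it fails."""
    findings, policies = [], {}
    for line in text.splitlines():
        if line.startswith(":"):                    # chain policy line, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tokens = line.split()
            chain, target, port = tokens[1], _arg(tokens, "-j"), _arg(tokens, "--dport")
            if target != "ACCEPT" or port is None:
                continue                            # only port-based ACCEPT rules are in scope here
            port = int(port)
            if port == 23:
                findings.append(f"{chain}: telnet (tcp/23) is accepted (G.6.23)")
            elif port not in allowed_ports:
                findings.append(f"{chain}: tcp/{port} is not in the documented port standard (G.6.13)")
            # Coarse check: an ACCEPT with neither -s nor -d is port-only control, not port + IP (G.6.12).
            if "-s" not in tokens and "-d" not in tokens:
                findings.append(f"{chain}: tcp/{port} accepted from any address (G.6.12)")
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is {policies.get(chain)}, not DROP (G.6.4)")
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit_ruleset(rules) or ["no findings"])
```

The hardened set also adds the final LOG rules that G.6.6/G.6.7 rely on, so that whatever the DROP policy discards is recorded. The -s/-d test is intentionally coarse: a rule restricted by interface (-i) alone would still be reported, which is usually what an assessor wants to see explained rather than silently accepted.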

G.6.25  In the event of a network device audit log failure:
G.6.25.1  Does the network device generate an alert?
G.6.25.2  Does the network device prevent further connections?
G.6.25.3  Does the network device continue operating normally?
Extranet
G.6.26  Who owns the boundary devices and termination points in existing extranets?
G.6.26.1  Your organization?
G.6.26.2  The external 3rd party?
G.6.26.3  Mixed environment?
G.6.27  Who manages the boundary devices and termination points in existing extranets?
G.6.27.1  Your organization?
G.6.27.2  The external 3rd party?
G.6.27.3  Mixed environment?
G.6.28  Are monitoring tools used to detect compromise of network or boundary device security in the extranet?
G.6.29  Are boundary devices not owned by your company segregated from your network via a firewall?
Internet
G.6.30  Do Internet-facing boundary devices block traffic that would allow for configuration changes from external sources?

G.6.31  Do Internet-facing boundary devices block traffic that would allow for degradation or denial of service from external sources?
G.6.32  Are monitoring tools deployed and configured at the point-of-presence to detect compromise of network or boundary device security?
DMZ
G.6.33  Is the network on which Internet-facing systems reside segregated from the internal network (i.e. a DMZ)?
G.6.33.1  Is the DMZ limited to only those servers that require access from the Internet?
G.6.33.2  Are monitoring tools deployed and configured in the DMZ to detect compromise of network or boundary device security?
G.6.33.3  Is an administrative relay or intermediary system present to initiate any interactive OS-level access into the DMZ?
G.6.33.4  Is the DMZ segregated by two physically separate firewalls?
G.6.33.5  Are the logs for DMZ monitoring tools and DMZ devices stored on the internal network?
G.6.33.6  Are there separate DMZ segments for devices that:
G.6.33.6.1  only accept traffic initiated from the Internet?
G.6.33.6.2  only initiate outbound traffic to the Internet?

G.6.33.6.3  both accept and initiate connections to / from the Internet?
G.6.33.7  For incoming file transfers, how long is data stored on the DMZ:
G.6.33.7.1  Removed immediately upon receipt
G.6.33.7.2  Removed via an hourly scheduled process
G.6.33.7.3  Removed via a daily scheduled process
G.6.33.7.4  Removed via a weekly scheduled process
G.6.33.7.5  Removed manually by recipient
G.6.33.7.6  Never
G.6.33.8  Is there a separate network segment or endpoints for remote access?
G.6.33.9  Are systems that manage and monitor the DMZ located in a separate network?
G.6.33.10  Are the IP addresses associated with DMZ devices Internet routable?
Intrusion Detection / Prevention
G.6.34  Is a Network Intrusion Detection/Prevention System in place?
G.6.34.1  If so, is it in place on the following network segments:
G.6.34.1.1  Internet point-of-presence?
G.6.34.1.2  DMZ?
G.6.34.1.3  Extranet?
G.6.34.1.4  Internal production network?

G.6.34.1.5  Network segment hosting target data?
G.6.34.2  Is it configured to generate alerts in case of incidents and values exceeding normal thresholds for your environment? (AUP F.1)
G.6.34.3  Is there a formal process in place to regularly update the IDS signatures based on new threats and changes in your environment?
G.6.34.4  Is the system monitored 24x7x365?
G.6.34.5  In the event of a NIDS functionality failure, is an alert generated?
G.6.34.6  Does the NIDS inspect encrypted traffic?
G.6.34.7  Do NIDS events feed into the Incident Management process?
G.6.34.8  Is a Network Intrusion Prevention System in place?
G.6.34.9  If so, is it in place on the following network segments:
G.6.34.9.1  Internet point-of-presence?
G.6.34.9.2  DMZ?
G.6.34.9.3  Extranet?
G.6.34.9.4  Internal production network?
G.6.34.9.5  Network segment hosting target data?
G.6.34.10  Is it configured to generate alerts in case of incidents and values exceeding normal thresholds for your environment?

G.6.34.11  Is there a formal process in place to regularly update the IPS signatures based on new threats and changes in your environment?
G.6.34.12  In the event of a NIPS functionality failure, is an alert generated?
G.6.34.13  Is a host-based intrusion detection system employed in the production application environment?
Logging
G.6.34.14  Are system audit log sizes monitored to ensure availability of disk space?
G.6.34.15  Is the overwriting of audit logs disabled?
G.6.34.16  Are audit logs backed up?
Wireless
G.7  Do you allow the use of wireless networking technology in your organization?
G.7.1  Do you have a policy in place for wireless networking?
G.7.1.1  Has it been approved by management?
G.7.1.2  Has the policy been internally published?
G.7.1.3  Has it been communicated to employees/contractors?
G.7.1.4  Is an owner assigned who is responsible for the maintenance and review of the policy?

(AUP reference: F.19)
G.7.2  Is an approval process in place to use wireless network devices in the environment?
G.7.3  How are wireless access points deployed in your network?
G.7.3.1  Logically segregated from your network (VLAN)?
G.7.3.2  Physically segregated from your network?
G.7.3.3  Both
G.7.4  Is this wireless network segment firewalled from the rest of the network?
G.7.5  Are two active network connections allowed at the same time and are they routable (i.e. bridged Internet connections)? (AUP F.20)
G.7.6  Are wireless connections authenticated?
G.7.6.1  Is authentication two-factor?
G.7.7  Are logins via wireless connections logged? (AUP F.20)
G.7.8  Are wireless connections encrypted?
G.7.8.1  If so, what encryption methodology is used?
G.7.8.1.1  WEP
G.7.8.1.2  WPA
G.7.8.1.3  WPA2
G.7.8.1.4  Other (Explain)
G.7.9  Are wireless access points' SNMP community strings changed?
G.8  Do you regularly scan your organization's facilities for rogue wireless access points?
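G.7.8.1 asks which of WEP, WPA or WPA2 is in use, and G.8 asks whether the facility is scanned for rogue access points; both can be answered from a passive scan. The following is an added example, not part of the SIG and not any tool's code: it parses constructed text in the layout of `iw dev wlan0 scan` output (the scan below is made up, and the authorized BSSID list and corporate SSID are assumptions of the example), classifies each access point onto the questionnaire's choices, and reports any AP that advertises the corporate SSID from a BSSID the organization does not own, or that is owned but still WEP or open. Classification follows what the beacons advertise: an RSN information element means WPA2, a WPA element without RSN means WPA, the Privacy capability bit with neither element means WEP.

```python
import re

# Constructed sample in the layout of `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2412
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: corp-wifi
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
BSS 00:11:22:33:44:66(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: corp-wifi
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 2462
    capability: ESS Privacy (0x0011)
    SSID: corp-wifi
BSS de:ad:be:ef:00:02(on wlan0)
    freq: 2462
    capability: ESS ShortSlotTime (0x0401)
    SSID: corp-guest
"""

# Assumed inventory for the example: the organization's own access points and its SSID.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:66", "de:ad:be:ef:00:02"}
CORPORATE_SSID = "corp-wifi"

BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_scan(text):
    """One dict per BSS: bssid, ssid, whether the Privacy capability bit is set,
    and which security information elements (WPA, RSN) the beacon advertised."""
    aps, cur = [], None
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "", "privacy": False, "ies": set()}
            aps.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("SSID:"):
            cur["ssid"] = line[5:].strip()
        elif line.startswith("capability:"):
            cur["privacy"] = "Privacy" in line.split()
        elif line.startswith("RSN:"):
            cur["ies"].add("RSN")
        elif line.startswith("WPA:"):
            cur["ies"].add("WPA")
    return aps


def encryption_of(ap):
    """Map what the AP advertises onto the questionnaire's choices (G.7.8.1.1 - G.7.8.1.3)."""
    if "RSN" in ap["ies"]:
        return "WPA2"
    if "WPA" in ap["ies"]:
        return "WPA"
    if ap["privacy"]:
        return "WEP"          # Privacy bit set but no WPA/RSN element: legacy WEP
    return "Open"


def audit_scan(text, authorized=AUTHORIZED_BSSIDS, corporate_ssid=CORPORATE_SSID):
    """Findings as (bssid, ssid, encryption, issues). 'rogue' = corporate SSID from a BSSID we
    do not own (G.8); 'weak-encryption' = WEP or open on an AP we own or one cloning our SSID
    (G.7.8). Unrelated neighbouring networks are ignored."""
    findings = []
    for ap in parse_scan(text):
        ours = ap["bssid"] in authorized
        cloning = ap["ssid"] == corporate_ssid and not ours
        if not (ours or cloning):
            continue
        enc = encryption_of(ap)
        issues = []
        if cloning:
            issues.append("rogue")
        if enc in ("WEP", "Open"):
            issues.append("weak-encryption")
        if issues:
            findings.append((ap["bssid"], ap["ssid"], enc, issues))
    return findings


if __name__ == "__main__":
    for finding in audit_scan(SAMPLE_SCAN):
        print(finding)
```

A passive scan only sees what is beaconed, so an AP with a hidden SSID appears with an empty name and is not matched as a clone; a rogue-AP sweep therefore compares every observed BSSID against the inventory as well, not only those that announce the corporate name.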

Modems
G.9  Is there a list of authorized analog lines within the organization's facilities?
G.10  Are any modems used or installed in your environment (dial modem, cable modem, DSL, etc.)? This would include "phone home" modems attached to systems.
G.10.1  Is approval required prior to connecting any outbound or inbound modem lines, cable modem lines, and/or DSL phone lines to a desktop or other access point directly connected to the company-managed network?
G.10.2  Are modems ever set to auto-answer?
G.10.2.1  If auto-answer is enabled:
G.10.2.1.1  Does the modem utilize an authentication or encryption device?
G.10.2.1.2  Is the modem attached to a host that is physically and logically isolated from the company network?
G.10.2.1.3  Is the modem solely capable of receiving facsimile (fax) transmissions?
G.10.2.1.4  Is the modem set to call back?
G.10.3  Are dial-up connections logged?
G.10.3.1  If so, do these logs include caller identification?

G.10.4  Does the company regularly perform war-dialing on all analog lines to detect unauthorized modems?
10.7 Media Handling
10.7.1 Management of Removable Media
G.11  Does your organization use any removable media (e.g. CDs, DVDs, tapes, disk drives, USB devices, etc.)?
G.11.1  Is there a policy in place that addresses the use and management of removable media (e.g. CDs, DVDs, tapes, disk drives, etc.)?
G.11.1.1  Has it been approved by management?
G.11.1.2  Has the policy been internally published?
G.11.1.3  Has it been communicated to employees/contractors?
G.11.1.4  Is an owner assigned who is responsible for the maintenance and review of the policy?
10.7.2 Disposal of Media
G.11.2  Is sensitive data on removable media encrypted?
G.11.3  Is a documented process in place for the disposal of media?
G.11.3.1  Does the process define the approved method(s) for the disposal of media?
G.11.3.2  Does the process address the following:
G.11.3.2.1  CDs?
G.11.3.2.2  Paper documents?
G.11.3.2.3  Hard drives?

G.11.3.2.4  Diskettes?
G.11.3.2.5  Tapes?
G.11.3.2.6  Memory sticks?
G.11.3.2.7  DVDs?
G.11.3.2.8  Flash cards?
G.11.3.2.9  USB drives?
G.11.3.2.10  ZIP drives?
G.11.3.2.11  Handheld / Mobile devices?
G.11.3.2.12  Other (Explain)
G.11.3.3  Is the disposal/destruction of media logged in order to maintain an audit trail?
G.11.4  Is a documented process in place for the destruction of media?
G.11.4.1  Does the process define the approved method(s) for the destruction of media?
G.11.4.2  Does the process address the following:
G.11.4.2.1  CDs?
G.11.4.2.2  Paper documents?
G.11.4.2.3  Hard drives?
G.11.4.2.4  Diskettes?
G.11.4.2.5  Tapes?
G.11.4.2.6  Memory sticks?
G.11.4.2.7  DVDs?
G.11.4.2.8  Flash cards?
G.11.4.2.9  USB drives?
G.11.4.2.10  ZIP drives?
G.11.4.2.11  Handheld / Mobile devices?
G.11.4.2.12  Other (Explain)
G.11.4.3  Is the destruction of media logged in order to maintain an audit trail?

Page 85: Standardized Information Gathering (SIG) · XLS file · Web view · 2016-05-12Formula Notes Version History Overview Glossary N. Additional Questions M. SIG Lite L. Compliance K

Shared Assessments Program Standardized Information Gathering Questionnaire Version 3.1, January 14, 2008

G. Communications and Ops Mgmt Page 85 of 174 Page(s)

10.7.3 Information Handling ProceduresG.11.5 ###

G.11.5.1 ###

G.11.5.2 ###

G.11.5.3 ###

G.11.5.4 ###10.8 Exchange of Information

G.12 ###Electronic Transmissions

G.12.1 ###

###G.12.1.1.1 Electronic file transfer? ###

G.12.1.1.2 ###G.12.1.1.3 Email? ###G.12.1.1.4 Fax? ###G.12.1.1.5 Paper documents? ###G.12.1.1.6 Peer-to-peer? ###G.12.1.1.7 Instant Messaging? ###G.12.1.1.8 File sharing? ###

G.12.1.2 ###

Is there a policy in place that addresses the reuse of media?

Has it been approved by management?Has the policy been internally published?Has it been communicated to employees/contractors?

Is an owner assigned who is responsible for the maintenance and review of the policy?

10.8.1 Information Exchange Policies and Procedures

Do you send or receive (physical or electronic) data into or out of your environment?

Do you send/receive target data via electronic transmissions?

Do you have policies and/or procedures in place to protect data for all of the following transmissions:

Transporting on removable electronic media?

Do file transfer requests undergo a review and approval process?


###G.12.1.3.1 Over the Internet? ###

G.12.1.3.2 ###G.12.1.3.3 Within the DMZ? ###

G.12.1.3.4 ###G.12.1.3.5 Within the internal network? ###

G.12.1.4 ###

G.12.1.5 ###

G.12.1.6 ###

G.12.1.7 ###

G.12.1.8 ###G.12.1.9 Are file transfers logged? ###

###G.12.1.9.1.1 Connection attempted? ###G.12.1.9.1.2 Connection established? ###G.12.1.9.1.3 File exchange commenced? ###

Are transmissions of confidential information encrypted:

Over a dedicated line to external parties?

Between the DMZ and internal network?

Are transmissions of target data encrypted end-to-end within the organization?

Is a mutual authentication protocol utilized between your organization and a 3rd party to validate the integrity and origin of the data?

Does the file transfer software send notification to the sender upon completion of the transmission?

Does the file transfer software send notification to the sender upon failure of the transmission?

In the event of transmission failure, does the file transfer software attempt to retry the transmission?

If so, do the logs include the following:


G.12.1.9.1.4 File exchange error occurred? ###G.12.1.9.1.5 File exchange accomplished? ###G.12.1.9.1.6 Connection terminated? ###G.12.1.9.1.7 Authentication attempted? ###G.12.1.9.1.8 Security events? ###

10.8.3 Physical Media in Transit

G.12.2 ###

G.12.2.1 ###

###

G.12.2.2.1 ###

G.12.2.2.2 ###G.12.2.2.3 Transport company name? ###

G.12.2.2.4 ###G.12.2.2.5 Destination of media? ###G.12.2.2.6 Source of media? ###G.12.2.2.7 Delivery confirmation? ###

G.12.2.3 ###

###G.12.2.3.1.1 Unique Identifier? ###

G.12.2.3.1.2 The name of your organization? ###

G.12.2.4 ###

10.8.4 Electronic Messaging

Instant Messaging

G.13 ###

Internal Instant Messaging

G.13.1 ###

Do you send/receive target data via physical media?

Is the location of physical media tracked?

Do you record any of the following tracking elements:

Unique media tracking identifier?

Date media was shipped or received?

Name/Signature of transport company employee?

Do you label the media being shipped?

Does the label include any of the following:

Is a bonded courier used to transport physical media?

Does your company use Instant Messaging?

Do you utilize an internal instant messaging solution?


###G.13.1.1.1 File transfer? ###G.13.1.1.2 Video conferencing? ###G.13.1.1.3 Desktop sharing? ###G.13.1.1.4 Are messages encrypted? ###

G.13.1.1.5 ###

External Instant Messaging

G.13.2 ###

G.13.2.1 ###

###G.13.2.2.1 File transfer? ###G.13.2.2.2 Video conferencing? ###G.13.2.2.3 Desktop sharing? ###

Internal and External Instant Messaging

G.13.3 Are messages encrypted? ###

G.13.4 ###

G.13.5 ###

G.13.6 ###

G.13.7 ###

Email

G.14 ###

Are the following functions permitted using internal instant messaging:

Are messages logged and monitored?

Do you utilize external instant messaging?

Do you allow personal communications?

Are any of the following permitted using external instant messaging:

Are messages logged and monitored?

Do you have a policy that prohibits the exchange of target data or confidential information through Instant Messaging?

Do Instant Messaging solutions undergo a security review and approval process prior to implementation?

Are all Instant Messaging transmissions encrypted?

Does your organization use e-mail either internally or externally?


G.14.1 ###

G.14.2 ###

G.14.3 ###AUP F.16

G.14.4 ###

G.14.5 ###If so, does it filter for the following: ###

G.14.5.1.1 Content? ###G.14.5.1.2 Spam? ###G.14.5.1.3 Viruses / Malware? ###G.14.5.1.4 Attachment type? ###

10.8.5 Business Information Systems

G.15 ###

G.15.1 ###

G.15.2 ###

10.10 Monitoring

Audit Logging

Do you have a policy to protect confidential information transmitted through email?

Do you prevent the automatic forwarding of email messages?

Is confidential data transmitted through email encrypted?

Is email relaying disabled on all email servers for unauthorized systems?

Do you have a content filtering solution that scans incoming/outgoing email for confidential information?

Does your organization use application Servers for processing or storing confidential data?

Do application servers processing confidential data require mutual authentication when communicating with other systems?

Do applications using IBM's MQSeries only use certificate-based mutual authentication?


G.16 ###

G.16.1 ###

G.16.2 ###

###G.16.3.1 Originator User ID ###G.16.3.2 Event / Transaction Time ###G.16.3.3 Event / Transaction Type ###G.16.3.4 Event / Transaction Status ###G.16.3.5 PINs or passwords ###G.16.3.6 Transaction ID ###G.16.3.7 Subject ID ###G.16.3.8 Application ID ###

G.16.3.9 ###

###

G.16.4.1 ###

G.16.4.2 Is application processing halted? ###

10.10.6 Clock Synchronization

G.17 ###

###

Are logs generated for security relevant activities on network devices, operating systems, and applications?

Are these logs analyzed in near real-time through an automatic process?

Do incidents and anomalous activity feed into the Incident Management process?

Do application audit logs contain the following:

Transaction Specific Elements (e.g.: To / From Account Numbers for Funds Transfer)

In the event of an application audit log failure,

Does the application generate an alert?

Do systems and network devices utilize a common time synchronization service?

Are any of the following systems/devices synchronized off of this central time source?


G.17.1.1 UNIX/Linux Systems ###G.17.1.2 Windows Systems ###G.17.1.3 Routers ###G.17.1.4 Firewalls ###G.17.1.5 Mainframe computers ###G.17.1.6 Open VMS systems ###

G.17.2 ###

System Hardening Standards - UNIX

G.18 ###

Minimum Requirements

G.18.1 ###

User accounts

G.18.2 ###

G.18.3 ###

G.18.4 ###

G.18.5 ###

G.18.6 ###

G.18.7 ###

G.18.8 ###

G.18.9 ###

G.18.10 ###

Are all systems and network devices synchronized off the same time source?

Does your company use UNIX or Linux operating systems for storing or processing target data?

Are UNIX hardening standards documented?

Do application accounts share home directories?

Do application accounts share their primary group with non-application groups?

Do application processes run under unique application accounts?

Do application processes run under GID 0?

Are all user accounts uniquely assigned to a specific individual?

Do users own their user account's home directory?

Is file sharing restricted by group privileges?

Are user files assigned 777 privileges?

Do you require root-level rights to access or modify crontabs?


Superuser accounts

G.18.11 ###

G.18.12 ###

G.18.13 ###

G.18.14 ###

G.18.15 ###

G.18.16 ###

G.18.17 ###

G.18.18 ###

General System Requirements

G.18.19 ###AUP F.4

G.18.20 ###

G.18.21 ###

G.18.22 ###

Are users required to 'su' or 'sudo' into root?

Is direct root logon permitted from a remote session?

Does remote SU/root access require dual-factor authentication?

Do search paths for superuser contain the current working directory?

Is permission to edit service configuration files restricted to authorized personnel?

Are distributed file systems implemented?

Is a process in place to document file system implementations that are different from the standard build?

Are permissions for device special files restricted to the owner?

Is Write access to account home directories restricted to owner and root?

Are remote access tools that do not require authentication (e.g.: rhost, shost, etc.) allowed?

Is access to modify startup and shutdown scripts restricted to root-level users?

Are unnecessary services turned off?


G.18.23 ###

G.18.24 ###

G.18.25 ###

Logging

###G.18.26.1 Less than 1 day ###G.18.26.2 1 day to 1 week ###G.18.26.3 1 week to 1 month ###G.18.26.4 1 month to 6 months ###G.18.26.5 6 months to 1 year ###G.18.26.6 More than one year ###

G.18.27 ###

G.18.27.1 ###

###G.18.28.1 Successful logins ###G.18.28.2 Failed login attempts ###G.18.28.3 System configuration changes ###G.18.28.4 Administrative activity ###G.18.28.5 Disabling of audit logs ###G.18.28.6 Deletion of audit logs ###G.18.28.7 Changes to security settings ###G.18.28.8 Changes to access privileges ###G.18.28.9 User administration activity ###G.18.28.10 File permission changes ###

Are UNIX servers periodically monitored for continued compliance to security requirements?

Are 'out of compliance' conditions reported and resolved?

Are UNIX servers periodically spot-checked to ensure they are in compliance with server build standards?

How long are operating system logs retained:

Are these logs reviewed at regular intervals using a specific methodology to uncover potential incidents?

If so, is this process documented and maintained?

Do operating system logs contain the following:


G.18.28.11 failed SU / sudo commands ###

G.18.28.12 successful SU / sudo commands ###

###

G.18.29.1 ###

G.18.29.2 ###

G.18.30 ###

G.18.31 ###

G.18.32 ###

###G.18.33.1.1 Access Control Lists? ###G.18.33.1.2 Alternate storage location? ###

G.18.33.1.3 Limited administrative access? ###G.18.33.1.4 Real-time replication? ###G.18.33.1.5 Hashing? ###G.18.33.1.6 Encryption? ###

Password management

Is the minimum password length: ###G.18.34.1 Below 6 characters? ###G.18.34.2 6 characters? ###G.18.34.3 7 characters? ###G.18.34.4 8 characters? ###G.18.34.5 Above 8 characters? ###

###G.18.35.1 Uppercase letter? ###G.18.35.2 Lowercase letter? ###G.18.35.3 Number? ###

In the event of an operating system audit log failure,

Does the operating system generate an alert?

Does the operating system suspend processing?

Do audit logs trace an event to a specific individual and/or user ID?

Are audit logs stored on alternate systems?

Do you protect audit logs against modification, deletion, and/or inappropriate access?

If so, are the following controls in place:

Does the password composition require 3 of the 4 following:


G.18.35.4 Special character? ###

###G.18.36.1 Below 30 days? ###G.18.36.2 Between 30 and 60 days? ###G.18.36.3 Between 60 and 90 days? ###G.18.36.4 Greater than 90 days? ###

###G.18.37.1 Less than 6? ###G.18.37.2 Between 6 and 12? ###G.18.37.3 Greater than 12? ###

###G.18.38.1 Below 3? ###G.18.38.2 Between 3 and 5? ###G.18.38.3 Greater than 5? ###G.18.38.4 No limit? ###

###G.18.39.1 Under 1 hour? ###G.18.39.2 Under 3 hours? ###G.18.39.3 Under 12 hours? ###G.18.39.4 12 hours or more? ###

G.18.39.5 ###

###G.18.40.1 Under 1 hour? ###G.18.40.2 Under 1 day? ###G.18.40.3 1 day or more? ###

G.18.41 ###

Are password expiration requirements:

How many passwords are stored in the password history:

Is the number of invalid attempts prior to lockout:

Is the length of time before the failed login attempt count resets to zero:

Never (i.e.: Administrator intervention required)?

Is the length of time before a new password can be changed:

Can PINs or secret questions be used as a stand-alone method of authentication?


G.18.42 ###

G.18.43 ###

G.18.44 ###G.18.45 Is password shadowing enabled? ###

System Hardening Standards - Windows

G.19 ###

G.19.1 ###

Minimum Configuration Standards

G.19.2 ###

User Rights

G.19.3 ###G.19.4 Are Guest accounts disabled? ###

Security Options

G.19.5 ###

G.19.6 ###

G.19.7 ###

G.19.8 ###

G.19.9 ###

Are all passwords encrypted in transit?

Are all passwords encrypted or hashed in storage?

Are passwords displayed when entered into a system?

Does the company use Windows systems for storing or processing confidential data?

Are Windows hardening standards documented?

Does the OS log attempts to gain access?

Are user rights set to only allow access to those with a need to know?

Are Account options set to minimize unauthorized use or change of account content or status?

Are device options set to minimize unauthorized access or use?

Are domain options set to use encryption, signing, and machine password change management?

Are interactive logon options configured to minimize unauthorized access or use?

Are Microsoft network client and server options set to use encryption and digital signing?


G.19.10 ###

G.19.11.1 ###

G.19.11.2 ###G.19.12 Are unused services turned off? ###

Password management

Is the minimum password length: ###G.19.13.1 Below 6 characters? ###G.19.13.2 6 characters? ###G.19.13.3 7 characters? ###G.19.13.4 8 characters? ###G.19.13.5 Above 8 characters? ###

###G.19.14.1 Uppercase letter? ###G.19.14.2 Lowercase letter? ###G.19.14.3 Number? ###G.19.14.4 Special character? ###

###G.19.15.1 Below 30 days? ###G.19.15.2 Between 30 and 60 days? ###G.19.15.3 Between 60 and 90 days? ###G.19.15.4 Greater than 90 days? ###

###G.19.16.1 Less than 6? ###G.19.16.2 Between 6 and 12? ###G.19.16.3 Greater than 12? ###

###

Is the system configured to restrict anonymous connections (i.e. RestrictAnonymous registry setting)?

Is the server shutdown right only available to system administrators?

Is the recovery console right only available to system administrators?

Does the password composition require 3 of the 4 following:

Are password expiration requirements:

How many passwords are stored in the password history:

Is the number of invalid attempts prior to lockout:


G.19.17.1 Below 3? ###G.19.17.2 Between 3 and 5? ###G.19.17.3 Greater than 5? ###G.19.17.4 No limit? ###

###G.19.18.1 Under 1 hour? ###G.19.18.2 Under 3 hours? ###G.19.18.3 Under 12 hours? ###G.19.18.4 12 hours or more? ###

G.19.18.5 ###

###G.19.19.1 Under 1 hour? ###G.19.19.2 Under 1 day? ###G.19.19.3 1 day or more? ###

G.19.20 ###

G.19.21 ###

G.19.22 ###

G.19.23 ###

G.19.24 Are LanMan (LM) hashes disabled? ###

G.19.25 ###

G.19.26 ###

G.19.27 ###

Is the length of time before the failed login attempt count resets to zero:

Never (i.e.: Administrator intervention required)?

Is the length of time before a new password can be changed:

Can PINs or secret questions be used as a stand-alone method of authentication?

Are all passwords encrypted in transit?

Are all passwords encrypted or hashed in storage?

Are passwords displayed when entered into a system?

Are systems set to prevent the transmission and reception of LM authentication?

Are file and directory permissions strictly applied to groups?

General System Configuration Requirements

Are file partitions other than NTFS used on Windows systems?


G.19.28 ###

G.19.29 ###

G.19.30 ###

G.19.31 ###

G.19.32 ###

Logging

How long are logs retained: ###

G.19.33.1 Less than 1 day ###G.19.33.2 1 day to 1 week ###G.19.33.3 1 week to 1 month ###G.19.33.4 1 month to 6 months ###G.19.33.5 6 months to 1 year ###G.19.33.6 More than one year ###

G.19.34 ###

G.19.34.1 ###

###G.19.35.1 Successful logins ###G.19.35.2 Failed login attempts ###G.19.35.3 System configuration changes ###G.19.35.4 Administrative activity ###G.19.35.5 Disabling of audit logs ###G.19.35.6 Deletion of audit logs ###

Are systems consistently updated with the latest patches?

Are 'out of compliance' conditions reported and resolved?

Are Windows servers periodically monitored for continued compliance to security requirements?

Are Windows servers periodically spot-checked to ensure they are in compliance with server build standards?

Are all Windows servers required to join the corporate domain or Active Directory?

Are these logs reviewed at regular intervals using a specific methodology to uncover potential incidents?

If so, is this process documented and maintained?

Do operating system logs contain the following:


G.19.35.7 Changes to security settings ###G.19.35.8 Changes to access privileges ###G.19.35.9 User administration activity ###G.19.35.10 File permission changes ###

###

G.19.36.1 ###

G.19.36.2 ###

G.19.37 ###

G.19.38 ###

G.19.39 ###

###G.19.40.1.1 Access Control Lists? ###G.19.40.1.2 Alternate storage location? ###

G.19.40.1.3 Limited administrative access? ###G.19.40.1.4 Real-time replication? ###G.19.40.1.5 Hashing? ###G.19.40.1.6 Encryption? ###

G.19.41 ###

Mainframe Standards

G.20 ###

###G.20.1.1 Data integrity? ###

In the event of an operating system audit log failure,

Does the operating system generate an alert?

Does the operating system suspend processing?

Do audit logs trace an event to a specific individual and/or user ID?

Are audit logs stored on alternate systems?

Do you protect audit logs against modification, deletion, and/or inappropriate access?

If so, are the following controls in place:

Windows / Active Directory policy changes?

External Security Manager system options / RACF:

Does the company use a mainframe for storing or processing target data?

Does the ESM database environment and contents possess:


G.20.1.2 Configuration integrity? ###G.20.1.3 Assured availability? ###

G.20.2 ###

G.20.3 ###

Operating systems security options:

G.20.4 ###

G.20.5 ###

G.20.6 ###

Network security options:

G.20.7 ###

G.20.8 ###

G.20.9 ###

G.20.10 ###

Transaction, database, and data transport

G.20.11 ###

G.20.12 ###

G.20.13 ###

Are installation-written exit routines used for the ESM?

Have installation-written exit routines been verified to ensure they do not duplicate ESM security functions?

Does the ESM control the ability to run a started task in the environment?

Does the ESM protect the Authorized Program Facility?

Is the Job Entry Subsystem protected?

Are SNA and TCP/IP mainframe networks protected?

Is the transfer of confidential data encrypted?

Does network monitoring software use a security interface?

Are transaction, commands, databases, and resources protected?

Is authentication required for access to any transaction or database system?

Is connection security in place for databases and transaction systems?

Does monitoring software for transaction and database systems use a security interface?


G.20.14 ###

G.20.15 ###

Infrastructure software:

G.20.16 ###

G.20.17 ###

G.20.18 ###

G.20.19 ###

Unix Systems Services:

G.20.20 ###

G.20.21 ###

G.20.22 ###

G.20.23 ###

G.20.24 ###

Logging

How long are logs retained: ###

G.20.25.1 Less than 1 day ###

Are resource access, transmission links, and security interfaces active for data transport systems?

Are job scheduling systems secured to control the submission of production jobs into the environment?

Do storage management personnel have privileged authorities to mainframe systems?

Is the use of data transfer products secured?

Does archived data still possess the same controls as it did prior to archival?

Are security interfaces for systems monitoring software always active?

Are Unix Systems Services secured on the mainframe?

Are ESM (RACF) and inherent security configuration settings configured to support the Access Control Standards and requirements?

Are Mainframe security controls documented?

Are periodic checks performed to validate compliance with documented standards?

Are 'out of compliance' conditions reported and resolved?


G.20.25.2 1 day to 1 week ###G.20.25.3 1 week to 1 month ###G.20.25.4 1 month to 6 months ###G.20.25.5 6 months to 1 year ###G.20.25.6 More than one year ###

G.20.26 ###

G.20.26.1 ###

###G.20.27.1 Successful logins ###G.20.27.2 Failed login attempts ###G.20.27.3 System configuration changes ###G.20.27.4 Administrative activity ###G.20.27.5 Disabling of audit logs ###G.20.27.6 Deletion of audit logs ###G.20.27.7 Changes to security settings ###G.20.27.8 Changes to access privileges ###G.20.27.9 User administration activity ###G.20.27.10 File permission changes ###

###

G.20.28.1 ###

G.20.28.2 ###

G.20.29 ###

G.20.30 ###

G.20.31 ###

Are these logs reviewed at regular intervals using a specific methodology to uncover potential incidents?

If so, is this process documented and maintained?

Do operating system logs contain the following:

In the event of an operating system audit log failure,

Does the operating system generate an alert?

Does the operating system suspend processing?

Do audit logs trace an event to a specific individual and/or user ID?

Are audit logs stored on alternate systems?

Do you protect audit logs against modification, deletion, and/or inappropriate access?


###G.20.32.1.1 Access Control Lists? ###G.20.32.1.2 Alternate storage location? ###

G.20.32.1.3 Limited administrative access? ###G.20.32.1.4 Real-time replication? ###G.20.32.1.5 Hashing? ###G.20.32.1.6 Encryption? ###

Password management

Is the minimum password length: ###G.20.33.1 Below 6 characters? ###G.20.33.2 6 characters? ###G.20.33.3 7 characters? ###G.20.33.4 8 characters? ###G.20.33.5 Above 8 characters? ###

###G.20.34.1 Uppercase letter? ###G.20.34.2 Lowercase letter? ###G.20.34.3 Number? ###G.20.34.4 Special character? ###

###G.20.35.1 Below 30 days? ###G.20.35.2 Between 30 and 60 days? ###G.20.35.3 Between 60 and 90 days? ###G.20.35.4 Greater than 90 days? ###

###G.20.36.1 Less than 6? ###G.20.36.2 Between 6 and 12? ###G.20.36.3 Greater than 12? ###

###G.20.37.1 Below 3? ###

If so, are the following controls in place:

Does the password composition require 3 of the 4 following:

Are password expiration requirements:

How many passwords are stored in the password history:

Is the number of invalid attempts prior to lockout:


G.20.37.2 Between 3 and 5? ###G.20.37.3 Greater than 5? ###G.20.37.4 No limit? ###

###G.20.38.1 Under 1 hour? ###G.20.38.2 Under 3 hours? ###G.20.38.3 Under 12 hours? ###G.20.38.4 12 hours or more? ###

G.20.38.5 ###

###G.20.39.1 Under 1 hour? ###G.20.39.2 Under 1 day? ###G.20.39.3 1 day or more? ###

G.20.40 ###

G.20.41 ###

G.20.42 ###

G.20.43 ###

G.20.44 ###

Minimum Security Standards - AS/400 Standards

User and Group Profile Security Settings

G.21 ###

G.21.1 ###

Is the length of time before the failed login attempt count resets to zero:

Never (i.e.: Administrator intervention required)?

Is the length of time before a new password can be changed:

Can PINs or secret questions be used as a stand-alone method of authentication?

Are all passwords encrypted in transit?

Are all passwords encrypted or hashed in storage?

Are passwords displayed when entered into a system?

Are users required to log off mainframe computers when the session is finished?

Does the company use an AS/400 for storing or processing target data?

Are group profile assignments based on employee role?


G.21.2 ###

G.21.3 ###

G.21.4 ###

Network Security

G.21.5 ###

G.21.6 ###

System Values

G.21.7 ###

G.21.8 ###

Sensitive Commands

G.21.9 ###

G.21.10 ###

G.21.11 ###

G.21.12 ###

Do group profile assignments undergo an approval process?

Are user profiles created with the principle of least privilege?

Do users have *SAVSYS Authority to do saves and restores?

Is authority to start and stop TCP/IP and its servers restricted to administrative-level users?

Is authority to run AS/400 configuration commands restricted to administrative-level users?

Is the QSYS library the first library in the library list?

Are users restricted from signing on to the system from more than one workstation?

Is public authority set to *EXCLUDE for Sensitive Commands?

Is access to Library List commands on production AS/400 systems restricted to appropriate users?

Has *PUBLIC authority to the QPWFSERVER authorization list been revoked?

Are Security Exit Programs installed and functioning for server functions that provide an exit?


Resource Security

G.21.13 ###

G.21.14 ###

G.21.15 ###

G.21.16 ###

G.21.17 ###

G.21.18 ###

G.21.19 ###

G.21.20 ###

Logging

How long are logs retained: ###

G.21.21.1 Less than 1 day ###G.21.21.2 1 day to 1 week ###G.21.21.3 1 week to 1 month ###G.21.21.4 1 month to 6 months ###G.21.21.5 6 months to 1 year ###G.21.21.6 More than one year ###

G.21.22 ###

Are library-level and object-level protections on system libraries (Q-Libraries) shipped from the vendor implemented according to the vendor's specifications?

Is each library list constructed for a community of users?

Are Job Descriptions used to provide application-specific library lists to an application’s user community?

Are objects configured to allow users access without requiring AS/400 Special Authorities?

Has the Security Audit Journal (QAUDJRN) been created?

Is the size of the journal receivers defined for QAUDJRN?

Are AS/400 systems periodically monitored to ensure continued compliance with the documented standards?Are ‘out of compliance’ conditions reported and resolved?

Are these logs reviewed at regular intervals using a specific methodology to uncover potential incidents?


G.21.22.1 If so, is this process documented and maintained?
G.21.23 Do operating system logs contain the following:
G.21.23.1 Successful logins
G.21.23.2 Failed login attempts
G.21.23.3 System configuration changes
G.21.23.4 Administrative activity
G.21.23.5 Disabling of audit logs
G.21.23.6 Deletion of audit logs
G.21.23.7 Changes to security settings
G.21.23.8 Changes to access privileges
G.21.23.9 User administration activity
G.21.23.10 File permission changes
G.21.24 In the event of an operating system audit log failure:
G.21.24.1 Does the operating system generate an alert?
G.21.24.2 Does the operating system suspend processing?
G.21.25 Do audit logs trace an event to a specific individual and/or user ID?
G.21.26 Are audit logs stored on alternate systems?
G.21.27 Do you protect audit logs against modification, deletion, and/or inappropriate access?
G.21.28 If so, are the following controls in place:
G.21.28.1.1 Access Control Lists?
G.21.28.1.2 Alternate storage location?
G.21.28.1.3 Limited administrative access?
G.21.28.1.4 Real-time replication?
G.21.28.1.5 Hashing?
G.21.28.1.6 Encryption?
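The log questions above (G.21.22 through G.21.28, asked again for OpenVMS as G.22.25 through G.22.31) expect a review run to a stated methodology, events that can be attributed to a user ID, and a log protected against editing, for instance by hashing. The Python below is an added example, not part of the SIG and not any vendor's tooling, showing what those three answers look like when implemented. The log format, the sample lines, the event names, the five-minute window and the HMAC key are all constructed for the illustration; a real system's log would be parsed by its own format.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a made-up format: "<ISO timestamp> <event> key=value ...".
# The sys_config line carries no user= field, which a G.21.25 review must flag.
SAMPLE_LOG = """\
2008-01-14T09:00:01 login_failed user=jsmith src=10.1.1.5
2008-01-14T09:00:04 login_failed user=jsmith src=10.1.1.5
2008-01-14T09:00:07 login_failed user=jsmith src=10.1.1.5
2008-01-14T09:00:09 login_failed user=jsmith src=10.1.1.5
2008-01-14T09:00:12 login_ok user=jsmith src=10.1.1.5
2008-01-14T09:05:00 sys_config src=10.1.1.5
2008-01-14T09:06:00 audit_disabled user=opr1 src=10.1.1.9
2008-01-14T10:30:00 login_failed user=mlee src=10.1.2.7
2008-01-14T11:45:00 login_ok user=mlee src=10.1.2.7
"""

# Constructed event names for the G.21.23.5 to G.21.23.7 items; any occurrence is an incident.
CRITICAL_EVENTS = {"audit_disabled", "audit_deleted", "security_setting_changed"}


def parse_line(line):
    """Split one log line into a dict: ts, event, and any key=value fields present."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def review(log_text, threshold=3, window=timedelta(minutes=5)):
    """A fixed review methodology (G.21.22) applied to a whole log. Returns three lists:
    brute_force   users with >= threshold failed logins inside `window` followed by success
    unattributed  events that cannot be traced to a user ID (G.21.25)
    critical      tampering with the audit facility or security settings (G.21.23.5 to .7)
    """
    findings = {"brute_force": [], "unattributed": [], "critical": []}
    failures = defaultdict(list)              # user -> timestamps of recent failed logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        if "user" not in rec:
            findings["unattributed"].append(rec["event"])
            continue
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if event in CRITICAL_EVENTS:
            findings["critical"].append((user, event))
        elif event == "login_failed":
            failures[user].append(ts)
        elif event == "login_ok":
            recent = [t for t in failures[user] if ts - t <= window]
            if len(recent) >= threshold:
                findings["brute_force"].append(user)
            failures[user].clear()
    return findings


def hash_chain(log_text, key):
    """Per-line tags for the 'Hashing?' control (G.21.28.1.5): tag_i = HMAC(key, tag_{i-1} || line_i).
    Each tag covers the previous one, so editing, deleting or reordering any line changes
    every tag after it. The key must be kept where the log writer itself cannot read it."""
    tags, prev = [], b""
    for line in log_text.splitlines():
        prev = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        tags.append(prev)
    return tags


def verify_chain(log_text, key, tags):
    """True only if the log text still reproduces the recorded chain exactly."""
    return hmac.compare_digest(b"".join(hash_chain(log_text, key)), b"".join(tags))


if __name__ == "__main__":
    for name, items in review(SAMPLE_LOG).items():
        print(f"{name}: {items}")
    key = b"constructed-demo-key"
    print("chain intact:", verify_chain(SAMPLE_LOG, key, hash_chain(SAMPLE_LOG, key)))
```

On the sample, the review reports jsmith (four failures then a success inside five minutes), the unattributed sys_config event, and opr1 disabling auditing; the chain check passes on the unmodified text and fails as soon as any line is changed or the wrong key is used. Keeping the tags on a separate system (G.21.26, G.21.28.1.2) is what makes the chain useful, since an attacker who can rewrite the log and recompute the tags in place gains nothing from the hashing alone.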


Password management
G.21.29 Is the minimum password length:
G.21.29.1 Below 6 characters?
G.21.29.2 6 characters?
G.21.29.3 7 characters?
G.21.29.4 8 characters?
G.21.29.5 Above 8 characters?
G.21.30 Does the password composition require 3 of the 4 following:
G.21.30.1 Uppercase letter?
G.21.30.2 Lowercase letter?
G.21.30.3 Number?
G.21.30.4 Special character?
G.21.31 Is the password expiration requirement:
G.21.31.1 Below 30 days?
G.21.31.2 Between 30 and 60 days?
G.21.31.3 Between 60 and 90 days?
G.21.31.4 Greater than 90 days?
G.21.32 How many passwords are stored in the password history:
G.21.32.1 Less than 6?
G.21.32.2 Between 6 and 12?
G.21.32.3 Greater than 12?
G.21.33 Is the number of invalid attempts prior to lockout:
G.21.33.1 Below 3?
G.21.33.2 Between 3 and 5?
G.21.33.3 Greater than 5?
G.21.33.4 No limit?
G.21.34 Is the length of time before the failed login attempt count resets to zero:
G.21.34.1 Under 1 hour?
G.21.34.2 Under 3 hours?
G.21.34.3 Under 12 hours?


G.21.34.4 12 hours or more?
G.21.34.5 Never (i.e. administrator intervention required)?
G.21.35 Is the length of time before a new password can be changed:
G.21.35.1 Under 1 hour?
G.21.35.2 Under 1 day?
G.21.35.3 1 day or more?
G.21.36 Can PINs or secret questions be used as a stand-alone method of authentication?
G.21.37 Are all passwords encrypted in transit?
G.21.38 Are all passwords encrypted or hashed in storage?
G.21.39 Are passwords displayed when entered into a system?
Open VMS Standards
System Files and Directories
G.22 Does the company use an Open VMS (VAX or Alpha) system for storing or processing target data?
G.22.1 Do system files and directories prevent the presence of unsecured user mail files?
G.22.2 Are UIC protections in place on VMS systems?
G.22.3 Are WORLD WRITE permissions ever allowed?
User Accounts
G.22.4 Is auto logon permitted?
G.22.5 Are duplicate User IDs present?
G.22.6 Is a policy in place to require users to activate accounts within 7 days?
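The password parameters in G.21.29 through G.21.39 above (repeated for OpenVMS as G.22.32 through G.22.42) are normally enforced by the operating system or directory, which makes it easy to answer each question without seeing how the parameters interact. The Python below is an added example, not SIG material and not any product's code, that enforces the whole set in one place: length and 3-of-4 composition, expiry, history, lockout threshold, the counter-reset window (including the "never, administrator intervention required" option), minimum password age, and hashed storage. It also implements the logon behaviour asked about later in H.8.2 and H.8.3: one failure message whether the user ID or the password was wrong, and a last-logon notice on success. The policy values, the in-memory user store, the PBKDF2-SHA256 hashing and the clock helper are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Illustrative values, one per SIG question; they are not SIG requirements.
POLICY = {
    "min_length": 8,                      # G.21.29.4
    "classes_required": 3,                # G.21.30: 3 of the 4 character classes
    "max_age": timedelta(days=90),        # G.21.31.3
    "history": 12,                        # G.21.32.2
    "lockout_threshold": 5,               # G.21.33.2
    "counter_reset": timedelta(hours=1),  # G.21.34.1; None means G.21.34.5 (admin unlock only)
    "min_age": timedelta(days=1),         # G.21.35.3
}
GENERIC_FAILURE = "Logon failed."         # H.8.2: same text for a bad ID and a bad password
_DUMMY_SALT = os.urandom(16)
T0 = datetime(2008, 1, 14, 9, 0)          # constructed clock origin for the demonstration


def at(minutes=0, hours=0, days=0):
    """Constructed clock: a point in time relative to T0."""
    return T0 + timedelta(minutes=minutes, hours=hours, days=days)


def _hash(password, salt):
    """Assumed storage scheme: salted PBKDF2-SHA256, so passwords are hashed at rest (G.21.38)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def composition_ok(pw, policy=POLICY):
    """Minimum length and 'N of 4' character classes (G.21.29, G.21.30)."""
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= policy["min_length"] and sum(classes) >= policy["classes_required"]


class Account:
    def __init__(self, user, password, now, policy=POLICY):
        self.user, self.policy = user, policy
        self.history = []        # (salt, hash) of current and past passwords, newest first
        self.set_time = None     # when the current password was set
        self.failed = []         # timestamps of failed attempts still inside the reset window
        self.last_logon = None
        reason = self.change_password(password, now)
        if reason:
            raise ValueError("initial password rejected: " + reason)

    def change_password(self, new_pw, now):
        """Enforce composition, minimum age and history; return a reason string or None."""
        if not composition_ok(new_pw, self.policy):
            return "composition"
        if self.set_time is not None and now - self.set_time < self.policy["min_age"]:
            return "min_age"
        for salt, digest in self.history[:self.policy["history"]]:
            if hmac.compare_digest(_hash(new_pw, salt), digest):
                return "reused"
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(new_pw, salt)))
        self.set_time = now
        return None

    def is_locked(self, now):
        """Lockout lasts until the failure counter resets (G.21.34); with counter_reset=None
        it never resets and only admin_unlock() clears it (G.21.34.5)."""
        reset = self.policy["counter_reset"]
        if reset is not None:
            self.failed = [t for t in self.failed if now - t < reset]
        return len(self.failed) >= self.policy["lockout_threshold"]

    def logon(self, password, now):
        """Return (ok, message): a uniform failure text, or a last-logon notice on success (H.8.3)."""
        if self.is_locked(now):
            return False, GENERIC_FAILURE         # the password is not even checked
        salt, digest = self.history[0]
        if not hmac.compare_digest(_hash(password, salt), digest):
            self.failed.append(now)
            return False, GENERIC_FAILURE
        previous, self.last_logon = self.last_logon, now
        self.failed.clear()
        msg = "Last successful logon: " + (previous.isoformat() if previous else "none")
        if now - self.set_time > self.policy["max_age"]:
            msg += "; password expired, change required"   # G.21.31
        return True, msg

    def admin_unlock(self):
        self.failed = []


class UserStore:
    """Unknown user IDs get the same answer, and the same hashing cost, as a wrong password,
    so the logon prompt cannot be used to enumerate valid IDs (H.8.2)."""

    def __init__(self):
        self.accounts = {}

    def logon(self, user, password, now):
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, _DUMMY_SALT)
            return False, GENERIC_FAILURE
        return acct.logon(password, now)


if __name__ == "__main__":
    store = UserStore()
    store.accounts["jsmith"] = Account("jsmith", "Winter-2008", at())
    print(store.logon("jsmith", "wrong", at()))
    print(store.logon("jsmith", "Winter-2008", at(minutes=1)))
```

Two design points are worth noting when comparing a real system against the questionnaire. First, the lockout and the counter reset are one mechanism here: five failures inside an hour lock the account, and the lock lifts when the oldest failure ages out of the window, so answering G.21.34 also fixes how long a lockout lasts; setting counter_reset to None turns that into the "never" option, where only an administrator can clear it. Second, the history check hashes the candidate against each stored entry's own salt, which is the cost of keeping old passwords hashed rather than recoverable.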


G.22.7 Is administrative privilege restricted to those employees responsible for VMS administration?
G.22.8 Are wildcard characters allowed in the node or user name components of a proxy specification?
G.22.9 Are the following Security Auditing Components enabled:
G.22.10 The Operator Communication Manager (OPCOM) process?
G.22.11 The Audit Server (AUDIT_SERVER) process?
G.22.12 Does Open VMS perform auditing and logging to support incident and access research?
Security Auditing alarms
Audit Alarm (SET AUDIT/ALARM) command
G.22.13 Are access attempts to objects that have alarm ACEs monitored and alarmed?
G.22.14 Is the SET AUDIT command enabled?
G.22.15 Are changes to the System Authorization files audited?
G.22.16 Are unauthorized attempts (Detached, Dial-up, Local, Network, and Remote) alarmed and audited?
G.22.17 Are the following Object Access Events alarmed and audited:
G.22.17.1 File access through privileges BYPASS, SYSPRV?
G.22.17.2 File access failures?
G.22.18 Is the use of the INSTALL utility to make changes to installed images audited and alarmed?


G.22.19 Are login failures (Batch, Detached, Dialup, Local, Network, Remote, and Subprocess) alarmed and audited?
G.22.20 Are changes to the operating system's parameters alarmed and audited?
G.22.21 Are accounting events (e.g. Batch, Detached, Interactive, Login Failure, Message, Network, Print, Process, and Subprocess) audited?
G.22.22 Are VMS systems periodically monitored for continued compliance with documented standards?
G.22.23 Are 'out of compliance' conditions reported and resolved?
Logging
G.22.24 How long are logs retained:
G.22.24.1 Less than 1 day
G.22.24.2 1 day to 1 week
G.22.24.3 1 week to 1 month
G.22.24.4 1 month to 6 months
G.22.24.5 6 months to 1 year
G.22.24.6 More than one year
G.22.25 Are these logs reviewed at regular intervals using a specific methodology to uncover potential incidents?
G.22.25.1 If so, is this process documented and maintained?
G.22.26 Do operating system logs contain the following:
G.22.26.1 Successful logins
G.22.26.2 Failed login attempts


G.22.26.3 System configuration changes
G.22.26.4 Administrative activity
G.22.26.5 Disabling of audit logs
G.22.26.6 Deletion of audit logs
G.22.26.7 Changes to security settings
G.22.26.8 Changes to access privileges
G.22.26.9 User administration activity
G.22.26.10 File permission changes
G.22.27 In the event of an operating system audit log failure:
G.22.27.1 Does the operating system generate an alert?
G.22.27.2 Does the operating system suspend processing?
G.22.28 Do audit logs trace an event to a specific individual and/or user ID?
G.22.29 Are audit logs stored on alternate systems?
G.22.30 Do you protect audit logs against modification, deletion, and/or inappropriate access?
G.22.31 If so, are the following controls in place:
G.22.31.1.1 Access Control Lists?
G.22.31.1.2 Alternate storage location?
G.22.31.1.3 Limited administrative access?
G.22.31.1.4 Real-time replication?
G.22.31.1.5 Hashing?
G.22.31.1.6 Encryption?
Password management
G.22.32 Is the minimum password length:
G.22.32.1 Below 6 characters?
G.22.32.2 6 characters?
G.22.32.3 7 characters?
G.22.32.4 8 characters?


G.22.32.5 Above 8 characters?
G.22.33 Does the password composition require 3 of the 4 following:
G.22.33.1 Uppercase letter?
G.22.33.2 Lowercase letter?
G.22.33.3 Number?
G.22.33.4 Special character?
G.22.34 Is the password expiration requirement:
G.22.34.1 Below 30 days?
G.22.34.2 Between 30 and 60 days?
G.22.34.3 Between 60 and 90 days?
G.22.34.4 Greater than 90 days?
G.22.35 How many passwords are stored in the password history:
G.22.35.1 Less than 6?
G.22.35.2 Between 6 and 12?
G.22.35.3 Greater than 12?
G.22.36 Is the number of invalid attempts prior to lockout:
G.22.36.1 Below 3?
G.22.36.2 Between 3 and 5?
G.22.36.3 Greater than 5?
G.22.36.4 No limit?
G.22.37 Is the length of time before the failed login attempt count resets to zero:
G.22.37.1 Under 1 hour?
G.22.37.2 Under 3 hours?
G.22.37.3 Under 12 hours?
G.22.37.4 12 hours or more?
G.22.37.5 Never (i.e. administrator intervention required)?
G.22.38 Is the length of time before a new password can be changed:


G.22.38.1 Under 1 hour?
G.22.38.2 Under 1 day?
G.22.38.3 1 day or more?
G.22.39 Can PINs or secret questions be used as a stand-alone method of authentication?
G.22.40 Are all passwords encrypted in transit?
G.22.41 Are all passwords encrypted or hashed in storage?
G.22.42 Are passwords displayed when entered into a system?
Web Server
Configuration requirements
G.23 Does the company provide Web services?
IIS Standards
G.23.1 Does the company use Windows IIS for these Web services?
IIS User Rights:
G.23.1.1 Is anonymous access to FTP disabled?
G.23.1.2 Is membership of the IIS Administrators group restricted to those with web administration roles and responsibilities?
IIS Security Options:
G.23.1.3 Does each website have its own dedicated virtual directory structure?
G.23.1.4 Are IIS security options restricted to authorized users?
IIS Services
G.23.1.5 Are unused services turned off on IIS servers?
G.23.1.6 Do IIS services run on standard ports?


G.23.1.7 Is IIS configured to perform logging to support incident investigation?
IIS File and Directory Content:
G.23.1.8 Are all sample applications and scripts removed?
G.23.1.9 Is least privilege used when setting IIS content permissions?
G.23.1.10 Is the IIS content folder on the same drive as the operating system?
Apache Standards
G.23.2 Does the company use Apache for these Web services?
Configuration requirements
G.23.2.1 Is Apache configured to perform logging to support incident investigation?
Apache User Rights:
G.23.2.2 Is anonymous access to FTP disabled?
G.23.2.3 Is membership of the Apache group restricted to those with web administration roles and responsibilities?
Apache Security Options:
G.23.2.4 Does each website have its own dedicated virtual directory structure?
G.23.2.5 Are Apache configuration options restricted to authorized users?
Apache Services
G.23.2.6 Do Apache services run on standard ports?
Apache File and Directory Content:
G.23.2.7 Are all sample applications and scripts removed?
G.23.2.8 Is least privilege used when setting Apache permissions?
User equipment security standards


Workstation security
G.24 Does your organization use desktop computers?
G.24.1 Are employees required to use an approved standard operating environment?
G.24.2 Do applications that are not in the standard operating environment require approval from security prior to implementation?
G.24.3 Do freeware or shareware applications require approval from security prior to installation?
G.24.4 Does the use or installation of open source software (e.g. Linux, Apache, etc.) undergo an information security review and approval process?
G.24.5 Is confidential data ever stored on PCs not managed by your company?
G.24.6 Can PCs not managed by the company connect directly into the company network?
G.24.7 Is the installation of software on company-owned workstations restricted to administrators?
Mobile device security
G.25 Does your company use mobile computing devices (laptops, PDAs, etc.) to store, process or access target data?
G.25.1 Are laptops required to be attended at all times when in public places?


G.25.2 Are laptops required to be secured at all times when either inside or outside the organization's facilities?
G.25.3 Is the installation of software on company-owned mobile computing devices restricted to administrators?
G.25.4 Is confidential or sensitive data (except for email) ever stored on remote mobile devices (such as Blackberry or Palm Pilot devices)?
G.25.5 Are these devices subject to the same requirements as workstations when applicable?
G.25.6 Is encryption used to secure mobile computing devices?
Cryptography
G.26 Does your company use, manage or maintain any encryption tools?
G.26.1 Is an encryption policy in place?
G.26.1.1 Has it been approved by management?
G.26.1.2 Has the policy been internally published?
G.26.1.3 Has it been communicated to employees/contractors?
G.26.1.4 Is an owner assigned who is responsible for the maintenance and review of the policy?
G.26.2 Are encryption keys encrypted when transmitted?
G.26.3 Is target data encrypted in storage / at rest within your organization?


G.26.4 Is a centralized key management system in place?
G.26.5 Is the administration of key management handled by:
G.26.5.1 Internal resources?
G.26.5.2 External 3rd party?
G.26.5.2.1 Is a process in place to review and approve Key Management systems used by 3rd parties?
G.26.6 Does the company use public/private keys?
G.26.6.1 Do Key Management controls address the following:
G.26.6.1.1 Key refresh?
G.26.6.1.2 Key generation?
G.26.6.1.3 Hard copies?
G.26.6.1.4 Key escrow?
G.26.6.1.5 Audit trails?
G.26.6.1.6 Physical controls?
G.26.6.1.7 Key storage?
G.26.6.1.8 Key loading?
G.26.6.2 What is the encryption lifetime of symmetric keys?
G.26.6.2.1 Under 1 hour
G.26.6.2.2 Between 1 hour and 1 day
G.26.6.2.3 Between 1 day and 1 week
G.26.6.2.4 Between 1 week and 1 month
G.26.6.2.5 Between 1 month and 1 year
G.26.6.2.6 Indefinitely
G.26.6.3 What is the encryption lifetime of asymmetric keys?
G.26.6.3.1 Under 1 hour
G.26.6.3.2 Between 1 hour and 1 day
G.26.6.3.3 Between 1 day and 1 week
G.26.6.3.4 Between 1 week and 1 month


G.26.6.3.5 Between 1 month and 1 year
G.26.6.3.6 Indefinitely
G.26.6.4 Where are encryption keys stored:
G.26.6.4.1 Server hard drive
G.26.6.4.2 Server memory
G.26.6.4.3 Diskettes
G.26.6.4.4 CDs / DVDs
G.26.6.4.5 Smart cards
G.26.6.4.6 USB drive
G.26.6.4.7 Paper
G.26.6.4.8 Corporate workstation
G.26.6.4.9 Other (Explain)
G.26.6.5 Where are encryption keys generated and managed:
G.26.6.5.1 Software
G.26.6.5.2 Hardware
G.26.6.5.3 FIPS 140-compliant device
G.26.7 Are symmetric keys generated in at least two parts?
G.26.8 If so, are the parts stored on separate physical media?
G.26.9 Can a single individual have access to both parts of a symmetric key?
G.26.9.1 What is the length of symmetric encryption keys (bits):
G.26.9.1.1 0 - 64
G.26.9.1.2 65 - 128
G.26.9.1.3 129 - 256
G.26.9.1.4 Greater than 256
G.26.10 Do you allow the same key/certificate to be shared between production and non-production environments?
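G.26.7 through G.26.9 describe split knowledge and dual control for symmetric keys: the key is generated as components, each component travels on its own medium to its own custodian, and no single person ever holds the complete set. The Python below is an added example, not SIG or vendor code, of the standard XOR-component method, generalised from the questionnaire's "two parts" to any number of parts: every component is uniformly random, any subset short of the full set carries no information about the key, and the key exists only at the moment of loading. The custodian bookkeeping, the 256-bit key size and the SHA-256-based check value are assumptions for the illustration; a hardware security module derives its check value by encrypting a zero block under the key instead.

```python
import hashlib
import secrets


def _xor(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("component lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, parts=2):
    """Split `key` into `parts` XOR components (G.26.7 asks for at least two).

    The first parts-1 components are fresh random strings; the last is the key XORed with
    all of them. Any parts-1 components together are still uniformly random, so a custodian
    (or an attacker holding one medium) learns nothing about the key.
    """
    if parts < 2:
        raise ValueError("a split key needs at least two parts")
    components = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for c in components:
        last = _xor(last, c)
    return components + [last]


def combine(components):
    """Rebuild the key from all components; a missing or wrong component yields garbage."""
    key = bytes(len(components[0]))
    for c in components:
        key = _xor(key, c)
    return key


def check_value(key):
    """Assumed key check value: 3 bytes of SHA-256(key), recorded with the component set so
    the loader can confirm the reconstructed key without revealing it."""
    return hashlib.sha256(key).digest()[:3].hex()


class KeyCeremony:
    """Generates a key as components and tracks which custodian holds which one, refusing
    to give one person two of them (G.26.9). Each issued component is meant for its own
    medium (G.26.8); once issued it is no longer held by the ceremony object."""

    def __init__(self, key_bytes=32, parts=2):
        key = secrets.token_bytes(key_bytes)              # 256-bit key, G.26.9.1.3
        self._pending = dict(enumerate(split_key(key, parts)))
        self.kcv = check_value(key)
        self.holders = {}                                 # component index -> custodian
        del key                                           # no reference to the whole key is kept

    def issue(self, index, custodian):
        """Hand component `index` to `custodian`, enforcing one component per person."""
        if custodian in self.holders.values():
            raise PermissionError(f"{custodian} already holds a component")
        self.holders[index] = custodian
        return self._pending.pop(index)

    def load(self, components):
        """Key-loading step: combine the presented components and verify the check value."""
        key = combine(components)
        if check_value(key) != self.kcv:
            raise ValueError("check value mismatch: a component is wrong or corrupted")
        return key


if __name__ == "__main__":
    ceremony = KeyCeremony(parts=2)
    part_a = ceremony.issue(0, "custodian A")
    part_b = ceremony.issue(1, "custodian B")
    print("check value:", ceremony.kcv)
    print("loaded key matches:", check_value(ceremony.load([part_a, part_b])) == ceremony.kcv)
```

The check value is what lets a loading ceremony answer "did the right components arrive intact" without anyone reading the key back; it is short on purpose, so that it cannot be used to brute-force the key. The point behind G.26.9 is visible in `issue`: the control is not the XOR arithmetic but the refusal to let one person collect every component.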


G.26.11 Are default certificates provided by vendors replaced with the company's own certificates?
G.26.11.1 Are certificates used for:
G.26.11.1.1 Authentication?
G.26.11.1.2 Encryption?
G.26.11.1.3 Non-repudiation?
G.27 Do you require data encryption for confidential data in transit?
G.28 Do you require data encryption for confidential data at rest?
G.29 Does your company utilize Digital Certificates?
G.29.1 Do you use an outside Certificate Authority for your keys?
G.29.2 Do you host your own internal Certificate Authority?
G.29.3 Does the Certificate Policy for the solution address the following:
G.29.3.1 Distribution of keys to intended users, including how keys should be activated when received?
G.29.3.2 Storage of keys, including how authorized users obtain access to keys?
G.29.3.3 When keys should be changed or updated and the processes to perform these functions?
G.29.3.4 The process for dealing with compromised keys?


G.29.3.5 The process for key revocation and the process by which keys should be withdrawn or deactivated?
G.29.3.6 Key Recovery
G.29.3.7 Key Archiving
G.29.3.8 Key Destruction
G.29.3.9 Logging of Key Management Activity
G.29.4 Do you utilize a key ring solution?
G.29.5 Does the Key Management policy for the solution address the following:
G.29.5.1 Distribution of keys to intended users, including how keys should be activated when received?
G.29.5.2 Storage of keys, including how authorized users obtain access to keys?
G.29.5.3 When keys should be changed or updated and the processes to perform these functions?
G.29.5.4 The process for dealing with compromised keys?
G.29.5.5 The process for key revocation and the process by which keys should be withdrawn or deactivated?
G.29.5.6 Key Recovery
G.29.5.7 Key Archiving
G.29.5.8 Key Destruction
G.29.5.9 Logging of Key Management Activity


G.29.6 Has the Key/Certificate Management Policy been approved by management?
G.29.7 Has the Key/Certificate Management Policy been internally published?
G.29.8 Has the Key/Certificate Management Policy been communicated to employees/contractors?
G.29.9 Is an owner assigned who is responsible for the maintenance and review of the Key/Certificate Management Policy?
G.29.10 Are cryptographic keys, shared secrets and Random Number Generator (RNG) seeds encrypted in backup or archival when necessary?
G.29.11 Is there a mechanism to enforce segregation of duties between key management roles and normal operational roles?


H. Access Control (69 Total Questions to be Answered; 0% Percent Complete)

Questionnaire Instructions: For each of the questions provided, choose either Yes, No or N/A from the drop-down list provided. If N/A has been chosen, it is mandatory to supply an additional explanation; use the "Additional Information" field to the right of the question. Click on the instruction pop-up box and drag if necessary.

Columns: AUP/ISO/PCI Reference | Question # | Question/Request | Response | Additional Information

11.1 Business requirement for access control
11.1.1 Access control policy
H.1 Is an access control policy in place?
H.1.1 Has it been approved?
H.1.2 Has the policy been published?
H.1.3 Has it been communicated to constituents?
H.1.4 Is an owner assigned who is responsible for the maintenance and review of the policy?
H.1.5 Does the policy require that access controls are in place on all applications, operating systems, databases, and network devices to ensure that persons only have the minimal privileges they require?
H.2 Is access to all systems and applications based on defined roles and responsibilities or job functions?
H.3 Is multi-factor authentication deployed for "high-risk" environments?
11.2 User Access Management
11.2.1 User Registration
H.4 Does your company utilize unique user IDs to access company systems?


H.4.1 Are all user IDs uniquely associated with a specific individual?
H.4.2 Do you allow user IDs to contain data (such as SSN) that could reveal private information regarding the user?
H.4.3 Do you allow user IDs to contain data that could reveal the access level assigned to the user (e.g. Admin)?
H.4.4 Do users share user IDs?
AUP G.3
H.5 Are there formal processes in place to grant and approve access to systems holding, processing, or transporting target data?
H.5.1 Does your process for approving access requests include any of the following:
H.5.1.1 Formal request?
H.5.1.2 Management approval?
H.5.1.3 Data owner approval?
H.5.1.4 Implementation by administrator?
H.5.2 Are the approved requests for granting access logged or archived?
H.5.2.1 If so, does the record include the following:
H.5.2.1.1 Requestor's name
H.5.2.1.2 Date and time requested
H.5.2.1.3 Documented request
H.5.2.1.4 Approver's name(s)
H.5.2.1.5 Date and time approved
H.5.2.1.6 Evidence of approval
H.5.2.1.7 Administrator's name
H.5.2.1.8 Date and time implemented


H.5.2.2 How long are these approved requests retained:
H.5.2.2.1 Under 1 Month
H.5.2.2.2 Between 1 and 6 months
H.5.2.2.3 Between 6 months and 1 year
H.5.2.2.4 Between 1 and 3 years
H.5.2.2.6 Indefinitely
H.5.2.2.7 Other - Explain:
H.5.3 Do you limit system access using the following criteria:
H.5.3.1 Time of day
H.5.3.2 User account lifetime
H.5.3.3 Privilege lifetime
H.5.3.4 Physical location
H.5.3.5 Physical device
H.5.3.6 Network subnet
H.5.3.7 IP address
H.5.4 Is there a process in place to revise and update employee access during internal moves?
H.6 Do you use passwords to access systems holding, processing, or transporting target data?
H.6.1 Is there a formal password policy in place for systems holding, processing, or transporting target data?
H.6.2 Has it been approved?
H.6.3 Has the policy been published?
H.6.4 Has it been communicated to constituents?
H.6.5 Is an owner assigned who is responsible for the maintenance and review of the policy?


11.2.3 User Password Management
H.6.6 Are initial passwords communicated to users via the following method(s):
H.6.6.1 Email?
H.6.6.2 Telephone call?
H.6.6.3 Instant Messaging?
H.6.6.4 User selected?
H.6.6.5 Cell phone text message?
H.6.6.6 Paper document?
H.6.6.7 Verbal?
H.6.6.8 Encrypted communication?
H.6.6.9 Other (Explain in the "Additional Information" column)
H.6.7 Are all new constituents issued random initial passwords?
H.6.8 Are users forced to change their password upon first logon?
H.6.9 How is a user's identity verified prior to resetting a password?
H.6.9.1 Email return
H.6.9.2 Voice recognition
H.6.9.3 Secret questions
H.6.9.4 Administrator call return
H.6.9.5 Identified physical presence
H.6.9.6 Management approval
H.6.9.7 Other (Explain in the "Additional Information" column)
11.3 User Responsibilities
11.3.1 Password Use
H.6.10 Is a policy in place to prohibit users from sharing passwords?
H.6.11 Are users required to select strong passwords to access all systems holding, processing, or transporting target data?
H.6.12 Are users prohibited from keeping paper records of passwords?


H.6.13 Are users required to change passwords whenever there is any indication of possible system or password compromise?
H.6.14 Are users required to change passwords at regular intervals?
H.6.15 Are users prohibited from including passwords in any automated logon processes (e.g. stored in a macro or function key)?
AUP G.5; 11.3.2 Unattended User Equipment
H.6.16 Are users required to lock their workstation before leaving it unattended?
H.6.17 Are users required to terminate or secure active sessions when finished?
11.2.4 Review of User Access Rights
H.7 Are there formal processes in place to regularly review access to ensure that only those people with a need-to-know currently have access?
H.7.1 Are user access rights reviewed:
H.7.1.1 Every week or less?
H.7.1.2 Every month or less?
H.7.1.3 Every quarter or less?
H.7.1.4 Every year or less?
H.7.1.5 More than yearly?
H.7.1.6 Never?
H.7.2 Are privileged user access rights reviewed:
H.7.2.1 Every week or less?
H.7.2.2 Every month or less?
H.7.2.3 Every quarter or less?
H.7.2.4 Every year or less?
H.7.2.5 More than annually?
H.7.2.6 Never?


AUP G.4
H.7.3 Are requirements in place specifying how long an inactive User ID can remain inactive before it is deleted or disabled?
11.5 Operating System Access Control
H.8 Do you use electronic systems to store, process, transport, etc. target data?
AUP K.1; 11.5.1 Secure Log-on Procedures
H.8.1 Are logon banners presented at the following points:
H.8.1.1 Workstations
H.8.1.2 Production systems
H.8.1.3 Internet-facing applications
H.8.1.4 Internet-facing servers
H.8.1.5 Internal applications
H.8.1.6 Remote access
H.8.2 Upon logon failure, does the error message presented to the user describe the cause of the failure (e.g. invalid password, invalid user ID, etc.)?
H.8.3 Upon successful logon, is a message returned indicating the last time of successful logon?
11.5.3 Password Management System
H.8.4 Are password files and application system data stored in different file systems?
11.5.5 Session time-out
H.8.5 How long can a user be inactive on a workstation before the screen locks?
H.8.5.1 Under 15 minutes
H.8.5.2 Between 15 and 30 minutes
H.8.5.3 Between 30 and 60 minutes
H.8.5.4 Over 60 minutes


H.8.6 How long can a user be inactive on an interactive server session before the session terminates?
H.8.6.1 Under 5 minutes
H.8.6.2 Between 5 and 15 minutes
H.8.6.3 Between 15 and 30 minutes
H.8.6.4 Over 30 minutes
11.6 Application and Information Access Control
H.9 Does your company perform any type of application development?
H.9.1 Are developers permitted access to production environments, including read access?
H.9.2 Does your company have a formal process for emergency access to production systems?
H.9.3 Has your company defined any of the following roles:
H.9.3.1.1 Developer?
H.9.3.1.2 Production Support?
H.9.3.1.3 Administrative Users?
H.9.3.2 Have profiles been established for each role?
H.9.4 Does your company have a formal process established for when an individual requires access outside of their established role?
11.7 Mobile Computing and Teleworking
11.7.1 Mobile Computing and Communication
H.10 Is a remote access solution present in the environment?
H.10.1 Is a remote access policy in place?
H.10.2 Has it been approved?
H.10.3 Has the policy been published?
H.10.4 Has it been communicated to constituents?


H.10.5 Is an owner assigned who is responsible for the maintenance and review of the policy?
H.10.6 What type of hardware can users use for remote access into the network?
H.10.6.1 Laptops
H.10.6.2 Desktops
H.10.6.3 PDAs
H.10.6.4 Blackberries
H.10.7 Are processes in place to ensure that connecting systems have the following:
H.10.7.1 Current patch levels?
H.10.7.2 Anti-virus software?
H.10.7.3 Current virus signature files?
H.10.7.4 Personal firewall?
H.10.7.5 Supported operating system?
H.10.7.6 Anti-spyware software?
H.10.7.7 Supported software?
H.10.7.8 Supported hardware?
H.10.7.9 Is multi-factor authentication required for remote access into the organization's network?

11.7.2 Teleworking
H.11 Is a teleworking policy in place?
H.11.1 Has it been approved?
H.11.2 Has the policy been published?
H.11.3 Has it been communicated to constituents?
H.11.4 Is an owner assigned who is responsible for the maintenance and review of the policy?
H.11.5 Does the policy address the following:
H.11.5.1 Equipment security?


H.11.5.2 Protection of data?
H.11.5.3 Is the teleworking policy consistent with the organization's security policy?


I. Information Systems Acquisition Development & Maintenance (65 Total Questions to be Answered)

Column headings: AUP/ISO/PCI Reference | Question # | Question/Request | Response | Additional Information

Questionnaire Instructions: For each of the questions provided choose either Yes, No or N/A from the drop-down list provided. If N/A has been chosen then it is mandatory to supply additional explanation. Use the "Additional Information" field to the right of the question. Click on the instruction pop-up box and drag if necessary.

12.1 Security Requirements of Information Systems
12.1.1 Security Requirement Analysis and Specifications
I.1 Does your company perform any type of application development?
I.1.1 Does your organization have a documented Software Development Life Cycle (SDLC)?
I.1.2 Does your SDLC include the following components:
I.1.2.1 Initiation?
I.1.2.2 Planning?
I.1.2.3 Design?
I.1.2.4 Development?
I.1.2.5 Testing?
I.1.2.6 Implementation?
I.1.2.7 Evaluation?
I.1.2.8 Maintenance?
I.1.2.9 Disposal?
I.1.3 Are application sessions set to time out:
I.1.3.1 Under 15 minutes?
I.1.3.2 Between 15 and 30 minutes?
I.1.3.3 Between 30 and 60 minutes?
I.1.3.4 Over 60 minutes?
I.1.3.5 Never?
I.1.4 Do any of the following reside on the same physical system:
I.1.4.1 Web server and application server?


I.1.4.2 Application server and database server?
I.1.4.3 Web server and database server?
I.1.4.4 Web server, application server, and database server?
I.1.5 Are web applications configured for the following:
I.1.5.1 HTTP GET is used only within the context of a safe interaction.
I.1.5.2 Forms are used to implement unsafe operations with HTTP POST even if the application does not require user input.
I.1.5.3 Is the 'cache-control' setting set to 'no-cache'?
I.1.5.4 Are cookies set with the 'Secure' flag?
I.1.5.5 Are persistent cookies used?
I.1.5.6 Use random session IDs?
I.1.6 Are applications using server-side scripting protected from the following vulnerabilities:
I.1.6.1 Viewing instructions or code in the server script?
I.1.6.2 Modification by Web page users?
I.1.6.3 User-entered input used for script code injection?
I.1.6.4 Access via other non-Web-based services?
I.1.6.5 Dynamic generation of other server-side scripts?
I.1.6.6 Dynamically generating executable content (beyond HTML)?


I.1.6.7 Not running as a User ID with least privilege?
I.1.6.8 Running with system level privilege?
I.1.6.9 Running in a system shell context?

12.2 Correct Processing in Applications
12.2.2 Control of Internal Processing
I.1.7 Are the following performed during the development lifecycle process?
I.1.7.1 Peer code review?
I.1.7.2 Information security code review?
I.1.7.3 System testing?
I.1.7.4 Integration (end-to-end) testing?
I.1.7.5 Regression testing?
I.1.7.6 Load testing?
I.1.7.7 Installation testing?
I.1.7.8 Migration testing?
I.1.7.9 Vulnerability testing?
I.1.7.10 Acceptance testing?

12.2.3 Message Integrity
I.1.8 Is there a method to ensure data input into applications can be validated for accuracy?
I.1.9 Are validation checks performed on applications to detect any corruption of data?
I.1.10 Does the application development process explicitly guard against the following attacks?
I.1.10.1 Invalidated Input?
I.1.10.2 Broken Access Control?
I.1.10.3 Broken Authentication?
I.1.10.4 Replay attacks?
I.1.10.5 Cross Site Scripting?
I.1.10.6 Buffer Overflows?


I.1.10.7 Injection Flaws? (e.g.: SQL injection)
I.1.10.8 Improper Error Handling?
I.1.10.9 Data under-run / overrun?
I.1.10.10 Insecure Storage?
I.1.10.11 Application Denial of Service?
I.1.10.12 Insecure Configuration Management?
I.1.10.13 Improper application session termination?
I.1.11 Is an application's authenticated state maintained for every data transaction for the duration of that session?
I.1.12 Does the application provide a means for re-authenticating a user?
I.1.13 Do web-facing systems that perform authentication also require session validation for subsequent requests?
I.1.14 Are authorization checks present for all tiers or points in a multi-tiered application architecture?
I.1.15 Does application error-handling address the following:
I.1.15.1 Incomplete transactions?
I.1.15.2 Hung transactions?
I.1.15.3 Failed operating system calls?
I.1.15.4 Failed application calls?
I.1.15.5 Failed library calls?
I.1.16 Has your company been awarded any of the following industry certifications for software development:
I.1.16.1 CMM?


I.1.16.2 ISO?
I.1.16.3 Other, please describe

12.3 Cryptography Controls
I.1.17 Is a process in place to ensure that application code is digitally signed in the following instances:
I.1.17.1 Internal applications developed by your organization?
I.1.17.2 External / client applications developed by your organization?
I.1.17.3 Internal applications developed by a 3rd party?
I.1.17.4 External / client applications developed by a 3rd party?

12.4 Security of System Files
12.4.1 Control of Operational Software
I.1.18 Does the application log the following:
I.1.18.1 access?
I.1.18.2 authentication?
I.1.18.3 target data access?
I.1.18.4 target data transformations?
I.1.18.5 target data delivery?

12.5.5 Outsourced Software Development
I.1.19 Is application development performed in the following environments:
I.1.19.1 By internal developers Onshore
I.1.19.2 By internal developers Offshore
I.1.19.3 By 3rd party / outsourced developers Onshore
I.1.19.4 By 3rd party / outsourced developers Offshore
I.1.20 Are there documented access control procedures in place to protect the following:
I.1.20.1 source code?
I.1.20.2 binaries?


I.1.20.3 databases?
I.1.20.4 test data?
I.1.21 Do you segregate the following components for version management:
I.1.21.1 code?
I.1.21.2 data?
I.1.21.3 environment? (e.g.: Production, Test, QA, etc.)
I.1.22 Do changes to applications or application code go through the following:
I.1.22.1 formal documented risk assessment process?
I.1.22.2 information security review?
I.1.22.3 information security approval?

12.4.2 Protection of System Test Data
I.2 Do you perform any type of application testing?
I.2.1 Is target data ever used in the test, development, or QA environments?
I.2.2 Is test data containing sensitive information masked or obfuscated during the testing phase?
I.2.3 Is test data containing sensitive information destroyed following the testing phase?
I.2.4 Prior to implementation do applications go through the following:
I.2.4.1 formal documented risk assessment process?
I.2.4.2 information security review?
I.2.4.3 information security approval?


I.3 Does the company have an internal organization that provides project management oversight?
I.4 Does the company have an independent quality assurance function responsible for the testing of software and infrastructure prior to implementation?
I.4.1 Does the quality assurance testing of software and infrastructure prior to implementation include:
I.4.1.1 Issue tracking and resolution process?
I.4.1.2 Metrics on software defects and release incidents?
I.4.1.3 Process for using the metrics to improve the quality of the program?
I.5 Does your organization support or maintain a development, test, staging, QA or production environment?
I.5.1 Which of the following environments do you support:
I.5.1.1 development?
I.5.1.2 test?
I.5.1.3 QA?
I.5.1.4 staging?
I.5.1.5 production?

12.4.3 Access Control to Program Source Library
I.5.2 Is the development/test system segregated from the production system:
I.5.2.1 logically?
I.5.2.2 physically?


I.5.3 Is data from multiple clients co-mingled in any of the following areas:
I.5.3.1 servers?
I.5.3.2 database instances?
I.5.3.3 SAN?
I.5.3.4 LPAR?
I.5.3.5 Other, please describe
I.5.4 Are applications independently evaluated or certified by the following:
I.5.4.1 third-party testing lab?
I.5.4.2 BITS certification?
I.5.4.3 internal audit?
I.5.4.4 information security?
I.5.4.5 Other, please describe?

12.5 Security in development and support processes
12.5.1 Change control procedures
I.6 Do you have a documented change control process?
I.6.1 Are policies in place to ensure that change control procedures include:
I.6.1.1 Testing prior to deployment?
I.6.1.2 Management approval prior to deployment?
I.6.1.3 Establishment of restart points?
I.6.1.4 Management approval for sign off on changes?
I.6.2 Does the change-control process include a review of code changes by information security?

12.5.2 Technical review of applications after operating system changes
I.6.3 If system changes occur, are changes reviewed and tested prior to being introduced into production?


12.5.3 Restrictions on changes to software packages
I.6.4 Are policies and procedures in place that ensure modifications and essential changes to software packages are strictly controlled?

12.6 Technical Vulnerability Management
12.6.1 Control of technical vulnerabilities
I.7 Does your organization patch systems and applications?
AUP H.1, AUP H.2, AUP H.3
I.7.1 Is a formal process in place to patch systems and applications?
I.7.2 Is a process in place to test patches, service packs, and hotfixes prior to installation?
I.7.3 Are 3rd party alert services used to keep up to date with the latest vulnerabilities?
I.7.4 Is a process in place to evaluate and prioritize vulnerabilities?
I.7.4.1 If so, is this initiated immediately upon receipt of 3rd party alerts?

AUP K.2
I.8 Are systems and networks periodically assessed for vulnerabilities?
I.8.1 Are results reported?
I.8.2 Are discovered issues resolved?
I.8.3 Are vulnerabilities prioritized by risk and mitigated accordingly?
I.8.4 Are vulnerability assessments required during a merger / acquisition event?
I.8.5 Has an external company performed a vulnerability assessment of the IT environment within the last year?


I.8.6 Have vulnerability tests (internal/external) been performed on the application:
I.8.6.1 during testing?
I.8.6.2 after implementation?
I.8.6.3 after application changes?
I.8.6.4 regularly scheduled?
I.9 Do you support, host, maintain, etc. a web site with access to target data?
I.9.1 Are regular penetration tests executed against web-based applications?
I.10 Do you use or have installed on any system penetration, threat or vulnerability assessment tools?
I.10.1 Is a process in place to manage the use of threat and vulnerability assessment tools and the data they collect?
I.10.2 Is a process in place to approve the use of threat and vulnerability assessment tools?
I.10.3 Is there a documented process in place for the use of these tools?
I.10.4 Is the use of these tools logged?
I.10.5 Are only authorized personnel allowed to use these tools?
I.10.6 Do any of these tools capture data?
I.10.6.1 If so, do you have a process to purge the captured data?
I.10.6.2 Is there a process to verify that the data is purged?


J. Information Security Incident Management (17 Total Questions to be Answered)

Column headings: AUP/ISO/PCI Reference | Question # | Question/Request | Response | Additional Information

13.1 Reporting Information Security Events and Weaknesses
J.1 Does your company have an Incident Management policy?
J.1.1 Has it been approved by management?
J.1.2 Has the policy been published?
J.1.3 Has it been communicated to appropriate constituents?
J.1.4 Is an owner assigned who is responsible for the maintenance and review of the policy?
J.2 Does your company have a formal information security Incident Response Program / Plan?
J.2.1 Is the Incident Response Plan tested at least annually?
J.2.2 Does the Incident Response Plan include documented procedures for the following steps:
J.2.2.1 Identification of incident
J.2.2.2 Notification of stakeholders
J.2.2.3 Containment
J.2.2.4 Analysis
J.2.2.5 Tracking
J.2.2.6 Repair
J.2.2.7 Recovery
J.2.2.8 Remediation
J.2.2.9 Feedback and lessons learned


J.2.3 Have the following types of incidents been considered in the Incident Response Plan:
J.2.3.1 Information system failures or loss of service
J.2.3.2 Denial of service attacks
J.2.3.3 System exploit attacks
J.2.3.4 Breaches or loss of confidentiality
J.2.3.5 Scans or probes
J.2.3.6 Malware activity (e.g.: anti-virus, worms, Trojans)
J.2.3.7 Physical asset theft
J.2.3.8 Unauthorized physical access
J.2.3.9 Unauthorized logical access
J.2.3.10 Copyright infringement
J.2.3.11 Unauthorized use of system resources
J.2.3.12 Loss of equipment / media
J.2.3.13 Suspected breach of confidentiality
J.2.3.14 Suspected breach of systems
J.2.4 Does the Incident Response Plan require the notification of customers in the event of an incident?

13.1.1 Reporting Information Security Events
J.2.5 Does the plan include a documented process to report security incidents?

13.1.2 Reporting Security Weaknesses
J.2.6 Does the plan include a documented process to report security weaknesses?


13.2.1 Responsibilities and Procedures
J.3 Does your company have a security incident response team with clearly defined and documented roles and responsibilities?
J.3.1 Does the incident response team receive any incident-response related training or qualifications?
J.3.2 In the event of an incident, is the incident response team available to respond 24x7x365?
J.4 Is an Incident Response contact list or calling tree maintained?
J.5 Is documentation maintained on previous incidents, outcomes and issues and their remediation?


K. Business Continuity Management (37 Total Questions to be Answered)

Column headings: AUP/ISO/PCI Reference | Question # | Question/Request | Response | Additional Information

14.1 Information Security Aspects of Business Continuity Management
K.1 Does your company have a written policy for business continuity and disaster recovery?
K.1.1.1 Has the policy been approved by senior management?
K.1.1.2 Is there a designated individual or group responsible for oversight and administration of the business continuity policy and program?
K.1.2 Does the company have a formal governance body for business continuity?
K.1.3 Does senior management, an officer in the company or the board approve the business continuity plan(s)?
K.1.4 Is your business continuity / disaster recovery plan reviewed and updated at least annually?
K.1.5 Has an independent audit been completed on the business continuity plan?
K.1.6 Does the Business Continuity and/or Disaster Recovery plan address the following elements:
K.1.6.1 Conditions for activating the plan


K.1.6.3 Procedures to relocate essential business activities
K.1.6.4 A maintenance schedule that specifies how / when the plan is to be revised and tested.
K.1.6.5 Awareness and education activities
K.1.6.6 Roles and responsibilities describing who is responsible for executing all aspects of the plan
K.1.6.7 Customer notification when incidents occur?
K.1.6.8 Identification of dependencies upon third parties including utilities and service providers?
K.1.6.9 Identification of escalation procedures for third party service providers and subcontractors?
K.1.6.10 A change management process to ensure changes are replicated to contingency environments?
K.1.6.11 Identification of applications, equipment, facilities, personnel, supplies and vital records necessary for recovery?
K.1.6.12 Regular updates from the inventory of IT and telecom assets?
K.1.6.13 Procedures to perform backups of all systems, applications and data in a manner designed to ensure their availability in an emergency?


K.1.6.14 Provisions for the periodic transfer of backup media to a secure offsite storage facility?
K.1.6.15 Alternative communication strategies?
K.1.6.16 Recovery site capacity
K.1.7 Do you plan for events of varying scope ranging from a single building outage to a catastrophic regional disruption?
K.1.8 Do your plans include provisions to respond to workforce reduction events like strikes and pandemics?
K.1.9 Do you provide your customers with detailed contact information for use in emergencies?
K.1.10 Does the Plan ensure that the following information for critical vendors and service providers is documented:
K.1.10.1 List of key personnel and alternates?
Contact information including:
K.1.10.3 cell phone numbers?
K.1.10.4 office phone numbers?
K.1.10.5 off-hours phone numbers?
K.1.10.6 email addresses?
K.1.11 Does your company conduct risk assessments for processes to be included in the plan?
K.1.11.1 Does the risk assessment process address all areas of risk, including:
K.1.11.1.1 Regulatory?


K.1.11.1.2 Operational?
K.1.11.1.3 Technological?
K.1.11.1.4 Legal?
K.1.11.1.5 Financial?
K.1.11.1.6 Information Security?
K.1.11.1.7 Physical Security?
K.1.11.1.8 Personnel?
K.1.11.1.9 Customer?
K.1.13 Does your company conduct a Business Impact Analysis?
K.1.13.1 If yes, how often is the BIA conducted?
K.1.13.1.1 Every 12 months or less?
K.1.13.1.2 Greater than 12 months?
K.1.13.2 Does the Business Impact Analysis address the following:
K.1.13.2.1 Business Process Criticality (i.e., High, Medium, Low or Numerical Rating) that distinguishes the relative importance of each process
K.1.13.2.2 Specification of Recovery Time Objective
K.1.13.2.2.1 If yes, provide the number of hours to meet your Recovery Time Objective. Please enter the number of hours in the Additional Response column.
K.1.13.2.3 Specification of Recovery Point Objective
K.1.13.2.4 Maximum allowable downtime
K.1.13.2.5 Costs associated with downtime
K.1.13.2.6 Recovery site capacity


K.1.14 Does your company conduct a periodic review of the business continuity program with senior management to consider changes in organization, technology, processes, environmental and regulatory factors?
K.1.15 Is there a virtual or physical command center where management can meet, organize, and conduct emergency operations?

Business Continuity Test:
K.1.16 Does your company prepare an annual test plan?
K.1.16.1 Does the test plan include the following:
K.1.16.1.1 The number and type of tests to be conducted.
K.1.16.1.2 Test objectives for a technology outage, loss of facility or personnel
K.1.16.1.3 Identification of all parties involved, including contractors and service providers?
K.1.16.1.4 A requirement to assess the ability to retrieve vital records?
K.1.16.1.5 A process to document and evaluate testing results and remediate deficiencies?
K.1.16.2 Does your testing program include:
K.1.16.2.1 Evacuation drills?
K.1.16.2.2 Notification tests?
K.1.16.2.3 Tabletop Exercises?


K.1.16.2.4 Application recovery tests?
K.1.16.2.5 Remote Access tests?
K.1.16.2.6 Recovery site tests?
K.1.16.2.7 Full scale exercises?
K.1.16.3 Are clients involved in testing?
K.1.16.4 Are service providers / vendors included in testing?

Backup Sites:
K.1.17 Is the backup data center provided internally? (If not, note the service provider in the "Additional Information" column)
K.1.17.1 If a service provider is used, are the recovery services dedicated?
K.1.17.2 Does the backup facility(ies) have a UPS system and emergency power generators?
K.1.17.3 Are communications links with the backup facility(ies) maintained and tested as part of the ongoing disaster recovery testing?
K.1.17.4 Does the backup facility(ies) use a different power grid and telecommunications grid from those used by the primary site?

Insurance:
K.1.18 Does the company have insurance coverage for business interruptions or general services interruption?
K.1.18.1 If yes, are there limitations based on the cause of the interruption?


K.1.19 Does the company have insurance coverage for the specific products and services provided to the Receiving Company?


L. Compliance (12 Total Questions to be Answered)

Column headings: AUP/ISO/PCI Reference | Question # | Question/Request | Response | Additional Information

15.1 Compliance with Legal Requirements
15.1.1 Identification of Applicable Legislations
L.1 Is your organization required to comply with any legal, regulatory or industry requirements, etc. (GLBA, SOX, PCI)?
L.1.1 Which of the following legal and/or regulatory requirements is your organization required to comply with:
L.1.1.1 GLBA?
L.1.1.2 Sarbanes Oxley?
L.1.1.3 US Patriot Act?
L.1.1.4 CFTC?
L.1.1.5 HIPAA?
L.1.1.6 21 CFR 11?
L.1.2 Is your organization performing independent audits to ensure compliance with the following legal and regulatory requirements:
L.1.2.1 GLBA?
L.1.2.2 Sarbanes Oxley?
L.1.2.3 US Patriot Act?
L.1.2.4 CFTC?
L.1.2.5 HIPAA?
L.1.2.6 21 CFR 11?
L.2 Is your organization required to comply with any SEC regulations?

Page 154: Standardized Information Gathering (SIG) · XLS file · Web view · 2016-05-12Formula Notes Version History Overview Glossary N. Additional Questions M. SIG Lite L. Compliance K

Shared Assessments Program Standardized Information Gathering Questionnaire Version 3.1, January 14, 2008

L. Compliance Page 154 of 174 Page(s)

L.2.1.1 ###

If so, are the following addressed: ###L.2.1.1.1.1 Email ###L.2.1.1.1.2 Instant Messaging ###L.2.1.1.1.3 Paging ###L.2.1.1.1.4 Webmail ###

L.3 ###

###L.3.1 Internal Audit? ###L.3.2 External Audit? ###L.3.3 Compliance Group? ###

###L.3.4.1 Information security ###

L.3.4.2 ###L.3.4.3 Physical security ###L.3.4.4 Information systems ###L.3.4.5 Human resources ###L.3.4.6 Software development ###

L.3.4.7 ###

L.3.4.8 ###

Are procedures in place to capture clear text messages sent by constituents who are subject to SEC regulations?

Within the last year, has there been an independent review of the company’s security policies, standards, procedures, and/or guidelines?

If so, check which of the following apply:

If so, indicate the scope of the review:

Business continuity / Disaster recovery

Line of business operational procedures and standards

Information technology operational procedures and standards

Page 155: Standardized Information Gathering (SIG) · XLS file · Web view · 2016-05-12Formula Notes Version History Overview Glossary N. Additional Questions M. SIG Lite L. Compliance K

Shared Assessments Program Standardized Information Gathering Questionnaire Version 3.1, January 14, 2008

L. Compliance Page 155 of 174 Page(s)

AUP K.2

L.4 ###

L.5 ###

L.5.1 ###

Has a network penetration test been conducted within the last year?

Does the organization undergo a SAS 70 Type II examination at least annually?

Have remediation plans been developed for all identified exceptions?


M. SIG Lite Page 156 of 174 Page(s)

M. SIG Lite: 54 Total Questions to be Answered, 0% Percent Complete

Columns: Question #, Question/Request, Response, Additional Information

Questionnaire Instructions: The following questions are a set of multi-part questions. If any part(s) of the question are No or N/A, please fill in No or N/A in the response field. If No or N/A has been chosen, then it is mandatory to supply additional explanation. Use the "Additional Information" field to the right of the question. Click on the instruction pop-up box and drag if necessary.

A. Risk Management

SL.1 Does your organization have a formal (documented and implemented) risk assessment program with:
- an owner assigned for maintenance and review of the program; and
- does the program periodically review accepted risk?

B. Security Policy

SL.2 Does your organization have formal (documented and implemented) information security policies and procedures that:
- are approved by senior management;
- are published so as to be available for reference and use;
- have an owner assigned who is responsible for content;
- are communicated to staff;
- include acceptable use;
- have provisions for disciplinary actions for noncompliance; and
- are reviewed at least annually?

C. Organizational Security

SL.3 Does your organization have an Information Security Oversight function which:
- provides direction with management support?
- has an individual or group responsible for the program, who is/are responsible for ensuring compliance with security policies?

SL.4 Are all constituents required, upon hire, to sign a Code of Ethics or any agreement(s) that require non-disclosure, preservation of confidentiality, and/or acceptable use?

SL.5 For all Dependent Service Providers with access to target data, is there a process in place to:
- regularly monitor compliance with security standards;
- address any identified issues;
- communicate security standards; and
- perform an independent audit / review?


D. Asset Management

SL.6 Does your organization have a formal (documented, approved, published, communicated and implemented) asset management program which:
- includes a complete list of all hardware and software assets?
- has an owner responsible for approving and reviewing access to the assets?

SL.7 Does your asset management program address the treatment, handling, disposal, destruction and reuse of media / assets that contain target data?

SL.8 Does your organization have a formal (documented, approved, published, communicated and implemented) information classification policy?

SL.9 Is the classification of all target data determined, and are data protection controls implemented in accordance with data classification?

E. Human Resource Security

SL.10 Does your organization perform background screening of applicants to include prior employment, criminal, credit, professional, academic, references and drug screening (unless prohibited by law)?

SL.11 Are constituents required to undergo information security awareness training upon hire?

SL.12 Does your HR department notify security / access administration of termination or change of status of constituents?

SL.13 Does your organization have a formal (documented, approved, published, communicated and implemented) asset return policy governing all company-owned assets from either terminated constituents or constituents who change status?

F. Physical and Environmental Security

SL.14 Does your organization have a formal (documented, approved, published, communicated and implemented) Physical Security Policy?


SL.15 Are the following requirements in place for all visitors into sensitive facilities (where target data is stored, processed or viewed):
- all visitors signed in / logged;
- all visitors required to provide government-issued ID;
- all visitors escorted at all times and required to wear clearly identifiable visitor credentials?

SL.16 Is physical access into sensitive facilities (where target data is stored, processed or viewed) protected by all or any of the following:
- security guards;
- electronic access devices;
- bio-metric access devices;
- and are access lists periodically reviewed?

SL.17 Do you have a monitored security alarm system for all sensitive facilities (where target data is stored, processed or viewed)?

SL.18 Do you have a monitored fire / smoke alarm system for the facilities where target data is stored, processed or viewed?

SL.19 Has your organization deployed a CCTV to monitor access to all sensitive areas (where target data is stored, processed or viewed), and if so, is the CCTV video stored or archived for 90 days or greater?

SL.20 Is target data stored or processed in a facility that your organization does not own or lease (answer "Yes" if your organization uses a co-location facility or Application Service Provider)?

G. Communications and Operations Management

SL.21 Does your organization have a formal (documented, approved, published, communicated and implemented) Change Control / Change Management process that contains approval for all changes and logs all changes?

SL.22 Does your organization require code reviews and approvals of all new or modified applications prior to implementation?

SL.23 Does your organization address segregation of duties for access to application, network or server resources, including:
- segregation between those requesting access to resources, those approving access, and those granting access; and
- does the process require periodic reviews of all access granted?


SL.24 Do all systems and Windows workstations have antivirus software which is:
- installed and configured to scan the system;
- periodically updated (including scan engine and signatures);
- configured so users cannot disable the scans?

SL.25 For all systems where target data is stored:
- are backups run on a schedule;
- are the archives stored separate from the system; and
- are restores tested on a regularly scheduled basis?

SL.26 Are any backup archives stored externally / offsite from your facility?

SL.27 Do all external network connections terminate on a firewall configured with a 'deny all' rule?

SL.28 Do you allow telnet, FTP or any other unsecured protocol into or out of your network?

SL.29 Are all network and system devices configured so that:
- system errors and security events are logged; and
- logs are protected from alteration by the users?

SL.30 Are all network and server devices and workstations (that process, store or view target data) built according to a standard configuration process, and are these devices periodically reviewed for deviations from the standard configuration?

SL.31 Are all servers, workstations, applications, and/or network devices (that process, store or view target data) patched on a regular basis?

SL.32 Are all external network connections monitored by an IPS/IDS or other network monitoring tool that generates alerts when a security event is detected, and are the alerts acted on according to a response time based on severity level?

SL.33 Does your organization have a formal (documented, approved, published, communicated and implemented) Wireless Network policy / process mandating at minimum:
- strong encryption;
- non-broadcast of SSID; and
- two-factor authentication?

SL.34 Is your wireless network physically or logically (via VLAN or firewall) segregated from any of your networks where target data is processed or stored?


SL.35 Is encryption implemented for all target data, both electronic transmissions and physical electronic media, prior to sending outside of your environment?

SL.36 Is target data encrypted while at rest within your environment?

SL.37 Does your organization have a formal (documented, approved, published, communicated and implemented) Physical Media policy / process which includes:
- approved access to physical media devices (USB, CDR, DVDR, floppy, backup tape, etc.);
- reuse; and
- disposal of media?

H. Access Control

SL.38 Does your organization have a formal (documented, approved, published, communicated and implemented) Access Control policy / process to include:
- role-based access to all resources (applications, OS, network devices, etc.);
- unique ID for all individuals;
- restriction or removal of the use of generic IDs (guest, administrator, root, etc.); and
- prohibition on sharing of IDs?

SL.39 Does your organization perform annual (or more frequent) reviews of access rights to systems, applications and network devices?

SL.40 Does your organization have a formal (documented, approved, published, communicated and implemented) Password policy / process that includes:
- prohibition on sharing passwords;
- requirement for passwords to be changed at initial logon; and
- requirement for periodic subsequent password changes?

SL.41 Does your organization deny developers access to production environments, as well as to any environments containing target data?

SL.42 Does your organization have a formal (documented, approved, published, communicated and implemented) Remote Access / Teleworking policy / process that requires multifactor authentication for access to all systems, applications or network devices from all remote access devices (laptop, home PC, PDA, etc.)?

I. Information Systems Acquisition Development and Maintenance


SL.43 Does your organization have a formal (documented, approved, published, communicated and implemented) System Development Lifecycle policy / process that includes application development and testing?

SL.44 Is target data ever used in testing?

SL.45 Are development, testing and production environments segregated?

SL.46 Does your organization have a formal (documented, approved, published, communicated and implemented) Vulnerability Assessment policy / process, and:
- does it require vulnerability assessments on all systems, applications and network devices that access / process / or store target data;
- does it classify issues according to severity; and
- is there a requirement to remediate all issues which are considered high-risk?

SL.47 Does your organization perform annual (or more frequent) penetration tests of all Internet-facing applications, and, if any high-risk issues are identified, are they corrected within 90 days?

J. Information Security Incident Management

SL.48 Does your organization have a formal (documented, approved, published, communicated and implemented) Incident Response policy / process / plan that includes:
- requirements to report all potential incidents;
- testing of the plan;
- notification of clients in the event of a breach; and
- an incident response team with clearly defined roles?

K. Business Continuity Management

SL.49 Does your organization have a formal (documented, approved, published, communicated and implemented) Business Continuity / Disaster Recovery policy / process / plan that includes:
- sponsorship and periodic review of the plan by senior management;
- testing of the plan at least annually;
- updating the plan with any lessons learned in tests;
- a BCP / DR team with clearly defined roles; and
- a requirement to conduct a business impact analysis at least annually?

L. Compliance


SL.50 Is your organization required to comply with any legal, regulatory or industry requirements, etc. (GLBA, SOX, PCI, SEC)?

SL.51 Within the last year, has there been an independent review of your organization's security policies, standards, procedures, and/or guidelines?

SL.52 If an independent review was conducted on your organization's security policies, standards, procedures, and/or guidelines and any concerns were identified, is there a plan in place to correct those concerns?

SL.53 Does your organization have a formal (documented, approved, published, communicated and implemented) Privacy policy that covers the confidentiality and protection of individuals' non-public personal information?

SL.54 Does your organization display a privacy notice on the home page of your web site?


N. Additional Questions Page 163 of 174 Page(s)

N. Additional Questions: This tab is used to supply any additional questions not covered by this SIG. Questions on this tab will not be analyzed by the analysis tool.

Columns: AUP/ISO/PCI Reference, Question #, Question/Request, Response, Additional Information


Glossary Page 164 of 174 Page(s)

Columns: Term, Definition

Acceptable Use Policy: An acceptable use policy is part of the information security framework, defining what users are and are not allowed to do with the IT systems of the organization. An acceptable use policy should contain a subset of the information security policy, and refer users to the full security policy when relevant. It should also clearly define the sanctions applied if a user violates the policy.

Acknowledgement of Acceptable Use: A written attestation from a user of an information system indicating the user's acceptance and willingness to comply with the relevant information systems control policies.

Anti-Tailgating / Anti-Piggybacking Mechanism: Two sets of doors whereby access to the second is not granted until the individual has passed through (and closed) the first, often referred to as a "man trap." A controlled turnstile is also considered an anti-tailgating/piggybacking mechanism.

Asset Classification: The category or type assigned to an asset, which is derived from the asset classification policy. Asset classifications frequently vary from company to company.

Asset Control Tag: A unique identification number assigned to all inventoried assets.

Attribute: A property or field of a particular object.

Baseline: A benchmark by which subsequent items are measured.

Battery: An electrochemical cell (or enclosed and protected material) that can be charged electrically to provide a static potential for power or released electrical charge when needed.

Biometric Reader: A device that uses measurable biological characteristics such as fingerprints or iris patterns to assist in authenticating a person to an electronic system.

Business Continuity Plan (BCP): A process that defines exactly how, for which applications and for how long a business plans to continue functioning after a disruptive event. The business continuity plan is usually an overarching plan that includes both operational and technology-related tasks.

Business Impact Analysis (BIA): This term is applicable across Technology Risk Management, i.e., in both information security and business continuity planning domains. An impact analysis results in the differentiation between critical and non-critical business functions. A function may be considered critical if there is an unacceptable impact to stakeholders from damage to the function. The perception of the acceptability of disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions. A function may also be considered critical if dictated by law.

Change Initiation Request (CIR): A document (physical or electronic) used to track change requests, including new features, enhancement requests, defects, and changed requirements. The change initiation request document must contain:
- Name of the person initiating the change
- System(s) affected by the change
- A description of the change that includes the file name(s) and file location(s)
- The date the change will occur
- An approval signature by someone other than the person initiating the change
- An approval date

Climate Control System: A combination of sensors and equipment that monitors the temperature and humidity in a sensitive environment (such as a data center) and that automatically heats/cools/dehumidifies as needed to keep the atmosphere within acceptable tolerances.

Cold Site: A remote facility that provides the equipment necessary for data and process restoration.


Complex Password: A password that combines alphabetic and non-alphabetic characters, such as special or numeric characters.

Confidentiality: The protection of sensitive information from unauthorized disclosure and sensitive facilities from physical, technical, or electronic penetration or exploitation.

Constituent: An active employee or contractor.

Contractor: A contracted professional with expertise in a particular domain or area.

DMZ (Demilitarized Zone): A controlled network space, delimited by firewalls or other policy-enforcing devices, which is neither inside an organization's network nor directly part of the Internet. A DMZ is typically used to isolate an organization's most highly secured information assets while allowing pre-defined access to those assets that must provide or receive data outside of the organization. The access and services provided should be restricted to the absolute minimum required.

Enclosed: Closed in, surrounded, or included within.

Exception: A result that deviates from the norm or expectation.

External Vulnerability Scan: A systematic review process using software tools designed to search for and map systems for weaknesses in an application, computer or network, which is executed from a network address outside of the target network. The intent is to determine if there are points of weakness in the security control system that can be exploited from outside the network.

Externally Facing: In network terms, the network entry point that receives inbound traffic.

Extranet: Refers to an intranet that is partially accessible to authorized outsiders.

Facility: A structure, building, or multiple structures or buildings in which operations are conducted for the services provided. These operations include handling, processing and storage of information, data or systems, as well as personnel that support the operations.

Fire Suppression System: A combination of sensors and equipment designed to detect the presence of heat/smoke/fire and actuate a fire retardant or fire extinguishing system.

Firewall: A set of related programs, located at a network gateway server, that protects the resources of private networks from other networks. Firewalls can be application/proxy, packet filtering, or stateful based. Examples of firewalls are Cisco PIX, Check Point Firewall, Juniper NetScreen and Cyberguard. Though they contain some firewall functionality, routers are not included in this definition.

Firewall Rule: Information added to the firewall configuration to define the organization's security policy through conditional statements that instruct the firewall how to react in a particular situation.

Fluid Sensor: A mechanical device sensitive to the presence of water or moisture that transmits a signal to a measuring or control instrument.

Gateway: A node on a network that facilitates the communication of information between two or more nodes.

General Perimeter: An area with fully enclosed walls that extend from floor to ceiling (beyond raised floors and ceilings) surrounding the secure perimeter. This may be the same floor as the secure perimeter, if shared by other tenants in the facility, or the facility itself.

Generator: A device that converts mechanical energy to electrical energy; in this sense, an engine (usually fuel-powered) that provides electrical current as input to a power source.

Hardware Systems: Includes servers and network devices.

Heat Detector: A mechanical device that is sensitive to temperature and transmits a signal to a measuring or control instrument.

Immediate Perimeter: A rack or cage housing the target systems.


Incident: Events outside normal operations that disrupt those operational processes. An incident can be a relatively minor event, such as running out of disk space on a server, or a major disruption, such as a breach of database security and the loss of private and confidential customer information.

Incident Severity: Incidents should be categorized by severity using, at a minimum, a three-point scale of minor, moderately severe, and severe. For each level of severity, IT organizations should define acceptable resolution times, escalation procedures, and reporting procedures.

Internal Vulnerability Scan: A systematic review process using software tools designed to search for and map systems for weaknesses in an application, computer or network, executed from a network address within the target network. The intent is to determine whether points of weakness in the security control system exist that could be exploited by a user with access to the internal network.

Internet: A global network connecting millions of computers. More than 100 countries are linked into exchanges of data, news and opinions.

Internet Protocol (IP): A networking standard that allows messages to be sent back and forth over the Internet or other IP networks.

Intranet: An IP network that resides behind a firewall and is accessible only to people who are members of the same company or organization.

Intrusion Detection Systems (IDS): A security inspection system for computers and networks that can allow for the inspection of systems activity and inbound/outbound network activity. The IDS key function identifies suspicious activity or patterns that may indicate a network or system attack.

Intrusion Protection System (IPS): A more sophisticated Intrusion Detection System (IDS) that allows administrators to configure predefined actions to be taken if suspicious activity is detected.

Inventory: An itemized list of current assets.

Local Backup: A method for backing up data on the local system such as an attached tape or storage device.

Master Change Log: A document or database that contains a report of each change initiation request (CIR) (approved or rejected). The document or database must contain:
- A reference to a CIR
- Date submitted
- Date of change
- Name of affected system
- Approval status (approved or rejected)

MD5: A one-way cryptographic hash algorithm that produces a unique 128-bit alphanumeric fingerprint of its input.

Modem: A device that allows a computer or terminal to transmit data over an analogue telephone line.

NAT: Network Address Translation (NAT) involves re-writing the source and/or destination addresses of IP packets as they pass through a network device.

Network Devices: Computer networking devices are units that mediate data in a computer network. Computer networking devices are also called network equipment, Intermediate Systems (IS) or InterWorking Unit (IWU).

Network Segment: A portion of a computer network that is separated from the remainder of the network by a device such as a repeater, hub, bridge, switch or router. Each segment may contain one or multiple computers or other hosts. Network segments are typically established for throughput and/or security reasons.

Network Time Protocol (NTP): A protocol designed to synchronize the clocks of computers over a network.

Node: Any physical device with a unique network address.


Non-Employees: Auditors, consultants, contractors, and vendors.

Non-Public Personal Information (NPI): Any personally identifiable financial information that is not publicly available. Non-Public Information includes but is not limited to name, address, city, state, Zip code, telephone number, Social Security number, credit card number, bank account number and financial history.

Ownership: A formally assigned responsibility over a given asset.

Personal Identification Number (PIN): A secret shared between a user and a system that can be used to authenticate the user to the system.

Physical Media: Any portable device or substance (e.g., paper) used to store data for specific and legitimate purposes. Examples of physical media include:
- Magnetic tapes and disks
- Cartridges, including 9-track, DAT, and VHS
- Optical disks in CD and DVD format
- Microfilm/fiche
- Paper (e.g., computer-generated reports and other printouts)
- Static memory devices, such as USB "memory sticks"

Port Scan: A systematic scan of a computer's ports that identifies open doors. Used in managing networks, port scanning also can be used maliciously to find a weakened access point from which to break into a computer.

Post-Deployment Test Document: A document that provides evidence that the change was tested and approved in the production environment. The document must contain:
- Reference to a CIR
- Identified deployment resources
- Deployment start date
- Deployment end date
- Expected results
- Actual results
- Approval signature
- Approval date

Power Redundancy: Any type of power delivery mechanism that provides continuous power to connected systems in the event of a failure in the main delivery mechanism for electricity. Such mechanisms include multiple electric feeds, automatic fail-over generators, and uninterruptible power supplies.

Pre-Deployment Test Document: A document (electronic or paper) that provides evidence that the requested changes were tested prior to deployment in the production environment. The document will be inspected for the following items:
- Reference to a CIR
- Identified testing resources
- Testing start date
- Testing end date
- Expected test results
- Actual test results

Privacy Policy: An official statement (on a website or communicated by other means) addressing the type of information an entity collects, how the information is used, how the individual may access this data, and the steps for removing data. A privacy statement usually includes information about how the entity protects the information it collects and uses.

Protocol: A set of rules and formats that enable the proper exchange of information between different systems.


Publicly Accessible: In networking terms, able to accept a connection originating from the "public domain," e.g., the Internet.

Raised Floor: Used in data center construction, a raised floor above the "true" floor allows air-conditioning flow and wiring to pass freely under equipment. This space between the true and raised floors is accessed by removable floor tiles.

Receiver Company: The financial institution that has contracted with a service provider for a specific service.

Residual Risk Rating Scoring Method: A calculation of the risk that remains after security controls have been applied, typically calculated as shown in the Total Risk / Residual Risk formula that follows the Threat Probability Calculation Method entry below.

Risk Prioritization Scoring Method: A systematic approach that quantifies risk in terms of loss potential, then sequences the risks to determine the order in which compensating controls should be implemented.

Scoping Meeting: A meeting held prior to commencement of the Shared Assessments AUP engagement, during which the financial institutions and service providers determine the service providers' target systems.

Secure Perimeter: A space fully enclosed by walls that surround the immediate perimeter and extend from floor to ceiling (beyond raised floors and ceilings), that is contained, and whose points of entry are secured.

Secure Socket Layer (SSL): A protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone and a private or "secret" key known only to the recipient of the message.

Security Policy: A published document or set of documents defining requirements for one or more aspects of information security.

Sensitive Information: Also known as "target data," any customer data stored at the service provider's facility. This data may be stored in the form of physical media, digital media, or any other storage medium.

Server: A computer that makes services, such as access to data files, programs, and peripheral devices, available to workstations on a network.

Service Provider: An organization that provides outsourced services such as data processing, applications or systems to a financial institution.

Service Set Identifier (SSID): A 32-character unique identifier attached to the header of packets sent over a wide area network to identify each packet as part of that network.

Simple Mail Transfer Protocol (SMTP): The de facto standard for email transmissions across the Internet.

Smoke Detector: A mechanical device that is sensitive to the presence of smoke or particulate material in the air and that transmits a signal to a measuring or control instrument.

Status Changes: Changes to employment status that are recorded in HR, such as promotions, demotions, or departmental changes.

Stewardship: The act of managing and maintaining a given asset.

System Owner: The business unit that retains financial ownership or decision rights for the business use of the asset.

System Steward: The primary assigned administrator responsible for maintenance and day-to-day tasks that support the business.

Target Data: A financial institution's Non-Public Personal Information that is stored, transmitted, or processed by the service provider.

Target System: Computer hardware and software in scope for the engagement and containing target data.

Threat Impact Calculation Method: A systematic method of determining the loss potential of a particular threat, based upon the value of the assets affected.

Glossary Page 169 of 174 Page(s)

Threat Probability Calculation Method: A systematic method of determining the potential for a particular threat to occur, based on data about the likelihood of the occurrence collected from internal staff, past records, and official security records.

Residual Risk Rating Scoring Method (formula, continued from the entry on page 168):
Threats x Vulnerability x Asset Value = Total Risk
(Threats x Vulnerability x Asset Value) x Controls Gap = Residual Risk

Token: A unique identifier generated on both a host and a small, user-held device, that allows the user to authenticate to the host.

True ceiling: The permanent overhead interior surface of a room, constructed of solid building materials offering resistance to and evidence of unauthorized entry.

True floor: The permanent bottom interior surface of a room, constructed of solid building materials offering resistance to and evidence of unauthorized entry.

Unapproved: Operating without consent.

Unidentified: Being or having an unknown or unnamed source.

Uninterruptible Power Supply (UPS): A power supply consisting of a bank of batteries, which is continually charged. When power fails, the UPS becomes the source of electrical current for computer equipment until the batteries are discharged. A UPS is often connected to a generator that can provide electrical power indefinitely.

Vibration Alarm Sensor: An alarm that responds to vibrations in the surface onto which it is mounted. A normally closed switch momentarily opens when the sensor is subjected to a vibration of sufficiently large amplitude.

Virtual Private Network (VPN): A communication tunnel running through a shared network, such as the Internet, which uses encryption and other security mechanisms to ensure that the data cannot be intercepted and that the data senders and receivers are authenticated.

Volumetric Alarm Sensor: An alarm sensor designed and employed to detect an unauthorized person in a confined space when the space is normally unoccupied. Such alarms include ultrasonic, microwave, and infrared sensors.

War Walk: Also known as "war drive," using a laptop to "sniff" for wireless access points. War walking may be used to locate a public access point for personal use or as a controls assessment to identify access points that are inadequately secured and may indicate an elevated risk of breach.

Warm Site: A remote facility which replicates production data at set intervals.

Water Sensor: A mechanical device sensitive to the presence of water or moisture that transmits a signal to a measuring or control instrument.

Workstations: (1) Like personal computers, most workstations are single-user computers. However, workstations are typically linked together to form a local-area network, although they can also be used as stand-alone systems. (2) In networking, "workstation" refers to any computer connected to a local area network, and could be an actual workstation or a personal computer.

Overview Page 170 of 174 Page(s)

Overview

Standardized Information Gathering (SIG) Overview

When applications, systems and services are outsourced, responsibility for reputation, transaction, regulatory and other risks associated with the outsourcing relationship remains with the financial institution. To develop an appropriate risk-mitigation strategy, the institution must be able to identify and understand the controls upon which the service provider relies to address risks associated with outsourced services.

The Financial Institution Shared Assessments Program was created to develop a standardized approach to obtaining consistent information about a service provider’s information technology practices, processes and controls. The Program consists of two complementary documents: a questionnaire, commonly referred to as the Standardized Information Gathering Questionnaire (SIG) and a set of executable tests, called the Agreed Upon Procedures (AUP). Consistent with ISO 17799:2005*, both documents identify control areas designed to document the service provider’s ability to actively manage information security controls.

Standardized Information Gathering Questionnaire (SIG): Developed by Financial Institution Shared Assessments Program members to leverage the BITS IT Service Providers Expectations Matrix and address the control areas covered in ISO 17799:2005, the SIG is used to obtain required documentation and establish a profile of operations and controls for each of the control areas. When used as a standalone document, the questionnaire provides the information the financial institution needs to evaluate the security controls in place.

Agreed Upon Procedures (AUP): Developed by the Financial Institution Shared Assessments Program Working Group with the Big 4 accounting firms acting as Technical Advisors, the AUPs gather and report on control areas using objective and consistent procedures. Procedures address control objectives in the following areas: Risk Management, Security Policy, Organization of Information Security, Asset Management, Human Resource Security, Physical and Environmental Security, Communications and Operations Management, Access Control, Information Systems Acquisition, Information Security Incident Management, Business Continuity Management, and Compliance. Procedures attest to the existence of controls without rendering opinions of sufficiency, thus enabling multiple financial institutions to view results in the context of their own risk tolerance and in the context of industry risk management and regulatory requirements.

When the SIG and AUP are combined, financial institutions, service providers, and assessment organizations have an outline for an evaluation program to obtain information and objectively verify selected controls. Financial institutions are then better able to identify risks, comply with regulatory requirements, and reduce inconsistencies in the evaluation of information received from service providers.

Using the SIG

The Standardized Information Gathering Questionnaire (SIG) is used to obtain required documentation from a service provider and establish a profile of its operations and controls for each control area. The SIG is based on the BITS IT Service Providers Expectations Matrix, ISO 17799:2005, and the risk requirements of Shared Assessments Program member institutions.

Update Process

Technology, threats and regulations change. The Financial Institution Shared Assessments Program's update process ensures that the SIG and AUP documents continue to meet risk management and regulatory requirements. The documents are updated at least annually. For more information on the latest releases, please visit the Financial Institution Shared Assessments Program website at http://www.bitsinfo.org/FISAP.

*ISO/IEC 17799 can be purchased directly from the American National Standards Institute, 25 West 43rd Street, New York 10036, 212-642-4900, http://webstore.ansi.org/ansidocstore/product.asp?sku=ISO%2FIEC+17799%3A2005

Version History Page 171 of 174 Page(s)

Version History

Date / Version / Comments

7/10/2006 / 2.0b / Submitted to steering committee for review

7/25/2006 / 2.0 final / Added glossary and version history, locked version

10/1/2007 / 3.0 WG / Added high level questions, standardized formatting, mapped version 2.

10/12/2007 / 3.0 Final / Minor changes to formatting, and question changes to BCP section

1/4/2008 / 3.1 Final / Format and question count changes, addition of SIG Lite tab.

2/22/2008 / 3.1 Final / Fixed formatting error: High Level 'Yes' response format did not carry to low level questions. Changed High Level Question count to percentages.

Formula Notes Page 172 of 174 Page(s)

Formula Notes

Column / Header / Note

A / <No Header> / This is a unique record number for a question. The value is sequential, starting with one on Tab A and running to the end of the questions on the last tab. Any row that is not a question will not have a number. The highest value used as a unique identifier is located on this tab in cell C18 (below).

B / <No Header> / Blank column, used as a placeholder.

F / Conditional Formatting <Response> / The conditional formatting looks in columns I and S to determine the background of the cell. If column I = 1, the background turns into a checkerboard, indicating the top of a table. If the value in column S = 1, or the value in the local cell is greater than nothing, the question is assumed to be answered and the cell turns light gray. If the value in column S = 0, the background is light blue.

G / Conditional Formatting <Additional Information> / This cell changes background color depending on the response to the question. The background is white if the response is "Yes" or "N/A" and turns gray if the response is "No". The conditional formatting looks at columns H, I and L to determine what the response is.

H / <Q Depth> / Enter a value in this column to indicate the depth (number of decimal places) the question should have.

I / <Table ID> / Enter a "1" in this cell to indicate the top of a table.

J / <1> / This formula calculates the first digit of the question number. It checks whether there is a value in the cell above; if not, it assumes the value should be 1. Next it checks whether the depth is 1; if so, it increments by one, otherwise it pulls down the value from the cell above.

K - N / <2 - 5> / This formula calculates the second through fifth digits of the question number. It first looks at the cell above and, if blank, assumes a 0. If not blank, it looks at its next-highest neighbor above to see whether there is a transition; if there is, it resets to 0. Lastly it looks at the question depth to see whether it is the same depth as this digit; if so it increments, otherwise it pulls down the value from above.

O / <HL Ans> / This formula carries over and converts the answer from the High Level Questions tab to a number. If the question depth is 1 (indicating a high level question), the VLOOKUP searches the high level questions table for the question number, brings back the answer and converts it to a number: 1 = "Yes", 2 = "No" and 3 = "N/A".

Formula Notes Page 173 of 174 Page(s)

P / <Loc Ans> / This formula converts the local answer to a number. It first checks whether the depth is blank; if it is, the answer is assumed to be blank. If the depth field is not blank, the formula converts the local answer to a number: 0 = no answer, 1 = "Yes", 2 = "No" and 3 = "N/A".

Q / <Comb Ans> / This formula combines the high level answer and the local answer. If the question depth is blank, a blank is assumed.

R / <Table Calc (Tot Q#)> / The value in this cell determines whether the row is actually a question or is part of a response list for a question. The logic looks above, below and in column H to make the determination.

S / <Q Carry Dn> / This formula carries parent responses down to their children. It first looks for a blank in the question depth and, if blank, carries down the value from above. If the question has been answered, it brings over the question depth. If the question is not answered, it compares the local question depth to the previous value: if the depth is greater, the previous value is carried down; if not, it turns to 0.

T / <T Carry Dn> / The value in this cell identifies whether a question in a table has been answered. If any value in a response list is answered, the result is rolled up to the next cell until it reaches the list identifier.

U / <Final Ans> / The result in this cell determines whether a question has been answered and is used to count the actual questions answered, not answers given as part of a response list. This is a simple AND function combining the values in columns S, R and T.

Column (Cell) / Formula

A / Unique question number (rows without questions do not have numbers)

B / Blank

F / Conditional Formatting

G / Conditional Formatting

H / Manually entered value

I / Manually entered value

J / IF(J(n-1)="",1,IF(Hn=1,J(n-1)+1,J(n-1)))

K (L - N are similar) / IF(K(n-1)="",0,IF(J(n-1)<>Jn,0,IF($Hn=2,K(n-1)+1,K(n-1))))

O / IF(Hn<>1,0,IF(VLOOKUP(Dn,High_Lvl_Array,3,FALSE)="",0,IF(VLOOKUP(Dn,High_Lvl_Array,3,FALSE)="Yes",1,IF(VLOOKUP(Dn,High_Lvl_Array,3,FALSE)="No",2,IF(VLOOKUP(Dn,High_Lvl_Array,3,FALSE)="N/A Additional Information Provided",3,"Help")))))

P / IF(Hn="","",IF(Fn="Yes",1,IF(Fn="No",2,IF(Fn="N/A Additional Information Provided",3,0))))

Q / IF(Hn="","",IF(Pn>0,Pn,IF(On>0,On,0)))

R / IF(Hn="","",IF(OR(Hn=1,R(n-1)=""),1,IF(OR(AND(I(n-1)=1,(Hn-H(n-2)<>0)),AND(R(n-1)=0,H(n-1)=Hn),AND(I(n-1)=1,Hn=H(n-2))),0,1)))

S / IF(Hn="",S(n-1),IF(Qn>1,Hn,IF(Hn>S(n-1),S(n-1),0)))

T / IF(Hn="","",IF(OR(AND(Rn=1,Sn=1),Qn>0,AND(R(n+1)=0,T(n+1)=1)),1,0))

U / IF(Hn="","",IF(OR(AND(Sn>0,Rn=1),AND(Rn=1,Tn=1)),1,0))

Formula Notes Page 174 of 174 Page(s)

Named Range / Formula

High_Lvl_Array / High_Level_Questions!$A$1:$C$407

Cell / Cells with Altered Formulas

S58 (Business Continuity) / Due to the numeric response, the formula must be changed to: =IF(H58="",S57,IF(F58>0,H58,IF(H58>S57,S57,0)))
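The question-numbering and answer-combination formulas described in the Formula Notes (columns H, J through N, O, P and Q) re-expressed in Python, as an added example; this is not code from the SIG workbook or the Shared Assessments Program. It assumes the High Level Questions lookup is keyed by the dotted question number, that unrecognized answer text maps to 0 (where the sheet's O formula shows "Help"), and that trailing zero digits are dropped for display; the sample rows and high-level answers are constructed for the illustration.

```python
"""Python model of the SIG question-number (J..N) and answer (O, P, Q) columns.
Added illustration of the Formula Notes logic; not part of the SIG workbook."""

from typing import Dict, List, Optional, Sequence, Tuple

# Answer codes used by columns O, P and Q of the workbook (0 = no answer).
NO_ANSWER, YES, NO, NA = 0, 1, 2, 3

# The exact drop-down strings the P-column formula matches on.
ANSWER_CODES = {
    "Yes": YES,
    "No": NO,
    "N/A Additional Information Provided": NA,
}

DIGITS = 5  # columns J..N hold digits 1..5 of the question number
Number = Tuple[int, ...]


def question_numbers(depths: Sequence[Optional[int]]) -> List[Number]:
    """Replicate columns J..N: derive hierarchical question numbers from the
    manually entered depth column H. A depth of None models a non-question
    row (blank H), which simply carries the previous row's digits down."""
    rows: List[Number] = []
    prev: Optional[Number] = None
    for depth in depths:
        if prev is None:
            # First row: J starts at 1 and the lower digits start at 0.
            cur: Number = (1,) + (0,) * (DIGITS - 1)
        else:
            digits = [prev[0] + 1 if depth == 1 else prev[0]]  # column J
            for d in range(1, DIGITS):                         # columns K..N
                if prev[d - 1] != digits[d - 1]:
                    digits.append(0)             # parent digit changed: reset
                elif depth == d + 1:
                    digits.append(prev[d] + 1)   # new question at this depth
                else:
                    digits.append(prev[d])       # otherwise carry down
            cur = tuple(digits)
        rows.append(cur)
        prev = cur
    return rows


def format_number(digits: Number) -> str:
    """Dotted display form, dropping trailing zeros (assumed convention)."""
    parts = list(digits)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return ".".join(str(p) for p in parts)


def local_answer(depth: Optional[int], response: str) -> Optional[int]:
    """Column P: blank depth -> blank; otherwise map the drop-down text."""
    if depth is None:
        return None
    return ANSWER_CODES.get(response, NO_ANSWER)


def high_level_answer(depth: Optional[int], number: str,
                      high_level: Dict[str, str]) -> int:
    """Column O: for depth-1 questions, look the number up on the High Level
    Questions tab (modelled as a dict keyed by dotted number) and convert."""
    if depth != 1:
        return NO_ANSWER
    return ANSWER_CODES.get(high_level.get(number, ""), NO_ANSWER)


def combined_answer(depth: Optional[int], local: Optional[int],
                    high: int) -> Optional[int]:
    """Column Q: the local answer wins, else the high-level answer, else 0."""
    if depth is None:
        return None
    if local:
        return local
    return high if high > 0 else NO_ANSWER


def evaluate(rows: Sequence[Tuple[Optional[int], str]],
             high_level: Dict[str, str]) -> List[Tuple[str, int, Optional[int], Optional[int]]]:
    """Run the column logic over (depth, local response) rows.
    Returns (question number, O, P, Q) per row."""
    numbers = question_numbers([depth for depth, _ in rows])
    result = []
    for (depth, response), num in zip(rows, numbers):
        text = format_number(num)
        p = local_answer(depth, response)
        o = high_level_answer(depth, text, high_level)
        result.append((text, o, p, combined_answer(depth, p, o)))
    return result


# Constructed sample: a depth-1 question answered only on the High Level tab,
# two depth-2 children (one answered locally), an explanatory text row, and a
# second depth-1 question answered locally with one child.
SAMPLE_ROWS = [
    (1, ""),                                     # 1
    (2, "Yes"),                                  # 1.1
    (2, ""),                                     # 1.2 (unanswered)
    (None, ""),                                  # non-question row
    (1, "No"),                                   # 2
    (2, "N/A Additional Information Provided"),  # 2.1
]
SAMPLE_HIGH_LEVEL = {"1": "Yes"}  # constructed High Level Questions answers

if __name__ == "__main__":
    for text, o, p, q in evaluate(SAMPLE_ROWS, SAMPLE_HIGH_LEVEL):
        print(f"{text:>5}  O={o}  P={p}  Q={q}")
```

The sample shows the carry-down behaviour the notes describe: question 1 has no local answer, so its Q value comes from the High Level tab, while its child 1.2 stays at 0 until either the local cell is filled or the S-column carry-down (not modelled here) propagates the parent's response.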