Security program assessment iso/iec 27002 example report

[Client]

Security Program Assessment

(ISO/IEC 27002:2013)

March 2014

DRAFT - FOR DISCUSSION PURPOSES ONLY

This document has been provided for reference purposes only. Every slide in this document must be modified and tailored to your client’s specific needs and objectives and reapproved by the Partner and GB&RC as per formal approval processes. The materials contained within the document may have come from a different member firm and may not have relevance, or may have a different meaning, in your jurisdiction.


© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

ISO/IEC 27002:2013 Review - Table of Contents

Executive Summary 2
Approach 3
ISO/IEC 27002:2013 Score Summary 5
Risk to the Business 7
Strengths 8
Recommended Action Plans & Prioritization 9
Remediation Roadmap 11
ISO/IEC 27001:2013 Certification Next Steps 12
Other Areas for Consideration 13
Detailed Remediation Projects & Roadmap 14
Detailed Analysis 28
Gaps & Risk to the Business 42

Executive Summary

Executive Summary - Approach

On behalf of [Client] (“[Client]”), KPMG assessed the state and capabilities of [Client]’s security program, using the ISO/IEC 27002:2013 framework. KPMG worked with [Client] to define the scope, develop and execute work plans, generate risk scores, identify business risks, and develop a remediation roadmap.

Testing Framework
- [Client] requested the ISO 27002 framework
- A standard framework enables repeatable benchmarking and trending capabilities
- Each domain and its associated subdomains were assessed to provide a holistic view of the state of security

Scoping
- Determined the enterprise-wide policies and procedures in place
- Identified and reviewed previously performed audits and assessments
- Identified subdomains not applicable to [Client]

Tailored Work Plan
- Work plans were tailored based on the preliminary conversations with [Client] to remove procedures not applicable to the organization
- KPMG conducted interviews and collected evidence to determine alignment to ISO/IEC 27002:2013 Annex control objectives

Scorecard & Business Risks
- KPMG assessed the state of controls within each work plan to calculate overall risk scores
- KPMG identified the risk to the business for each noted gap, incorporating compensating controls and additional [Client] processes
- KPMG produced recommended action plans and a roadmap to guide future efforts

[Client] and KPMG agreed to the below scope:

KPMG reviewed the state of information security at a global level and focused interviews with employees in Canada, the UK, and the USA, which included the following departments: Application Services, Global Operations, Global IT, Process and Compliance, HR, Cloud Operations, Legal, Project Management and Finance, Internal Audit, Information Architecture and Security.

Executive Summary - Approach

KPMG assessed [Client] against ISO/IEC 27002:2013 to identify gaps and to calculate scores. KPMG additionally identified the business risk to [Client], to provide an understanding of the business impact of an individual gap.

Gap in Framework Objectives: How does [Client] compare against a security framework?
- Gaps were determined through comparison of framework objectives to [Client] operations; scores do not reflect the residual business risk to [Client]
- Gaps within security frameworks provide areas for consideration, but the business risk of these gaps should be understood before undergoing significant operational changes

Business Risks: How could these gaps impact [Client]’s day-to-day business?
- KPMG took the identified gaps and provided the business risk for each gap
- Risks were weighted based on the potential impact to [Client] business operations
- Risk levels provide insight into which gaps could negatively impact the business and help to determine remediation priority

Executive Summary - ISO/IEC 27002:2013 Score Summary

FRAMEWORK SCORE SUMMARY

This is a good overall score and represents that [Client]’s control design is strongly aligned to meet ISO/IEC 27002:2013 objectives. [Client] has designed adequate processes and procedures to protect the organization from internal and external risks. KPMG noted opportunities to align more closely with the ISO/IEC framework and has provided recommendations for consideration.

OVERALL SCORE CALCULATION

Overall score: 4.05, the framework score across all domains. This score is calculated as the average of all domain scores and does not take the risk to the business into consideration. Refer to the section “Detailed Analysis” for the domain and subdomain scoring methodology.

Overall Score = Summation of all Domain Scores / Count of Domains in Scope = 56.79 / 14 = 4.05

Domain scores (chart values, scale 0.00 to 5.00; High, Moderate and Low Framework Alignment bands are shown graphically in the original slide):

Information Security Policies | 4.50
Organization of Information Security | 4.29
Human Resource Security | 4.75
Asset Management | 3.72
Access Control | 4.80
Cryptography | 3.17
Physical and Environmental Security | 4.17
Operations Security | 4.72
Communications Security | 4.63
System Acquisition, Development and Maintenance | 4.91
Supplier Relationships | 1.83
Information Security Incident Management | 3.57
Information Security Aspects of Business Continuity | 3.33
Compliance | 4.40

Executive Summary - ISO/IEC 27002:2013 Score Summary (Continued)

Subdomain alignment chart: each subdomain is rated High ISO 27002 Alignment*, Moderate ISO 27002 Alignment* or Low ISO 27002 Alignment*; the individual ratings are shown graphically in the original slide. Domains and subdomains in scope:

5. Information Security (IS) Policies
5.1 Management Direction for IS

6. Organization of IS
6.1 Internal Organization
6.2 Mobile Devices & Teleworking

7. Human Resources Security
7.1 Prior to Employment
7.2 During Employment
7.3 Termination & Change of Employment

8. Asset Management
8.1 Responsibility for Assets
8.2 Information Classification
8.3 Media Handling

9. Access Control
9.1 Business Requirements for Access Control
9.2 User Access Management
9.3 User Responsibilities
9.4 System & Application Access Control

10. Cryptography
10.1 Cryptographic Controls

11. Physical & Environmental Security
11.1 Secure Areas
11.2 Equipment

12. Operations Security
12.1 Operational Procedures & Responsibilities
12.2 Protection from
12.3 Backup
12.4 Logging & Monitoring
12.5 Control of Operational Software
12.6 Technical Vulnerability Management
12.7 Information Systems Audit Considerations

13. Communications Security
13.1 Network Security Management
13.2 Information Transfer

14. Systems Acquisition, Development & Maintenance
14.1 Security Requirements of IS
14.2 Security in Development & Support Processes
14.3 Test Data

15. Supplier Relationships
15.1 IS in Supplier Relationships
15.2 Supplier Service Delivery Management

16. IS Incident Management
16.1 Management of IS Incidents & Improvements

17. IS Aspects of Business Continuity Management
17.1 IS Continuity
17.2 Redundancies

18. Compliance
18.1 Compliance with Legal & Contractual Requirements
18.2 IS Reviews

* - refer to the Detailed Analysis section for scoring methodology

Executive Summary - Risk to the Business

BUSINESS RISK SUMMARY

KPMG determined the risk to the business for each domain. KPMG has provided a summary of the business risks with a higher potential impact:

- The asset management program is informal and applied inconsistently across the enterprise. Failure to track all assets could lead to incomplete application of security programs (e.g., patch management), an inadequate level of security (controls) for sensitive assets, and increased spending on unnecessary assets.
- A formal data classification schema does not exist (currently in development). Without a data classification standard in place, [Client] may not fully understand the risk presented by specific data, leading to incomplete labeling and handling of assets (i.e., inadequate security controls).
- Incident response (IR) responsibilities are only communicated through training, without an overarching IR plan in place. The lack of a formal incident response plan could lead to confusion over management and employee responsibilities during an incident, causing untimely or inappropriate handling of incidents that pose an immediate risk.
- Site-specific business continuity plans do not include the required security controls identified through business impact analysis (BIA) assessments. Failure to identify (BIA) and incorporate security requirements (controls) within site business continuity plans could lead to an inadequate level of security during events that trigger the business continuity program.

BUSINESS RISK BY DOMAIN

Heat map plotting each domain by Likelihood (Remote, Unlikely, Possible, Likely, Almost Certain) against Magnitude of Impact (Slight, Minor, Moderate, Major, Significant); the cell positions are shown graphically in the original slide. Domains plotted in the same cell: 8, 16 | 17 | 7 | 12 | 11, 13, 14 | 5, 6 | 9, 10, 15, 18.

Domain legend:
5 – Information security policies
6 – Organization of information security
7 – Human resource security
8 – Asset Management
9 – Access Control
10 – Cryptography
11 – Physical and Environmental Security
12 – Operations security
13 – Communications security
14 – System acquisition, development, & maintenance
15 – Supplier relationships
16 – Information security incident management
17 – Information security aspects of business continuity
18 – Compliance

Executive Summary - Strengths

[Client] Strengths

During the assessment, KPMG noted several strengths associated with the design of [Client]’s security programs and alignment with ISO/IEC 27002:2013.

- 9 of the 14 domains were scored between 4.01 and 5.00 (high control design alignment), including 6 domains with a score of 4.50 and higher: Information Security Policies; Human Resource Security; Access Control; Operations Security; Communications Security; System Acquisition, Development and Maintenance
- Change management security procedures within [Client] are mature and well maintained
- [Client]’s operations group and datacenter management team exhibited extensive knowledge of their environment and the controls in place to protect business operations
- Expectations for a strong information security program are clearly understood globally, and [Client] is actively taking steps to address specific gaps that currently exist within its program

Executive Summary - Recommended Action Plans & Prioritization

KPMG has provided a list of recommended action plans to remediate identified gaps. These recommendations are prioritized based on the residual risk to [Client]’s business and the associated level of effort to remediate.

Recommendation | ISO Gaps Remediated | Priority | Level of Effort
Policy Development & Refinement: Develop or revise information security policies to address gaps in the organization of information security, asset management, cryptography, and physical security. | 2, 9-10, 12, 25, 29, 33, 40, 44, 45 | High | Low
Asset Management & Classification: Deploy an asset management program that centrally tracks IT assets, the asset owner, and data classification information, while developing a process to require asset owners to review asset information for accuracy. | 1, 8, 13, 32 | High | High
Business Continuity Management: Define information security objectives for business continuity planning while executing site-specific business impact analysis assessments to develop site business continuity plans. | 4-5, 42 | High | High
Contractual Compliance Tracking: Explicitly outline the regulatory, legal, and contractual obligations that each information system must meet, and periodically review these requirements for continued applicability. | 7, 23-24 | Moderate | Moderate
Incident Response Development: Develop an incident response program that documents an effective approach to the management of information security incidents, including communication of security events and weaknesses. | 3, 22, 26, 46-48 | Moderate | Moderate
Logical Access Control Improvement: Develop procedures to enforce and monitor the application of logical access controls for software development and user operations, and the regular review of administrator and user activity logs. | 11, 14-16, 34-36, 43 | Moderate | Moderate
Supplier Management: Develop policies and procedures for managing changes in supplier services to communicate and require adherence to [Client] information security requirements while establishing a record of accountability. | 17-21, 30 | Low | High
Embedding Security in Project Management: Create project management methodologies that include information security objectives throughout the project lifecycle for all projects. | 6 | Low | Moderate
Physical Security Improvement and Consistency: Develop and refine physical access controls and standards to secure offices, rooms, and delivery areas, while establishing a process to periodically audit physical security for compliance. | 37-39, 41 | Low | Low
Training Refinement: Update training documentation and define required trainings for [Client] personnel and suppliers. | 28, 31 | Low | Low
Consulting External Advisors: Define a position that is responsible for maintaining contact with specialist security forums and professionals. | 27 | Low | Low

Executive Summary - Remediation Roadmap

KPMG has provided a list of recommended projects to remediate the gaps identified during the Security Program Assessment. Prior to executing these projects, [Client] should consider formal establishment of a strong governance program.

Prior to remediation, [Client] should determine that a strong governance program is in place. KPMG has provided a set of governance program initiatives to review prior to remediation.

Roadmap timeline: Immediate / Short Term / Long Term, Mon 1 through Mon 8; the project bars are shown graphically in the original slide.

Recommended Action Plan
- Policy Development & Refinement
- Asset Management & Classification
- Business Continuity Management
- Contractual Compliance Tracking
- Incident Response Development
- Logical Access Control Improvement
- Supplier Management
- Embedding Security in Project Management
- Physical Security Improvement & Consistency
- Training Refinement
- Consulting External Advisors

Executive Summary - ISO/IEC 27001:2013 Certification Next Steps

As [Client] plans for 27001 certification, KPMG has provided a list of next steps (in addition to gap remediation) to prepare for certification. Certification is not an easy process: [Client] will have to demonstrate a policy-driven approach to data management, security, and risk management, which requires hard evidence that procedures and controls are effective.

1. Senior Management Commitment
- Significant effort is required across the organization; senior management is the driving force behind certification for budgeting, allocation of personnel, and enforcement
- Senior management is responsible for communicating to users the importance of the Information Security Management System (ISMS) and the implications of not adhering to policies and procedures

2. Project Based Approach
- Treating certification as a project helps facilitate coordination across all required stakeholders
- The project manager role is critical to monitoring and assisting with the certification
- Identify and assign (nominate) personnel responsible for data governance and risk management who report to the project manager

3. Define ISMS Scope
- Though the scope of the ISMS can cover the entire organization, it can also be tailored to a specific service, system, application, or site (location)
- Perform a cost-benefit analysis of certifying the organization as a whole versus a more tailored approach
- Consider who (e.g., customers, third parties) certification is providing assurance to, which is typically the biggest factor in determining the scope of the ISMS

Executive Summary - Other Areas for Consideration

Through detailed interviews with [Client] stakeholders, KPMG noted other areas for consideration. Though these are not covered by specific ISO requirements, they help support ISO objectives while increasing [Client]’s capabilities to manage the security program through centralization and automation.

Area for Consideration | Description | Value to [Client]

Governance, Risk, and Compliance Platform (eGRC)
Description: An eGRC platform provides a centralized means to manage, monitor, and report on the effectiveness of and across multiple security programs and business domains (e.g., finance, legal) at the enterprise level. Many eGRC solutions offer the ability to develop custom applications to tailor the solution to [Client]’s unique business.
Value to [Client]:
- Provides [Client] a structure to centrally manage and track security programs, including policy management, vendor management, IT risk management, business continuity, and incident management
- Centralized and integrated reporting across the enterprise
- Automation of business processes

Vendor Management Program
Description: Develop a formalized vendor management program that manages supplier relationships, agreements, and compliance to [Client]’s security policies.
Value to [Client]:
- Designates a team to manage supplier relationships
- Provides processes for reviewing supplier agreements and compliance to agreements

Policy Management Program
Description: Establish a centralized program to develop, review, and apply policies across the enterprise (all sites).
Value to [Client]:
- Provides an authoritative source for all policies
- Facilitates globalization of policies
- Assigns responsibility to manage policy compliance

Security Program Deployment Strategy
Description: Develop an enterprise strategy for transitioning acquisitions to [Client]’s security programs. Build a process to monitor the transition while providing a framework to determine adherence to [Client] security requirements.
Value to [Client]:
- Provides actionable steps to help migrate acquisitions to the required level of security
- Includes 27001 objectives within the strategy to help maintain certification (in future audits) as [Client] continues to expand
- Builds a foundation for integrating acquisitions within centralized [Client] programs and domains

Detailed Remediation Projects & Roadmap

Detailed Remediation Projects & Roadmap - Governance Program Review

Objective: Internal review to determine that a robust governance program is in place at [Client] prior to executing projects to remediate gaps. A strong governance program is critical to the development and modification of security policies to determine appropriate coverage and acceptance across the enterprise.

# | Activities / Components
1 | Establishment: Formal implementation of a governance program, including specific objectives for security. The governance program acts as the authoritative source for company-wide goals and objectives and as such should be defining and governing [Client]’s requirements (including security).
2 | Roles & Responsibilities: Assigned and dedicated personnel responsible for governance of core business processes and security programs (e.g., data governance). These defined roles should include explicit responsibilities for personnel, including the determination of adherence to enterprise objectives for their areas of responsibility.
3 | Key Performance Indicators (KPI): Identifying, clearly defining, tracking, and reporting on metrics that provide quantifiable insight into the effectiveness and efficiency of core business processes and security programs. A program should be in place to continuously review, refine, and establish new KPIs.
4 | Self Assessment & Continuous Improvement: Though the core structure and overall program should remain as consistent as possible, the individual programs supporting the overarching governance program should be more dynamic in nature. This requires the periodic review of individual program objectives and [Client]’s strategy to meet the objectives. As the governance program is a top-down model, [Client] needs to gain assurance over the quality, applicability, and the communication of requirements.

Detailed Remediation Projects & Roadmap - Policy Development & Refinement

Project objective: Develop or revise information security policies to address gaps in the organization of information security, asset management, cryptography, and physical security.

Priority: High | Effort: Low | ISO Gaps Remediated: 2, 9-10, 12, 25, 29, 33, 40, 44, 45
Roadmap: Immediate / Short Term / Long Term, Mon 1 through Mon 8; the project bar is shown graphically in the original slide.

# | Supporting Activities | Resources / Departments | Estimated Effort
1 | Centralize information security policies within a single framework and apply it to the enterprise such that security expectations are consistently documented for all sites. Review standards and procedures to determine reference and adherence to the overarching information security framework. | Information security; Senior management | 1 - 2 weeks
2 | Finalize the data classification schema for electronic and physical data while documenting it within information security policies, procedures or standards. Update information security policies to include labeling and handling requirements based on the data classification schema. | Data governance team; Information security | 2 weeks
3 | Update the information security policy (alternatively update procedures or standards) with a process for transferring physical media (including the identification of physical security controls and establishing a list of approved couriers). | Data governance team; Information security | 1 week
4 | Update the information security policy to include the use of cryptographic controls, including approved mechanisms, protocols and algorithms. | Information security | 1 week

Detailed Remediation Projects & Roadmap - Policy Development & Refinement (Continued)

Project objective: Develop or revise information security policies to address gaps in the organization of information security, asset management, cryptography, and physical security.

Priority: High | Effort: Low | ISO Gaps Remediated: 2, 9-10, 12, 25, 29, 33, 40, 44, 45
Roadmap: Immediate / Short Term / Long Term, Mon 1 through Mon 8; the project bar is shown graphically in the original slide.

# | Supporting Activities | Resources / Departments | Estimated Effort
5 | Update teleworking agreements with employees to include allowed communication channels, expectations for sensitive data handling while teleworking, and approved remote access mechanisms. Require all employees to agree to and acknowledge (e.g., sign off) the updated teleworking agreement. | Information security; Senior management | 2 weeks
6 | Update procedures for working in secure areas within information security and/or physical access policies to identify additional controls and expectations for securing areas with sensitive information and systems. | Information security | 1 week
7 | Establish a process to annually review and update employee agreements while developing procedures to inform users of changes to agreements. | Compliance; Senior management | 1 week
8 | Establish a process to at least annually review the principles for engineering secure systems, to include procedures for mitigating new threats to the business as well as industry-wide emerging threats (e.g., vulnerabilities). | Information security | 1 week

Detailed Remediation Projects & Roadmap - Asset Management & Classification

Project objective: Deploy an asset management program that centrally tracks IT assets, the asset owner, and data classification information, while developing a process to require asset owners to review asset information for accuracy.

Priority: High | Effort: High | ISO Gaps Remediated: 1, 8, 13, 32
Roadmap: Immediate / Short Term / Long Term, Mon 1 through Mon 8; the project bar is shown graphically in the original slide.

# | Supporting Activities | Resources / Departments | Estimated Effort
1 | Establish a centralized repository for the tracking and classification of IT assets, including PKI certificates (alternatively, develop a separate program for certificates). | Data governance team; IT management; Network management | 2 - 3 months
2 | Assign owners to each asset and document asset owner responsibilities. Dependent on completion of activity #1. | Business owners; Senior management | 1 - 2 months
3 | Apply the data classification schema (developed in the information security policy development and refinement project) to assets and the data contained within assets (labeling). Dependent on completion of activity #1. | Asset owners; Business owners | 1 - 2 months
4 | Review assets and data to determine the appropriate security controls as defined by the classification schema (handling). Dependent on completion of activity #3. | Asset owners; Business owners | 2 - 3 months
5 | Establish a process for asset owners to review their asset information for accuracy and update asset management information as needed. Dependent on completion of activity #2. | Asset owners; Business owners; Data governance team | 1 – 2 weeks

Detailed Remediation Projects & Roadmap: Business Continuity Management

Project objective: Define information security objectives for business continuity planning while executing site-specific business impact analysis assessments to develop site business continuity plans.

Supporting activities (resources / departments; estimated effort):

1. Create and execute business impact analysis (BIA) assessments for each [Client] site to identify and document the required level of security based on the BIA results. Establish a program to periodically reassess sites through BIA.
   Resources / Departments: Business owners, Information security, Senior management
   Estimated effort: 1 month

2. Define and document information security controls, procedures, and processes, incorporating the BIA results, within the business continuity plan (BCP) for each site. Dependent on completion of activity #1.
   Resources / Departments: Business owners, Information security
   Estimated effort: 2 months

3. Develop a process to review the BCP for each office and revise it as necessary to meet the defined information security objectives. Dependent on completion of activities #1 and #2.
   Resources / Departments: Business owners, Information security
   Estimated effort: 1 - 2 weeks

4. Develop a formal process for testing BCPs (at least annually) and documenting the results, including determining the effectiveness of information security controls. Dependent on completion of activity #3.
   Resources / Departments: Business owners, Global IT, Senior management
   Estimated effort: 1 - 2 weeks

Priority: High. Effort: High.
ISO gaps remediated: 4-5, 42.
Roadmap: Business Continuity Management, scheduled on the Mon 1 - Mon 8 timeline (Immediate / Short Term / Long Term).

Detailed Remediation Projects & Roadmap: Contractual Compliance Tracking

Project objective: Explicitly outline the regulatory, legal, and contractual obligations that each information system must meet and periodically review these requirements for continued applicability.

Supporting activities (resources / departments; estimated effort):

1. Define and fully document all regulatory and contractual requirements for [Client]'s information systems. For each information system, identify and document the cryptographic controls required.
   Resources / Departments: Compliance, Information security, Senior management
   Estimated effort: 3 - 4 weeks

2. Develop procedures to enforce and monitor the proper handling of information obtained during background checks.
   Resources / Departments: Compliance, Human resources
   Estimated effort: 1 - 2 weeks

Priority: Moderate. Effort: Moderate.
ISO gaps remediated: 7, 23-24.
Roadmap: Contractual Compliance Tracking, scheduled on the Mon 1 - Mon 8 timeline (Immediate / Short Term / Long Term).

Detailed Remediation Projects & Roadmap: Incident Response Development

Project objective: Develop an incident response program that documents an effective approach to the management of information security incidents, including communication of security events and weaknesses.

Supporting activities (resources / departments; estimated effort):

1. Develop a documented incident management and response program with clear roles, responsibilities, and processes for reporting (including external contact with authorities) and handling security incidents.
   Resources / Departments: Senior management, Information security, Global IT
   Estimated effort: 1 - 2 months

2. Define and document the process by which employees and suppliers can report information security incidents. Dependent on completion of activity #1.
   Resources / Departments: Information security, Global IT
   Estimated effort: 1 week

3. Establish and communicate the expectation that employees and suppliers are required to report security weaknesses and events. Dependent on completion of activity #2.
   Resources / Departments: Compliance / internal audit, Business owners
   Estimated effort: 1 week

4. Develop a process to review and quantify security incidents for the purpose of enterprise risk strategy management. Apply the process to recent security incidents for analysis.
   Resources / Departments: Global IT, Information security
   Estimated effort: 1 month

5. Implement a process to perform periodic tabletop exercises to test both the effectiveness and the efficiency of incident response procedures. Dependent on completion of activity #1.
   Resources / Departments: Business owners, Global IT, Information security
   Estimated effort: 1 - 2 weeks

6. Establish a program to periodically review the technologies supporting incident detection (e.g., advanced malware detection). Note: exceeds ISO guidance.
   Resources / Departments: Global IT, Information security
   Estimated effort: 1 - 2 weeks

Priority: Moderate. Effort: Moderate.
ISO gaps remediated: 3, 22, 26, 46-48.
Roadmap: Incident Response Development, scheduled on the Mon 1 - Mon 8 timeline (Immediate / Short Term / Long Term).

Detailed Remediation Projects & Roadmap: Logical Access Improvement

Project objective: Develop procedures to enforce and monitor the application of logical access controls for software development, user operations, and the regular review of administrator and user activity logs.

Supporting activities (resources / departments; estimated effort):

1. Develop procedures to enforce and monitor the segregation of development, test, and production environments.
   Resources / Departments: Information security, Network team, Senior management
   Estimated effort: 1 - 2 months

2. Establish standards for application time-outs, taking into consideration the classification of the information held within each application.
   Resources / Departments: Application services
   Estimated effort: 1 - 2 weeks

3. Develop procedures to enforce and monitor the application of secure code controls across all applications. Dependent on completion of activity #1.
   Resources / Departments: Application services, Business owners
   Estimated effort: 2 - 3 months

4. Develop a process to enforce policies that prohibit the installation of unauthorized software on user laptops.
   Resources / Departments: Compliance, Global IT
   Estimated effort: 1 - 2 months

5. Establish a standard timeline for the periodic review of user and administrator activity and logs.
   Resources / Departments: Information security, Upper management
   Estimated effort: 1 - 2 weeks

6. Develop a standard requiring business units and group owners to review access control policies and user access rights quarterly, including access to shared folders.
   Resources / Departments: Compliance, Business owners, Senior management
   Estimated effort: 2 - 3 months

Priority: Moderate. Effort: Moderate.
ISO gaps remediated: 11, 14-16, 34-36, 43.
Roadmap: Logical Access Improvement, scheduled on the Mon 1 - Mon 8 timeline (Immediate / Short Term / Long Term).

Detailed Remediation Projects & Roadmap: Supplier Management

Project objective: Develop policies and procedures for managing changes in supplier services that communicate and require adherence to [Client] information security requirements while establishing a record of accountability.

Supporting activities (resources / departments; estimated effort):

1. Develop a process to identify and include the criticality of information, systems, and processes when making changes to supplier agreements.
   Resources / Departments: Business owners, Data governance team, Information security, Vendor management
   Estimated effort: 2 - 3 weeks

2. Define and include the information security risks arising from engaging specific suppliers within supplier change management, including risk mitigation procedures or controls.
   Resources / Departments: Information security, Vendor management
   Estimated effort: 1 month

3. Update supplier agreements to include the requirement to notify [Client] in the case of a security breach.
   Resources / Departments: Vendor management
   Estimated effort: 2 months

4. Establish a set of security controls to be adhered to by all suppliers and update supplier agreements to include these requirements.
   Resources / Departments: Information security, Global IT, Vendor management
   Estimated effort: 1 month

5. Develop a process to routinely notify suppliers of changes to [Client]'s information security policies, procedures, and processes.
   Resources / Departments: Vendor management
   Estimated effort: 1 week

6. Establish a process to review suppliers for adherence to [Client] information security expectations and consideration of the defined security controls. Dependent on completion of activities #1 through #5.
   Resources / Departments: Compliance, Vendor management
   Estimated effort: 2 - 3 months

Priority: Low. Effort: High.
ISO gaps remediated: 17-21, 30.
Roadmap: Supplier Management, scheduled on the Mon 1 - Mon 8 timeline (Immediate / Short Term / Long Term).

Detailed Remediation Projects & Roadmap: Embedding Security in Project Management

Project objective: Create project management methodologies that include information security objectives throughout the project lifecycle for all projects.

Supporting activities (resources / departments; estimated effort):

1. Develop a process to identify and incorporate information security objectives throughout all project* lifecycles. Establish procedures for identifying and assessing risks at the beginning of projects, and document how security objectives are adhered to as part of the project management documentation.
   Resources / Departments: Information security, Project management office
   Estimated effort: 1 - 2 months

* Per ISO/IEC 27002 guidance, this generally applies to any project regardless of its character (e.g., core business process, IT, facility management).

Priority: Low. Effort: Moderate.
ISO gaps remediated: 6.
Roadmap: Embedding Security in Project Management, scheduled on the Mon 1 - Mon 8 timeline (Immediate / Short Term / Long Term).

Detailed Remediation Projects & Roadmap: Physical Access Improvement & Consistency

Project objective: Develop and refine physical access controls and standards to secure offices, rooms, and delivery areas while establishing a process to periodically audit physical security for compliance.

Supporting activities (resources / departments; estimated effort):

1. Develop standards for physical security, taking into consideration physical entry controls to offices, securing rooms and facilities, and protecting delivery areas for all [Client] locations.
   Resources / Departments: Global IT, Senior management
   Estimated effort: 2 weeks

2. Apply the physical security policy consistently across all sites, including procedures for documenting visitors. Dependent on completion of activity #1.
   Resources / Departments: Compliance, Global IT
   Estimated effort: 1 - 2 months

3. Establish a process to periodically audit physical security controls. Dependent on completion of activity #2.
   Resources / Departments: Compliance, Global IT
   Estimated effort: 1 week

Priority: Low. Effort: Low.
ISO gaps remediated: 37-39, 41.
Roadmap: Physical Access Improvement & Consistency, scheduled on the Mon 1 - Mon 8 timeline (Immediate / Short Term / Long Term).

Detailed Remediation Projects & Roadmap: Training Refinement

Project objective: Update training documentation and define required trainings for [Client] personnel and suppliers.

Supporting activities (resources / departments; estimated effort):

1. Update security training material to include security for mobile devices.
   Resources / Departments: Global IT, Human resources
   Estimated effort: 1 week

2. Define training requirements by job profile, by supplier relationship, and for security professionals, and require users to complete and sign off on the approved trainings.
   Resources / Departments: Compliance, Information security, Senior management
   Estimated effort: 2 weeks

3. Establish a process to determine user adherence to training requirements. Dependent on completion of activity #2.
   Resources / Departments: Compliance, Human resources, Vendor management
   Estimated effort: 1 week

4. Develop and deploy a roll-out program for training, specifically to gain assurance that training requirements are fulfilled. Dependent on completion of activities #1 and #2.
   Resources / Departments: Global IT, Human resources, Senior management
   Estimated effort: 1 month

Priority: Low. Effort: Low.
ISO gaps remediated: 28, 31.
Roadmap: Training Refinement, scheduled on the Mon 1 - Mon 8 timeline (Immediate / Short Term / Long Term).

Detailed Remediation Projects & Roadmap: Consulting External Advisors

Project objective: Define a position that is responsible for maintaining contact with specialist security forums and professionals.

Supporting activities (resources / departments; estimated effort):

1. Formally assign the responsibility for maintaining contact with specialist security forums to a person or team.
   Resources / Departments: Information security, Global IT
   Estimated effort: 1 week

2. Establish a process for reporting trending and emerging threats to information security and senior management for inclusion within the security policy. Dependent on completion of activity #1.
   Resources / Departments: Information security, Global IT
   Estimated effort: 1 week

Priority: Low. Effort: Low.
ISO gaps remediated: 27.
Roadmap: Consulting External Advisors, scheduled on the Mon 1 - Mon 8 timeline (Immediate / Short Term / Long Term).

Detailed Analysis


KPMG used the criteria below to score the results of the ISO/IEC 27002:2013 review. Based on the results of testing, each procedure performed received a score. The scoring approach and criteria are described below.

Detailed Analysis: ISO/IEC 27002:2013 Scorecard Criteria

Assessment Score Criteria
Score   Description
-1      Not observed or out of scope.
0       Control is not in place with no mitigating controls.
1       Control is not in place but there are other mitigating controls.
2       Control is partially in place with other mitigating controls.
3       Control is partially in place with minimal residual risk.
4       Control is in place with exceptions, but risk is effectively mitigated.
5       Control is in place without exceptions.

Risk Ratings Legend
Score                    Description
Between 4.01 and 5.00    High framework alignment
Between 2.01 and 4.00    Moderate framework alignment
Between 0 and 2.00       Low framework alignment
Equal to -1.00           Not observed or out of scope

For controls that were either not observed or out of scope, the following rules apply:

• If all of the controls in a subdomain were not observed, each one is given a score of -1 and the weighting for the subdomain is changed to 0%. All other subdomain weightings in the domain are modified to effectively "remove" the out-of-scope subdomain from the calculation.

• If at least one control within a subdomain was in scope or observed, any other control that was not observed or was out of scope is scored as the average of all other in-scope controls in that subdomain.


Detailed Analysis: ISO/IEC 27002:2013 Review Summary

Subdomain scores are based on the cumulative scoring of procedures performed for each subdomain. Overall domain scores are calculated based on the average score of all subdomains.
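The roll-up described above and the two "not observed" rules from the Scorecard Criteria page, carried through in code so the arithmetic behind the tables can be checked. This is an added example written for this edit, not KPMG's scoring tool. The control names, weights and scores for domains 8 and 16 are copied from the review summary tables that follow; DOMAIN_X is a constructed, hypothetical domain that exercises the -1 rules. Two assumptions are made where the slide is silent: the "average of all other in-scope controls" used to fill a not-observed control is an unweighted mean, and control weights are normalised to sum to 1 before averaging (the slide shows seven controls at "15%", i.e. 105%, for subdomain 16.1).

```python
"""Scorecard aggregation for the ISO/IEC 27002:2013 review (added example).

Rules implemented, as stated on the Scorecard Criteria page:
  - subdomain score = weighted average of its control scores
  - domain score    = weighted average of its subdomain scores
  - a score of -1 means "not observed or out of scope"
Domain 8 and 16 data are copied from the review summary; DOMAIN_X is constructed.
"""
from typing import Dict, List, Tuple

NOT_OBSERVED = -1.0  # scorecard value for "not observed or out of scope"

Control = Tuple[str, float, float]               # (name, weight, score)
Domain = Dict[str, Tuple[float, List[Control]]]  # subdomain -> (weight, controls)

# Copied from the review summary: 8.0 Asset Management (domain score 3.72).
DOMAIN_8: Domain = {
    "8.1 Responsibility for Assets": (1 / 3, [
        ("8.1.1 Inventory of Assets", 0.25, 3.0),
        ("8.1.2 Ownership of Assets", 0.25, 3.0),
        ("8.1.3 Acceptable Use of Assets", 0.25, 5.0),
        ("8.1.4 Return of Assets", 0.25, 5.0)]),
    "8.2 Information Classification": (1 / 3, [
        ("8.2.1 Classification of Information", 1 / 3, 2.5),
        ("8.2.2 Labeling of Information", 1 / 3, 3.0),
        ("8.2.3 Handling of Assets", 1 / 3, 3.0)]),
    "8.3 Media Handling": (1 / 3, [
        ("8.3.1 Management of Removable Media", 1 / 3, 5.0),
        ("8.3.2 Disposal of Media", 1 / 3, 5.0),
        ("8.3.3 Physical Media Transfer", 1 / 3, 3.0)]),
}

# Copied from the review summary: 16.0 Incident Management (domain score 3.57).
# Seven controls are listed at "15%" each (105% total), so weights are normalised.
DOMAIN_16: Domain = {
    "16.1 Management of Information Security Incidents and Improvements": (1.0, [
        ("16.1.1 Responsibilities and Procedures", 0.15, 2.0),
        ("16.1.2 Reporting Information Security Events", 0.15, 4.0),
        ("16.1.3 Reporting Information Security Weaknesses", 0.15, 3.0),
        ("16.1.4 Assessment of and Decision on Events", 0.15, 4.0),
        ("16.1.5 Response to Information Security Incidents", 0.15, 5.0),
        ("16.1.6 Learning from Information Security Incidents", 0.15, 2.0),
        ("16.1.7 Collection of Evidence", 0.15, 5.0)]),
}

# Constructed, hypothetical domain: X.1 entirely out of scope, X.2 partly observed.
DOMAIN_X: Domain = {
    "X.1 Entirely out of scope": (0.5, [
        ("X.1.1", 0.5, NOT_OBSERVED),
        ("X.1.2", 0.5, NOT_OBSERVED)]),
    "X.2 Partly observed": (0.5, [
        ("X.2.1", 1 / 3, 5.0),
        ("X.2.2", 1 / 3, NOT_OBSERVED),
        ("X.2.3", 1 / 3, 3.0)]),
}


def impute_controls(controls: List[Control]) -> List[Control]:
    """Second -1 rule: a not-observed control in a partly observed subdomain takes
    the (unweighted, assumed) average of that subdomain's in-scope control scores."""
    in_scope = [s for _, _, s in controls if s != NOT_OBSERVED]
    if not in_scope:
        return controls
    fill = sum(in_scope) / len(in_scope)
    return [(n, w, fill if s == NOT_OBSERVED else s) for n, w, s in controls]


def subdomain_score(controls: List[Control]) -> float:
    """Weighted average of control scores; -1 if nothing in the subdomain was observed."""
    if all(s == NOT_OBSERVED for _, _, s in controls):
        return NOT_OBSERVED
    scored = impute_controls(controls)
    total = sum(w for _, w, _ in scored)          # normalise rounded slide weights
    return sum(w * s for _, w, s in scored) / total


def domain_score(domain: Domain) -> Tuple[float, Dict[str, float]]:
    """First -1 rule: an all-out-of-scope subdomain keeps score -1 and weight 0;
    the remaining subdomain weights are renormalised so it drops out of the domain."""
    subs = {name: subdomain_score(ctrls) for name, (_, ctrls) in domain.items()}
    in_scope = [(domain[n][0], s) for n, s in subs.items() if s != NOT_OBSERVED]
    if not in_scope:
        return NOT_OBSERVED, subs
    total = sum(w for w, _ in in_scope)
    return sum(w * s for w, s in in_scope) / total, subs


def alignment(score: float) -> str:
    """Risk Ratings Legend band, applied to the score rounded to two decimals as shown."""
    s = round(score, 2)
    if s == NOT_OBSERVED:
        return "Not observed or out of scope"
    if s > 4.00:
        return "High framework alignment"
    if s > 2.00:
        return "Moderate framework alignment"
    return "Low framework alignment"


if __name__ == "__main__":
    for label, dom in (("8.0", DOMAIN_8), ("16.0", DOMAIN_16), ("X.0", DOMAIN_X)):
        total, subs = domain_score(dom)
        for name, s in subs.items():
            print(f"  {name}: {s:.2f}")
        print(f"{label}: {total:.2f} ({alignment(total)})")
```

Running the module reproduces 3.72 for domain 8 and 3.57 for domain 16 as printed in the tables, and shows that a score of exactly 4.00 falls in the Moderate band under the legend's 4.01 threshold.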

ISO/IEC 27002:2013 Review Summary (Domain / Sub-Domain / Rating)

5. Information Security Policies
   5.1 Management Direction for Information Security 4.50
6. Organization of Information Security
   6.1 Internal Organization 4.00
   6.2 Mobile Devices and Teleworking 4.58
7. Human Resource Security
   7.1 Prior to Employment 4.75
   7.2 During Employment 4.50
   7.3 Termination and Change of Employment 5.00
8. Asset Management
   8.1 Responsibility for Assets 4.00
   8.2 Information Classification 2.83
   8.3 Media Handling 4.33
9. Access Control
   9.1 Business Requirements of Access Control 4.50
   9.2 User Access Management 4.83
   9.3 User Responsibilities 5.00
   9.4 System and Application Access Control 4.86
10. Cryptography
   10.1 Cryptographic Controls 3.17
11. Physical and Environmental Security
   11.1 Secure Areas 3.33
   11.2 Equipment 5.00
12. Operations Security
   12.1 Operational Procedures and Responsibilities 4.75
   12.2 Protection from Malware 5.00
   12.3 Backup 4.67
   12.4 Logging and Monitoring 4.63
   12.5 Control of Operational Software 5.00
   12.6 Technical Vulnerability Management 4.00
   12.7 Information Systems Audit Considerations 5.00


13. Communications Security
   13.1 Network Security Management 5.00
   13.2 Information Transfer 4.25
14. System Acquisition, Development and Maintenance
   14.1 Security Requirements of Information Systems 5.00
   14.2 Security in Development and Support Processes 4.72
   14.3 Test Data 5.00
15. Supplier Relationships
   15.1 Information Security in Supplier Relationships 1.67
   15.2 Supplier Service Delivery Management 2.00
16. Information Security Incident Management
   16.1 Management of Information Security Incidents and Improvements 3.57
17. Information Security Aspects of Business Continuity Management
   17.1 Information Security Continuity 1.67
   17.2 Redundancies 5.00
18. Compliance
   18.1 Compliance with Legal and Contractual Requirements 3.80
   18.2 Information Security Reviews 5.00


Detailed Analysis: ISO/IEC 27002:2013 Review Summary by control

Domain / Sub-Domain / Control    Weight    Score

Weight is the control's share of its sub-domain (or the sub-domain's share of its domain); the score on a sub-domain or domain row is the resulting weighted average of the rows beneath it, and the score on a control row is the risk score assigned to that control.

5.0 Information Security Policies 100% 4.50

5.1 Management Direction for Information Security 100% 4.50

5.1.1 Policies for Information Security 50% 4.00

5.1.2 Review of the Policies for Information Security 50% 5.00

6.0 Organization of Information Security 100% 4.29

6.1 Internal Organization 50% 4.00

6.1.1 Information Security Roles and Responsibilities 20% 5.00

6.1.2 Segregation of Duties 20% 5.00

6.1.3 Contact with Authorities 20% 3.00

6.1.4 Contact with Special Interest Groups 20% 4.00

6.1.5 Information Security in Project Management 20% 3.00

6.2 Mobile Devices and Teleworking 50% 4.58

6.2.1 Mobile Device Policy 50% 4.67

6.2.2 Teleworking 50% 4.50

7.0 Human Resource Security 100% 4.75

7.1 Prior to Employment 33% 4.75

7.1.1 Screening 50% 4.50

7.1.2 Terms and Conditions of Employment 50% 5.00


7.2 During Employment 33% 4.50

7.2.1 Management Responsibilities 33% 4.50

7.2.2 Information Security Awareness, Education and Training 33% 4.00

7.2.3 Disciplinary Process 33% 5.00

7.3 Termination and Change of Employment 33% 5.00

7.3.1 Termination or Change of Employment Responsibilities 100% 5.00

8.0 Asset Management 100% 3.72

8.1 Responsibility for Assets 33% 4.00

8.1.1 Inventory of Assets 25% 3.00

8.1.2 Ownership of Assets 25% 3.00

8.1.3 Acceptable Use of Assets 25% 5.00

8.1.4 Return of Assets 25% 5.00

8.2 Information Classification 33% 2.83

8.2.1 Classification of Information 33% 2.50

8.2.2 Labeling of Information 33% 3.00

8.2.3 Handling of Assets 33% 3.00


8.3 Media Handling 33% 4.33

8.3.1 Management of Removable Media 33% 5.00

8.3.2 Disposal of Media 33% 5.00

8.3.3 Physical Media Transfer 33% 3.00

9.0 Access Control 100% 4.80

9.1 Business Requirements of Access Control 25% 4.50

9.1.1 Access Control Policy 50% 4.00

9.1.2 Access to Networks and Network Services 50% 5.00

9.2 User Access Management 25% 4.83

9.2.1 User Registration and De-registration 17% 5.00

9.2.2 User Access Provisioning 17% 5.00

9.2.3 Management of Privileged Access Rights 17% 5.00

9.2.4 Management of Secret Authentication Information of Users 17% 5.00

9.2.5 Review of User Access Rights 17% 4.00

9.2.6 Removal or Adjustment of Access Rights 17% 5.00

9.3 User Responsibilities 25% 5.00

9.3.1 Use of Secret Authentication Information 100% 5.00


9.4 System and Application Access Control 25% 4.86

9.4.1 Information Access Restriction 20% 5.00

9.4.2 Secure Log-on Procedures 20% 4.80

9.4.3 Password Management System 20% 5.00

9.4.4 Use of Privileged Utility Programs 20% 5.00

9.4.5 Access Control to Program Source Code 20% 4.50

10.0 Cryptography 100% 3.17

10.1 Cryptographic Controls 100% 3.17

10.1.1 Policy on the Use of Cryptographic Controls 50% 3.00

10.1.2 Key Management 50% 3.33

11.0 Physical and Environmental Security 100% 4.17

11.1 Secure Areas 50% 3.33

11.1.1 Physical Security Perimeter 17% 4.00

11.1.2 Physical Entry Controls 17% 3.00

11.1.3 Securing Offices, Rooms and Facilities 17% 3.00

11.1.4 Protecting Against External and Environmental Threats 17% 5.00

11.1.5 Working in Secure Areas 17% 3.00

11.1.6 Delivery and Loading Areas 17% 2.00


11.2 Equipment 50% 5.00

11.2.1 Equipment Siting and Protection 11% 5.00

11.2.2 Supporting Utilities 11% 5.00

11.2.3 Cabling Security 11% 5.00

11.2.4 Equipment Maintenance 11% 5.00

11.2.5 Removal of Assets 11% 5.00

11.2.6 Security of Equipment and Assets Off-premises 11% 5.00

11.2.7 Secure Disposal or Re-use of Equipment 11% 5.00

11.2.8 Unattended User Equipment 11% 5.00

11.2.9 Clear Desk and Screen Policy 11% 5.00

12.0 Operations Security 100% 4.72

12.1 Operational Procedures and Responsibilities 15% 4.75

12.1.1 Documented Operating Procedures 25% 5.00

12.1.2 Change Management 25% 5.00

12.1.3 Capacity Management 25% 5.00

12.1.4 Separation of Development, Testing and Operational Environments 25% 4.00


12.2 Protection from Malware 15% 5.00

12.2.1 Controls Against Malware 100% 5.00

12.3 Backup 15% 4.67

12.3.1 Information Backup 100% 4.67

12.4 Logging and Monitoring 15% 4.63

12.4.1 Event Logging 25% 4.00

12.4.2 Protection of Log Information 25% 5.00

12.4.3 Administrator and Operator Logs 25% 4.50

12.4.4 Clock Synchronization 25% 5.00

12.5 Control of Operational Software 15% 5.00

12.5.1 Installation of Software on Operational Systems 100% 5.00

12.6 Technical Vulnerability Management 15% 4.00

12.6.1 Management of Technical Vulnerabilities 50% 5.00

12.6.2 Restrictions on Software Installations 50% 3.00

12.7 Information Systems Audit Considerations 15% 5.00

12.7.1 Information Systems Audit Controls 100% 5.00


13.0 Communications Security 100% 4.63

13.1 Network Security Management 50% 5.00

13.1.1 Network Controls 33% 5.00

13.1.2 Security of Network Services 33% 5.00

13.1.3 Segregation in Networks 33% 5.00

13.2 Information Transfer 50% 4.25

13.2.1 Information Transfer Policies and Procedures 25% 5.00

13.2.2 Agreements on Information Transfer 25% 3.00

13.2.3 Electronic Messaging 25% 5.00

13.2.4 Confidentiality or Non-disclosure Agreements 25% 4.00

14.0 System Acquisition, Development and Maintenance 100% 4.91

14.1 Security Requirements of Information Systems 33% 5.00

14.1.1 Information Security Requirements Analysis and Specification 33% 5.00

14.1.2 Securing Application Services on Public Network 33% 5.00

14.1.3 Protecting Application Services Transactions 33% 5.00

14.2 Security in Development and Support Processes 33% 4.72

14.2.1 Secure Development Policy 11% 3.00

14.2.2 System Change Control Procedures 11% 5.00


14.2.3 Technical Review of Applications After Operating Platform Changes 11% 5.00

14.2.4 Restrictions on Changes to Software Packages 11% 5.00

14.2.5 Secure System Engineering Principles 11% 4.50

14.2.6 Secure Development Environment 11% 5.00

14.2.7 Outsourced Development 11% 5.00

14.2.8 System Security Testing 11% 5.00

14.2.9 System Acceptance Testing 11% 5.00

14.3 Test Data 33% 5.00

14.3.1 Protection of Test Data 100% 5.00

15.0 Supplier Relationships 100% 1.83

15.1 Information Security in Supplier Relationships 50% 1.67

15.1.1 Information Security Policy for Supplier Relationships 33% 2.00

15.1.2 Addressing Security Within Supplier Agreements 33% 2.00

15.1.3 Information and Communication Technology Supply Chain 33% 1.00

15.2 Supplier Service Delivery Management 50% 2.00

15.2.1 Monitoring and Review of Supplier Services 50% 2.00

15.2.2 Managing Changes to Supplier Services 50% 2.00


16.0 Information Security Incident Management 100% 3.57

16.1 Management of Information Security Incidents and Improvements 100% 3.57

16.1.1 Responsibilities and Procedures 15% 2.00

16.1.2 Reporting Information Security Events 15% 4.00

16.1.3 Reporting Information Security Weaknesses 15% 3.00

16.1.4 Assessment of and Decision on Information Security Events 15% 4.00

16.1.5 Response to Information Security Incidents 15% 5.00

16.1.6 Learning from Information Security Incidents 15% 2.00

16.1.7 Collection of Evidence 15% 5.00

17.0 Information Security Aspects of Business Continuity Management 100% 3.33

17.1 Information Security Continuity 50% 1.67

17.1.1 Planning Information Security Continuity 33% 2.00

17.1.2 Implementing Information Security Continuity 33% 2.00

17.1.3 Verify, Review and Evaluate Information Security Continuity 33% 1.00

17.2 Redundancies 50% 5.00

17.2.1 Availability of Information Processing Facilities 100% 5.00


18.0 Compliance 100% 4.40

18.1 Compliance with Legal and Contractual Requirements 50% 3.80

18.1.1 Identification of Applicable Legislation and Contractual Requirements 20% 2.00

18.1.2 Intellectual Property Rights 20% 5.00

18.1.3 Protection of Records 20% 5.00

18.1.4 Privacy and Protection of Personally Identifiable Information 20% 5.00

18.1.5 Regulation of Cryptographic Controls 20% 2.00

18.2 Information Security Reviews 50% 5.00

18.2.1 Independent Review of Information Security 33% 5.00

18.2.2 Compliance with Security Policies and Standards 33% 4.00

18.2.3 Technical Compliance Review 33% 5.00


Gaps and Risk to the Business


Gaps and Risks to the Business: Approach

Based on the results of the work plan, KPMG has provided the gaps identified and the associated business risks, which go beyond the framework objectives to incorporate [Client]'s business models and processes.

Testing Plan
- KPMG developed testing procedures (questions) to be performed onsite based on the objectives of domains and subdomains
- KPMG worked with local [Client] teams to walk through each inquiry
- Based on the objectives and the result of testing, KPMG identified framework gaps

Gap
KPMG performed the following for each gap:
- Understood mitigating controls
- Took [Client]'s business model and processes into consideration
- Created recommended action plans based on [Client], not just the framework objectives

Business Risk
- Domain and subdomain scoring based on objectives
- Business risks tailored to [Client]'s business, controls, architecture, and ongoing projects / assessments


Gaps and Risks to the Business: Detailed Gaps with High Risk to the Business

# | Domain | Sub-Domain | ISO Gap | Business Risk

1 | 8 – Asset management | 8.1.1
ISO Gap: Asset management and tracking is inconsistent. [Client] uses LanSweeper to track hardware assets and a Llama database to track software assets. Asset classification other than hardware and software does not seem to exist at this point (e.g., information assets). Asset owners are not consistently defined or tracked.
Business Risk: Failure to accurately track hardware, software, and information assets, including asset owner assignment, could lead to increased spending on unnecessary software and hardware.

2 | 8 – Asset management | 8.2.1
ISO Gap: [Client] uses a classification scheme for electronic data that is not applied consistently across all business functions. Plans are in progress to create a simplified classification scheme for all data that adheres to three categories: controlled, secure, and confidential.
Business Risk: Continuing to operate without an agreed-upon and consistently applied classification scheme could lead to mismanagement of data and confusion over the level of security required for sensitive data.

3 | 16 – Information security incident management | 16.1.1
ISO Gap: Management responsibilities for security incidents are communicated in training modules, but at this point there is no documented incident response plan.
Business Risk: The lack of a formal, documented incident response plan could lead to user confusion over response procedures, resulting in the possible mishandling of security incidents.

4 | 17 – Information security aspects of business continuity | 17.1.1
ISO Gap: A business impact analysis (BIA) for information security events has not been performed and information security is not considered within the business continuity plans for each office.
Business Risk: Without site-specific BIAs, it is difficult to plan appropriately for managing information security during an event, which could lead to inadequate security during business continuity events.

5 | 17 – Information security aspects of business continuity | 17.1.2 & 17.1.3
ISO Gap: Information security controls, procedures and processes have not been addressed in relation to an overall business continuity plan, and there is no discussion of the review and maintenance of these procedures.
Business Risk: If information security controls are not implemented and established within the business continuity plans, appropriate information security controls may not be in place during the execution of business continuity plans.


Gaps and Risks to the Business: Detailed Gaps with Moderate Risk to the Business

# | Domain | Sub-Domain | ISO Gap | Business Risk

6 | 6 – Organization of information security | 6.1.5
ISO Gap: Information security is not uniformly addressed in all project management procedures at this time. KPMG was informed that this is an area that [Client] knows about and is planning to address soon. Projects that specifically deal with information security issues do include information security considerations within project management planning.
Business Risk: The lack of information security objectives within all project management procedures could lead to the untimely (retroactive) detection of risks introduced by specific projects.

7 | 7 – Human resources security | 7.1.1
ISO Gap: [Client] is unable to confirm that information collected as part of the background checks in the Americas is handled in accordance with relevant legislation.
Business Risk: Storing sensitive HR information in potentially unsafe locations could lead to non-compliance with regulations or unauthorized access to personally identifiable information.

8 | 8 – Asset management | 8.2.1
ISO Gap: As the formal data classification schema has not been defined, [Client] cannot establish a process to periodically review the schema.
Business Risk: Without regularly reviewing the data classification schema, data could be inconsistently classified, which could lead to inadequate security controls for sensitive data.

9 | 8 – Asset management | 8.2.2
ISO Gap: As the formal data classification schema has not been defined, [Client] does not have procedures in place to label physical or electronic data in accordance with a classification scheme.
Business Risk: If physical and electronic data is not labeled appropriately, then data may not be adequately protected.

10 | 8 – Asset management | 8.2.3
ISO Gap: Standards exist for personal and client data handling, but at this moment there are no rules for corporate data.
Business Risk: Improper handling of data could lead to the loss or damage of sensitive information.

11 | 9 – Access control | 9.1.1
ISO Gap: There is no enforced standard of review by group owners on access control policies and user rights for each business unit.
Business Risk: Failure of group owners to review their access control policies and user rights could lead to inadequate access controls or inappropriate user access to sensitive information.


# | Domain | Sub-Domain | ISO Gap | Business Risk

12 | 10 – Cryptography | 10.1.1
ISO Gap: No policy on the use of cryptographic controls exists within [Client].
Business Risk: Not developing and maintaining a policy for cryptographic keys and certificates could lead to inconsistent use or the use of insecure protocols that are susceptible to attack.

13 | 10 – Cryptography | 10.1.2
ISO Gap: PKI certificates are applied and revoked without tracking or managing their protection and lifecycle.
Business Risk: The lack of a formal process to protect and track the lifecycle of cryptographic keys within [Client] could result in improper access being allowed for entities that have passed their allowed access time, and possible dissemination of key data to unauthorized sources.

14 | 12 – Operations security | 12.1.4
ISO Gap: Isolation and segregation of development, testing, and production environments across [Client]'s entire organization is not consistent. Larger environments are stringently controlled while smaller environments do not adhere to these controls.
Business Risk: Failure to maintain consistent standards for development, testing, and production environments could lead to inappropriate access by users to development efforts, and developers may be able to migrate code without prior authorization.

15 | 12 – Operations security | 12.4.3
ISO Gap: Logs of administrator activities are not reviewed on a periodic basis.
Business Risk: Not periodically reviewing administrator activity logs could result in malicious or illegal activity, including large-scale system-level changes, not being detected in a timely manner.

16 | 12 – Operations security | 12.6.2
ISO Gap: Users have the ability to install software on their laptops and workstations without restriction, even though policies exist stating that software installation must be approved ahead of time.
Business Risk: Uncontrolled installation of software on computing devices could lead to users introducing vulnerabilities or malware that compromise the security of the device.


# | Domain | Sub-Domain | ISO Gap | Business Risk

17 | 13 – Communications security | 13.2.2
ISO Gap: Currently, agreements with external parties do not include the provision that [Client] must be notified upon a security breach.
Business Risk: Without formalized agreements with external parties that outline the responsibilities and requirements for reporting security breaches, [Client] may not be able to respond to security incidents in a timely manner.

18 | 15 – Supplier relationships | 15.1.1 & 15.1.2
ISO Gap: [Client] does not have a set of security controls to be adhered to by suppliers. [Client] is in the process of creating a standard document. [Client] currently does not regularly review information security controls as they relate to each supplier's contract.
Business Risk: Failure to include within agreements a set of security controls to be adhered to by suppliers could lead to violation of [Client] security policies without supplier accountability.

19 | 15 – Supplier relationships | 15.1.3
ISO Gap: Currently, information security risks are not addressed in agreements with supply chain management or communication / technology suppliers (e.g., box).
Business Risk: Without considering the risks associated with supply chain management and suppliers providing communication / technology services, effective controls to protect sensitive information or technology may not be in place or tracked.

20 | 15 – Supplier relationships | 15.2.1
ISO Gap: [Client] does not maintain supplier information security documentation nor define explicit information security requirements (controls). As such, [Client] cannot monitor, review, or audit suppliers against information security policy compliance.
Business Risk: Failure to monitor supplier services to determine whether information security policies are being followed could lead to untimely detection of supplier non-compliance with [Client]'s information security requirements.

21 | 15 – Supplier relationships | 15.2.2
ISO Gap: [Client] does not address the criticality of information, systems, or processes when dealing with changes to supplier agreements.
Business Risk: Failure to consider the criticality of the information, systems, and processes affected when supplier agreements change could result in inadequate identification and implementation of new controls.


# | Domain | Sub-Domain | ISO Gap | Business Risk

22 | 16 – Information security incident management | 16.1.6
ISO Gap: Procedures are not in place to formally review security incidents to identify cost, effort and scope.
Business Risk: Not considering the cost, effort, and scope of past security incidents hinders [Client]'s ability to properly assess its risk environment. This could result in the misappropriation of resources when developing and maintaining an enterprise security program.

23 | 18 – Compliance | 18.1.1
ISO Gap: [Client] does not completely document regulatory and contractual requirements for each of the company's information systems.
Business Risk: Failure to document the regulatory and contractual requirements for each information system could result in non-compliance (e.g., reputational damage or fines).

24 | 18 – Compliance | 18.1.5
ISO Gap: There are no policies concerning the use of cryptographic controls in regard to compliance and regulations.
Business Risk: The lack of policies covering proper use of cryptographic controls in regard to regulation and agreements could result in non-compliance (e.g., reputational damage or fines).


Gaps and Risks to the Business: Detailed Gaps with Low Risk to the Business

# | Domain | Sub-Domain | ISO Gap | Business Risk

25 | 5 – Information security policies | 5.1.1
ISO Gap: Information security policies are not centralized within one document. There are redundant statements across multiple policy documents.
Business Risk: The lack of a single source for organizational information security objectives and management's expectations could cause confusion for employees when adhering to the standards set forth by the organization. This could lead to inadvertent non-compliance with information security requirements.

26 | 6 – Organization of information security | 6.1.3
ISO Gap: Formal procedures are not in place to govern communication with authorities in the case of a security incident.
Business Risk: Failure to document communication procedures with authorities could result in the mishandling of, or an untimely response to, incidents.

27 | 6 – Organization of information security | 6.1.4
ISO Gap: The responsibility of maintaining contact with specialist security forums is neither mandatory nor assigned to [Client] personnel (position, role, or individual).
Business Risk: Not maintaining contact with security specialist organizations and other security resources could lead to reduced awareness of the current information security threat landscape.

28 | 6 – Organization of information security | 6.2.1
ISO Gap: Security training does not cover mobile device specific topics or threats.
Business Risk: The lack of detailed training in mobile device security could result in users not understanding the policies and procedures (including their security expectations) for safe and secure use of mobile devices.

29 | 6 – Organization of information security | 6.2.2
ISO Gap: Teleworking agreements do not explicitly cover communication security and the sensitivity of information passed over outside channels. Acceptable remote access mechanisms and communication protocols are not defined.
Business Risk: Not formally identifying and defining acceptable remote access mechanisms or communication mediums for use while not at [Client] facilities (e.g., teleworking) could result in the use of insecure protocols.


# | Domain | Sub-Domain | ISO Gap | Business Risk

30 | 7 – Human resource security | 7.2.1
ISO Gap: Suppliers are not uniformly informed of security policies (including changes) or required to take security trainings.
Business Risk: Not formally communicating [Client] information security requirements, or requiring suppliers to complete [Client]-specific security trainings, could lead to suppliers breaching [Client] security policies without the ability to hold suppliers accountable.

31 | 7 – Human resource security | 7.2.2
ISO Gap: There are two information security training courses (a light version and a longer version specifically for Global IT personnel), but these trainings are not mandatory for units outside of Global IT. [Client] does not define who should be required to complete trainings ([Client] users and suppliers).
Business Risk: Not defining and enforcing security trainings for employees and suppliers could lead to users not understanding their responsibilities to protect systems and data.

32 | 8 – Asset management | 8.1.2
ISO Gap: Review of asset information (e.g., classification data) is not performed at this time.
Business Risk: Failure to regularly review asset information could result in assets being incorrectly labeled and not properly handled according to the data classification scheme.

33 | 8 – Asset management | 8.3.3
ISO Gap: [Client] does not maintain a set of formal policies or procedures for the transfer of physical media through courier services.
Business Risk: Not maintaining a formal and documented policy on the transfer of physical media could lead to insecure transport of physical media, possibly resulting in the loss or damage of sensitive data.

34 | 9 – Access control | 9.4.2
ISO Gap: Time-outs are not tracked as part of the application portfolio, so [Client] is unable to state whether all application connections are configured to time out.
Business Risk: Failure to track time-out thresholds for all applications could result in inappropriate session lengths for sensitive applications.

35 | 9 – Access control | 9.4.5
ISO Gap: Central source code libraries for business critical applications are controlled and secured, but these practices are not consistent across all groups.
Business Risk: Failing to have all instances of source code maintained within libraries could lead to inconsistent development techniques and inappropriate access to source code.


# | Domain | Sub-Domain | ISO Gap | Business Risk

36 | 9 – Access control | 9.2.5
ISO Gap: Secure folders are reviewed regularly, but open data is at the discretion of the group owner and does not follow any defined regular review process.
Business Risk: Failure to review access rights to secure folders could lead to mismanagement of information and misappropriation of rights among users, possibly leading to inappropriate access to sensitive information.

37 | 11 – Physical security | 11.1.1
ISO Gap: Physical security measures are not applied consistently across all offices, specifically smaller locations.
Business Risk: The lack of consistently applied and adhered-to physical security measures could result in loss of confidential information and confusion among employees on how physical security should be applied.

38 | 11 – Physical security | 11.1.2
ISO Gap: Sign-in and sign-out procedures are inconsistent between different [Client] offices. Larger offices tend to have more stringent security and controls than smaller offices.
Business Risk: Not standardizing the sign-in and sign-out procedure could lead to inappropriate access by outside individuals, making [Client] more susceptible to physical theft and security breaches.

39 | 11 – Physical security | 11.1.3
ISO Gap: Physical security within offices and rooms is inconsistent and not formally defined.
Business Risk: The varying levels of physical security at each of [Client]'s offices could result in confusion among employees and inconsistent implementation of procedures (e.g., controls) to protect confidential information.

40 | 11 – Physical security | 11.1.5
ISO Gap: No procedures or guidelines exist with regard to working in secure areas at [Client].
Business Risk: Without a standard policy for working in secure areas, access is treated the same as general building access, which could lead to inappropriate access to information processing facilities or sensitive data.


# | Domain | Sub-Domain | ISO Gap | Business Risk

41 | 11 – Physical security | 11.1.6
ISO Gap: Delivery area security is not currently taken into account by [Client].
Business Risk: Failure to assess the security of delivery areas may lead to breaches in physical security and possible mismanagement of incoming and outgoing shipments and packages.

42 | 12 – Operations security | 12.3.1
ISO Gap: A formal process is not in place for testing system, application, or data restoration (e.g., testing of backup plans).
Business Risk: The lack of a formal process to test and document the results of backup plans could lead to incomplete backup archives and inadequate procedures to restore data in a timely manner.

43 | 12 – Operations security | 12.4.1
ISO Gap: A process is not in place to formally review user activity logs at a defined frequency.
Business Risk: Inconsistent review of user activity logs could result in malicious or illegal activity not being detected in a timely manner.

44 | 13 – Communications security | 13.2.4
ISO Gap: Employment agreements are not reviewed on a regular basis to determine appropriate coverage of new confidentiality or non-disclosure requirements.
Business Risk: Failing to review and update employment agreements at a defined frequency could lead to new confidentiality or non-disclosure requirements not being communicated, possibly leading to confusion over expectations and responsibilities to protect information.

45 | 14 – System Acquisition, Development and Maintenance | 14.2.5
ISO Gap: Reviews of the principles for engineering secure systems are not performed on a defined, periodic basis.
Business Risk: Not reviewing the principles for engineering secure systems could result in the untimely inclusion of controls addressing emerging threats, leading to systems designed without proper security controls.

46 | 16 – Information security management | 16.1.2
ISO Gap: Requirements for reporting information security events are not communicated to all employees and suppliers on a consistent basis.
Business Risk: The lack of a defined process to consistently communicate responsibilities for the reporting of information security events could result in the untimely detection or escalation of information security events.


# | Domain | Sub-Domain | ISO Gap | Business Risk

47 | 16 – Information security incident management | 16.1.3
ISO Gap: [Client] does not have an explicit requirement for the reporting of security weaknesses.
Business Risk: Failing to explicitly state that employees are required to report security weaknesses could result in potential points of impact not being discovered in a timely manner.

48 | 16 – Information security incident management | 16.1.4
ISO Gap: Procedures for reporting security events are not defined; each office has its own IT and HR contact who can escalate issues to Global IT as needed. Employees are expected to utilize these sources in the event of an incident.
Business Risk: Failure to document the proper process for reporting security incidents could result in the untimely detection or escalation of information security events.


The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
