You are on page 1of 17

Final Confidential

Standard Framework Security Management

Points to consider (guidance for the scoring of the contro

Every control has 'Points to consider', which can be used as guidance for the scoring of the
maturity levels. Each worksheet contains these Points to consider.
Currently these Points to consider are based on the following sources:
1. Cobit V4.1 (www.isaca.org)
2. SANS Top 20 Critical Security Controls for Effective Cyber Defense (www.sans.org)
3. ISO 27032:2012 Guidelines for Cyber Security (www.iso.org)

The maturity levels are:


0 Control is: Non-existent - No documentation. There is no awareness or attention for certain
control.
1 Control is: Initial/ad hoc - Control is (partly) defined, but performed in an inconsistent way
The way of execution is depending on individuals.
2 Control is: Repeatable but intuitive - Control is in place and executed in a structured and
consistent, but informal way.
3 Control is: Defined - Control is documented, executed in a structured and formalized way.
Execution of the control can be proved.
4 Control is: Managed and measurable - The effectiveness of the control is periodically
assessed an improved when necessary. This assessment is documented.
5 Control is: Optimised - An enterprisewide risk and control programme provides continuous
and effective control and risk issues resolution.
Control is: Not applicable - Control is for this organisation not applicable.

When compensating controls exist for a specific control, apply the score of this compensation
control to this specific control and put a remark in the comments field.

360521017.xlsx
Final Confidential

agement

g of the controls)

e for the scoring of the

www.sans.org)

ss or attention for certain

ed in an inconsistent way.

uted in a structured and

ed and formalized way.

ontrol is periodically
d.
mme provides continuous

cable.

ore of this compensation

360521017.xlsx
Strategy&Policies Confidential Final

Domain SP Strategy & Policies S


P
Provide management direction and support for information security Back to Assessment Overview
in accordance with business requirements, risks and relevant laws
and regulations.

exist
Non

ent
0-
No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical controls CobiT CobiT 5.0 ISO
and/or ISO27032 4.1 27002:2005

1 Define an information security plan: Provide direction and support for information security in accordance with business, risks and compliance requirements with involvement of Business and IT so priorities can be mutually agreed.

Information Security plan: Business, risk and compliance Determine the effectiveness of the collection and integration of information security Not applicable DS5.2 APO13.02 Define and manage 5.1.1 5.1.2
requirements are translated into an overall IT security plan, taking requirements into an overall IT security plan that is responsive to the changing needs of an information security risk 6.1.2 6.1.5
into consideration the IT infrastructure and the security culture. The the organisation. treatment plan 8.2.2 11.1.1
plan is implemented in security policies and procedures together Verify that the IT security plan considers IT tactical plans (PO1), data classification 11.7.1 11.7.2
with appropriate investments in services, personnel, software and (PO2), technology standards (PO3), security and control policies (PO6), risk management
hardware. Security policies and procedures are communicated to (PO9), and external compliance requirements (ME3).
stakeholders and users. Determine if a process exists to periodically update the IT security plan, and if the
process requires appropriate levels of management review and approval of changes.
Determine if enterprise information security baselines for all major platforms are
commensurate with the overall IT security plan, if the baselines have been recorded in the
configuration baseline (DS9) central repository, and if a process exists to periodically
update the baselines based on changes in the plan.
Determine if the IT security plan includes the following:
A complete set of security policies and standards in line with the established information
security policy framework
1.1
Procedures to implement and enforce the policies and standards
Roles and responsibilities
Staffing requirements
Security awareness and training
Enforcement practices
Investments in required security resources
Determine if a process exists to integrate information security requirements and
implementation advice from the IT security plan into other processes, including the
development of SLAs and OLAs (DS1-DS2), automated solution requirements (AI1),
application software (AI2), and IT infrastructure components (AI3).

IT Policies Management: Develop and maintain a set of policies Enquire whether and confirm that a hierarchical set of policies, standards and procedures Not applicable PO6.3 APO01.03 Maintain the enablers 5.1.1 5.1.2
to support Information security strategy. These policies should have been created and align with the Information seecurity strategy and control of the management system 6.1.1 8.1.1
include policy intent; roles and responsibilities; exception process; environment.
compliance approach; and references to procedures, standards and Enquire whether and confirm that specific policies exist on relevant key topics, such as APO01.08 Maintain compliance
guidelines for development, acquisition, maintenance and support. quality, security (including secure coding), confidentiality, internal controls, ethics and with policies and procedures
Their relevance should be confirmed and approved regularly. intellectual property rights.
Enquire whether and confirm that a policy update process has been defined that requires,
1.2
at minimum, annual reviews.
Enquire whether and confirm that procedures are in place to track compliance and define
consequences of non-compliance.
Enquire whether and confirm that accountability has been defined and documented for
formulating, developing, documenting, ratifying, disseminating and controlling policies to
ensure that all elements of the policy management process have been assigned to
accountable individuals.

2 Define the information architecture: Ensure reliable, secured and reliable information to support business processes and to seamlessly integrate applications into business processes.

Enterprise Information Architecture Model: Establish and Verify whether an enterprise information model exists, based on well-accepted Not applicable PO2.1 APO03.02 Define reference None
maintain an enterprise information model to enable applications standards, and whether it is known by appropriate business and IT stakeholders. architecture
development and decision-supporting activities, consistent with IT Verify whether the model is effectively used and maintained in parallel with the process
plans. The model should facilitate the optimal creation, use and that translates IT strategy into IT tactical plans and tactical plans
2.1 sharing of information by the business in a way that maintains into projects.
integrity and is flexible, functional, cost-effective, timely, secure Assess whether the model considers flexibility, functionality, cost-effectiveness, security,
and resilient to failure. failure resiliency, compliance, etc.

Data classification scheme: Establish a classification scheme that Review the data classification scheme and verify that all significant components are Not applicable PO2.3 APO03.02 Define reference 7.2.1 10.8.1
applies throughout the enterprise, based on the criticality and covered and completed, and that the scheme is reasonable in balancing cost vs. risk. This architecture 10.8.2 10.7.1
sensitivity (e.g., public, confidential, top secret) of enterprise data. includes data ownership with business owners and definition of appropriate security 11.1.1
This scheme should include details about data ownership; definition measures related to classification levels.
of appropriate security levels and protection controls; and a brief Verify that security classifications have been challenged and confirmed with the business
2.2 description of data retention and destruction requirements, owners at regular intervals.
criticality and sensitivity. It should be used as the basis for applying
controls such as access controls, archiving or encryption.

3 Determine technological direction: Provide stable, effective and secure technological solutions enterprise wide to enable timely response to business requirements and changes in law and regulations, industry and technology developments.

Monitor future trends and regulations: A process is established Determine whether, by whom and how current and future trends and regulations are Not applicable PO3.3 EDM01.01 Enterprise 6.1.1
to monitor the business sector, industry, technology, infrastructure, monitored (e.g., technological developments, competitor activities, infrastructure issues, governance guiding principles
legal and regulatory environment trends. The consequences of legal requirements and regulatory environment changes, third-party experts) and whether
these trends are incorporated into the development of the IT related risks or related opportunities for value creation are properly assessed. APO04.03 Monitor and scan the
3.1 technology infrastructure plan. Verify whether the result of the monitoring is consistently passed on to the appropriate technology environment
bodies (e.g., IT steering committee) and to the IT tactical and infrastructure planning
processes for action.

Technology standards: Consistent, effective and secure Verify that the corporate technology standards are being approved by the IT architecture Not applicable PO3.4 APO03.05 Provide enterprise 10.3.2 10.8.2
technological solutions are provided enterprise wide, a technology board. architecture services 11.7.2
forum is established to provide technology guidelines, advice on Assess the effectiveness of the process for communication of technical standards to IT
infrastructure products and guidance on the selection of technology, staff members (e.g., project managers, information architects).
and compliance with these standards and guidelines is measured. Interview relevant IT personnel to determine their understanding of technical standards.
This forum directs technology standards and practices based on Ascertain from IT management that monitoring and benchmarking processes are put in
their business relevance, risks and compliance with external place to confirm compliance to established technology standards and guidelines.
3.2 requirements. Evaluate technical feasibility analysis documentation for selected projects to assess
compliance with corporate technology standards.

360521017.xlsx
Strategy&Policies Confidential Final

No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical controls CobiT CobiT 5.0 ISO
and/or ISO27032 4.1 27002:2005

4 Assess and manage (IT) risks: Ensure that information security risks are discovered, prioritized and are accepted in a timely and structured manner aligned with the enterprises appetite for IT risk and the organisation's risk management framework.

IT Risk Management framework: An IT risk management Inspect whether the IT risk management framework aligns with the risk management Not applicable PO9.1 EDM03.02 Direct Risk
framework is established and aligned to the organisations framework for the organisation (enterprise) and includes business-driven components for Management
(enterprise) risk management framework. strategy, programmes, projects and operations.
Review the IT risk classifications to verify that they are based on a common set of APO01.03 Maintain the enablers
characteristics from the enterprise risk management framework. fo the management system 4.2 5.1.1
Inspect whether IT risk measurements are standardised and prioritised and whether they 6.2.2 7.1.3
include impact, acceptance of residual risk and probabilities aligned with the enterprise risk 8.2.2 8.3.2
4.1 management framework. 9.1.5 9.2.7
Verify whether IT risks are considered in the development and review of IT strategic 10.8.1 10.7.3
plans. 10.9.3 11.1.1
11.3.1 11.3.2
11.3.3 11.7.1
11.7.2 12.3.1
14.1.1 14.1.2
15.1.5 15.2.1
Risk assessment: The likelihood and impact of all identified risks Walk through the risk management process to determine if inherent and residual risks Control 4: PO9.4 APO12.02 Analyse risk 4.1 5.1.2
are assessed on a recurrent basis, using qualitative and quantitative are defined and documented. 1. Quick wins: Run automated vulnerability 14.1.2
methods. The likelihood and impact associated with inherent and Enquire whether and confirm that the risk management process assesses identified risks scanning tools against all systems on their APO12.04 Articulate risk
residual risk are determined individually, by category and on a qualitatively and/or quantitatively. networks on a weekly or more frequent basis using
portfolio basis. Inspect project and other documentation to assess the appropriateness of qualitative or a SCAP-validated vulnerability scanner that looks
quantitative risk assessment. for both code-based vulnerabilities (CVE) and
Walk through the process to determine if the sources of information used in the analysis configuration-based vulnerabilities (CCE). Where
are reasonable. feasible, vulnerability scanning should occur on a
Inspect the use of statistical analysis and probability determinations to measure the daily basis using an up-to-date vulnerability
likelihood qualitatively or quantitatively. scanning tool. Any vulnerability identified should be
Enquire or inspect whether any correlation between risks is identified. Review any remediated in a timely manner, with critical
correlation to verify that it exposes significantly different likelihood and impact results vulnerabilities fixed within 48 hours.
arising from such relationship(s). 2. Quick wins: Event logs should be correlated with
information from vulnerability scans to fulfill two
goals. First, personnel should verify that the
activity of the regular vulnerability scanning tools
4.2 themselves is logged. Second, personnel should be
able to correlate attack detection events with
earlier vulnerability scanning results to determine
whether the given exploit was used against a target
known to be vulnerable.
3. Quick wins: Utilize a dedicated account for
authenticated vulnerability scans. The scanning
account should not be used for any other
administrative activities and tied to specific IP
addresses. Ensure only authorized employees have
access to the vulnerability management user
interface and that roles are applied to each user.
4. Quick wins: Subscribe to vulnerability
intelligence services in order to stay aware of
emerging exposures.
5. Visibility/Attribution: Deploy automated patch
management tools and software update tools for
operating system and software/applications on all
Maintenance and monitoring of a risk action plan: The control Enquire whether accepted risks are formally recognised and recorded in a risk action Not applicable
systems for which such tools are available and PO9.6 APO12.04 Articulate risk None
activities are prioritised and planned at all levels to implement the plan. safe. Patches should be applied to all systems,
risk responses identified as necessary, including identification of Assess the appropriateness of the elements of the risk management plan. APO12.05 Define a risk
even systems that are properly air gapped.
costs, benefits and responsibility for execution. Approval is obtained Enquire or inspect whether execution, report progress and deviations are monitored. 6. Visibility/Attribution: Carefully monitor logs management action portfolio
for recommended actions and acceptance of any residual risks, and Inspect risk responses for appropriate approvals. associated with any scanning activity and
4.3 ensured that committed actions are owned by the affected process Review actions to verify whether ownership is assigned and documented. associated administrator accounts to ensure that all
owner(s). Execution is monitored of the plans, and any deviations Inspect whether the risk action plan is effectively maintained and adjusted. scanning activity and associated access via the
are reported to senior management. privileged account is limited to the timeframes of
legitimate scans.
7. Configuration/Hygiene: In addition to
unauthenticated vulnerability scanning,
organizations should ensure that all vulnerability
scanning is performed in authenticated mode either
with agents running locally on each end system to
analyze the security configuration or with remote
scanners that are given administrative rights on the
system being tested.
8. Configuration/Hygiene: Compare the results
from back-to-back vulnerability scans to verify that
vulnerabilities were addressed either by patching,
implementing a compensating control, or
documenting and accepting a reasonable business
risk. Such acceptance of business risks for existing
vulnerabilities should be periodically reviewed to
determine if newer compensating controls or
subsequent patches can address vulnerabilities that
were previously accepted, or if conditions have
changed increasing the risk.
9. Configuration/Hygiene: Vulnerability scanning
tools should be tuned to compare services that are
listening on each machine against a list of
authorized services. The tools should be further
tuned to identify changes over time on systems for
both authorized and unauthorized services.
10. Configuration/Hygiene: Measure the delay in
patching new vulnerabilities and ensure that the
delay is equal to or less than the benchmarks set
forth by the organization. Alternative
countermeasures should be considered if patches
are not available.
11. Configuration/Hygiene: Critical patches must be
evaluated in a test environment before being
pushed into production on enterprise systems. If
such patches break critical business applications on
test machines, the organization must devise other
mitigating controls that block exploitation on
systems where the patch cannot be deployed
because of its impact on business functionality.
12. Configuration/Hygiene: Address the most
damaging vulnerabilities first. Prioritize the
vulnerable assets based on both the technical and
organization-specific business risks. An industry-
wide or corporate-wide vulnerability ranking may
be inadequate to prioritize which specific assets to
address first. A phased rollout can be used to
minimize the impact to the organization.

360521017.xlsx
Organization Confidential Final

Domain O Organization

Manage information security within the organization through an


embedded and structure and set of roles and responsibilities.

No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical CobiT Cobit 5.0 ISO
controls and/or ISO27032 4.1 27002:20
05

5 Information Security Organization: Information Security is managed at the highest appropriate organizational level, so the management of security actions is in line with business, risk and compliance requirements.

Responsibility for risk, security and compliance: Ownership Enquire whether and confirm that: Not applicable PO4.8 N/A 6.1.1
and responsibility are embedded for IT-related risks within the Senior management has established an organisation wide, adequately staffed risk management and information 6.1.2
business at an appropriate senior level. Roles critical for managing security function with overall accountability for risk management and information security. Verify by interviewing key 6.1.3
IT risks are defined and assigned, including the specific personnel that the reporting line of the risk management and information security function is such that it can effectively 8.1.1
responsibility for information security, physical security and design, implement and, in conjunction with line management, enforce compliance with the organisations risk 8.2.1
compliance. Risk and security management responsibility are management and information security policies, standards and procedures. 8.2.3
established at the enterprise level to deal with organisation wide Roles and responsibilities for the risk management and information security function have been formalised and 15.1.1
issues. Additional security management responsibilities may be documented 15.1.2
assigned at a system-specific level to deal with related security Responsibilities have been allocated to appropriately skilled and experienced staff members and, in the case of 15.1.3
issues. From senior management is direction obtained on the information security, under the direction of an 15.1.4
5.1
appetite for IT risk and approval of any residual IT risks. information security officer 15.1.6
The resource requirements in relation to risk management and information security have been regularly assessed by 15.2.1
management to ensure that appropriate resources
are provided to meet the needs of the business
A process is in place to obtain senior management guidance concerning the risk profile and acceptance of significant
residual risks. Verify that it functions properly by examining recent situations.

Management of Information Security: Information security is Determine if a security steering committee exists, with representation from key functional areas, including internal Not applicable DS5.1 APO13.01 Establish and 6.1.1
managed at the highest appropriate organisational level, so the audit, HR, operations, IT security and legal. maintain an ISMS 6.1.2
management of security actions is in line with business Determine if a process exists to prioritise proposed security initiatives, including required levels of policies, standards 6.2.3
requirements. and procedures. APO13.03 Monitor and 8.2.2
Enquire whether and confirm that an information security charter exists. review the ISMS
Review and analyse the charter to verify that it refers to the organisational risk appetite relative to information
security and that the charter clearly includes:
Scope and objectives of the security management function
Responsibilities of the security management function
Compliance and risk drivers
Enquire whether and confirm that the information security policy covers the responsibilities of board, executive
management, line management, staff members and all users of the enterprise IT infrastructure and that it refers to
detailed security standards and procedures.
Enquire whether and confirm that a detailed security policy, standards and procedures exist. Examples of policies,
standards and procedures include:
Security compliance policy
5.2 Management risk acceptance (security non-compliance acknowledgement)
External communications security policy
Firewall policy
E-mail security policy
An agreement to comply with IS policies
Laptop/desktop computer security policy
Internet usage policy
Enquire whether and confirm that an adequate organisational structure and reporting line for information security
exist, and assess if the security management and
administration functions have sufficient authority.
Enquire whether and confirm that a security management reporting mechanism exists that informs the board,
business and IT management of the status of
information security.

6 Data and system ownership: Data and system ownership is established to provide accountability and ensure that data integrity, confidentiality and availability are in line with business and compliance requirements.

Data and system ownership: The business is provided with Enquire whether and confirm that a policy for data classification and system ownership has been developed and Not applicable PO4.9 APO01.06 Define 6.1.3
procedures and tools, enabling it to address its responsibilities for communicated. information (data) and 6.1.4
ownership of data and information systems. Owners make decisions Validate that the policy has been applied to major application systems and enterprise architecture and internal and system ownership 7.1.2
about classifying information and systems and are protecting them external data communication. 9.2.5
in line with this classification. Verify that the policy for data classification and system ownership supports the protection of information assets,
6.1 enables efficient delivery and use of business applications, and facilitates effective security decision making.
Observe the process to register and maintain system ownership and data classification, and assess whether the
process is being consistently applied.

7 Manage segregation of duties: A division of roles and responsibilities is implemented that reduces the possibility for a single individual to compromise a critical process.

Segregation of duties: A division of roles and responsibilities is Enquire whether and confirm that standards have been established to enforce and ensure appropriate segregation of Not applicable PO4.11 APO01.02 Establish roles 8.2.1
implemented that reduces the possibility for a single individual to duties and that these standards are reviewed and changed as needed. and responsibilities 10.1.3
compromise a critical process. Personnel are performing only Assess whether standards have been implemented in assigning roles and responsibilities. 10.1.4
authorised duties relevant to their respective jobs and positions. Enquire whether and confirm that a process exists to identify critical positions and processes that must be subject to
7.1 segregation of duties.

360521017.xlsx
People Confidential Final

Domain PE People P
E
Ensure that all employees, contractors and third party users are Back to Assessment Overview
aware of information security threats and concerns, their
responsibilities and liabilities, and are equipped to support
organizational security policy in the course of their normal work,

existent
0 - Non
and to reduce the risk of human error.

No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical CobiT Cobit 5.0 ISO
controls and/or ISO27032 4.1 27002:20
05

8 Manage IT human resources: Ensure that functions are staffed properly with reliable people who posses the necessary skills to fulfil their role to reduce the risk of human error.

Personnel recruitment and retention: IT personnel recruitment Enquire whether and confirm that an IT HR management plan exists that reflects the Not applicable PO7.1 APO07.01 Maintain adequate 8.1.1
processes are maintained in line with the overall organisations definition of skill requirements and preferred professional qualifications to meet and appropriate staffing 8.1.2
personnel policies and procedures (e.g., hiring, positive work tactical and strategic IT needs of the organisation. The plan should be updated at least 8.1.3
environment, orienting). Processes are implemented to ensure that annually and should include specific recruitment and retention action plans to APO07.05 Plan and track the
the organisation has an appropriately deployed IT workforce with address current and future requirements. It should also include policies for the usage of IT and business human
the skills necessary to achieve organisational goals. enforcement of uninterrupted holiday policy procedures, as applicable. resources
Enquire whether and confirm that a documented process for the recruitment and
8.1 retention of IT personnel is in place and reflects the needs identified in the IT HR plan.
Confirm that HR professionals regularly review and approve the IT recruitment and
retention process to ensure alignment with organisational policies.

Personnel competencies: Regularly is verified that personnel Inspect a sample of job descriptions for a complete and appropriate description of Not applicable PO7.2 APO07.03 Maintain the skills and 8.2.2
have the competencies to fulfil their roles on the basis of their required skills, competencies and qualifications. competencies of personnel
education, training and/or experience. Core IT competency Verify that processes exist and are conducted on a regular basis to review and refresh
requirements are defined and verified that they are being job descriptions.
8.2 maintained, using qualification and certification programmes where Enquire whether and confirm that management has identified skill needs, including
appropriate. appropriate education, cross-training and certification requirements to address specific
requirements of the organisation.

Dependence upon individuals: Exposure to critical dependency Inspect documentation on key role personnel for reliance on single individuals for critical Not applicable PO7.5 APO07.02 Identify key IT None
on key individuals through knowledge capture (documentation), processes within the IT organisation. personnel.
knowledge sharing, succession planning and staff backup is Enquire whether training programmes incorporate techniques to mitigate the risk of
minimized. overdependence on key resources. Programmes should include cross-training,
8.3 documentation of key tasks, job rotation, knowledge sharing and succession planning for
critical roles within the organisation.

Personnel clearance procedures: Background checks are Inspect selection criteria for performance of security clearance background checks. Not applicable PO7.6 APO07.01 Maintain adequate 8.1.2
included in the IT recruitment process. The extent and frequency of Review for appropriate definition of critical roles, for which security clearance checks are and
periodic reviews of these checks are dependant on the sensitivity required. This should apply to employees, contractors and vendors. appropriate staffing.
and/or criticality of the function and are applied for employees, Enquire whether and confirm that hiring processes include clearance background checks.
contractors and vendors. Inspect hiring documentation for a representative sample of IT staff members to APO07.06 Manage contract staff.
8.4 evaluate whether background checks have been completed and evaluated.

360521017.xlsx
People Confidential Final

Job change and termination: Expedient actions are taken Enquire and inspect whether exit procedures for voluntary termination of employment Not applicable PO7.8 APO07.01 Maintain adequate 8.2.3
regarding job changes, especially job terminations. Knowledge are documented and contain all required elements, such as necessary knowledge and 8.3.1
transfer is arranged, responsibilities are reassigned and access transfer, timely securing of logical and physical access, return of the organisations assets, appropriate staffing. 8.3.2
rights are removed such that risks are minimised and continuity of and conducting of exit interviews. 8.3.3
the function is guaranteed. Enquire whether job change procedures are documented and contain all required
elements to minimise disruption of business processes. Examples include the need for
job mentoring, job hand-over steps and preparatory formal training. Inspect job change
procedures to determine if the procedures are consistently followed.
Acquire through HR a list of terminated/transferred users (for the past six months to one
8.5 year).

9 Ensure operations and use: Ensure that people has the knowledge and skills to allow effective and efficient operations of new or adjusted technology / application functions in line with the security policies and procedures.

Knowledge transfer to end users: Transfer knowledge and skills Interview key staff members about the user groups awareness and knowledge of the ISO - 12.5 control social engineering: AI4.3 BAI08.01 Nurture and facilitate 8.2.2
to allow end users to effectively and efficiently use the system in process to effectively and efficiently use the application system to support business Security awareness and training, a knowledge-sharing culture.
support of business processes. processes (e.g., training and skills development, training materials, user manuals, including regular updating of relevant
procedure manuals, online help, service desk support, key user identification, evaluation). knowledge and learning are an important BAI08.02 Identify and classify
Review training and implementation materials to determine if the defined process element for countering social engineering sources of information
includes the required content. attacks.
Confirm through interviews with key staff members that the user is aware of and able to As part of an organizations BAI08.03 Organise and
use the feedback mechanism to assess the adequacy of the support Cybersecurity program, employees and contextualise information into
documentation, procedures and related training. third-parties contractors should be knowlegde
required to undergo a minimum number
of hours of awareness training in order to BAI08.04 Use and share
ensure that they are aware of their roles knowlegde
and responsibilities in the Cyberspace,
and technical controls that they should
implement as individuals using the
Cyberspace. In addition, as part of the
9.1 program to counter social engineering
attacks, such awareness training should
include contents such as the following:
a) The latest threats and forms of social
engineering attacks, for example, how
phishing has evolved from fake websites
alone to a combination of Spam, Cross
Site Scripting, and SQL Injection attacks.
b) How individual and corporate
information can be stolen and
manipulated through social engineering
attacks, providing understanding on how
attackers can take advantage of human
nature, such as a tendency to comply to
requests that are made with authority
(even though it can be unreal), friendly
demeanour, posing as a victim, and
reciprocation by first giving something of
value or help.
c) What information needs to be
protected and how to protect it, in
accordance with the information security
policy.
d) When to report or escalate a
suspected event or malicious application
to approach authorities or response
agency, and information on these
contacts available. Organizations
providing Cyberspace applications and
services online should provide awareness
materials to subscribers or consumers
covering the above contents within the
context of their applications or services.

360521017.xlsx
People Confidential Final

Knowledge transfer to operations and support staff: Interview key staff members about the operation and technical support staffs awareness Control 9: AI4.4 BAI08.01 Nurture and facilitate 8.2.2
Knowledge and skills are transferred to enable operations and and knowledge of the process to effectively and efficiently deliver, support and maintain 1. Quick wins: Perform gap analysis to a knowledge-sharing culture. 10.1.1
technical support staff to effectively and efficiently deliver, support the application system and associated infrastructure according to service levels (e.g., see which security areas employees are 10.3.2
and maintain the system and associated infrastructure. training and skills development, training materials, user manuals, procedure manuals, not adhering to and use this as the basis BAI08.02 Identify and classify 10.7.4
online help, service desk scenarios). for an awareness program. Organizations sources of information 13.2.2
Review training and implementation materials to determine if the defined process should devise periodic security
includes the required content. awareness assessments to be given to BAI08.03 Organise and
Confirm through interviews with key staff members that operation and technical support employees and contractors on at least an contextualise information into
personnel are aware of and able to use the feedback mechanism to assess adequacy of the annual basis in order to determine knowlegde
support documentation, procedures and related training. whether they understand the information
Determine if operations and support staff members are involved in the development and security policies and procedures, as well BAI08.04 Use and share
maintenance of operations and support documentation. as their role in those procedures. knowlegde
Identify areas where operational support procedures are not integrated with existing 2. Quick wins: Develop security
operational support procedures. awareness training for various personnel
9.2 job descriptions. The training should
include specific, incident-based scenarios
showing the threats an organization
faces, and should present proven
defenses against the latest attack
techniques.
3. Quick wins: Awareness should be
carefully validated with policies and
training. Policies tell users what to do,
training provides them the skills to do it,
and awareness changes their behavior so
that they understand the importance of
following the policy.
4. Visibility/Attribution: Metrics should be
created for all policies and measured on
a regular basis. Awareness should focus
on the areas that are receiving the
lowest compliance score.
5. Configuration/Hygiene: Conduct
periodic exercises to verify that
employees and contractors are fulfilling
their information security duties by
conducting tests to see whether
employees will click on a link from
suspicious e-mail or provide sensitive
information on the telephone without
following appropriate procedures for
authenticating a caller.
6. Configuration/Hygiene: Provide
awareness sessions for users who are not
following policies after they have
received appropriate training.

360521017.xlsx
Processes Confidential Final

Domain PR Processes

Ensure that system and infrastructure development,


maintenance and access is performed in a secured way
and comply to the information policies, standards and
procedures, and laws and regulations. Information
security weaknesses and business interruptions should
be counteract adequately avoiding unintended negative
business exposure.
No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical controls and/or CobiT Cobit 5.0 ISO
ISO27032 4.1 27002:20
05

10 Change Management: Ensure that all changes, including patches, support enterprise objectives and are carried out in a secure manner. Ensure that day-to-day business processes are not impacted.

Change standards and procedures: Formal change Enquire whether and confirm that the processes and procedures for handling change requests (including Not applicable AI6.1 BAI06.01 Evaluate, prioritise 10.1.2
management procedures has been set up to handle in maintenance and patches) apply to applications, procedures, processes, system and service parameters, and the and authorise change requests. 12.5.3
a standardised manner all requests (including underlying platforms.
maintenance and patches) for changes to applications, Review the change management framework to determine if the framework includes: BAI06.02 Manage emergency
procedures, processes, system and service The definition of roles and responsibilities changes.
parameters, and the underlying platforms. Classification (e.g., between infrastructure and application software) and prioritisation of all changes
Assessment of impact, authorisation and approval BAI06.03 Track and report
Tracking of changes change status.
Version control mechanism
Impact on data integrity (e.g., all changes to data files made under system and application control rather than by BAI06.04 Close and document
direct user intervention) the changes.
Management of change from initiation to review and closure
10.1 Definition of rollback procedures
Use of emergency change processes
Business continuity planning
Use of a record management system
Audit trails
Segregation of duties
Enquire whether and confirm that processes and procedures for contracted services providers (e.g., infrastructure,
application development, application service providers, shared services) are included in the change management
process.
Determine if the process and procedures include the contractual terms and SLAs.

Impact assessment, prioritisation and Enquire whether and confirm that the change management process allows business process owners and IT to Not applicable AI6.2 BAI06.01 Evaluate, prioritise 10.1.2
authorisation: All requests for change in a structured request changes to infrastructure, systems or applications. and authorise 12.5.3
way are assessed to determine the impact on the Enquire whether and confirm that requested changes are categorised (e.g., between infrastructures, operating change requests. 12.6.1
operational system and its functionality. All changes systems, networks, application systems, purchased/packaged application software).
are categorised, prioritised and authorised. Confirm through interviews with key staff members that requested changes are prioritised based on predefined
criteria (e.g., business and technical needs for the change and legal, regulatory and contractual requirements).
Enquire whether and confirm that change requests are assessed and documented in a structured method that
addresses impact analysis on infrastructure, systems and applications.
Enquire whether and confirm that security, legal, contractual and compliance implications are considered in the
10.2 assessment process for the requested change and that business owners are involved.
Enquire whether and confirm that each requested change is formally approved by the business process owners
and IT technical stakeholders.
Inspect a representative sample of change management requests to ensure that they were appropriately
assessed, evaluated, prioritised and reviewed.

Test environment: A secure test environment is Enquire whether and confirm that the test environment is set up to mirror the production environment (factors Not applicable AI7.4 BAI07.04 Establish a test 10.1.4
defined and established representative of the planned include workload/stress, operating systems, necessary application software, database management systems, environment. 12.4.3
operations environment relative to security, internal network and computing infrastructure). 12.5.2
controls, operational practices, data quality and privacy Enquire whether and confirm that the test environment is incapable of interacting with production environments.
requirements, and workloads. Enquire whether and confirm that a test database exists.
Evaluate the existence and quality of a data-sanitising process in creating a test database.
Assess protection measures and the authorisation of access to the test environment.
Enquire whether and confirm that a process exists and is complied with to manage retention or disposal of test
10.3 results.
Enquire whether and confirm that the retention process meets or exceeds regulatory or compliance requirements.

Testing of changes: Changes are tested Enquire whether and confirm that testing of changes is developed with independence (separation of duties) and Not applicable AI7.6 BAI07.05 Perform acceptance 6.1.4
independently in accordance with the defined test plan conducted only in the test environment. tests. 12.4.3
prior to migration to the operational environment. It is Enquire whether and confirm that test scripts exist to validate security and performance requirements. 12.5.2
ensured that the plan considers security and Confirm through interviews that fallback or back out plans are prepared and tested prior to changes being
10.4 performance. promoted into production.

Promotion to production: The following procedure is Review procedures for program transfer to verify that a formal process exists that requires documented approval Not applicable AI7.8 BAI07.06 Promote to production None
being following: Following testing, the handover of the from user management and system development. and
changed system to operations is controlled, keeping it Confirm that the approval process identifies effective dates for promotion of new systems, applications or manage releases.
in line with the implementation plan. Approval is infrastructure to production, as well as for the retirement of old systems, applications and infrastructure.
obtained of the key stakeholders, such as users, Enquire whether and confirm that the approval process includes a formal documented sign-off from business
system owner and operational management. Where process owners, third parties and IT stakeholders as appropriate (e.g., development group, security group,
appropriate, the system is run in parallel with the old database management, user support and operations group).
system for a while, and the behaviour and results are Confirm procedures for updating copies of system documentation and relevant contingency plan.
compared. Enquire of key staff members concerning procedures for updating all source program libraries and procedures for
labelling and retaining prior versions.
Enquire of key staff members regarding required procedures for obtaining from the acceptance testing function
the media used for implementation.
Enquire of key staff members whether automated software distribution is controlled and whether there are checks
in the distribution process that verify that the destination environment is of the correct standard implementation and
10.5 version.
Evaluate the effectiveness of the control to verify that distribution occurs only to authorised and correctly
identified destinations.
Enquire of key staff members whether a formal log is kept of what software and configuration items have been
distributed, to whom they have been distributed, where they have been implemented, and when each has been
updated.
Enquire of key staff members concerning procedures for promptly updating all program copies and procedures for
providing implementation order instructions in advance to all impacted locations.

11 Continuity Management: Counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

IT Continuity plans: IT continuity plans are Confirm that business continuity plans exist for all key business functions and processes. Not applicable DS4.2 DSS04.03 Develop and 6.1.6
developed based on the framework and designed to Review an appropriate sample of business continuity plans and confirm that each plan: implement a 6.1.7
reduce the impact of a major disruption on key Is designed to establish the resilience, alternative processing and recovery capability in line with service business continuity response. 14.1.1
business functions and processes. The plans are based commitments and availability targets 14.1.2
on risk understanding of potential business impacts Defines roles and responsibilities 14.1.3
and address requirements for resilience, alternative Includes communication processes
11.1 processing and recovery capability of all critical IT Defines the minimum acceptable recovery configuration
services. The plans also cover usage guidelines, roles Obtain the overall testing strategy for business continuity plans and evidence that tests are being executed with
and responsibilities, procedures, communication the agreed-upon frequency.
processes, and the testing approach. Review the outcome of testing, and ensure that resulting actions are followed up.

Testing of the IT Continuity plan: The IT continuity Enquire whether and confirm that IT continuity tests are scheduled and completed on a regular basis after Not applicable DS4.5 DSS04.04 Exercise, test and 14.1.5
plan is tested on a regular basis to ensure that IT changes to the IT infrastructure or business and related applications. review the BCP.
systems can be effectively recovered, shortcomings Ensure that new components and updates are included in the schedule.
are addressed and the plan remains relevant. This Enquire whether and confirm that a detailed test schedule has been created and includes testing details and event
requires careful preparation, documentation, reporting chronology to ensure a logical and real sequence of occurring interruptions.
of test results and, according to the results, Enquire whether and confirm that a test task force has been established, and the members are not key personnel
implementation of an action plan. The extent of testing defined in the plan and the reporting is appropriate.
11.2 recovery of single applications to integrated testing Enquire through interviews with key staff members whether debriefing events occur and, within these events,
scenarios to end-to-end testing and integrated vendor whether failures are analysed and solutions are developed.
testing is considered. Enquire through interviews with key staff members whether alternative means are evaluated when testing is not
feasible.
Enquire whether and confirm that success or failure of the test is measured and reported and the consequential
change is made to the IT continuity plan.
Review results and evaluate how the results are reviewed to determine operating effectiveness.

Offsite backup storage: All critical backup media, Enquire whether and confirm that data are protected when they are taken offsite, whilst they are in transport and Not applicable DS4.9 DSS04.07 Manage backup
documentation and other IT resources necessary for IT when they are at the storage location. arrangements
recovery and business continuity plans are stored Enquire whether and confirm that the backup facilities are not subject to the same risks as the primary site.
offsite. The content of backup storage in collaboration Enquire whether and confirm that regular testing is performed to ensure the quality of the backups and media.
between business process owners and IT personnel is Review testing procedures to determine operating effectiveness.
determined. Management of the offsite storage facility Verify that the backup media contain all information required by the IT continuity plan, e.g., by comparing the
respond to the data classification policy and the contents of the backups and/or the restored systems with the operational systems.
enterprises media storage practices. IT management Enquire whether and confirm that sufficient recovery instructions and labelling exist.
ensures that offsite arrangements are periodically Enquire whether and confirm that an inventory of backups and media exists, and verify its correctness.
11.3 assessed, at least annually, for content, environmental
protection and security. Compatibility of hardware and
software to restore archived data, and periodically test
and refresh archived data is ensured.

None

360521017.xlsx
Processes Confidential Final

No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical controls and/or CobiT Cobit 5.0 ISO
ISO27032 4.1 27002:20
05
Backup and restoration: Procedures are defined and Enquire whether and confirm that: Control 8: DS11.5 DSS04.08 Conduct post- 10.5.1
implemented for backup and restoration of systems, Critical data that affect business operations are periodically identified in alignment with the risk management 1. Quick wins: Ensure that each system is automatically resumption
applications, data and documentation in line with model and IT service continuity plan backed up on at least a weekly basis, and more often for review.
business requirements and the continuity plan. Adequate policies and procedures for the backup of systems, applications, data and documentation exist and systems storing sensitive information. To help ensure the
consider factors including: ability to rapidly restore a system from backup, the
. Frequency of backup (e.g., disk mirroring for real-time backups vs. DVD-ROM for long-term retention) operating system, application software, and data on a
. Type of backup (e.g., full vs. incremental) machine should each be included in the overall backup
. Type of media procedure. These three components of a system do not
. Automated online backups have to be included in the same backup file or use the
. Data types (e.g., voice, optical) same backup software. All backup policies should be
. Creation of logs compliant with any regulatory or official requirements.
. Critical end-user computing data (e.g., spreadsheets) 2. Quick wins: Data on backup media should be tested on a
. Physical and logical location of data sources regular basis by performing a data restoration process to
. Security and access rights ensure that the backup is properly working.
11.4 . Encryption 3. Quick wins: Key personal should be trained on both the
Responsibilities have been assigned for taking and monitoring backups backup and restoration processes. To be ready in case a
A schedule exists for taking and logging backups in accordance with established policies and procedures major incident occurs, alternative personnel should also be
System, application, data and documentation maintained or processed by third parties are adequately backed up trained on the restoration process just in case the primary
or otherwise secured. The return of backups from third parties should be required and escrow or deposit IT point of contact is not available.
arrangements considered. 4. Configuration/Hygiene: Ensure that backups are properly
Requirements for onsite and offsite storage of backup data have been defined that meet the business protected via physical security or encryption when they are
requirements, including the access required to backup data stored, as well as when they are moved across the
Sufficient restoration tests have been performed periodically to ensure that all components of backups can be network. This includes remote backups and cloud services.
effectively restored 5. Configuration/Hygiene: Backup media, such as hard
The time frame required for restoration has been agreed upon and communicated with the business or IT process drives and tapes, should be stored in physically secure,
owner. The priority for data recovery has been based on business requirements and IT service continuity locked facilities. End-of-life backup media should be
procedures. securely erased/destroyed.

360521017.xlsx
Processes Confidential Final

No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical controls and/or CobiT Cobit 5.0 ISO
ISO27032 4.1 27002:20
05

12 Manage data: Maintain the completeness, accuracy, availability and protection of data

Storage and retention arrangements: Procedures Review the data model, and ensure that storage techniques satisfy business requirements. Not applicable DS11.2 DSS04.08 Conduct post- 10.5.1
are defined and implemented for effective and efficient Review retention periods for data, and ensure that they are in line with contractual, legal and regulatory resumption review. 10.7.1
data storage, retention and archiving to meet business requirements. 15.1.3
objectives, the organisations security policy and DSS06.04 Manage errors and
regulatory requirements. exceptions

12.1

Disposal: Procedures are defined and implemented to Enquire whether and confirm that: Not applicable DS11.4 DSS05.06 Manage sensitive 9.2.6
ensure that business requirements for protection of Responsibility for the development and communication of policies on disposal is clearly defined documents and output devices. 10.7.1
sensitive data and software are met when data and Equipment and media containing sensitive information are sanitised prior to reuse or disposal in such a way that 10.7.2
hardware are disposed or transferred. data marked as deleted or to be disposed cannot be retrieved (e.g., media containing highly sensitive data have DSS06.05 Ensure traceability of
been physically destroyed) information events and
Disposed equipment and media containing sensitive information have been logged to maintain an audit trail accountabilities.
12.2 There is a procedure to remove active media from the media inventory list upon disposal. Check that the current
inventory has been updated to reflect recent disposals in the log. DSS06.06 Secure information
Unsanitised equipment and media are transported in a secure way throughout the disposal process assets.
Disposal contractors have the necessary physical security and procedures to store and handle the equipment and
media before and during disposal

Security requirements for data management: Enquire whether and confirm that: Control 17: DS11.6 DSS01.01 Perform operational 10.8.3
Policies and procedures are defined and implemented A process is in place that identifies sensitive data and addresses the business need for confidentiality of the data, 1. Quick wins: Deploy approved hard drive encryption procedures 10.5.1
to identify and apply security requirements applicable compliance with applicable laws and regulations has been addressed, and the classification of data has been agreed software to mobile devices and systems that hold sensitive 10.7.3
to the receipt, processing, storage and output of data upon with the business process owners data. DSS05.02 Manage network and 10.8.4
to meet business objectives, the organisations security A policy has been defined and implemented to protect sensitive data and messages from unauthorised access and 2. Visibility/Attribution: Deploy an automated tool on connectivity security 10.8.5
policy and regulatory requirements. incorrect transmission and transport, including, but not limited to, encryption, message authentication codes, hash network perimeters that monitors for certain sensitive DSS05.03 Manage endpoint 12.2.1
12.3 totals, bonded couriers and tamper-resistant packaging for physical transport information (i.e., personally identifiable information), security 12.2.2
Requirements have been established for physical and logical access to data output, and confidentiality of output is keywords, and other document characteristics to discover DSS05.04 Manage user identity 12.4.2
clearly defined and taken into consideration unauthorized attempts to exfiltrate data across network and logical access 12.4.3
Rules and procedures have been established for end-user access to data and management and backup of sensitive boundaries and block such transfers while alerting DSS05.05 Manage physical
data information security personnel. access to IT assets
Rules and procedures have been established for end-user applications that may adversely impact data stored on 3. Visibility/Attribution: Conduct periodic scans of server DSS06.03 Manage roles,
end-user computers or networked applications or data machines using automated tools to determine whether responsibilities, access privileges
(e.g., consider policies on user rights on networked personal computers) sensitive data (i.e., personally identifiable information, and levels of authority
Awareness programmes have been instituted to create and maintain awareness of security in the handling and health, credit card, and classified information) is present on
13 Configuration Management: Ensure that all configuration processing of sensitive
items are data secured and security risks minimised by ensuring the enterprise's awareness of its IT-related
appropriately the system
assets in clear
and text. These tools, which search for
licenses. DSS06.06 Secure information
Sensitive information processing facilities are within secure physical locations protected by defined security patterns that indicate the presence of sensitive information, assets
perimeters coupled with appropriate surveillance, security barriers and entry controls can help identify if a business or technical process is
Configuration repository and baseline: A
Enquire whether
The design of theand confirm
physical that senior management
infrastructure sets
prevents losses scope
from fire,and measures external
interference, for configuration
attack ormanagement
unauthorised Not applicable
leaving behind or otherwise leaking sensitive information. DS9.1 BAI10.01-02 Establish and 7.2.2
supporting tool and a central repository are established functions, and are
access. There assesses
secureperformance.
output drop-off points for sensitive outputs or transfer of data to third parties. 4. Configuration/Hygiene: Data should be moved between maintain a configuration model 12.4.1
to contain all relevant information on configuration Enquire whether and confirm that a tool is in place to enable the effective logging of configuration management networks using secure, authenticated, and encrypted Establish and maintain a 12.4.2
items. All assets and changes to assets are monitored information in a repository. mechanisms. configuration repository and
and recorded. A baseline of configuration items for Determine that access to the tool is restricted to appropriate personnel. 5. Configuration/Hygiene: If there is no business need for baseline
every system and service as a checkpoint to which to Review a sample of configuration items to ensure that a unique identifier is assigned. supporting such devices, organizations should configure
return after changes is maintained. Enquire whether and confirm that configuration baselines for components are defined and documented. systems so that they will not write data to USB tokens or BAI10.04 Produce status and
13.1 Review that baselines enable identification of system configuration at discrete points in time. USB hard drives. If such devices are required, enterprise configuration reports
Enquire whether and confirm that there is a documented process to revert to the baseline configuration. software should be used that can configure systems to
Test a sample of systems and applications by verifying that they can be reverted to baseline configurations. allow only specific USB devices (based on serial number or DSS02.01 Define incident and
Enquire whether and confirm that mechanisms exist to monitor changes against the defined repository and other unique property) to be accessed, and that can service request classification
baseline. automatically encrypt all data placed on such devices. An schems
Verify that management is receiving regular reports and that these reports result in continuous improvement inventory of all authorized devices must be maintained.
plans. 6. Configuration/Hygiene: Use network-based DLP solutions
to monitor and control the flow of data within the network.
Any anomalies that exceed the normal traffic patterns
Identification and Maintenance of Configuration Enquire whether and confirm that a policy is in place to ensure that all configuration items and their attributes are should Control be1:noted and appropriate action taken to address DS9.2 BAI10.03 Maintain and control 7.1.1
Items: Configuration procedures to support identified and maintained. 1. Quick wins: Deploy an automated asset inventory
them. configuration items 7.1.2
management and logging of all changes to the Enquire whether and confirm that there is a policy for physical asset tagging. discovery
7. Advanced: toolMonitor
and useall
it traffic
to build a preliminary
leaving asset
the organization 10.7.4
configuration repository are established. These Verify that assets are physically tagged according to policy. inventory
and detectofanysystems connected
unauthorized usetoofan organizations
encryption. public
Attackers 11.4.3
procedures are integrated with change management, Enquire whether and confirm that a role-based access policy exists. and private
often use annetwork(s). Both active
encrypted channel tools that
to bypass scan security
network through 12.4.2
incident management and problem management Verify that authorised and appropriate personnel have designated access to the configuration repository as per the devices.
network address ranges and passive tools that identify
Therefore it is essential that organizations be able 12.5.3
procedures. policy. hosts
to based
detect on analyzing
rogue their
connections, traffic should
terminate be employed.
the connection, and 12.6.1
Enquire whether and confirm that a policy is in place to ensure that change and problem management procedures remediate2. Quick wins: Deploy DHCP
the infected Server logging, and utilize a
system. 15.1.5
are integrated with the maintenance of the configuration repository. system to
8. Advanced: improve
Block the asset
access toinventory
known fileand help detect
transfer and e-mail
Enquire whether and confirm that a process is in place to record new, modified and deleted configuration items, unknown systems
exfiltration through this DHCP information.
websites.
and identify and maintain the relationships amongst configuration items in the configuration repository. 3. Quick wins: All equipment acquisitions should
Inspect relevant documentation, timely execution and data integrity of the process. automatically update the inventory system as new,
Enquire whether and confirm that a process is in place to ensure that analysis is done to identify critical approved devices are connected to the network. A robust
configuration items. change control process can also be used to validate and
Verify that this process supports change management and analysis of future processing demands and technology approve all new devices.
acquisitions. 4. Visibility/Attribution: Maintain an asset inventory of all
13.2 Enquire whether and confirm that procurement procedures provide for the recording of new assets within the systems connected to the network and the network devices
configuration management tool. themselves, recording at least the network addresses,
Validate that the confirmation management data match the procurement records. machine name(s), purpose of each system, an asset owner
responsible for each device, and the department associated
with each device. The inventory should include every
system that has an Internet Protocol (IP) address on the
network, including but not limited to desktops, laptops,
servers, network equipment (routers, switches, firewalls,
etc.), printers, storage area networks, Voice Over-IP
telephones, multi-homed addresses, virtual addresses, etc.
The asset inventory created must also include data on
whether the device is a portable and/or personal device.
Devices such as mobile phones, tablets, laptops, and other
portable electronic devices that store or process data must
be identified, regardless of whether or not they are
attached to the organizations network.
5. Configuration/Hygiene: Make sure the asset inventory
database is properly protected and a copy stored in a
Control 2:
1. Quick wins: Devise a list of authorized software that is
required in the enterprise for each type of system,
including servers, workstations, and laptops of various
kinds and uses. This list should be tied to file integrity
checking software to validate that the software has not be
modified.
2. Quick wins: Perform regular scanning and generate
alerts when unapproved software is installed on a
computer. A strict change control process should also be
implemented to control any changes or installation of
software to any systems on the network.
3. Visibility/Attribution: Deploy application white listing
technology that allows systems to run only approved
software and prevents execution of all other software on
the system.
4. Visibility/Attribution: Deploy software inventory tools
throughout the organization covering each of the operating
system types in use, including servers, workstations, and
laptops. The software inventory system should track the
version of the underlying operating system as well as the
applications installed on it. Furthermore, the tool should
record not only the type of software installed on each
system, but also its version number
13
and patch level. The software inventory should be tied to
vulnerability reporting/threat intelligence services to fix
vulnerable software proactively.
5. Visibility/Attribution: The software inventory systems
must be tied into the hardware asset inventory so all
devices and associated software are tracked from a single
location.
6. Configuration/Hygiene: The software inventory tool
should also monitor for unauthorized software installed on

14 Manage third party and supplier services: Ensure that third party (suppliers, vendors and partners) services meet business requirements and that related business and IT risks associated with continuity and security are minimized.

Monitoring and reporting of Service Level Points to consider: DS1.5 APO09.04 Monitor and report 6.2.3
Achievements: Specified service level performance Through interviews with key staff members responsible for monitoring service level performance, determine service levels 10.2.1
criteria are continuously monitored. Reports on reporting criteria. 10.2.2
14.1 achievement of service levels are provided in a format Obtain samples of SLA performance reporting, and verify distribution. 10.2.3
that is meaningful to the stakeholders. The monitoring Inspect reviews for forecast and trends in service level performance. 10.4.2
statistics are analysed and acted upon to identify 12.5.5
negative and positive trends for individual services as
well as forrisk
Supplier services overall.
management: Risks are identified and Enquire whether risks associated with the inability to fulfil the supplier contracts are defined. DS2.3 APO10.04 Manage supplier risk 6.2.1
mitigated relating to suppliers ability to continue Enquire whether remedies were considered when defining the supplier contract. 6.2.3
effective service delivery in a secure and efficient Inspect contract documentation for evidence of review. 8.1.2
14.2 manner on a continual basis. Contracts conform to Enquire of key staff members whether a risk management process exists to identify and monitor supplier risk. 8.1.3
universal business standards in accordance with legal Determine if policies exist requiring independence within the vendor sourcing and selection process, and between 10.2.3
and regulatory requirements. Risk management vendor and management personnel within the organisation. 10.8.2
considers non-disclosure agreements (NDAs), escrow
contracts, continued supplier viability, conformance

15 Incident Management: Ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

360521017.xlsx
Processes Confidential Final

No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical controls and/or CobiT Cobit 5.0 ISO
ISO27032 4.1 27002:20
05
Security Incident Definition: The characteristics of Determine if a computer emergency response team (CERT) exists to recognise and effectively manage security DS5.6 DSS02.01 Define incident and 8.2.3
potential security incidents are defined and emergencies. The following areas should exist as part of an effective CERT process: service request classification 13.1.1
communicated so they are properly classified and Incident handlingGeneral and specific procedures and other requirements to ensure effective handling of schemes 13.1.2
treated by the incident and problem management incidents and reported vulnerabilities 13.2.1
process. Vendor relationsThe role and responsibilities of vendors in incident prevention and follow-up, software flaw 13.2.3
correction, and other areas
CommunicationsRequirements, implementation and operation of emergency and routine communications
channels amongst key members of management
Legal and criminal investigative issuesIssues driven by legal considerations and the requirements or constraints
resulting from the involvement of criminal investigative organisations during an incident
Constituency relationsResponse centre support services and methods of interaction with constituents, including
training and awareness, configuration management, and authentication
Research agenda and interactionIdentification of existing research activities and requirements and rationale for
needed research relating to response centre activities
Model of the threatDevelopment of a basic model that characterises potential threats and risks to help focus risk
15.1
reduction activities and progress in those activities
External issuesFactors that are outside the direct control of the company (e.g., legislation, policy, procedural
requirements) but that could affect the operation and effectiveness of the companys activities
Determine if the security incident management process appropriately interfaces with key organisation functions,
including the help desk, external service providers and network management.
Evaluate if the security incident management process includes the following key elements:
Event detection
Correlation of events and evaluation of threat/incident
Resolution of threat, or creation and escalation work order
Criteria for initiating the organisations CERT process
Verification and required levels of documentation of the resolution
Post-remediation analysis
Work order/incident closure

Incident escalation: Service desk procedures are Enquire whether and confirm that the service desk maintains ownership of customer-related requests and Control 18: DS8.3 DSS02.04 Investigate, diagnose 13.1.2
established, so incidents that cannot be resolved incidents. 1. Quick wins: Ensure that there are written incident and allocate incidents 13.2.3
immediately are appropriately escalated according to Verify that the end-to-end life cycle of requests/incidents is monitored and escalated appropriately by the service response procedures that include a definition of personnel 14.1.1
limits defined in the SLA and, if appropriate, desk. roles for handling incidents. The procedures should define 14.1.4
workarounds are provided. Incident ownership and life Confirm with members of management that significant incidents are reported to them. the phases of incident handling.
cycle monitoring remain with the service desk for user- Review procedures for reporting significant incidents to management. 2. Quick wins: Assign job titles and duties for handling
based incidents, regardless which IT group is working Confirm the existence of a process to ensure that the incident records are updated to show the date and time of computer and network incidents to specific individuals.
on resolution activities. and the assignment of IT personnel to each query. 3. Quick wins: Define management personnel who will
Enquire whether and confirm that there is a process in place to ensure that IT staff members are involved in support the incident handling process by acting in key
dealing with queries and incidents and that the incident request records are updated throughout the life cycle. decision-making roles.
4. Quick wins: Devise organization-wide standards for the
time required for system administrators and other
personnel to report anomalous events to the incident
handling team, the mechanisms for such reporting, and the
kind of information that should be included in the incident
notification. This reporting should also include notifying the
15.2 appropriate Community Emergency Response Team in
accordance with all legal or regulatory requirements for
involving that organization in computer incidents.
5. Quick wins: Assemble and maintain information on third
party contact information to be used to report a security
incident (i.e., maintain an e-mail address of
security@organization.com or have a web page
http://organization.com/security).
6. Quick wins: Publish information for all personnel,
including employees and contractors, regarding reporting
computer anomalies and incidents to the incident handling
team. Such information should be included in routine
employee awareness activities.
7. Configuration/Hygiene: Conduct periodic incident
scenario sessions for personnel associated with the incident
handling team to ensure that they understand current
threats and risks, as well as their responsibilities in
supporting the incident handling team.

360521017.xlsx
Processes Confidential Final

No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical controls and/or CobiT Cobit 5.0 ISO
ISO27032 4.1 27002:20
05

16 Monitoring: Avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. Ensure compliancy of systems with and people's adherence to organizational information security related policies, standards and procedures.

Security testing, surveillance and monitoring: The Enquire whether and confirm that an inventory of all network devices, services and applications exists and that Control 6: DS5.5 DSS05.07 Monitor the 6.1.8
IT security implementation is tested and monitored in each component has been assigned a security risk rating. 1. Quick wins: Protect web applications by deploying web infrastructure for security- 10.10.2
a proactive way. IT security should be reaccredited in a Determine if security baselines exist for all IT utilised by the organisation. application firewalls (WAFs) that inspect all traffic flowing to related events 10.10.3
timely manner to ensure that the approved Determine if all organisation-critical, higher-risk network assets are routinely monitored for security events. the web application for common web application attacks, 10.10.4
enterprises information security baseline is Determine if the IT security management function has been integrated within the organisations project including but not limited to cross-site scripting, SQL 12.6.1
maintained. A logging and monitoring function will management initiatives to ensure that security is considered in development, design and testing requirements, to injection, command injection, and directory traversal 13.1.2
enable the early prevention and/or detection and minimise the risk of new or existing systems introducing security vulnerabilities. attacks. For applications that are not web-based, specific 15.2.2
subsequent timely reporting of unusual and/or application firewalls should be deployed if such tools are 15.3.1
abnormal activities that may need to be addressed. available for the given application type. If the traffic is
encrypted, the device should either sit behind the
encryption or be capable of decrypting the traffic prior to
analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
2. Visibility/Attribution: At a minimum, explicit error
checking should be done for all input. Whenever a variable
is created in source code, the size and type should be
16.1 determined. When input is provided by the user it should
be verified that it does not exceed the size or the data type
of the memory location in which it is stored or moved in
the future.
3. Visibility/Attribution: Test in-house-developed and third-
party-procured web applications for common security
weaknesses using automated remote web application
scanners prior to deployment, whenever updates are made
to the application and on a regular recurring basis.
Organizations should understand how their applications
behave under denial of service or resource exhaustion
attacks.
4. Visibility/Attribution: System error messages should not
be displayed to end-users (output sanitization).
5. Visibility/Attribution: Maintain separate environments for
production and nonproduction systems. Developers should
not typically have unmonitored access to production
environments.
Control 14:
1. Quick wins: Each organization should include at least
two synchronized time sources (i.e., Network Time Protocol
NTP) from which all servers and network equipment
retrieve time information on a regular basis so that
timestamps in logs are consistent.
2. Quick wins: Validate audit log settings for each hardware
device and the software installed on it, ensuring that logs
include a date, timestamp, source addresses, destination
addresses, and various other useful elements of each
packet and/or transaction. Systems should record logs in a
standardized format such as syslog entries or those
outlined by the Common Event Expression initiative. If
systems cannot generate logs in a standardized format, log
normalization tools can be deployed to convert logs into
such a format.
3. Quick wins: Ensure that all systems that store logs have
adequate storage space for the logs generated on a regular
basis, so that log files will not fill up between log rotation
intervals. The logs must be archived and digitally signed on
a periodic basis.
4. Quick wins: Develop a log retention policy to make sure
that the logs are kept for a sufficient period of time. As APT
(advanced persistent threat) continues to stealthily break
into systems, organizations are often compromised for
several months without detection. The logs must be kept
for a longer period of time than it takes an organization to
detect an attack so they can accurately determine what
occurred.
5. Quick wins: All remote access to a network, whether to
the DMZ or the internal network (i.e., VPN, dial-up, or
other mechanism), should be logged verbosely.
6. Quick wins: Operating systems should be configured to
log access control events associated with a user attempting
Monitoring of internal control framework: The IT Assess whether there is executive-level support for organisational governance standards for internal control and ME2.1 MEA02.01 Monitor internal 5.1.1
control environment and control framework are risk management (e.g., minutes, corporate policies, interview with CEO). Verify that policies and procedures include controls 5.1.2
continuously monitored, benchmarked and improved to governance for internal standards and risk management (e.g., adoption of COSO Internal ControlIntegrated 15.2.1
16.2
meet organisational objectives and adherence to Framework, COSO Enterprise Risk ManagementIntegrated Framework, COBIT). MEA02.02 Review business
information security policies, standards and Assess whether there is a continuous improvement approach to internal control monitoring (i.e., balanced process control effectiveness
procedures. scorecard, self-assessment).
Internal control at third parties: The status of Confirm that internal control requirements are addressed in the policies and procedures for contracts and ME2.6 MEA02.01 Monitor internal 6.2.3
external service providers internal controls are agreements with third parties and that appropriate provisions for rights to audit are included. controls 10.2.2
assessed. Procedures are in place to ensure that Confirm that there is a process in place to ensure that reviews are periodically performed to access the internal 15.2.1
external service providers comply with legal and controls of all third parties and that non-compliance issues are communicated.
16.3 regulatory requirements and contractual obligations. Confirm that policies and procedures are in place to confirm receipt of any required legal or regulatory internal
control assertions from affected third-party service providers.
Confirm that policies and procedures are in place to investigate exceptions, and obtain assurance that appropriate
remedial actions have been implemented.
Evaluation of compliance with external Review the IT organisation policies, standards and procedures and confirm their regular and timely update to ME3.3 MEA03.03 Confirm external 6.1.6
requirements: IT policies, standards, procedures and address any non-compliance (legal and regulatory) gaps identified. compliance 15.1.2
16.4
methodologies comply with legal and regulatory 15.1.4
requirements.
Independent assurance: Independent assurance Enquire whether and confirm that an audit committee has been established with a mandate to consider what the ME4.7 MEA02.05 Ensure that assurance 5.1.2
(internal or external) is obtained about the significant risks are; assess how they are identified, evaluated and managed; commission IT and security audits; providers are independent and 6.1.8
conformance of IT with relevant laws and regulations; and rigorously follow up closure of subsequent recommendations. qualified 10.10.2
the organisations policies, standards and procedures; Interview the audit committee and assess its knowledge and awareness of its responsibilities. Determine whether
generally accepted practices; and the effective and the established audit committee is operating effectively. MEA02.06 Plan assurance
efficient performance of IT. Enquire whether and confirm that independent reviews, certifications or accreditations of compliance with IT initiatives
16.5 policies, standards and procedures have been obtained. Physically inspect for adequacy the documents produced by
the independent reviews. MEA02.07 Scope assurance
initiatives

MEA02.08 Execute assurance


initiatives

17 User Account Management: Ensure that all users (internal, external and temporary) only have authorised access to data and functionalities, and their activities within the IT environment are uniquely identifiable.

Identity management: All users (internal, external Determine if security practices require users and system processes to be uniquely identifiable and systems to be Control 15: DS5.3 DSS05.04 Manage user identity 5.1.1
and temporary) and their activity on IT systems configured to enforce authentication before access is granted. 1. Quick wins: Any sensitive information should be located and logical access 5.1.2
(business application, IT environment, system If predetermined and preapproved roles are utilised to grant access, determine if the roles clearly delineate on separated VLANS with proper firewall filtering. All 6.1.2
operations, development and maintenance) are responsibilities based on least privileges and ensure that the establishment and modification of roles are approved communication of sensitive information over less-trusted 6.1.5
uniquely identifiable. User identities are enabled via by process owner management. networks needs to be encrypted. 8.2.2
authentication mechanisms. User access rights to Determine if access provisioning and authentication control mechanisms are utilised for controlling logical access 2. Visibility/Attribution: Establish a multi-level data 11.1.1
systems and data are in line with defined and across all users, system processes and IT resources, for in-house and remotely managed users, processes and identification/classification scheme (e.g., a three- or four- 11.2.3
documented business needs and that job requirements systems. tiered scheme with data separated into categories based on 11.5.2
are attached to user identities. User access rights are the impact of exposure of the data). 11.7.1
requested by user management, approved by system 3. Visibility/Attribution: Enforce detailed audit logging for 11.7.2
owners and implemented by the security-responsible access to nonpublic data and special authentication for
person. User identities and access rights are sensitive data.
17.1 maintained in a central repository. Deploy cost- 4. Configuration/Hygiene: The network should be
effective technical and procedural measures are segmented based on the trust levels of the information
deployed, and kept current to establish user stored on the servers. Whenever information flows over a
identification, implement authentication and enforce network of lower trust level, the information should be
access rights. encrypted.
5. Advanced: Host-based data loss prevention (DLP) should
be used to enforce ACLs even when data is copied off a
server. In most organizations, access to the data is
controlled by ACLs that are implemented on the server.
Once the data have been copied to a desktop system, the
ACLs are no longer enforced and the users can send the
data to whomever they want.

User account management: Requesting, Determine if procedures exist to periodically assess and recertify system and application access and authorities. Control 16: DS5.4 DSS05.04 Manage user identity 6.1.5
establishing, issuing, suspending, modifying and Determine if access control procedures exist to control and manage system and application rights and privileges 1. Quick wins: Review all system accounts and disable any and logical access 6.2.1
closing user accounts and related user privileges are according to the organisations security policies and compliance and regulatory requirements. account that cannot be associated with a business process 6.2.2
addressed with a set of user account management Determine if systems, applications and data have been classified by levels of importance and risk, and if process and owner. 8.1.1
procedures. An approval procedure outlining the data owners have been identified and assigned. 2. Quick wins: All accounts should have an expiration date 8.3.1
or system owner granting the access privileges is Determine if user provisioning policies, standards and procedures extend to all system users and processes, associated with the account. 8.3.3
included. These procedures should apply for all users, including vendors, service providers and business partners. 3. Quick wins: Systems should automatically create a 10.1.3
including administrators (privileged users) and internal report on a daily basis that includes a list of locked-out 11.1.1
and external users, for normal and emergency cases. accounts, disabled accounts, accounts with passwords that 11.2.1
Rights and obligations relative to access to enterprise exceed the maximum password age, and accounts with 11.2.2
systems and information are contractually arranged for passwords that never expire. This list should be sent to the 11.2.4
all types of users. Regular management review of all associated system administrator in a secure fashion. 11.3.1
accounts and related privileges are performed. 4. Quick wins: Establish and follow a process for revoking 11.5.1
system access by disabling accounts immediately upon 11.5.3
termination of an employee or contractor. 11.6.1
5. Quick wins: Regularly monitor the use of all accounts,
17.2 automatically logging off users after a standard period of
inactivity.
6. Quick wins: Monitor account usage to determine
dormant accounts that have not been used for a given
period, such as 45 days, notifying the user or users
manager of the dormancy. After a longer period, such as
60 days, the account should be disabled.
7. Quick wins: When a dormant account is disabled, any
files associated with that account should be encrypted and
moved to a secure file server for analysis by security or
management personnel.
8. Quick wins: All nonadministrator accounts should be
required to have strong passwords that contain letters,
numbers, and special characters, be changed at least every
90 days, have a minimal age of one day, and not be
allowed to use the previous 15 passwords as a new
password. These values can be adjusted based on the
specific business needs of the organization.

360521017.xlsx
Processes Confidential Final

No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical controls and/or CobiT Cobit 5.0 ISO
ISO27032 4.1 27002:20
05
Control 12:
1. Quick wins: Use automated tools to inventory all
administrative accounts and validate that each person with
administrative privileges on desktops, laptops, and servers
is authorized by a senior executive.
2. Quick wins: Configure all administrative passwords to be
complex and contain letters, numbers and special
characters intermixed with no dictionary words present in
the password. Strong passwords should be of a sufficient
length to increase the difficultly it takes to crack the
password. Pass phrases containing multiple dictionary
words, along with special characters, are acceptable if they
are of a reasonable length.
3. Quick wins: Configure all administrative-level accounts
to require regular password changes on a frequent interval
tied to the complexity of the password.
4. Quick wins: Before deploying any new devices in a
networked environment, organizations should change all
default passwords for applications, operating systems,
routers, firewalls, wireless access points, and other
systems to a difficult-to-guess value.
5. Quick wins: Ensure all service accounts have long and
difficult-to-guess passwords that are changed on a periodic
basis, as is done for traditional user and administrator
passwords, at a frequent interval of no longer than 90
days.
6. Quick wins: Passwords for all systems should be stored
in a well-hashed or encrypted format, with weaker formats
eliminated from the environment. Furthermore, files
containing these encrypted or hashed passwords required
for systems to authenticate users should be readable only
with super-user privileges.
7. Quick wins: Utilize access control lists to ensure that
administrator accounts are used only for system

360521017.xlsx
Technology Confidential Final

Domain T Technology

Ensure the protection of information in networks, the


protection of the supporting infrastructure and the
secure exchange of information within the organization
and with any external entity.

No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical CobiT Cobit 5.0 ISO
controls and/or ISO27032 4.1 27002:20
05

Secure Infrastructure: Security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection, trusted path or medium, encryption) are used to secure data storage and transport within the enterprise's technical
18
infrastructure, flows from and to the network and mobile devices (e.g. smart phones, usb sticks). Applied techniques are in accordance with the related data classification.

Infrastructure resource protection and Confirm with key staff members that all infrastructure data and software are backed up prior to installation and/or maintenance
Control 3: AI3.2 BAI03.03 Develop solution 12.1.1
availability: Internal control, security and auditability tasks. Inspect backup logs to confirm that infrastructure data and software are successfully backed up. 1. Quick wins: Strict configuration management components
measures are implemented during configuration, Confirm with key staff members that all application software is tested prior to installation in an environment separate from, but
should be followed, building a secure image that
integration and maintenance of hardware and sufficiently similar to, production. is used to build all new systems that are DSS02.03 Verify, approve and
infrastructural software to protect resources and Review test specifications and procedures to confirm that tests include functionality, security, availability and integrity condition,
deployed to the enterprise. Any existing system fulfil service requests
ensure availability and integrity. Responsibilities for and any other vendor recommendations. that becomes compromised is re-imaged with
using sensitive infrastructure components are clearly Inspect the software configuration to confirm that key aspects have been addressed, including the modification of defaultthe secure build. Regular updates to this image
defined and understood by those who develop and passwords, initial application parameter settings relative to security and any other vendor defaults. are integrated into the organizations change
integrate infrastructure components. Their use is Enquire whether and confirm that temporary access granted for installation purposes is monitored and that passwords are management processes. Images should be
monitored and evaluated. changed immediately after installation is completed. Inspect the application security settings to confirm compliance. created for both workstations and servers.
Confirm with key staff members that only appropriately licensed software is tested and installed and that installations are
2. Quick wins: System images must have
performed in accordance with vendor guidelines. Identify instances where vendor guidelines were not followed, and confirm that
documented security settings that are tested
vendors were consulted regarding the potential impact. before deployment, approved by an organization
Confirm with key staff members that an independent group (e.g., librarian) is granted access for the movement of the programs
change control board, and registered with a
and data amongst libraries. Where applicable, inspect user access to the library management system. central image library for the organization or
Trace all users with access to check-in/check-out programs and data from the libraries to their originating access request forms,
multiple organizations. These images should be
18.1 and confirm approval by an appropriate senior staff member. validated and refreshed on a regular basis to
Enquire with staff members whether acceptance procedures are enforced using objective acceptance criteria and whether update their security configuration in light of
acceptance criteria ensures that product performance is consistent with agreed-upon specifications and requirements. Reviewrecent vulnerabilities and attack vectors.
agreed-upon specifications and/or SLA requirements, and compare with acceptance procedures identifying areas where procedures
3. Quick wins: Standardized images should
are not adequately followed. represent hardened versions of the underlying
Confirm with key staff members that access to maintenance activities over sensitive infrastructure components is logged and
operating system and the applications installed
regularly reviewed by a responsible senior staff member. on the system, such as those released by the
Review maintenance logs and confirm that all items have been recorded. Review relevant documentation (e.g., the log review
NIST, NSA, Defense Information Systems
matrix and periodic system security reports) to confirm that logs are reviewed on a regular basis. Agency (DISA), Center for Internet Security
(CIS), and others. This hardening would typically
include removal of unnecessary accounts,
disabling or removal of unnecessary services,
and configuring nonexecutable stacks and
heaps. Such hardening also involves, among
other measures, applying patches, closing open
and unused network ports, implementing
intrusion detection systems and/or intrusion
prevention systems, and erecting host-based
Control 7:
1. Quick wins: Ensure that each wireless device
connected to the network matches an authorized
configuration and security profile, with a
documented owner of the connection and a
defined business need. Organizations should
deny access to those wireless devices that do
not have such a configuration and profile.
2. Quick wins: Ensure that all wireless access
points are manageable using enterprise
management tools. Access points designed for
home use often lack such enterprise
management capabilities, and should therefore
be avoided in enterprise environments.
3. Quick wins: Network vulnerability scanning
tools should be configured to detect wireless
access points connected to the wired network.
Identified devices should be reconciled against a
list of authorized wireless access points.
Unauthorized (i.e., rogue) access points should
be deactivated.
4. Visibility/Attribution: Use wireless intrusion
detection systems (WIDS) to identify rogue
wireless devices and detect attack attempts and
successful compromises. In addition to WIDS, all
wireless traffic should be monitored by WIDS as
traffic passes into the wired network.
5. Visibility/Attribution: 802.1x should be used
to control which devices are allowed to connect
to the wireless network.
6. Visibility/Attribution: A site survey should be
performed to determine what areas within the
organization need coverage. After the wireless
access points are strategically placed, the signal
Infrastructure maintenance: A strategy and plan Confirm with key staff members that maintenance of the installed system software process utilises the same process as Control 19: AI3.3 BAI02.02 Perform a feasibility 9.1.5
for infrastructure maintenance is developed, and application updates, where applicable. Inspect the planned system software maintenance and identify deviations from the normal How to Implement, Automate, and Measure the study and formulate alternative 9.2.4
ensure that changes are controlled in line with the process for application updates and/or exceptions to vendor procedures and guidelines. Effectiveness of this Control solutions 12.4.2
organisations change management procedure. Include Confirm with key staff members that documentation of system software is maintained, kept current and updated with vendor 1. Quick wins: The network should be designed 12.5.2
periodic reviews against business needs, patch documentation for all system using a minimum of a three-tier architecture 12.6.1
management, upgrade strategies, risks, vulnerabilities maintenance activity. (DMZ, middleware, and private network). Any
assessment and security requirements. Inspect relevant documentation and identify areas where it is incomplete or out of date. system accessible from the Internet should be
Enquire of key staff members to confirm the process or method used to obtain timely notification of availability of vendor on the DMZ, but DMZ systems never contain
upgrades and/or patches (e.g., a specific sensitive data. Any system with sensitive data
18.2 vendor agreement, membership in a product user group, subscriptions to a trade journal). should reside on the private network and never
Inspect a sample of system software and confirm that upgrades and/or patches have been applied in a timely manner. be directly accessible from the Internet. DMZ
Identify all deviations and/or exceptions. systems should communicate with private
Enquire of key staff members whether the amount of maintenance being performed, the vulnerability to unsupported network systems through an application proxy
infrastructure, and future risks and security residing on the middleware tier.
vulnerabilities are reviewed on a regular basis. 2. Configuration/Hygiene: To support rapid
Perform an assessment of these reviews and note areas where risks identified by the assessment have not been discussed by key response and shunning of detected attacks, the
staff members. network architecture and the systems that make
Inspect maintenance tracking logs and feedback tools to ensure that the results of these reviews are communicated to the IT it up should be engineered for rapid deployment
council or equivalent group for consideration within the infrastructure planning process. of new access control lists, rules, signatures,
blocks,
Controlblackholes,
20: and other defensive
measures.
1. Quick wins: Conduct regular external and
3. Visibility/Attribution:
internal penetration tests DNS should be deployed
to identify
in a hierarchical,
vulnerabilities andstructured fashion,
attack vectors thatwith
canall
be
internal
used networkenterprise
to exploit client machines
systems configured to
successfully.
send requests
Penetration to intranet
testing shouldDNS occurservers, not to
from outside
DNSnetwork
the servers perimeter
located on(i.e.,
the Internet.
the InternetTheseor
internal
wireless DNS servers around
frequencies should an be organization)
configured to as
forward
well requests
as from withinthey cannot resolve
its boundaries toon
(i.e., DNS
the
servers located on a protected DMZ.
internal network) to simulate both outsider These DMZ
and
servers,attacks.
insider in turn, should be the only DNS servers
allowed
2. Quickto sendIfrequests
wins: any userto orthe Internet.
system accounts
4. Configuration/Hygiene:
are used to perform penetration Segment the those
testing,
enterprise network
accounts should be into multiple,
carefully separate
controlled andtrust
zones to provide
monitored to makemoresuregranular
they arecontrol of
only being
system access and additional
used for legitimate purposes. intranet boundary
defenses.
3. Visibility/Attribution: Perform periodic red
Cryptographic key management: Policies and Determine if a defined key life cycle management process exists. The process should include: team exercises to test the readiness of
Not applicable DS5.8 DSS05.03 Manage endpoint 10.8.4,
procedures are in place to organise the generation, Minimum key sizes required for the generation of strong keys organizations to identify and stop attacks or to security 12.2.3,
change, revocation, destruction, distribution, Use of required key generation algorithms respond quickly and effectively. 12.3.1,
certification, storage, entry, use and archiving of Identification of required standards for the generation of keys 4. Visibility/Attribution: Ensure that systemic 12.3.2,
cryptographic keys is in place to ensure the protection Purposes for which keys should be used and restricted problems discovered in penetration tests and red 15.1.6
of keys against modification and unauthorised Allowable usage periods or active lifetimes for keys team exercises are fully tracked and mitigated.
disclosure. Acceptable methods of key distribution 5. Visibility/Attribution: Measure how well the
Key backup, archival and destruction organization has reduced the significant enablers
Assess if controls over private keys exist to enforce their confidentiality and integrity. Consideration should be given to the for attackers by setting up automated processes
18.3 following: to find:
Storage of private signing keys within secure cryptographic devices (e.g., FIPS 140-1, ISO 15782-1, ANSI X9.66) o Cleartext e-mails and documents with
Private keys not exported from a secure cryptographic module password in the filename or body
Private keys backed up, stored and recovered only by authorised personnel using dual control in a physically secured environment o Critical network diagrams stored online and in
Enquire whether and confirm that the organisation has implemented information classification and associated protective controls cleartext
for information that account for the organisations needs for sharing or restricting information and the organisational impacts o Critical configuration files stored online and in
associated with such needs. cleartext
Determine if procedures are defined to ensure that information labelling and handling is performed in accordance with the o Vulnerability assessment, penetration test
organisations information classification scheme. reports, and red team finding documents stored
online and in cleartext
o Other sensitive information identified by
Network security: Security techniques and related Enquire whether and confirm that a network security policy (e.g., provided services, allowed traffic, types of connections Control 10: DS5.10 DSS05.02 Manage network and 11.6.2
management personnel as critical to the
management procedures (e.g., firewalls, security permitted) has been established and is maintained. 1. Quick wins: Compare firewall, router, and connectivity security
operation of the enterprise during the scoping of
appliances, network segmentation, intrusion detection) Enquire whether and confirm that procedures and guidelines for administering all critical networking components (e.g., core switch configuration against standard secure
a penetration test or red team exercise.
are used to authorise access and control information routers, DMZ, VPN switches) are established and updated regularly by the key administration personnel, and changes to the configurations defined for each type of network
6. Visibility/Attribution: Social engineering
flows from and to networks. Available best practices in documentation are tracked in the document history. device in use in the organization. The security
should be included within a penetration test. The
this area (i.e. GovCert, ISO/IEC, ITSec) are configuration of such devices should be
human element is often the weakest link in an
considered. documented, reviewed, and approved by an
organization and one that attackers often target.
organization change control board. Any
7. Visibility/Attribution: Plan clear goals of the
deviations from the standard configuration or
penetration test itself with blended attacks in
18.4 updates to the standard configuration should be
mind, identifying
documented the goal machine
and approved in a change or target
control
asset. Many APT-style attacks deploy multiple
system.
vectors,
2. Quick oftenwins: social
At networkengineering combinedpoints
interconnection with
web or network exploitation. Red team manual
such as Internet gateways, inter-organization
or automatedand
connections, testing that network
internal capturessegmentspivoted and with
multi-vector attacks offers a more realistic
different security controlsimplement ingress
assessment of security posture and risk to
and egress filtering to allow only those ports and
critical assets.
protocols with an explicit and documented
8. Configuration/Hygiene:
business need. All other ports Use and vulnerability
protocols
scanning and penetration testing tools in
should be11:
Control blocked with default-deny rules by
concert. The
firewalls, results of vulnerability
network-based IPS, and/or scanning
1. Quick wins:should
assessments Any service
be used thatas is notrouters.
a starting needed point
3. Configuration/Hygiene:
should beand turned off for 30All daysnewand configuration
after 30
to guide
rules beyond focus
a penetration
baseline-hardened testing efforts.
configuration
days
9. uninstalled
Advanced: Devisefromathe system.
scoring method for
that
2. allowwins:
Quick traffic to flow through
Host-based firewalls network
or port
determining
security toolsdevices,the results of
suchbeasappliedred
firewallsteam exercises so
filtering
that results can should
be compared onand
over endnetwork-
time. systems,
based a IPS,
withAdvanced: should berule
default-deny documented
that beddrops and recorded
all mimics
traffic
10. Create a test that a
in a configuration
except those services management
and system, are with a
production environment forports thatpenetration
specific
specific
explicitly business
allowed. reason for each change, a
tests and red team attacks against elements that
specific
3. individuals name responsible for thatbe
are not typically tested in production, should
Quick wins: Automated port scans such as
business
performed need,
on a and an expected
regular basiscontrol duration
against all dataof the
key
attacks
need. and against supervisory and
Control
servers 13:compared to a known effective
acquisition and other control systems.
4.
1. Configuration/Hygiene:
Quick
baseline. wins: Deny communications
If a change that is Network
not listed filtering
with
on the (or
technologies
limit data flow
organizations employed
to) known
approved between
malicious
baseline networks
is IP with
addresses
discovered,
different
(black security
lists), or levels
limit access(firewalls,
an alert should be generated and reviewed.sites only to network-
trusted
based
(white
4. QuickIPS
lists). tools,
wins: Alland
Tests canrouters with access
be periodically
services should be kept controls
carried
up to
lists)
out
dateby should
and anybe
sending deployed
packets
unnecessary with
from capabilities
bogon
components sourcetoIP
filter Internet
addresses
uninstalled and Protocol
(unroutable
removed version
or from 6 (IPv6)
otherwise
the unused
system. traffic.
IP
However,
addresses) if into
IPv6the
5. Visibility/Attribution: is not currently
network being
to verify
Any server used
that
that it
they
is visible
should
are not
from the be disabled.
transmitted
Internet orSince
through many
an untrusted operating
network perimeters.
network
systems
Lists
should of be today
bogon shipand
addresses
verified, withifIPv6
are support
it is publicly
not activated,
available
required for
filtering
business technologies
on the Internet purposes, need
fromit various
should tobe take
sources,
movedit into
andto an
account.VLAN
indicate
internal a series and ofgiven
IP addresses
a privatethat should not
address.
5.
6. Configuration/Hygiene: Services devices
be Configuration/Hygiene:
used for legitimate trafficNetwork
traversing needed the for
should beuse
Internet.
business managed
across using two-factor
the internal network should
authentication
2. Quick wins: and
On encrypted
DMZ networks,
be reviewed quarterly via a change control sessions.
monitoring
6. Configuration/Hygiene:
systems
group, and (which
business may units
be built The inlatest
should thestable
torejustify IDS the
version
businessof
sensors or any security-related
deployed
use. Services as that are updates
a separate turned must
technology)
on for be
installed
should
projects beorwithin
configured
limited 30 engagements
days of the update
to record leastbeing
atshould packet
be
360521017.xlsx released
header from
information, the device
and vendor.
preferably
turned off when they are no longer needed and full packet
7. Advanced:
header
properly and The network
payloads
documented. of theinfrastructure
traffic destined should
for or
be managed
passing through across
7. Configuration/Hygiene: the network
network connections
border.
Operate Thisthat
critical traffic
are separated
should
services beonsent from
to a the
separate business
physical use of host
or logical that
network, relying
56
machines, such as onDNS,
separate VLANs
file, mail, or, and
web,
preferably,
properly configured
database on entirely
servers. different
Security Eventphysical
Information
connectivity
8. Advanced:for
Management management
(SEIM)
Application or log sessions
analytics
firewalls forbe so
system
should
Technology Confidential Final

No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical CobiT Cobit 5.0 ISO
controls and/or ISO27032 4.1 27002:20
05

Exchange of sensitive data: Sensitive transaction Enquire whether and confirm that data transmissions outside the organisation require encrypted format prior to transmission. Not applicable DS5.11 DSS05.02 Manage network and 6.2.1
data is only exchanged over a trusted path or medium Enquire whether and confirm that corporate data are classified according to exposure level and classification scheme (e.g., connectivity security 10.6.1
with controls to provide authenticity of content, proof confidential, sensitive). 10.6.2
of submission, proof of receipt and non-repudiation of Enquire whether and confirm that sensitive data processing is controlled through application controls that validate the transaction 10.8.1
origin. prior to transmission. 10.9.1
Review that the application logs or halts processing for invalid or incomplete transactions. 11.4.1
11.4.2
11.4.3
11.4.4
18.5 11.4.5
11.4.6
11.4.7
11.6.2

19 Manage malware attacks: Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

Malicious software prevention, detection and Enquire whether and confirm that a malicious software prevention policy is established, documented and communicated Control 5: DS5.9 DSS05.01 Protect against 6.2.1
correction: Preventive, detective and corrective throughout the organisation. 1. Quick wins: Employ automated tools to malware 10.4.1
measures are in place (especially up-to-date security Ensure that automated controls have been implemented to provide virus protection and that violations are appropriately continuously monitor workstations, servers, and 10.4.2
patches and virus control) across the organisation to communicated. mobile devices for active, up-to-date anti- 10.6.1
protect information systems and technology from Enquire of key staff members whether they are aware of the malicious software prevention policy and their responsibility for malware protection with anti-virus, anti- 10.6.2
malware (e.g., viruses, worms, spyware, spam). ensuring compliance. spyware, personal firewalls, and host-based IPS 11.4.1
From a sample of user workstations, observe whether a virus protection tool has been installed and includes virus definition files
functionality. All malware detection events 11.4.2
and the last time the definitions were updated. should be sent to enterprise anti-malware 11.4.3
Enquire whether and confirm that the protection software is centrally distributed (version and patch-level) using a centralised administration tools and event log servers. The 11.4.4
configuration and change management process. endpoint security solution should include zero- 11.4.5
Review the distribution process to determine the operating effectiveness. day protection such as network behavioral 11.4.6
19.1 Enquire whether and confirm that information on new potential threats is regularly reviewed and evaluated and, as necessary, heuristics. 11.4.7
manually updated to the virus definition files. 2. Quick wins: Employ anti-malware software
Review the review and evaluation process to determine operating effectiveness. and signature auto-update features or have
Enquire whether and confirm that incoming e-mail is filtered appropriately against unsolicited information. administrators manually push updates to all
Review the filtering process to determine operating effectiveness, or review the automated process established for filtering machines on a daily basis. After applying an
purposes. update, automated systems should verify that
each system has received its signature update.
3. Quick wins: Configure laptops, workstations,
and servers so that they will not auto-run
content from USB tokens (i.e., thumb drives),
USB hard drives, CDs/DVDs, Firewire devices,
external serial advanced technology attachment
devices, mounted network shares, or other
removable media. If the devices are not required
20 Protect infrastructure components: Technology is hardened, security-related technology is made resistant to tampering, and security documentation is not disclosed unnecessarily. for business use, they should be disabled.
4. Quick wins: Configure systems so that they
conduct an automated anti-malware scan of
Protection of security technology: Security-related Enquire whether and confirm that policies and procedures have been established to address security breach consequences Not applicable
removable media when it is inserted. DS5.7 DSS05.05 Manage physical 6.1.4
technology is made resistant to tampering, and (specifically to address controls to configuration management, application access, data security and physical security requirements). 5. Quick wins: All e-mail attachments entering access to IT assets 9.1.6
security documentation is not disclosed unnecessarily. Inspect the control records granting and approving access and logging unsuccessful attempts, lockouts, authorised access to the organizations e-mail gateway should be 9.2.1
sensitive files and/or data, and physical scanned and blocked if they contain malicious 9.2.3
access to facilities. code or file types unneeded for the 10.7.4
Enquire whether and confirm that the security design features facilitate password rules (e.g., maximum length, characters, organizations business. This scanning should be 10.6.2
expiration, reuse). done before the e-mail is placed in the users 10.10.1
Enquire whether and confirm that the control requires annual management reviews of security features for physical and logical inbox. This includes e-mail content filtering and 10.10.3
access to files and data. web content filtering. 10.10.4
Verify that access is authorised and appropriately approved. 6. Quick wins: Apply anti-virus scanning at the 10.10.5
Inspect security reports generated from system tools preventing network penetration vulnerability attacks. Web Proxy gateway. Content filtering for file- 10.10.6
types should be applied at the perimeter. 11.3.2
7. Quick wins: Deploy features and toolkits such 11.3.3
20.1
as Data Execution Prevention (DEP) and 11.4.3
Enhanced Mitigation Experience Toolkit (EMET), 11.4.4
products that provide sandboxing (e.g., run 11.5.1
browsers in a VM), and other techniques that 11.5.4
prevent malware exploitation. 11.5.5
8. Quick wins: Limit use of external devices to 11.5.6
those that have business need. Monitor for use 10.6.2
and attempted use of external devices. 11.7.1
9. Visibility/Attribution: Block access to external 11.7.2
e-mail systems, instant messaging services and 12.4.1
other social media tools. 12.6.1
10. Visibility/Attribution: Automated monitoring 13.1.2
tools should use behavior-based anomaly 13.2.3
detection to complement and enhance traditional 15.2.2
signature-based detection. 15.3.2
11. Visibility/Attribution: Utilize network-based
anti-malware tools to analyze all inbound traffic
and filter out malicious content before it arrives
at the endpoint.
12. Advanced: Continuous monitoring should be
performed on all inbound and outbound traffic.
Any large transfers of data or unauthorized
traffic should be flagged and, if validated as
malicious, the computer should be moved to an
isolated VLAN.
13. Advanced: Implement an incident response
process that allows their IT Support Organization
to supply their Security Team with samples of
malware running undetected on corporate
systems. Samples should be provided to the
security vendor for out-of-band signature
creation and deployed to the enterprise by
system administrators.
14. Advanced: Utilize network-based flow
analysis tools to analyze inbound and outbound
traffic looking for anomalies, indicators of
malware, and compromised systems.
15. Advanced: Deploy reputation-based
technologies on all endpoint devices to cover
the gap of signature based technologies.
16. Advanced: Enable domain name system
(DNS) query logging to detect hostname lookup
for known malicious C2 domains.
17. Advanced: Apply proxy technology to all
communication between internal network and
the Internet.

360521017.xlsx
Facilities Confidential Final

Domain F Facilities

Prevent loss, damage, theft or compromise of organizations


premises and information and interruption to the organizations
activities.

No Standard / Control measure Points to Consider from Cobit V4.1 Points to consider from SANS Critical controls CobiT Cobit 5.0 ISO
and/or ISO27032 4.1 27002:20
05

Physical security: Physical security measures are defined and implemented in line with business and data classification requirements to secure facilities (e.g. buildings, power supply) and the physical and information assets. Physical security must be capable of
21
effectively preventing, detecting and mitigating risks relating to disasters and accidents (e.g. nature, human, vandalism, terror).

Physical security measures: Physical security measures are Enquire whether and confirm that: Not applicable DS12.2 DSS05.05 Manage physical 9.1.1
defined and implemented in line with business requirements to A policy is defined and implemented for the physical security and access control access to IT assets 9.1.2
secure the location and the physical assets. Physical security measures to be followed for IT sites. The policy is regularly reviewed to ensure that it 9.1.3
measures must be capable of effectively preventing, detecting and remains relevant and up to date. 9.1.4
mitigating risks relating to theft, temperature, fire, smoke, water, Access to information about sensitive IT sites and their design plans is limited 9.2.1
vibration, terror, vandalism, power outages, chemicals or External signs and other identification of sensitive IT sites are discreet and do not 9.2.2
explosives. obviously identify the site from outside 9.2.3
Organisational directories/site maps do not identify the location of the IT site 9.2.5
The design of physical security measures takes into account the risks associated with the 9.2.7
business and operation. Where appropriate, physical security measures include alarm
systems, building hardening, armoured cabling protection, secure partitioning, etc.
Tests of the preventive, detective and corrective physical security measures are
performed periodically to verify design, implementation and effectiveness
The site design takes into account the physical cabling of telecommunication and piping
of water, power and sewer
21.1 A process supported by the appropriate authorisation is defined and implemented for the
secure removal of IT equipment
Receiving and shipping areas of IT equipment are safeguarded in the same manner and
scope as normal IT sites and operations
A policy and process are defined to transport and store equipment securely
A process exists to ensure that storage devices containing sensitive information are
physically destroyed or sanitised
A process exists for recording, monitoring, managing, reporting and resolving physical
security incidents, in line with the overall IT incident management process
Particularly sensitive sites are checked frequently (including weekends and holidays) by
security personnel.

Physical access: Procedures are defined and implemented to Enquire whether and confirm that: Not applicable DS12.3 DSS05.05 Manage physical 6.2.1
grant, limit and revoke access to premises, buildings and areas A process is in place that governs the requesting and granting of access to the computing access to IT assets 9.1.2
according to business needs, including emergencies. Access to facilities 9.1.5
premises, buildings and areas can be justified, authorised, logged Formal access requests are completed and authorised by management of the IT site, the 9.1.6
and monitored. This applies to all persons entering the premises, records are retained, and the forms specifically identify the areas to which the individual is 9.2.5
including staff, temporary staff, clients, vendors, visitors or any granted access. This is verified by observation or review of approvals.
other third party. Procedures are in place to ensure that access profiles remain current. Verify that access
to IT sites (server rooms, buildings, areas or zones) is based on job function and
responsibilities.
There is a process to log and monitor all entry points to IT sites, registering all visitors,
including contractors and vendors, to the site
A policy exists instructing all personnel to display visible identification at all times and
21.2 prevents the issuance of identity cards or badges without proper authorisation. Observe
whether badges are being worn in practice.
A policy exists requiring visitors to be escorted at all times by a member of the IT
operations group whilst onsite, and individuals who are not wearing appropriate
identification are pointed out to security personnel
Access to sensitive IT sites is restricted through perimeter restrictions, such as
fences/walls and security devices on interior and exterior doors. Verify that the devices
record entry and sound an alarm in the event of unauthorised access. Examples of such
devices include badges or key cards, key pads, closed-circuit television and biometric
scanners.
Regular physical security awareness training is conducted. Verify by reviewing training
logs.

360521017.xlsx

You might also like