Yes
No
In Progress
a. Is the implementation of security policy reviewed independently on a regular basis? This is to provide assurance that organizational practices properly reflect the policy, and that it is feasible and effective.
Security of third party access
1. Identification of risks from third party
a. Are risks from third party access identified and appropriate security controls implemented?
b. Are the types of access identified, classified and reasons for access justified?
c. Are security risks with third party contractors working onsite identified and appropriate controls implemented?
2. Security requirements in third party contracts
a. Is there a formal contract containing, or referring to, all the security requirements to ensure compliance with the organization's security policies and standards?
Outsourcing
1. Security requirements in outsourcing contracts
a. Are security requirements addressed in the contract with the third party, when the organization has outsourced the management and control of all or some of its information systems, networks and/or desktop environments? Does the contract address how the legal requirements are to be met, how the security of the organization's assets is maintained and tested, and the right of audit, physical security issues and how the availability of the services is to be maintained in the event of disaster?
Asset classification and control
Accountability of assets