Yes
No
In Progress
2. Incident management procedures
a. Does an Incident Management procedure exist to handle security/threat incidents?
b. Does the procedure address incident management responsibilities and an orderly and quick response to security/threat incidents?
c. Does the procedure address different types of incidents, ranging from denial of service to breach of confidentiality, etc., and ways to handle them?
d. Are the audit trails and logs relating to the incidents maintained, and is proactive action taken so that the incident doesn’t reoccur?
3. External facilities management
a. Are any of the information processing facilities managed by an external company or contractor (third party)?
b. Are the risks associated with such management identified in advance, discussed with the third party and appropriate controls incorporated into the contract?
c. Is necessary approval obtained from business and application owners?
Media handling and Security
1. Management of removable computer media
a. Does a procedure exist for management of removable computer media such as tapes, disks, cassettes, memory cards and reports?
Exchange of Information and software
1. Information and software exchange agreement
a. Is there any formal or informal agreement between the organizations for exchange of information and software?