Information Security Program Assessment Tool (166215873)
Content
Introduction and Guidance
How to Use This Tool This assessment tool was created to evaluate the maturity of higher education information security pr Standardization (ISO) 27002 "Information technology Security techniques. Code of practice for inform as a whole, although a unit within an institution may also use it to help determine the maturity of its i completed by chief information officer, chief information security officer or equivalent, or a designee. an information security officer or equivalent, familiar with their environment, to complete this tool.
The self-assessment has been designed to be completed annually or at the frequency your insitution f framework for scoring maturing, which scales from 0 to 5, with 5 being the highest level of maturity. Y NIST, CMMI, or another maturity framework, that may be more familiar, with the same numeric 0 thro maturity, 0–5. Each ISO section will be added up then averaged to provide a maturity assessment for "Score Definitions" tab of the spreadsheet. Not Performed = 0; Performed Informally = 1; Planned = 2; Well Defined = 3; Quantitatively Controlled = 4; Continuously Improving = 5
Below is a summary of the focus of each section and scoring to be used for that section. The same inf Please send any feedback to [email protected].
ISO 4: Risk Management
Assess the risk management process as it relates to creating an information security strategy and pro management process, which includes not only assessing information security risks to the institution b managing and implementing controls to protect against those risks.
ISO 5: Security Policy Assess how an institution expresses its intent with regard to information security.
ISO 6: Organization of Information Security Assess how an institution manages its information security across the entire enterprise, including how direction.
ISO 7: Asset Management Assess an institution's asset management program. Does it include ways to identify, track, classify, an adequately protected?
ISO 8: Human Resources Security Assess an institution's safeguards and processes for ensuring that all employees (including contractor and responsibilities of their job duties and that access is removed once employment is terminated.
ISO 9: Physical and Environmental Security Assess an institution's steps taken to protect systems, buildings, and related supporting infrastructure
Introduction and Guidance
ISO 10: Communications and Operations Management Assess an institution’s formalized policies, procedures, and controls, which assist in data and system p
ISO 11: Access Control Assess an institution’s use of administrative, physical, or technical security features to manage how u resources.
ISO 12: Information Systems Acquisition, Development, and Maintenance Assess whether an institution has security requirements established as an integral part of the develop ISO 13: Information Security Incident Management Assess an institution’s information security incident management program. An effective program will adverse events.
ISO 14: Business Continuity Management Assess an institution’s business continuity management. A mature institution has a managed, organiz operations under extraordinary circumstances including the maintenance of measures to ensure the p
ISO 15: Compliance Assess an institution’s processes for staying current with legal and contractual requirements to protec
0 1
ISO 21827 Not Performed Performed Informally
Definitions There are no security controls or plans in place. The controls are nonexistent. Base practices of the control area are generally performed on an ad hoc basis. There is general agreement within the organization that identified actions should be performed, and they are performed when required. The practices are not formally adopted, tracked, and reported on.
2
Planned
The base requirements for the control area are planned, implemented, and repeatable.
3
Well Defined
The primary distinction from Level 2, Planned and Tracked, is that in addition to being repeatable the processes used are more mature: documented, approved, and implemented organization-wide.
4
Quantitatively Controlled
The primary distinction from Level 3, Well Defined, is that the defined, standard processes are regularly reviewed and updated. Improvements reflect an understanding of, and response to, a vulnerability's impact.
The primary distinction from Level 4, Quantitatively Controlled, is that the defined, standard processes are regularly reviewed and updated . Improvements reflect an understanding of, and response to, a vulnerability's impact.
5
Continuously Improving
ISO 21827 https://www.sabs.co.za/content/uploads/files/SANS21827%28colour%29.pdf
ISG (ECAR) Not Implemented
CMMI Non-existent
NIST Non-existent
COBIT Non-existent
Planning Stages
Ad hoc
Documented Policy
Initial/Ad-hoc
Partially Implemented
Repeatable
Documented Procedures
Repeatable but Intuitive
Close to Completion
Defined & Implemented
Procedures & Controls
Defined Process
Fully Implemented
Managed
Measured Program
Managed & Measurable
Optimized
Pervasive Program
Optimized
HEISC Information Security Benchmark Assessment Tool for Higher Education November 2012
B 10 C D E F G
This tool can be used to assess an enterprise information security program, department, or other. Please select from the drop down box -> Name of person completing assessment:
Enterprise Information Security Program
11
12 13
Name of department or institution (if applicable): Date completed Reset Worksheet ----->
Not Performed = 0; Performed Informally = 1; Planned = 2; Well Defined = 3; Quantitatively Controlled = 4; Continuously Improving = 5; Item Score Not Applicable = Blank NOTE: 5 is the highest level of maturity Total Score for ISO 4 ->
Not Performed Not Performed Not Performed
FALSE
14
Questions
Category Score
Help
15
Risk Management (ISO 4) 1 2 3 Does your institution have a risk management program? Does your institution have a process for identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing sensitive information? Does your organization conduct routine risk assessments to identify the key objectives that need to be supported by your information security program? Security Policy (ISO 5) 4 5 6 7 8 9 10 11 12 13 14 15 16 17 Does your institution have an information security policy that has been approved by management? Has it been published and communicated to all relevant parties? Does your institution review the policy at defined intervals to encompass significant change and monitor for compliance?
Not Performed Not Performed Not Performed
#NAME?
16
17
0
18
0
19
Total Score for ISO 5->
0
#NAME?
20
21
0
22
0
23
Organization of Information Security (ISO 6) Does your information security function have the authority it needs to manage and ensure compliance with the information security program? Does your institution have an individual with enterprise-wide (campus) information security responsibility and authority written in their job description, or equivalent? Note: This may be the CIO, CISO, CSO, or other. Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes, and audits? Is there a formal process for having the individual with information security responsibility assess and sign off on appropriate hardware, software, and services, ensuring they follow security policies and requirements? Does your institution require the use of confidentiality or nondisclosure agreements for employees and third parties?
Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed
Total Score for ISO 6 ->
0
#NAME?
24
25
0
26
0
27
0
28
0
29
Does your institution maintain relationships with local authorities? Does your institution participate with local or national security groups (e.g., REN-ISAC, EDUCAUSE, InfraGard, Information Systems Security Association, etc.)? Does your institution have independent security reviews completed at planned intervals or when significant changes to the environment occur? Does your institution specify security requirements in contracts with external entities (third party) before granting access to sensitive institutional information assets? Are requirements addressed and remediated prior to granting access to data, assets, and information systems?
0
30
0
31
0
32
0
33
0
HEISC Information Security Benchmark Assessment Tool for Higher Education November 2012
B C D E F G
14
Questions
Not Performed = 0; Performed Informally = 1; Planned = 2; Well Defined = 3; Quantitatively Controlled = 4; Continuously Improving = 5; Item Score Not Applicable = Blank NOTE: 5 is the highest level of maturity Total Score for ISO 7->
Not Performed Not Performed
0
Category Score
Help
34
Asset Management (ISO 7) 18 19 20 21 22 23 24 25 Has your organization identified critical information assets and the functions that rely on them? Does your institution classify information to indicate the appropriate levels of information security?
#NAME?
35
36
0
37
Human Resource Security (ISO 8) Do all individuals interacting with university systems receive information security awareness training? Does your institution conduct specialized role-based training? Do the information security programs clearly state responsibilities, liabilities, and consequences? Does your institution have a process for revoking system and building access and returning assigned assets? Does your institution have a process for revoking system access when there is a position change or when responsibilities change? Physical and Environmental Security (ISO 9)
Not Performed Not Performed Not Performed Not Performed Not Performed
Total Score for ISO 8->
0
#NAME?
38
39
0
40
0
41
0
42
0
43
Total Score for ISO 9->
Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed
0
#NAME?
44
26 27 28 29 30 31
Do your institution's data centers include controls to ensure that only authorized parties are allowed physical access? Does your institution have preventative measures in place to protect critical hardware and wiring from natural and man-made threats? Does your institution have a process for issuing keys, codes, and/or cards that require appropriate authorization and background checks for access to these sensitive facilities? Does your institution follow vendor-recommended guidance for maintaining equipment? Does your institution have a media-sanitization process that is applied to equipment prior to disposal, reuse, or release? Are there processes in place to detect the unauthorized removal of equipment, information, or software?
45
0
46
0
47
0
49
0
50
0
HEISC Information Security Benchmark Assessment Tool for Higher Education November 2012
B C D E F G
14
Questions
Not Performed = 0; Performed Informally = 1; Planned = 2; Well Defined = 3; Quantitatively Controlled = 4; Continuously Improving = 5; Item Score Not Applicable = Blank NOTE: 5 is the highest level of maturity Total Score for ISO 10->
Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed
0
Category Score
Help
51
Communications and Operations Management (ISO 10) 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 Does your institution maintain security configuration standards for information systems and applications? Are changes to information systems tested, authorized, and reported? Are duties sufficiently segregated to ensure unintentional or unauthorized modification of information is detected? Are production systems separated from other stages of the development life cycle? Do agreements for external information system services specify appropriate security requirements? Does your institution have a process in place for assessing that external information system providers comply with appropriate security requirements? Is external information system services provider compliance with security controls monitored? Are external information system service agreements executed and routinely reviewed to ensure security requirements are current? Does your institution have processes in place to monitor the utilization of key system resources and to mitigate the risk of system downtime? Are methods used to detect, quarantine, and eradicate known malicious code on information systems including workstations, servers, and mobile computing devices? Are methods used to detect and eradicate known malicious code transported by electronic mail, the web, or removable media? Is your data backup process frequency consistent with the availability requirements of your organization? Does your institution routinely test your restore procedures? Does your institution continuously monitor your wired and wireless networks for unauthorized access?
#NAME?
52
53
0
54
0
55
0
56
0
57
0
58
0
59
0
60
0
61
0
62
0
63
0
64
0
65
0
66
Does your institution have a process for posture checking, such as current antivirus software, firewall enabled, OS patch level, etc., of devices as they connect to your network? Does your institution have a segmented network architecture to provide different levels of security based on the information's classification? Are Internet-accessible servers protected by more than one security layer (firewalls, network IDS, host IDS, application IDS)? Does your institution use appropriate/vetted encryption methods to protect sensitive data in transit? Are controls in place to protect, track, and report status of media that has been removed from secure organization sites? Does your institution have policies and procedures in place to protect exchanged information (within your organization and in third-party agreements) from interception, copying, modification, misrouting, and destruction? Does your institution have a process in place to ensure data related to electronic commerce (e-commerce) traversing public networks is protected from fraudulent activity, unauthorized disclosure, or modification? Are security-related activities such as hardware configuration changes, software configuration changes, access attempts, and authorization and privilege assignments automatically logged? Does your institution have a process for routinely monitoring logs to detect unauthorized and anomalous activities? Does your institution record your log reviews (recertification/attestation)? Are steps taken to secure log data to prevent unauthorized access and tampering? Does your institution regularly review administrative and operative access to audit logs? Are file-integrity monitoring tools used to alert personnel to unauthorized modification of critical system files, configuration files, or content files and to configure the software to perform critical file comparisons at least weekly? Does your institution have a procedure to ensure synchronization of system clocks with an authoritative source on a riskbased frequency (i.e., NTP)? Access Control (ISO 11)
0
67
0
68
0
69
0
70
0
71
0
72
0
73
0
74
0
75
0
76
0
77
0
78
0
79
0
80
Total Score for ISO 11->
Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed
0
#NAME?
81
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76
Does your institution have an access control policy for authorizing and revoking access rights to information systems? Does your institution have a process in place for granting and revoking appropriate user access? Does your institution have a password management program that follows current security standards? Does your institution have procedures to regularly review users' access to ensure only needed privileges are applied? Does your institution employ specific measures to secure remote access services? Does your institution ensure that user access to diagnostic and configuration ports is restricted to authorized individuals and applications? Does your institution employ specific measures to prevent and detect rogue access for all of your wireless LANs? Does your institution employ technologies to block or restrict unencrypted sensitive information from traveling to untrusted networks? Does your institution have mechanisms in place to manage digital identities (accounts, keys, tokens) throughout their life cycle, from registration through termination? Is there a policy in place to restrict the sharing of passwords? Does your institution prohibit use of generic accounts with privileged access to systems? Does your institution have an authentication system in place that applies higher levels of authentication to protect resources with higher levels of sensitivity? Does your institution have an authorization system that enforces time limits lockout on login failure and defaults to minimum privileges? Does your institution have standards for isolating sensitive data and procedures and technologies in place to protect it from unauthorized access and tampering? Does your institution have usage guidance established for mobile computing devices (regardless of ownership) that store, process, or transmit institutional data? Does your institution require encryption on mobile (i.e., laptops, tablets, etc.) computing devices? Does your institution have a telework policy that addresses multifactor access and security requirements for the end point used?
82
0
84
0
85
0
86
0
87
0
88
0
89
0
90
0
91
0
92
0
93
0
94
0
95
0
96
0
97
0
98
0
HEISC Information Security Benchmark Assessment Tool for Higher Education November 2012
B C D E F G
14
Questions
Not Performed = 0; Performed Informally = 1; Planned = 2; Well Defined = 3; Quantitatively Controlled = 4; Continuously Improving = 5; Item Score Not Applicable = Blank NOTE: 5 is the highest level of maturity Total Score for ISO 12->
Not Performed Not Performed
0
Category Score
Help
99
Information Systems Acquisition, Development, and Maintenance (ISO 12) 77 78 79 Does your institution have a process for validating the security of purchased software products and services? Are new information systems or enhancements to existing information systems validated against defined security requirements? Have standards been established that address secure coding practices (e.g., input validation, proper error handling, session management, etc.), and take into consideration common application security vulnerabilities (e.g., CSRF, XSS, code injection, etc.)? Are validation checks incorporated into applications to detect any corruption of information through processing errors or deliberate acts? Are processes in place to check whether message integrity is required? Incorrect output may occur, even in tested systems. Does your institution have validation checks to ensure data output is as expected? Do your policies indicate when encryption should be used (e.g., at rest, in transit, with sensitive or confidential data, etc.)? Are standards for key management documented and employed? Have you established procedures for maintaining source code during the development life cycle and while in production to reduce the risk of software corruption? Does your institution apply the same security standards for sensitive test data that you apply to sensitive production data? Does your institution restrict and monitor access to source code libraries to reduce the risk of corruption? Does your institution have a configuration-management process in place to ensure that changes to your critical systems are for valid business reasons and have received proper authorization? Are reviews and tests performed to ensure that changes made to production systems do not have an adverse impact on security or operations? Have you implemented tools and procedures to monitor for and prevent loss of sensitive data? Do your contract agreements include security requirements for outsourced software development? Does your institution have a patch management strategy in place and responsibilities assigned for monitoring and promptly responding to patch releases, security bulletins, and vulnerability reports? Information Security Incident Management (ISO 13) 93 94 Are incident-handling procedures in place to report and respond to security events throughout the incident life cycle, including the definition of roles and responsibilities? Are your incident response staff aware of legal or compliance requirements surrounding evidence collection?
Not Performed Not Performed
#NAME?
100
102
0
103
Not Performed
0
104
80 81 82 83 84 85 86 87 88 89 90 91 92
Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed
0
105
0
106
0
107
0
108
0
109
0
110
0
111
0
112
0
113
0
114
0
115
0
116
0
117
Total Score for ISO 13->
0
#NAME?
118
119
0
120
Business Continuity Management (ISO 14) 95 Does your institution have a documented business continuity plan for information technology that is based on a business impact analysis, is periodically tested, and has been reviewed and approved by senior staff or the board of trustees? Compliance (ISO 15) 96 97 98 99 100 101 102 103 Does your institution have a records management or data governance policy that addresses the life cycle of both paper and electronic records at your institution? Does your institution have an enforceable data protection policy that covers personally identifiable information (PII)? Does your institution have an Acceptable Use Policy that defines misuse? Does your institution provide guidance for the community on export control laws? Are standard operating procedures periodically evaluated for compliance with your organization's security policies, standards, and procedures? Does your institution perform periodic application and network layer vulnerability testing or penetration testing against critical information systems? Are you performing independent audits on information systems to identify strengths and weaknesses? Are audit tools properly separated from development and operational system environments to prevent any misuse or compromise?
Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed
Total Score for ISO 14->
0
#NAME?
121
122
Total Score for ISO 15->
0
#NAME?
123
124
0
125
0
126
0
127
0
128
0
129
0
130
0
131
THE END -- overall average ------>
#NAME?
Assessment Tool Questions* Ma
Assessment Questions 1 2 3 4 5 6 ISO
4.1 4.2 5.1.1 5.1.1 A.5 Security Policy A.5.1 Information security policy A.5.1.1 Information security policy document A.5.1.2 Review of the information security policy A.6 Organization of information security A.6.1 Internal A.6.1.1 Management commitment to information security A.6.1.2 Information security coordination A.6.1.3 Allocation of information security responsibilities A.6.1.4 Authorization process for information processing facilities A.6.1.5 Confidentiality agreements A.6.1.6 Contact with authorities A.6.1.7 Contact with special interest groups A.6.1.8 Independent review of information security
7
5.1.2
8
6.1.1
9
6.1.2
10
6.1.3
11
6.1.4
12
6.1.5
13 14
6.1.6 6.1.7
15
6.1.8
A.6.2 External Parties 16 6.2.1 A.6.2.1 Identification of risks related to external parties A.6.2.2 Addressing security when dealing with customers A.6.2.3 Addressing security in third party agreements A.7 Asset Management A.7.1 Responsibility for assets A.7.1.1 Inventory of assets A.7.1.2 Ownership of assets A.7.1.3 Acceptable use of assets A.7.2 Information Classification A.7.2.1 Classification Guidelines A.7.2.2 Information labeling and handling A.8 Human Resources Security A.8.1 Prior to Employment A.8.1.1 Roles and Responsibilities A.8.1.2 Screening A.8.1.3 Terms and conditions of employment A.8.2 During employment A.8.2.1 Management responsibilities
17
6.2.2
18 19
7.1.1 7.2.1
20
8.2.1
21
8.2.2
A.8.2.2 Awareness, education, and training A.8.2.3 Disciplinary process A.8.3 Termination or change of employment A.8.3.1 Termination responsibilities A.8.3.2 Return of assets A.8.3.3 Removal of access rights A.9 Physical and environmental security A.9.1 Secure areas A.9.1.1 Physical security perimeter A.9.1.2 Physical entry controls A.9.1.3 Securing offices, rooms, facilities A.9.1.4 Protecting against external and environmental threats A.9.1.5 Working in secure areas A.9.1.6 Public access, delivery and loading areas A.9.2 Equipment security A.9.2.1 Equipment siting and protection A.9.2.2 Supporting utilities A.9.2.3 Cabling security A.9.2.4 Equipment maintenance
22 23
8.2.3 8.3.1
24
8.3.2 8.3.3
25
9.1.2
26
9.1.4
27
9.1.5
28
9.2.4
A.9.2.5 Security of equipment offpremises 29 9.2.6 A.9.2.6 Secure disposal or reuse of equipment A.9.2.7 Removal of property MP-5, PE-16 A.10 Communications and operations management A.10.1 Operational procedures and responsibilities 31 10.1.1 A.10.1.1 Documented operating procedures
30
9.2.7
32 33
10.1.2 10.1.3
A.10.1.2 Change management A.10.1.3 Segregation of duties A.10.1.4 Separation of development, test A.10.2 Third-party and operational service delivery facilities management A.10.2.1 Service delivery A.10.2.2 Monitoring and review of thirdparty services A.10.2.3 Managing changes to thirdparty services
34
10.1.4
35 36
10.2.1 10.2.2
40
10.3.1
A.10.3 System planning and A.10.3.1 Capacity acceptance management A.10.3.2 System acceptance A.10.4 Protection against malicious and mobile code
41
10.4.1
A.10.4.1 Controls against malicious code
43
10.5.1
A.10.4.2 Controls against mobile code A.10.5 Backup A.10.5.1 Information backup A.10.6 Network security management A.10.6.1 Network controls A.10.6.2 Security of network services A.10.7 Media handling A.10.7.1 Management of of A.10.7.2 Disposal removable media media A.10.7.3 Information handling procedures A.10.7.4 Security of system documentation
45
10.6.1
50
10.7.1 10.7.3
51
10.8.1
A.10.8 Exchange of information A.10.8.1 Information exchange policies and procedures A.10.8.2 Exchange agreements A.10.8.3 Physical media in transit A.10.8.4 Electronic messaging A.10.8.5 Business information systems A.10.9 Electronic commerce services A.10.9.1 Electronic commerce A.10.9.2 Online transactions A.10.9.3 Publicly available information A.10.10 Monitoring A.10.10.1 Audit logging
52
10.9.1 10.9.2
53
10.10.1
54
10.10.2
A.10.10.2 Monitoring system use A.10.10.3 Protection of log information
57 59 60
10.10.4 10.10.5 10.10.6
A.10.10.4 Administrator and A.10.10.5 Fault operator logs logging A.10.10.6 Clock synchronization A.11 Access Control A.11.1 Business requirement for A.11.1.1 Access access control control policy A.11.2 User access management A.11.2.1 User registration A.11.2.2 Privilege management A.11.2.3 User password management A.11.2.4 Review of user access A 11.3 User rights responsibilities A.11.3.1 Password use A.11.3.2 Unattended user equipment A.11.3.3 Clear desk and clear screen policy A.11.4 Network access control A.11.4.1 Policy on use of network services
61
11.1.1
62
11.2.1 11.2.2 11.2.3
63
64
11.2.4
65
11.4.2
A.11.4.2 User authentication for A.11.4.3 Equipment external connections identification in networks A.11.4.4 Remote diagnostic and configuration port protection
66
11.4.4
A.11.4.5 Segregation in networks 67 68 11.4.6 11.4.7 A.11.4.6 Network connection control A.11.4.7 Network routing control A 11.5 Operating system access control A.11.5.1 Secure logon procedures A.11.5.2 User identification and authentication A.11.5.3 Password management system A.11.5.4 Use of system utilities A.11.5.5 Session time-out A.11.5.6 Limitation of connection time A.11.6 Application and information A.11.6.1 Information control access restriction A.11.6.2 Sensitive system isolation A.11.7 Mobile computing and teleworking A.11.7.1 Mobile computing and A.11.7.2 Teleworking communications A.12 Information systems acquisition, development and maintenance 78 79 12.1 12.1.1 A.12.1 Security requirements of A.12.1.1 Security information systems requirements analysis and specification A.12.2 Correct processing in data A.12.2.1 Input applications validation A.12.2.2 Control of internal processing A.12.2.3 Message integrity
69 70
11.5.1 11.5.2
72 73
11.5.3 11.5.4
74
11.6.2
75 77
11.7.1 11.7.2
80 81 82
12.2.1 12.2.2 12.2.3
83
12.2.4
A.12.2.4 Output data validation A.12.3 Cryptographic controls A.12.3.1 Policy on the use of cryptographic controls A.12.3.2 Key management A.12.4 Security of system files A.12.4.1 Control of operational software A.12.4.2 Protection of system test data Multiple controls; protection of test data not addressed separately in SP 80053 (e.g., AC-3, AC-4) A.12.4.3 Access control to program source code A.12.5 Security in development and support processes A.12.5.1 Change control procedures A.12.5.2 Technical review ofRestrictions applications A.12.5.3 after operating on changes to system changes software packages A.12.5.4 Information leakage A.12.5.5 Outsourced software A.12.6 Technical development Vulnerability Management A.12.6.1 Control of technical vulnerabilities A.13 Information security incident management A.13.1 Reporting information security events and weaknesses
84
12.3.1
85
12.3.2
86 87
12.4.1 12.4.2
88
12.4.3
89
12.5.1
90
12.5.2
91 92
12.5.4 12.5.5
93
12.6.1
94
13.1.1 13.1.2
A.13.1.1 Reporting information security events A.13.1.2 Reporting security weaknesses A.13.2 Management of information security incidents and improvements A.13.2.1 Responsibilities and A.13.2.2 Learning procedures from information security incidents
95
13.2.3
A.13.2.3 Collection of evidence A.14 Business continuity management A.14.1 Information security aspects of business continuity management
96
14.1.1
A.14.1.1 Including information security A.14.1.2 Business in the business continuity and risk continuity assessment management process A.14.1.3 Developing and implementing continuity plans including information security A.14.1.4 Business continuity planning framework A.14.1.5 Testing, maintaining and reassessing business continuity plans A.15 Compliance A.15.1 Compliance with legal A.15.1.1 requirements Identification of applicable legislation A.15.1.2 Intellectual property rights (IPR) A.15.1.3 Protection of organizational records
97
15.1.3
98
15.1.4
A.15.1.4 Data protection and privacy of personal information A.15.1.5 Prevention of misuse of information processing facilities A.15.1.6 Regulation of cryptographic controls A.15.2 Compliance with security policies and standards, and technical compliance
99
15.1.5
100
15.1.6
101 102
15.2.1 15.2.2
A.15.2.1 Compliance with security policies A.15.2.2 Technical and standards compliance checking A.15.3 Information systems audit considerations
103
15.3.1
A.15.3.1 Information systems audit controls A.15.3.2 Protection of information systems audit tools
104
15.3.2
* Direct mappings are listed above. In some cases questions were formed that covered more than one **NIST to ISO mapping from http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pd
Assessment Tool Questions* Mapped to ISO and NIST**
NIST Controls
XX-1 controls
XX-1 controls
XX-1 controls, PM-2, PM-3, PM-9; SP 800-39,SP 800-37
CP-2, CP-4, IR-4, PL-1, PL-2, PM-2, SA-2;SP 800-39, SP 800-37
XX-1 controls, AC-5, AC-6, CM-9, PM-2; SP 800-39, SP 800-37
CA-1, CA-6, PM-10; SP 800-37
PL-4, PS-6, SA-9
Multiple controls with contact reference (e.g.,IR-6, SI-5), SP 800-39; SP 80037 AT-5, SI-5
CA-2, CA-7; SP 800-39, SP 800-37
CA-3, PM-9, RA-3, SA-1, SA-9, SC-7
AC-8 , AT-2, PL-4
AU-16, CA-2, CA-3, PS-7, SA-9
CM-8, CM-9, PM-5 CM-8, CM-9, PM-5 AC-20, PL-4
RA-2
AC-16, MP-2, MP-3, SC-16
XX-1 controls, AC-5, AC-6, AC-8, AC-20, AT-2, AT-3, CM-9, PL-4, PS-2, PS-6, PS-7, SA-9 PS-3 AC-20, PL-4, PS-6, PS-7
PL-4, PM-13, PM-15, PS-6, PS-7, SA-9
AT-2, AT-3, IR-2
PS-8
PS-4, PS-5 PS-4, PS-5 AC-2, PS-4, PS-5
PE-3 PE-3, PE-5, PE-6 PE-3, PE-4, PE-5
CP Family; PE-1, PE-9, PE-10, PE-11, PE-13,PE-15
AT-2, AT-3 , PL-4, PS-6, PE-2, PE-3, PE-4, PE-6, PE-8 PE-3 , PE-16
PE-1, PE-18
PE-1, PE-9, PE-11, PE-12, PE-14 PE-4, PE-9 MA Family
MP-5, PE-17
MP-6
MP-5 , PE-16
XX-1 controls, CM-9
CM-1, CM-3, CM-4, CM-5, CM-9 AC-5
CM-2
SA-9 SA-9
RA-3, SA-9, SA-10
AU-4, AU-5, CP-2, SA-2, SC-5 CA-2, CA-6, CM-3, CM-4, CM-9, SA-11, SA-15, SA-17
AC-19, AT-2, PE-20, SA-8, SC-2, SC-3, SC-7,SC-14, SC-38, SI-3, SI-7
SA-8, SC-2, SC-3, SC-7, SC-14, SC-8, SC-18
CP-9
AC-4, AC-17, AC-18, AC-20, CA-3, CP-8, PE-5,SC-7, SC-8, SC-9, SC-10, SC19, SC-20, SC-21, SC-22, SC-23 CA-3, SA-9, SC-8, SC-9
PE-16, MP Family MP-6 SI-12, MP Family
MP-4, SA-5
AC-1, AC-3, AC-4, AC-17, AC-18, AC-20, CA-3, PL-4, PS-6, SC-7, SC-16, SI-9
CA-3, SA-9 MP-5 Multiple controls; electronic messaging not addressed separately in SP 80053 CA-1, CA-3
AU-10, IA-8, SC-7, SC-8, SC-9, SC-3, SC-14 SC-3, SC-7, SC-8, SC-9, SC-14 SC-14
AU-1, AU-2, AU-3, AU-4, AU-5, AU-8, AU-11, AU-12
AU-1, AU-6, AU-7, PE-6, PE-8, SC-7, SI-4
AU-9
AU-2, AU-12 AU-2, AU-12, SI-2 AU-8
AC-1, AC-5, AC-6, AC-17, AC-18, AC-19, CM-5, MP-1, SI-9
AC-1, AC-2, AC-21, IA-5, PE-1, PE-2 AC-1, AC-2, AC-6, AC-21, PE-1, PE-2, SI-9 IA-5
AC-2, PE-2
IA-2, IA-5 AC-11, IA-2, PE-3, PE-5, PE-18, SC-10
AC-11, MP-4
AC-1, AC-5, AC-6, AC-17, AC-18, AC-20
AC-17, AC-18, AC-20, CA-3, IA-2, IA-8 AC-19, IA-3
AC-3, AC-6, AC-17, AC-18, PE-3, MA-3, MA-4
AC-3, AC-6, AC-17, AC-18, SC-7 AC-4, AC-17, AC-18
AC-7, AC-8, AC-9, AC-10, IA-2, IA-6, IA-8, SC-10 IA-2, IA-4, IA-5, IA-8
IA-2, IA-5 AC-3, AC-6 AC-11, SC-10 AC-2 AC-3, AC-6, AC-14, CM-5
SC-7; SP 800-39
AC-1, AC-17, AC-18, AC-19, PL-4, PS-6 AC-1, AC-4, AC-17, AC-18, PE-17, PL-4, PS-6
PL-7, PL-8, SA-1, SA-3, SA-4
SI-10 SI-7, SI-9, SI-10 AU-10, SC-8, SC-23, SI-7
SI-7
Multiple controls address cryptography (e.g., IA-7, SC-8, SC-9, SC-12, SC13)
SC-12, SC-17
CM-1, CM-2, CM-3, CM-4, CM-5, CM-9, CM-10, CM-11, PL-4
AC-3, AC-6, CM-5, CM-9, MA-5, SA-10
CM-1, CM-3, CM-9, SA-10 CM-3, CM-4, CM-9, SI-2 CM-3, CM-4, CM-5, CM-9
AC-4, IR-9, PE-19 CM-10, CM-11, SA-1, SA-4, SA-8, SA-9, SA-11, SA-12, SA-15, SA-17
RA-3, RA-5, SI-2, SI-5
AU-6, IR-1, IR-6, SI-4, SI-5
PL-4, SI-2, SI-4, SI-5
IR-1 IR-4
AU-7, AU-9, IR-4
CP-1, CP-2, CP-4 CP-2, PM-9, RA Family
CP Family
CP-2, CP-4
CP-2, CP-4
XX-1 controls, IA-7
CM-10 AU-9, AU-11, CP-9, MP-1, MP-4, SA-5, SI-12
Appendix J; SI-12
AC-8, AU-6, CM-11, PL-4, PS-6, PS-8
IA-7, SC-13
XX-1 controls, AC-2, CA-2, CA-7, IA-7, PE-8, SI-12 CA-2, CA-7, RA-5
AU-1, AU-2
AU-9
cases questions were formed that covered more than one ISO area making one-to-one mapping difficult. ov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
nd NIST**
NIST Family
AC: Access Control AT: Awareness and Training AU: Audit and Accountability
CA: Security Assessment and Authorization
CM: Configuration Management CP: Contingency Planning IA: Identificaton and Authentication
IR: Incident Response
MP: Media Protection
PE: Physical and Environmental Protection
PL: Planning
PS: Personnel Security RA: Risk Assessment
SA: System and Services Acquisition
SC: System and Communications Protection SI: System and Information Integrity
PM: Program Management
ne-to-one mapping difficult.
Description Not Performed Performed Informally Planned Well Defined Quantitatively Controlled Continuously Improving Not Applicable
Value 0 1 2 3 4 5 Blank
How to Use This Tool This assessment tool was created to evaluate the maturity of higher education information security pr Standardization (ISO) 27002 "Information technology Security techniques. Code of practice for inform as a whole, although a unit within an institution may also use it to help determine the maturity of its i completed by chief information officer, chief information security officer or equivalent, or a designee. an information security officer or equivalent, familiar with their environment, to complete this tool.
The self-assessment has been designed to be completed annually or at the frequency your insitution f framework for scoring maturing, which scales from 0 to 5, with 5 being the highest level of maturity. Y NIST, CMMI, or another maturity framework, that may be more familiar, with the same numeric 0 thro maturity, 0–5. Each ISO section will be added up then averaged to provide a maturity assessment for "Score Definitions" tab of the spreadsheet. Not Performed = 0; Performed Informally = 1; Planned = 2; Well Defined = 3; Quantitatively Controlled = 4; Continuously Improving = 5
Below is a summary of the focus of each section and scoring to be used for that section. The same inf Please send any feedback to [email protected].
ISO 4: Risk Management
Assess the risk management process as it relates to creating an information security strategy and pro management process, which includes not only assessing information security risks to the institution b managing and implementing controls to protect against those risks.
ISO 5: Security Policy Assess how an institution expresses its intent with regard to information security.
ISO 6: Organization of Information Security Assess how an institution manages its information security across the entire enterprise, including how direction.
ISO 7: Asset Management Assess an institution's asset management program. Does it include ways to identify, track, classify, an adequately protected?
ISO 8: Human Resources Security Assess an institution's safeguards and processes for ensuring that all employees (including contractor and responsibilities of their job duties and that access is removed once employment is terminated.
ISO 9: Physical and Environmental Security Assess an institution's steps taken to protect systems, buildings, and related supporting infrastructure
Introduction and Guidance
ISO 10: Communications and Operations Management Assess an institution’s formalized policies, procedures, and controls, which assist in data and system p
ISO 11: Access Control Assess an institution’s use of administrative, physical, or technical security features to manage how u resources.
ISO 12: Information Systems Acquisition, Development, and Maintenance Assess whether an institution has security requirements established as an integral part of the develop ISO 13: Information Security Incident Management Assess an institution’s information security incident management program. An effective program will adverse events.
ISO 14: Business Continuity Management Assess an institution’s business continuity management. A mature institution has a managed, organiz operations under extraordinary circumstances including the maintenance of measures to ensure the p
ISO 15: Compliance Assess an institution’s processes for staying current with legal and contractual requirements to protec
0 1
ISO 21827 Not Performed Performed Informally
Definitions There are no security controls or plans in place. The controls are nonexistent. Base practices of the control area are generally performed on an ad hoc basis. There is general agreement within the organization that identified actions should be performed, and they are performed when required. The practices are not formally adopted, tracked, and reported on.
2
Planned
The base requirements for the control area are planned, implemented, and repeatable.
3
Well Defined
The primary distinction from Level 2, Planned and Tracked, is that in addition to being repeatable the processes used are more mature: documented, approved, and implemented organization-wide.
4
Quantitatively Controlled
The primary distinction from Level 3, Well Defined, is that the defined, standard processes are regularly reviewed and updated. Improvements reflect an understanding of, and response to, a vulnerability's impact.
The primary distinction from Level 4, Quantitatively Controlled, is that the defined, standard processes are regularly reviewed and updated . Improvements reflect an understanding of, and response to, a vulnerability's impact.
5
Continuously Improving
ISO 21827 https://www.sabs.co.za/content/uploads/files/SANS21827%28colour%29.pdf
ISG (ECAR) Not Implemented
CMMI Non-existent
NIST Non-existent
COBIT Non-existent
Planning Stages
Ad hoc
Documented Policy
Initial/Ad-hoc
Partially Implemented
Repeatable
Documented Procedures
Repeatable but Intuitive
Close to Completion
Defined & Implemented
Procedures & Controls
Defined Process
Fully Implemented
Managed
Measured Program
Managed & Measurable
Optimized
Pervasive Program
Optimized
HEISC Information Security Benchmark Assessment Tool for Higher Education November 2012
B 10 C D E F G
This tool can be used to assess an enterprise information security program, department, or other. Please select from the drop down box -> Name of person completing assessment:
Enterprise Information Security Program
11
12 13
Name of department or institution (if applicable): Date completed Reset Worksheet ----->
Not Performed = 0; Performed Informally = 1; Planned = 2; Well Defined = 3; Quantitatively Controlled = 4; Continuously Improving = 5; Item Score Not Applicable = Blank NOTE: 5 is the highest level of maturity Total Score for ISO 4 ->
Not Performed Not Performed Not Performed
FALSE
14
Questions
Category Score
Help
15
Risk Management (ISO 4) 1 2 3 Does your institution have a risk management program? Does your institution have a process for identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing sensitive information? Does your organization conduct routine risk assessments to identify the key objectives that need to be supported by your information security program? Security Policy (ISO 5) 4 5 6 7 8 9 10 11 12 13 14 15 16 17 Does your institution have an information security policy that has been approved by management? Has it been published and communicated to all relevant parties? Does your institution review the policy at defined intervals to encompass significant change and monitor for compliance?
Not Performed Not Performed Not Performed
#NAME?
16
17
0
18
0
19
Total Score for ISO 5->
0
#NAME?
20
21
0
22
0
23
Organization of Information Security (ISO 6) Does your information security function have the authority it needs to manage and ensure compliance with the information security program? Does your institution have an individual with enterprise-wide (campus) information security responsibility and authority written in their job description, or equivalent? Note: This may be the CIO, CISO, CSO, or other. Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes, and audits? Is there a formal process for having the individual with information security responsibility assess and sign off on appropriate hardware, software, and services, ensuring they follow security policies and requirements? Does your institution require the use of confidentiality or nondisclosure agreements for employees and third parties?
Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed
Total Score for ISO 6 ->
0
#NAME?
24
25
0
26
0
27
0
28
0
29
Does your institution maintain relationships with local authorities? Does your institution participate with local or national security groups (e.g., REN-ISAC, EDUCAUSE, InfraGard, Information Systems Security Association, etc.)? Does your institution have independent security reviews completed at planned intervals or when significant changes to the environment occur? Does your institution specify security requirements in contracts with external entities (third party) before granting access to sensitive institutional information assets? Are requirements addressed and remediated prior to granting access to data, assets, and information systems?
0
30
0
31
0
32
0
33
0
HEISC Information Security Benchmark Assessment Tool for Higher Education November 2012
B C D E F G
14
Questions
Not Performed = 0; Performed Informally = 1; Planned = 2; Well Defined = 3; Quantitatively Controlled = 4; Continuously Improving = 5; Item Score Not Applicable = Blank NOTE: 5 is the highest level of maturity Total Score for ISO 7->
Not Performed Not Performed
0
Category Score
Help
34
Asset Management (ISO 7) 18 19 20 21 22 23 24 25 Has your organization identified critical information assets and the functions that rely on them? Does your institution classify information to indicate the appropriate levels of information security?
#NAME?
35
36
0
37
Human Resource Security (ISO 8) Do all individuals interacting with university systems receive information security awareness training? Does your institution conduct specialized role-based training? Do the information security programs clearly state responsibilities, liabilities, and consequences? Does your institution have a process for revoking system and building access and returning assigned assets? Does your institution have a process for revoking system access when there is a position change or when responsibilities change? Physical and Environmental Security (ISO 9)
Not Performed Not Performed Not Performed Not Performed Not Performed
Total Score for ISO 8->
0
#NAME?
38
39
0
40
0
41
0
42
0
43
Total Score for ISO 9->
Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed
0
#NAME?
44
26 27 28 29 30 31
Do your institution's data centers include controls to ensure that only authorized parties are allowed physical access? Does your institution have preventative measures in place to protect critical hardware and wiring from natural and man-made threats? Does your institution have a process for issuing keys, codes, and/or cards that require appropriate authorization and background checks for access to these sensitive facilities? Does your institution follow vendor-recommended guidance for maintaining equipment? Does your institution have a media-sanitization process that is applied to equipment prior to disposal, reuse, or release? Are there processes in place to detect the unauthorized removal of equipment, information, or software?
45
0
46
0
47
0
49
0
50
0
HEISC Information Security Benchmark Assessment Tool for Higher Education November 2012
B C D E F G
14
Questions
Not Performed = 0; Performed Informally = 1; Planned = 2; Well Defined = 3; Quantitatively Controlled = 4; Continuously Improving = 5; Item Score Not Applicable = Blank NOTE: 5 is the highest level of maturity Total Score for ISO 10->
Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed
0
Category Score
Help
51
Communications and Operations Management (ISO 10) 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 Does your institution maintain security configuration standards for information systems and applications? Are changes to information systems tested, authorized, and reported? Are duties sufficiently segregated to ensure unintentional or unauthorized modification of information is detected? Are production systems separated from other stages of the development life cycle? Do agreements for external information system services specify appropriate security requirements? Does your institution have a process in place for assessing that external information system providers comply with appropriate security requirements? Is external information system services provider compliance with security controls monitored? Are external information system service agreements executed and routinely reviewed to ensure security requirements are current? Does your institution have processes in place to monitor the utilization of key system resources and to mitigate the risk of system downtime? Are methods used to detect, quarantine, and eradicate known malicious code on information systems including workstations, servers, and mobile computing devices? Are methods used to detect and eradicate known malicious code transported by electronic mail, the web, or removable media? Is your data backup process frequency consistent with the availability requirements of your organization? Does your institution routinely test your restore procedures? Does your institution continuously monitor your wired and wireless networks for unauthorized access?
#NAME?
52
53
0
54
0
55
0
56
0
57
0
58
0
59
0
60
0
61
0
62
0
63
0
64
0
65
0
66
Does your institution have a process for posture checking, such as current antivirus software, firewall enabled, OS patch level, etc., of devices as they connect to your network? Does your institution have a segmented network architecture to provide different levels of security based on the information's classification? Are Internet-accessible servers protected by more than one security layer (firewalls, network IDS, host IDS, application IDS)? Does your institution use appropriate/vetted encryption methods to protect sensitive data in transit? Are controls in place to protect, track, and report status of media that has been removed from secure organization sites? Does your institution have policies and procedures in place to protect exchanged information (within your organization and in third-party agreements) from interception, copying, modification, misrouting, and destruction? Does your institution have a process in place to ensure data related to electronic commerce (e-commerce) traversing public networks is protected from fraudulent activity, unauthorized disclosure, or modification? Are security-related activities such as hardware configuration changes, software configuration changes, access attempts, and authorization and privilege assignments automatically logged? Does your institution have a process for routinely monitoring logs to detect unauthorized and anomalous activities? Does your institution record your log reviews (recertification/attestation)? Are steps taken to secure log data to prevent unauthorized access and tampering? Does your institution regularly review administrative and operative access to audit logs? Are file-integrity monitoring tools used to alert personnel to unauthorized modification of critical system files, configuration files, or content files and to configure the software to perform critical file comparisons at least weekly? Does your institution have a procedure to ensure synchronization of system clocks with an authoritative source on a riskbased frequency (i.e., NTP)? Access Control (ISO 11)
0
67
0
68
0
69
0
70
0
71
0
72
0
73
0
74
0
75
0
76
0
77
0
78
0
79
0
80
Total Score for ISO 11->
Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed
0
#NAME?
81
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76
Does your institution have an access control policy for authorizing and revoking access rights to information systems? Does your institution have a process in place for granting and revoking appropriate user access? Does your institution have a password management program that follows current security standards? Does your institution have procedures to regularly review users' access to ensure only needed privileges are applied? Does your institution employ specific measures to secure remote access services? Does your institution ensure that user access to diagnostic and configuration ports is restricted to authorized individuals and applications? Does your institution employ specific measures to prevent and detect rogue access for all of your wireless LANs? Does your institution employ technologies to block or restrict unencrypted sensitive information from traveling to untrusted networks? Does your institution have mechanisms in place to manage digital identities (accounts, keys, tokens) throughout their life cycle, from registration through termination? Is there a policy in place to restrict the sharing of passwords? Does your institution prohibit use of generic accounts with privileged access to systems? Does your institution have an authentication system in place that applies higher levels of authentication to protect resources with higher levels of sensitivity? Does your institution have an authorization system that enforces time limits lockout on login failure and defaults to minimum privileges? Does your institution have standards for isolating sensitive data and procedures and technologies in place to protect it from unauthorized access and tampering? Does your institution have usage guidance established for mobile computing devices (regardless of ownership) that store, process, or transmit institutional data? Does your institution require encryption on mobile (i.e., laptops, tablets, etc.) computing devices? Does your institution have a telework policy that addresses multifactor access and security requirements for the end point used?
82
0
84
0
85
0
86
0
87
0
88
0
89
0
90
0
91
0
92
0
93
0
94
0
95
0
96
0
97
0
98
0
HEISC Information Security Benchmark Assessment Tool for Higher Education November 2012
B C D E F G
14
Questions
Not Performed = 0; Performed Informally = 1; Planned = 2; Well Defined = 3; Quantitatively Controlled = 4; Continuously Improving = 5; Item Score Not Applicable = Blank NOTE: 5 is the highest level of maturity Total Score for ISO 12->
Not Performed Not Performed
0
Category Score
Help
99
Information Systems Acquisition, Development, and Maintenance (ISO 12) 77 78 79 Does your institution have a process for validating the security of purchased software products and services? Are new information systems or enhancements to existing information systems validated against defined security requirements? Have standards been established that address secure coding practices (e.g., input validation, proper error handling, session management, etc.), and take into consideration common application security vulnerabilities (e.g., CSRF, XSS, code injection, etc.)? Are validation checks incorporated into applications to detect any corruption of information through processing errors or deliberate acts? Are processes in place to check whether message integrity is required? Incorrect output may occur, even in tested systems. Does your institution have validation checks to ensure data output is as expected? Do your policies indicate when encryption should be used (e.g., at rest, in transit, with sensitive or confidential data, etc.)? Are standards for key management documented and employed? Have you established procedures for maintaining source code during the development life cycle and while in production to reduce the risk of software corruption? Does your institution apply the same security standards for sensitive test data that you apply to sensitive production data? Does your institution restrict and monitor access to source code libraries to reduce the risk of corruption? Does your institution have a configuration-management process in place to ensure that changes to your critical systems are for valid business reasons and have received proper authorization? Are reviews and tests performed to ensure that changes made to production systems do not have an adverse impact on security or operations? Have you implemented tools and procedures to monitor for and prevent loss of sensitive data? Do your contract agreements include security requirements for outsourced software development? Does your institution have a patch management strategy in place and responsibilities assigned for monitoring and promptly responding to patch releases, security bulletins, and vulnerability reports? Information Security Incident Management (ISO 13) 93 94 Are incident-handling procedures in place to report and respond to security events throughout the incident life cycle, including the definition of roles and responsibilities? Are your incident response staff aware of legal or compliance requirements surrounding evidence collection?
Not Performed Not Performed
#NAME?
100
102
0
103
Not Performed
0
104
80 81 82 83 84 85 86 87 88 89 90 91 92
Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed
0
105
0
106
0
107
0
108
0
109
0
110
0
111
0
112
0
113
0
114
0
115
0
116
0
117
Total Score for ISO 13->
0
#NAME?
118
119
0
120
Business Continuity Management (ISO 14) 95 Does your institution have a documented business continuity plan for information technology that is based on a business impact analysis, is periodically tested, and has been reviewed and approved by senior staff or the board of trustees? Compliance (ISO 15) 96 97 98 99 100 101 102 103 Does your institution have a records management or data governance policy that addresses the life cycle of both paper and electronic records at your institution? Does your institution have an enforceable data protection policy that covers personally identifiable information (PII)? Does your institution have an Acceptable Use Policy that defines misuse? Does your institution provide guidance for the community on export control laws? Are standard operating procedures periodically evaluated for compliance with your organization's security policies, standards, and procedures? Does your institution perform periodic application and network layer vulnerability testing or penetration testing against critical information systems? Are you performing independent audits on information systems to identify strengths and weaknesses? Are audit tools properly separated from development and operational system environments to prevent any misuse or compromise?
Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed Not Performed
Total Score for ISO 14->
0
#NAME?
121
122
Total Score for ISO 15->
0
#NAME?
123
124
0
125
0
126
0
127
0
128
0
129
0
130
0
131
THE END -- overall average ------>
#NAME?
Assessment Tool Questions* Ma
Assessment Questions 1 2 3 4 5 6 ISO
4.1 4.2 5.1.1 5.1.1 A.5 Security Policy A.5.1 Information security policy A.5.1.1 Information security policy document A.5.1.2 Review of the information security policy A.6 Organization of information security A.6.1 Internal A.6.1.1 Management commitment to information security A.6.1.2 Information security coordination A.6.1.3 Allocation of information security responsibilities A.6.1.4 Authorization process for information processing facilities A.6.1.5 Confidentiality agreements A.6.1.6 Contact with authorities A.6.1.7 Contact with special interest groups A.6.1.8 Independent review of information security
7
5.1.2
8
6.1.1
9
6.1.2
10
6.1.3
11
6.1.4
12
6.1.5
13 14
6.1.6 6.1.7
15
6.1.8
A.6.2 External Parties 16 6.2.1 A.6.2.1 Identification of risks related to external parties A.6.2.2 Addressing security when dealing with customers A.6.2.3 Addressing security in third party agreements A.7 Asset Management A.7.1 Responsibility for assets A.7.1.1 Inventory of assets A.7.1.2 Ownership of assets A.7.1.3 Acceptable use of assets A.7.2 Information Classification A.7.2.1 Classification Guidelines A.7.2.2 Information labeling and handling A.8 Human Resources Security A.8.1 Prior to Employment A.8.1.1 Roles and Responsibilities A.8.1.2 Screening A.8.1.3 Terms and conditions of employment A.8.2 During employment A.8.2.1 Management responsibilities
17
6.2.2
18 19
7.1.1 7.2.1
20
8.2.1
21
8.2.2
A.8.2.2 Awareness, education, and training A.8.2.3 Disciplinary process A.8.3 Termination or change of employment A.8.3.1 Termination responsibilities A.8.3.2 Return of assets A.8.3.3 Removal of access rights A.9 Physical and environmental security A.9.1 Secure areas A.9.1.1 Physical security perimeter A.9.1.2 Physical entry controls A.9.1.3 Securing offices, rooms, facilities A.9.1.4 Protecting against external and environmental threats A.9.1.5 Working in secure areas A.9.1.6 Public access, delivery and loading areas A.9.2 Equipment security A.9.2.1 Equipment siting and protection A.9.2.2 Supporting utilities A.9.2.3 Cabling security A.9.2.4 Equipment maintenance
22 23
8.2.3 8.3.1
24
8.3.2 8.3.3
25
9.1.2
26
9.1.4
27
9.1.5
28
9.2.4
A.9.2.5 Security of equipment offpremises 29 9.2.6 A.9.2.6 Secure disposal or reuse of equipment A.9.2.7 Removal of property MP-5, PE-16 A.10 Communications and operations management A.10.1 Operational procedures and responsibilities 31 10.1.1 A.10.1.1 Documented operating procedures
30
9.2.7
32 33
10.1.2 10.1.3
A.10.1.2 Change management A.10.1.3 Segregation of duties A.10.1.4 Separation of development, test A.10.2 Third-party and operational service delivery facilities management A.10.2.1 Service delivery A.10.2.2 Monitoring and review of thirdparty services A.10.2.3 Managing changes to thirdparty services
34
10.1.4
35 36
10.2.1 10.2.2
40
10.3.1
A.10.3 System planning and A.10.3.1 Capacity acceptance management A.10.3.2 System acceptance A.10.4 Protection against malicious and mobile code
41
10.4.1
A.10.4.1 Controls against malicious code
43
10.5.1
A.10.4.2 Controls against mobile code A.10.5 Backup A.10.5.1 Information backup A.10.6 Network security management A.10.6.1 Network controls A.10.6.2 Security of network services A.10.7 Media handling A.10.7.1 Management of of A.10.7.2 Disposal removable media media A.10.7.3 Information handling procedures A.10.7.4 Security of system documentation
45
10.6.1
50
10.7.1 10.7.3
51
10.8.1
A.10.8 Exchange of information A.10.8.1 Information exchange policies and procedures A.10.8.2 Exchange agreements A.10.8.3 Physical media in transit A.10.8.4 Electronic messaging A.10.8.5 Business information systems A.10.9 Electronic commerce services A.10.9.1 Electronic commerce A.10.9.2 Online transactions A.10.9.3 Publicly available information A.10.10 Monitoring A.10.10.1 Audit logging
52
10.9.1 10.9.2
53
10.10.1
54
10.10.2
A.10.10.2 Monitoring system use A.10.10.3 Protection of log information
57 59 60
10.10.4 10.10.5 10.10.6
A.10.10.4 Administrator and A.10.10.5 Fault operator logs logging A.10.10.6 Clock synchronization A.11 Access Control A.11.1 Business requirement for A.11.1.1 Access access control control policy A.11.2 User access management A.11.2.1 User registration A.11.2.2 Privilege management A.11.2.3 User password management A.11.2.4 Review of user access A 11.3 User rights responsibilities A.11.3.1 Password use A.11.3.2 Unattended user equipment A.11.3.3 Clear desk and clear screen policy A.11.4 Network access control A.11.4.1 Policy on use of network services
61
11.1.1
62
11.2.1 11.2.2 11.2.3
63
64
11.2.4
65
11.4.2
A.11.4.2 User authentication for A.11.4.3 Equipment external connections identification in networks A.11.4.4 Remote diagnostic and configuration port protection
66
11.4.4
A.11.4.5 Segregation in networks 67 68 11.4.6 11.4.7 A.11.4.6 Network connection control A.11.4.7 Network routing control A 11.5 Operating system access control A.11.5.1 Secure logon procedures A.11.5.2 User identification and authentication A.11.5.3 Password management system A.11.5.4 Use of system utilities A.11.5.5 Session time-out A.11.5.6 Limitation of connection time A.11.6 Application and information A.11.6.1 Information control access restriction A.11.6.2 Sensitive system isolation A.11.7 Mobile computing and teleworking A.11.7.1 Mobile computing and A.11.7.2 Teleworking communications A.12 Information systems acquisition, development and maintenance 78 79 12.1 12.1.1 A.12.1 Security requirements of A.12.1.1 Security information systems requirements analysis and specification A.12.2 Correct processing in data A.12.2.1 Input applications validation A.12.2.2 Control of internal processing A.12.2.3 Message integrity
69 70
11.5.1 11.5.2
72 73
11.5.3 11.5.4
74
11.6.2
75 77
11.7.1 11.7.2
80 81 82
12.2.1 12.2.2 12.2.3
83
12.2.4
A.12.2.4 Output data validation A.12.3 Cryptographic controls A.12.3.1 Policy on the use of cryptographic controls A.12.3.2 Key management A.12.4 Security of system files A.12.4.1 Control of operational software A.12.4.2 Protection of system test data Multiple controls; protection of test data not addressed separately in SP 80053 (e.g., AC-3, AC-4) A.12.4.3 Access control to program source code A.12.5 Security in development and support processes A.12.5.1 Change control procedures A.12.5.2 Technical review ofRestrictions applications A.12.5.3 after operating on changes to system changes software packages A.12.5.4 Information leakage A.12.5.5 Outsourced software A.12.6 Technical development Vulnerability Management A.12.6.1 Control of technical vulnerabilities A.13 Information security incident management A.13.1 Reporting information security events and weaknesses
84
12.3.1
85
12.3.2
86 87
12.4.1 12.4.2
88
12.4.3
89
12.5.1
90
12.5.2
91 92
12.5.4 12.5.5
93
12.6.1
94
13.1.1 13.1.2
A.13.1.1 Reporting information security events A.13.1.2 Reporting security weaknesses A.13.2 Management of information security incidents and improvements A.13.2.1 Responsibilities and A.13.2.2 Learning procedures from information security incidents
95
13.2.3
A.13.2.3 Collection of evidence A.14 Business continuity management A.14.1 Information security aspects of business continuity management
96
14.1.1
A.14.1.1 Including information security A.14.1.2 Business in the business continuity and risk continuity assessment management process A.14.1.3 Developing and implementing continuity plans including information security A.14.1.4 Business continuity planning framework A.14.1.5 Testing, maintaining and reassessing business continuity plans A.15 Compliance A.15.1 Compliance with legal A.15.1.1 requirements Identification of applicable legislation A.15.1.2 Intellectual property rights (IPR) A.15.1.3 Protection of organizational records
97
15.1.3
98
15.1.4
A.15.1.4 Data protection and privacy of personal information A.15.1.5 Prevention of misuse of information processing facilities A.15.1.6 Regulation of cryptographic controls A.15.2 Compliance with security policies and standards, and technical compliance
99
15.1.5
100
15.1.6
101 102
15.2.1 15.2.2
A.15.2.1 Compliance with security policies A.15.2.2 Technical and standards compliance checking A.15.3 Information systems audit considerations
103
15.3.1
A.15.3.1 Information systems audit controls A.15.3.2 Protection of information systems audit tools
104
15.3.2
* Direct mappings are listed above. In some cases questions were formed that covered more than one **NIST to ISO mapping from http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pd
Assessment Tool Questions* Mapped to ISO and NIST**
NIST Controls
XX-1 controls
XX-1 controls
XX-1 controls, PM-2, PM-3, PM-9; SP 800-39,SP 800-37
CP-2, CP-4, IR-4, PL-1, PL-2, PM-2, SA-2;SP 800-39, SP 800-37
XX-1 controls, AC-5, AC-6, CM-9, PM-2; SP 800-39, SP 800-37
CA-1, CA-6, PM-10; SP 800-37
PL-4, PS-6, SA-9
Multiple controls with contact reference (e.g.,IR-6, SI-5), SP 800-39; SP 80037 AT-5, SI-5
CA-2, CA-7; SP 800-39, SP 800-37
CA-3, PM-9, RA-3, SA-1, SA-9, SC-7
AC-8 , AT-2, PL-4
AU-16, CA-2, CA-3, PS-7, SA-9
CM-8, CM-9, PM-5 CM-8, CM-9, PM-5 AC-20, PL-4
RA-2
AC-16, MP-2, MP-3, SC-16
XX-1 controls, AC-5, AC-6, AC-8, AC-20, AT-2, AT-3, CM-9, PL-4, PS-2, PS-6, PS-7, SA-9 PS-3 AC-20, PL-4, PS-6, PS-7
PL-4, PM-13, PM-15, PS-6, PS-7, SA-9
AT-2, AT-3, IR-2
PS-8
PS-4, PS-5 PS-4, PS-5 AC-2, PS-4, PS-5
PE-3 PE-3, PE-5, PE-6 PE-3, PE-4, PE-5
CP Family; PE-1, PE-9, PE-10, PE-11, PE-13,PE-15
AT-2, AT-3 , PL-4, PS-6, PE-2, PE-3, PE-4, PE-6, PE-8 PE-3 , PE-16
PE-1, PE-18
PE-1, PE-9, PE-11, PE-12, PE-14 PE-4, PE-9 MA Family
MP-5, PE-17
MP-6
MP-5 , PE-16
XX-1 controls, CM-9
CM-1, CM-3, CM-4, CM-5, CM-9 AC-5
CM-2
SA-9 SA-9
RA-3, SA-9, SA-10
AU-4, AU-5, CP-2, SA-2, SC-5 CA-2, CA-6, CM-3, CM-4, CM-9, SA-11, SA-15, SA-17
AC-19, AT-2, PE-20, SA-8, SC-2, SC-3, SC-7,SC-14, SC-38, SI-3, SI-7
SA-8, SC-2, SC-3, SC-7, SC-14, SC-8, SC-18
CP-9
AC-4, AC-17, AC-18, AC-20, CA-3, CP-8, PE-5,SC-7, SC-8, SC-9, SC-10, SC19, SC-20, SC-21, SC-22, SC-23 CA-3, SA-9, SC-8, SC-9
PE-16, MP Family MP-6 SI-12, MP Family
MP-4, SA-5
AC-1, AC-3, AC-4, AC-17, AC-18, AC-20, CA-3, PL-4, PS-6, SC-7, SC-16, SI-9
CA-3, SA-9 MP-5 Multiple controls; electronic messaging not addressed separately in SP 80053 CA-1, CA-3
AU-10, IA-8, SC-7, SC-8, SC-9, SC-3, SC-14 SC-3, SC-7, SC-8, SC-9, SC-14 SC-14
AU-1, AU-2, AU-3, AU-4, AU-5, AU-8, AU-11, AU-12
AU-1, AU-6, AU-7, PE-6, PE-8, SC-7, SI-4
AU-9
AU-2, AU-12 AU-2, AU-12, SI-2 AU-8
AC-1, AC-5, AC-6, AC-17, AC-18, AC-19, CM-5, MP-1, SI-9
AC-1, AC-2, AC-21, IA-5, PE-1, PE-2 AC-1, AC-2, AC-6, AC-21, PE-1, PE-2, SI-9 IA-5
AC-2, PE-2
IA-2, IA-5 AC-11, IA-2, PE-3, PE-5, PE-18, SC-10
AC-11, MP-4
AC-1, AC-5, AC-6, AC-17, AC-18, AC-20
AC-17, AC-18, AC-20, CA-3, IA-2, IA-8 AC-19, IA-3
AC-3, AC-6, AC-17, AC-18, PE-3, MA-3, MA-4
AC-3, AC-6, AC-17, AC-18, SC-7 AC-4, AC-17, AC-18
AC-7, AC-8, AC-9, AC-10, IA-2, IA-6, IA-8, SC-10 IA-2, IA-4, IA-5, IA-8
IA-2, IA-5 AC-3, AC-6 AC-11, SC-10 AC-2 AC-3, AC-6, AC-14, CM-5
SC-7; SP 800-39
AC-1, AC-17, AC-18, AC-19, PL-4, PS-6 AC-1, AC-4, AC-17, AC-18, PE-17, PL-4, PS-6
PL-7, PL-8, SA-1, SA-3, SA-4
SI-10 SI-7, SI-9, SI-10 AU-10, SC-8, SC-23, SI-7
SI-7
Multiple controls address cryptography (e.g., IA-7, SC-8, SC-9, SC-12, SC13)
SC-12, SC-17
CM-1, CM-2, CM-3, CM-4, CM-5, CM-9, CM-10, CM-11, PL-4
AC-3, AC-6, CM-5, CM-9, MA-5, SA-10
CM-1, CM-3, CM-9, SA-10 CM-3, CM-4, CM-9, SI-2 CM-3, CM-4, CM-5, CM-9
AC-4, IR-9, PE-19 CM-10, CM-11, SA-1, SA-4, SA-8, SA-9, SA-11, SA-12, SA-15, SA-17
RA-3, RA-5, SI-2, SI-5
AU-6, IR-1, IR-6, SI-4, SI-5
PL-4, SI-2, SI-4, SI-5
IR-1 IR-4
AU-7, AU-9, IR-4
CP-1, CP-2, CP-4 CP-2, PM-9, RA Family
CP Family
CP-2, CP-4
CP-2, CP-4
XX-1 controls, IA-7
CM-10 AU-9, AU-11, CP-9, MP-1, MP-4, SA-5, SI-12
Appendix J; SI-12
AC-8, AU-6, CM-11, PL-4, PS-6, PS-8
IA-7, SC-13
XX-1 controls, AC-2, CA-2, CA-7, IA-7, PE-8, SI-12 CA-2, CA-7, RA-5
AU-1, AU-2
AU-9
cases questions were formed that covered more than one ISO area making one-to-one mapping difficult. ov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
nd NIST**
NIST Family
AC: Access Control AT: Awareness and Training AU: Audit and Accountability
CA: Security Assessment and Authorization
CM: Configuration Management CP: Contingency Planning IA: Identificaton and Authentication
IR: Incident Response
MP: Media Protection
PE: Physical and Environmental Protection
PL: Planning
PS: Personnel Security RA: Risk Assessment
SA: System and Services Acquisition
SC: System and Communications Protection SI: System and Information Integrity
PM: Program Management
ne-to-one mapping difficult.
Description Not Performed Performed Informally Planned Well Defined Quantitatively Controlled Continuously Improving Not Applicable
Value 0 1 2 3 4 5 Blank
