
Annex 2

Preliminary IS Security Analysis

yes partly no

1. Does the management of the organisation know the IS Security Rules? ☐ ☐ ☐

2. Is IS security an integral part of the organisation's security policy? ☐ ☐ ☐

3. Are the security measures regarding data confidentiality, integrity and availability formulated in writing and implemented? (rules, directives) ☐ ☐ ☐

4. Was the state of IS security in the organisation tested last year? (audit, risk identification, IS security analysis) ☐ ☐ ☐

5. Are the employees obliged to comply with the IS rules and directives? ☐ ☐ ☐

6. Are the employees (including newly recruited ones) trained regularly in IS security measures, and do they observe them? (data security, password use, etc.) ☐ ☐ ☐

7. Is there written documentation for each application specifying which access rights employees have within their respective functions? ☐ ☐ ☐

8. Is the withdrawal of all input, manipulation and access authorisations, and the return of tools, ensured for employees leaving the organisation? ☐ ☐ ☐

9. Is the password standard laid down in writing, and has it been discussed with employees? ☐ ☐ ☐

10. Are the IS users familiar with proper password handling? ☐ ☐ ☐

11. Does the system, manually or automatically, require all employees to change their passwords regularly? ☐ ☐ ☐

12. Is there up-to-date documentation of the input and access authorisations granted? ☐ ☐ ☐

13. Are stored passwords protected against unauthorised access? ☐ ☐ ☐

14. Has it been ensured that a password is required to enter any of the systems and/or important applications? (registration/login) ☐ ☐ ☐

15. Does every user have their own password? ☐ ☐ ☐

16. Is the account blocked after a wrong password has been entered three times? ☐ ☐ ☐

17. Are all unauthorised login attempts and attempts to exceed authorisation recorded and reviewed? (this should be regulated by an internal directive) ☐ ☐ ☐

18. Have fire protection measures been considered in the planning and implementation of the internal network? (separated cabling, fire alarms) ☐ ☐ ☐

19. Have fire extinguishers been installed, properly labelled, easily accessible and maintained? (fire-protective ceilings, fire extinguishers) ☐ ☐ ☐

20. Is the server room properly protected against fire? ☐ ☐ ☐

21. Have organisational measures been adopted for the server room in case of fire? ☐ ☐ ☐

22. Has an uninterruptible power supply been installed for the central IS components? ☐ ☐ ☐

23. Is there a written and enforced ban on using hardware or communication devices not supplied by the organisation? (e.g. modems, laptops, etc.) ☐ ☐ ☐

24. Is there a written and enforced ban on using software not supplied by the organisation? (private software programmes) ☐ ☐ ☐

25. When procuring new hardware or software, is its compatibility with the systems already in use tested? ☐ ☐ ☐

26. Have agreements been made with suppliers for important system components? (spare parts, maintenance, elimination of breakdowns or damage) ☐ ☐ ☐

27. Is there a data backup concept in place (backup method, frequency, timing, procedure, accountability)? ☐ ☐ ☐

28. Are the employees obliged to protect data? ☐ ☐ ☐

29. Are the data and the software in use backed up regularly? ☐ ☐ ☐

30. Is there relevant documentation for data backup in place? (data backup plan) ☐ ☐ ☐

31. Has it been tested whether data can actually be restored from the existing backup copies? ☐ ☐ ☐

32. Are the backup media stored in an adequate place outside the server room? ☐ ☐ ☐

33. Is the data safe protected against fire and theft? ☐ ☐ ☐

34. Have a virus-protection concept and a strategy for combating viruses been set? ☐ ☐ ☐

35. Do the servers have up-to-date anti-virus software? ☐ ☐ ☐

36. Do all types of computers (PCs, Macs, laptops) have up-to-date anti-virus software? ☐ ☐ ☐

37. Is the anti-virus software updated regularly (including protection against macro viruses)? ☐ ☐ ☐

38. Have safety rules been set for using the Internet at work? ☐ ☐ ☐

39. Is Internet access secured by anti-virus software or a firewall? ☐ ☐ ☐

40. Has an emergency procedure been drafted for the case of an IT breakdown (alarm plan, emergency measures and the relevant information requirements, together with the persons accountable)? ☐ ☐ ☐

41. Is there a recovery / renewal / reconstruction plan in place (location and installation of hardware, software installation, data preparation)? ☐ ☐ ☐

42. Are the procedure and measures to follow in the event of a computer virus attack formulated in writing? ☐ ☐ ☐

43. Has an adequate insurance policy for the IT system been taken out? (fire, natural disaster, theft, data carriers, operational breakdowns) ☐ ☐ ☐

This checklist is not a substitute for a comprehensive IS Security Analysis; it may, however, serve as initial information to become familiar with an auditee and to estimate whether a comprehensive IS Security Analysis is needed.
