
Section | Key Objectives/Control Questions | Results

High-Level Directions

Documents Requested:
• Information security policy
• Key information security job descriptions

Verification Test Details (Full Results in Work Program):
• Review the information security policy and supporting policies on the intranet website.
• Sample 30 contractors that are no longer active at (Company). Verify that the selected accounts have been disabled in the active directory.

Management Commitment
• Verify that a high-level information security plan/strategy exists and is formally documented.
  − Has management documented its responsibility for the internal controls and security of the enterprise?
  − Has management performed a formal risk assessment (risks vs. controls)?
  − Does the security strategy incorporate corporate governance/regulatory compliance?
  − Does the strategy include monitoring and metrics pertaining to the security posture of the organization?
  − Is information security a critical business issue?
  − Does it demonstrate to third parties that information security is dealt with professionally?
  − Determine if sufficient resources have been allocated to information security.
• Are all policies annually reviewed and formally approved by upper management?

Results
  Test:
  Reviewed the Following:
  Results:
  Preliminary Issues Noted:

Security Policy
• Verify that a formal information security policy has been documented and contains the following:
  − Does the policy apply to the entire organization?
  − Who is responsible for maintaining the policy with updates? Is this person/group appropriate?
  − Does the policy define responsibilities and principles related to information security to be followed by staff?
• Does the information security policy contain statements that address the following:
  − Risk Assessment
    ◦ List of critical repositories (systems and paper)
    ◦ Risk ratings for each repository (Confidentiality, Integrity and Availability)
    ◦ Owners of critical repositories
    ◦ Mapping of each critical repository to its criticality to the enterprise (e.g., aggregate risk rating)
  − Information Security Awareness
    ◦ Initial Training: New employees
    ◦ Periodic Training: Existing employees
    ◦ Do materials contain topics relevant to information security (e.g., social engineering)?
  − Provisions for software license compliance and for compliance with legal, regulatory and contractual obligations
  − A data classification policy
  − Any breaches of the security policy must be reported to management (e.g., incident response).
• Does the information security policy contain the following high-level components:
  − Acceptable Use:
    ◦ Prohibits the use of enterprise information and systems without authorization or for purposes that are not work related
    ◦ Prohibits downloading of illegal material
    ◦ Prohibits movement of information or equipment off-site without authorization
    ◦ Prohibits unauthorized copying of information/software
  − Harassment:
    ◦ Making sexual, racist or other statements that may be offensive (e.g., harassment policy) through email
  − Confidentiality:
    ◦ Using personally identifiable information for business purposes
    ◦ Discussing business matters in public places
    ◦ Tampering with evidence in the case of an incident
    ◦ “Clean desk” policy
    ◦ Leaving workstation/terminal security provisions unattended
  − Are the above policies communicated to all staff?
  − Are users required to sign or accept (through the website)?
  − Does the information security policy (and all other policies separate from the ISP) state any disciplinary actions to be taken against individuals who violate its provisions?

Source: www.knowledgeleader.com

Staff Agreements
• Verify that information security responsibilities for all employees are specified in job descriptions and that terms and conditions of employment contain the following:
  − Terms of employment state that information security responsibilities extend outside normal working hours and premises and continue after employment has ended.
  − The employee’s legal responsibilities and rights (e.g., regarding copyright laws and/or data protection)
  − A nondisclosure/confidentiality clause
  − If the above is formally documented
  − How long the documents are retained
• Confirm that a policy/procedure exists that outlines a process for adding/removing/changing access to network resources.
  − Is there a documented process map/flow?
  − Is there a formal process for adding users to the active directory and other sensitive systems/applications?
  − Does a process exist for user maintenance (e.g., when a user moves departments)?
  − Does a formal process exist for terminating accounts, and is it executed in a timely manner?
  − Are accounts periodically reviewed?
• Confirm that applicants for employment are adequately screened prior to their start date.
  − Are references taken/checked?
  − Are the following checks performed:
    ◦ Credit History
    ◦ Criminal
    ◦ Educational
    ◦ Previous employment
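The verification test in the High-Level Directions (sample 30 inactive contractors and confirm their accounts are disabled) and the account-termination questions above can be answered from an Active Directory export without touching the directory interactively. The script below is an added example, not part of the work program: it assumes a CSV export containing the sAMAccountName and userAccountControl attributes (such as one produced with Get-ADUser and Export-Csv) and a constructed HR list of terminated contractors, then classifies each sampled account using the ACCOUNTDISABLE bit (0x0002) of userAccountControl. The account names and values are constructed for the example.

```python
import csv
import io

# userAccountControl bit 0x0002 (ACCOUNTDISABLE) marks a disabled account in Active Directory.
ACCOUNTDISABLE = 0x0002

# Constructed sample of an Active Directory user export (e.g. Get-ADUser ... | Export-Csv).
# 512 = normal, enabled account; 514 = 512 + ACCOUNTDISABLE;
# 66050 = 65536 (password never expires) + 512 + 2 (disabled).
AD_EXPORT_CSV = """sAMAccountName,userAccountControl,description
c.jones,514,Contractor - Vendor A
r.patel,512,Contractor - Vendor B
m.smith,66050,Contractor - Vendor A
a.lee,512,Employee
"""

# Constructed sample of the HR list of contractors no longer active at the company.
TERMINATED_CONTRACTORS = ["c.jones", "r.patel", "m.smith", "t.nguyen"]


def load_ad_export(csv_text):
    """Map each account name (lower-cased) to its userAccountControl value."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["sAMAccountName"].lower(): int(row["userAccountControl"]) for row in reader}


def is_disabled(uac):
    """True if the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(uac & ACCOUNTDISABLE)


def check_terminated_accounts(terminated, ad_accounts):
    """Classify each terminated contractor as 'disabled', 'ENABLED' (an exception) or
    'not found' (no account by that name in the export; reconcile against HR naming
    before treating it as deleted)."""
    results = {}
    for name in terminated:
        uac = ad_accounts.get(name.lower())
        if uac is None:
            results[name] = "not found"
        elif is_disabled(uac):
            results[name] = "disabled"
        else:
            results[name] = "ENABLED"
    return results


def exceptions(results):
    """Accounts that should have been disabled but are still enabled."""
    return sorted(name for name, state in results.items() if state == "ENABLED")


def run_check():
    """Run the sample against the constructed export and HR list."""
    return check_terminated_accounts(TERMINATED_CONTRACTORS, load_ad_export(AD_EXPORT_CSV))


if __name__ == "__main__":
    results = run_check()
    for name, state in results.items():
        print(f"{name:12} {state}")
    print("Exceptions:", exceptions(results))
```

Testing the bit rather than the export's "Enabled" column avoids a common false pass: an account whose password has expired or that is locked out still has userAccountControl 512 and is still enabled. Entries reported as "not found" should be reconciled against HR records, since a naming mismatch between the HR list and sAMAccountName looks the same as a deleted account.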

SM2: Security Organization

Documents Requested:
• Information security policy
• Key information security job descriptions

Verification Test Details (Full Results in Work Program), with SM Ref:
• SM2.1: Review “architecture review board” meeting minutes.
• SM2.4: Sample 20 global employees and 15 contractors. Verify that the “acceptable use” and “IT security awareness” training modules in Software X have been completed.
• SM2.4: Compare the information security policy and supporting policies to the corresponding Software X training modules and identify differences.

High-Level Control
• Is there a top-level executive (or equivalent) with overall responsibility for information security?
• Has a committee or high-level working group been created to coordinate information security across the entire organization?
  − Does the group meet three or more times a year?
  − Are meeting minutes taken and documented?
  − Do group members comprise someone from:
    ◦ Top management
    ◦ Business owners
    ◦ Representatives across different departments
    ◦ Head of IT
• What are the responsibilities assigned to the high-level information security working group? Roles should include:
  − Considering information security interests throughout the organization
  − Ensuring that information security interests are addressed in a consistent, coherent manner
  − Approving information security policies and standards/procedures
  − Monitoring information security performance and the enterprise’s exposure to information security threats
  − Approving and prioritizing information security improvement activity
  − Ensuring that information security is addressed in the enterprise’s information planning process
  − Coordinating the implementation of information security controls in new systems and services
  − Emphasizing the importance of information security to the enterprise

Information Security Function
• Does a dedicated, full-time information security function exist?
• Do roles include the following:
  − Develop information security standards/procedures and guidelines.
  − Provide expert advice on all aspects of information security.
  − Investigate any major information security incidents.
  − Run one or more awareness programs and develop security skills for staff enterprisewide.
  − Evaluate the security implications of specialized areas.
  − Monitor the effectiveness of information security.
  − Support audits/reviews.
  − Monitor new threats/vulnerabilities and emerging technologies/compliance regulations.
  − Maintain relevant certifications.

Local Security Coordination
• Determine if there are local information security coordinators appointed to each business unit/geographical location. Local information security coordinators should have:
  − A clear understanding of their information security role
  − Sufficient time, skill, tools and authority to carry out their role
  − Access to in-house and external expertise in information security
  − Documented standards/procedures to support day-to-day functions

Security Awareness
• Has training been put into place for:
  − New Employees (Initial Training)
  − Existing Employees (Periodic Training)
  − Is the training specific to area/discipline (e.g., system administrator)?
  − What form is the training in (e.g., CBT, internal class, external class)?
• Verify that activities are in place throughout the organization to promote security awareness to all staff and employees. The security awareness program should include the following:
  − Is information security awareness:
    ◦ Endorsed by top-level management
    ◦ Supported by a documented set of objectives
    ◦ Kept up to date with current practices and requirements
    ◦ Based on risk assessment results
    ◦ Aimed at reducing the frequency and magnitude of incidents
    ◦ Mandatory for all employees, especially those dealing with electronic or sensitive data
• Determine that the security awareness program has measurable goals and that those goals are actively monitored for receptiveness and effectiveness:
  − Is it possible to monitor the level of awareness from staff, and is it reviewed periodically?
  − Is there monitoring of the frequency and magnitude of incidents, and has the trend been on a decline since the institution of the security awareness program?
• Verify that an education/training program is available to all employees to provide them with the necessary security skills. Education should be carried out to provide:
  − Systems development staff with the skills they need to design systems in a disciplined manner and develop security controls
  − IT staff with the skills they need to run computer installations and networks correctly and apply security controls
  − Business users with the skills they need to use systems correctly and apply security controls
  − Information security specialists with the skills they need to understand the business, run security projects, communicate effectively and perform specialist security activities

Security Requirements

Documents Requested:
• Security classification scheme
• Inventory (or equivalent) of critical information and systems
• Responsibilities of information owners
• Procedures/standards supporting information risk analysis activities

Verification Test Details (Full Results in Work Program):
• Obtain and review the inventory list(s) of applications, and confirm that the business owner, a brief description and the unique identifier are documented. Identify applications that are not present on the inventory list.
• Sample two recent global application risk reviews (also called surveys and risk assessments). Verify that the reviews identify critical data and are signed off by the application owners.

Security Classification
• Has a security classification scheme been defined?
  − Does the classification scheme take into consideration the possible business impact of a loss of confidentiality, integrity or availability?
  − Does the scheme cover all potential areas of risk (paper, electronic, hardware, etc.)?
  − Can critical information and systems be distinguished from other information and systems?
• Confirm that an inventory of critical systems and information is kept. How is this information/documentation managed and maintained?
• Verify that all data classifications are signed off on by the business owner of that data and that security classifications are reviewed periodically for accuracy.
• Confirm that brief descriptions accompany each recorded security classification. Each should also be accompanied by a unique identifier.

Ownership
• Determine if each critical system or information asset is assigned a business owner.
  − How is the list maintained?
  − Is there a process to provide owners with the necessary skills, tools and staff to complete their responsibility?
  − Is each data owner required to sign off on his/her data?
• Are responsibilities for each owner documented? Some examples include:
  − Determining business (including information security) requirements
  − Ensuring that information and systems are protected in line with their importance to the enterprise
  − Determining which users are authorized to access particular information and systems
  − Signing off access privileges for each user or set of users
  − Defining information interchange agreements or similar, and developing service-level agreements
  − Signing off specifications for business requirements (including security requirements)
  − Authorizing new or significantly changed systems
  − Ensuring that users are aware of their security responsibilities and can fulfill them
  − Being involved with security audits/reviews
• Verify that there is a process to assign all new types of data to owners and that the owners are aware of their responsibilities to keep that data secure.
  − Is this document published to the entire organization?
• Is there a process in place to reassign data or system owners in the event an existing owner is unavailable, reassigned or terminated from the company?

Information Risk Analysis
• Determine if a structured risk analysis of applications, computer installations, networks and systems under development is regularly performed.
  − Have risks been identified?
  − Have associated controls been noted to minimize identified risks?
  − Have the business and other key users been included as part of the risk analysis?
  − Have the results of the risk analysis been documented?

Secure Environment

Documents Requested:
• Information security architecture (software settings, hardware, administration and other control procedures)
• Procedures/standards for dealing with information privacy
• Privacy assessment materials

Verification Test Details (Full Results in Work Program):
• Perform a simple port scan of three subnets, including an office environment, manufacturing facility and a regional outsourced data center.
  − Verify whether filtering between data centers and geographic regions is enforced by connecting to a sample of 50 common service ports on various operating systems and applications from conference room DF 6-5SME.
  − Perform a limited vulnerability assessment on the three selected subnets for critical misconfigurations and other “low hanging fruits.”
• Verify whether egress filtering is limited by establishing a series of connections to a test server on the public internet across a sample of common application, Trojan and virus ports.

Security Architecture
• Confirm that a documented information security architecture plan exists for the organization.
  − Is this plan documented and published to the entire organization?
  − Is this document used during new installations of systems/network devices?
  − Are the plans approved by business/IT owners and security managers?
• Have the following security architecture components been defined and implemented:
  − Configuration Management
    ◦ Baseline configuration standards (servers, networking equipment, applications)
    ◦ Hardening guidelines
  − Network Diagrams
    ◦ Are comprehensive diagrams in place?
    ◦ Is appropriate segregation of duties in place both internally and externally?
    ◦ Is the topology flat, or are servers on a different subnet from workstations?
• Have standard hardware/software solutions been selected across the organization (servers, networking equipment, etc.)?
• Examine the posture of the technical controls in place to regulate the authentication of users signing in to the network and sensitive applications.
  − Are the rules and controls consistent for all users throughout the organization?
  − Is an SSO/IDM (single sign-on) solution utilized for all systems/apps?
  − Are access privileges role-based?
  − How are provisioning and de-provisioning handled?
  − Are administrators required to adhere to stronger authentication methods than normal users?
  − Authentication:
    ◦ Is a single database maintained for authentication?
    ◦ Is it an industry-approved solution?
    ◦ Does this include applications?

Information Privacy
• Is there an information privacy officer or committee whose purpose is to address information privacy issues?
  − Is there currently a privacy strategy in place within the organization?
  − Is the committee aware of all personally identifiable information held on individuals?
  − Does the committee know how and when personally identifiable information is used?
• Confirm that procedures and policies exist to deal with information privacy.
  − Do the policies cover acceptable use of personally identifiable information?
  − Do the policies state what the legal and regulatory requirements are for privacy for the specific organization?
  − Are there procedures that lay out the structure of any privacy awareness campaigns or programs?
• Verify that the individuals about whom the personally identifiable information is held are aware of the types of data that the organization has on file for them.
  − Are employee approvals sought before the information is collected, stored, processed or disclosed?
  − Are they informed on how the information will be used and stored?
• Verify that a privacy assessment is performed regularly in order to determine the level of compliance with regulatory requirements (HIPAA, FDA, FISMA).

Asset Management
• There should be documented standards/procedures for asset management, which should cover:
  − Acquisition of software/hardware
  − Software licensing
  − Recording of assets in an inventory (or equivalent)
  − Archiving of information (HIPAA, FDA, FISMA)

Malicious Cells

Documents Requested:
• Procedures/standards supporting:
  − Protection against viruses
  − Intrusion detection activities
  − Incidents that may require forensic investigation
• Escalation process to address situations involving suspected or actual malicious code
• Escalation process for reporting serious attacks (emergency response process)
• Patch management framework/strategy

Verification Test Details (Full Results in Work Program):
• Review the output from the anti-virus audit report tool for the global (Company) environment (10.x.x.x). Identify devices out of compliance.
• Perform a basic port scan of three subnets, including an office environment, manufacturing facility and a regional outsourced data center.
  − Perform a basic vulnerability scan on the three selected subnets for the presence of three critical Microsoft Windows patches (MS04-011, MS05-039, MS06-040). Exploit and utilize weaknesses if found.
  − Test the third-party vendor’s response to suspected malicious internal traffic (as a result of the above tests).
• Review the noncompliance report generated for the MS04-011, MS05-039 and MS06-040 patches.

Virus Protection
• Are there documented procedures addressing the protection of information systems from computer viruses?
  − Is an industry-approved anti-virus solution in use?
  − Are anti-virus solutions deployed on all applicable systems (such as email servers, file servers and workstations)?
    ◦ If there are exceptions, are they formally documented?
  − How often are systems scanned (e.g., daily, weekly, real time, etc.)?
    ◦ If real-time scanning is done, are there still periodic scans being performed?
  − How frequently are virus definitions and signatures updated?
  − How are critical virus notifications obtained and communicated to users?
  − Are anti-virus packages included in system images or part of build process documentation?
  − Are anti-virus installations configured securely (to prevent scans from being canceled or software from being turned off)?
  − Are viruses covered in incident response procedures?
• Review policies and procedures to identify action steps in the event of a real virus outbreak.
  − Are there points of contact for each business unit to notify them of the situation?
  − Are there email templates pre-written to explain to employees the breadth of the problem?
  − Are these procedures effectively communicated to all parties involved?

Malicious Code Protection
• Verify that the company has a policy and strategy in place to combat the introduction of malicious code from outside the organization.
  − Does the company actively warn users about the dangers of downloading untrusted material from the web?
  − Are group policies in place that restrict users from running scripts in their web browsers?
  − Are there processes to properly test all new tools and applications in a development environment prior to their release into production?
  − Are there procedures for reporting suspected code?

Intrusion Detection
• Confirm that an intrusion detection system is in place to protect the systems and data that the organization deems critical. The IDS infrastructure should at a minimum report on the following events:
  − Unauthorized access (actual or attempted) to systems or data
  − Rogue processes or applications
  − Unexpected termination of a service or application
  − Malicious code signatures introduced to the organization’s environment
• Is the IDS placed in an appropriate location?
  − Are sensors located on the internal, DMZ and external segments?
• Review and discuss documented policies and procedures surrounding the intrusion detection process.
  − Are there methods of reporting and escalating serious and successful attacks?
    ◦ Is this documented in the incident response plan?
  − Are handlers trained to forensically piece together the point, time and type of the attack and to quantify its extent?

Emergency Response
• Determine if procedures are available that document an action plan in the event of a serious attack. The policies should cover:
  − A definition of an emergency
  − Roles and responsibilities for the response team
  − Clear and precise action steps
  − Contact details for all key personnel
  − Processes to recover after an event has occurred (system restoration, review of system controls, etc.)
  − Methods of dealing with third parties, such as the media
  − Methods for contacting law enforcement
• Inspect reports of previous tests of the emergency response plan and evaluate:
  − Adequacy of the test in terms of coverage with regard to previously identified critical business processes
  − Involvement of stakeholders from the impacted areas
  − Ability to meet service-level targets
  − Documentation and resolution of noted issues
  − Modifications to the business continuity process and plan based on the test results

Forensic Investigations
• Discuss any procedures in place that pertain to dealing with incidents that require forensic investigation. The procedures should cover topics such as:
  − Immediate preservation of evidence with as little tampering as possible
  − Data recovery methods
  − Maintenance of a log of evidence collection and investigation procedures
  − Chain of custody document
  − Reporting to senior management and law enforcement if applicable
• Has a forensic procedure been put into place? The following steps should be detailed:
  − Establish and document a chronological sequence of events.
  − Log investigative actions.
  − Demonstrate that appropriate evidence has been collected and preserved and that no one could have tampered with it.
  − Secure target computer equipment.
  − Analyze evidence in a controlled environment (e.g., using a copy or ‘image’ of the computer).
  − Use separate media to avoid corruption of the original.
  − Have evidence reviewed by an impartial independent expert to ensure that it meets legal requirements.
  − Ensure that processes used to create and preserve evidence can be repeated by an independent third party.
  − Limit information about an investigation to a few nominated individuals and ensure that it is kept confidential.

Patch Management
• Verify that a process has been defined for the testing and installation of system patches and updates.
  − Is all patch testing performed in accordance with the corporate policy?
  − How often are patches pushed to critical servers and workstations?
  − Do operations personnel receive key security advisories, including information on new vulnerabilities and patches, from industry-recognized security groups and vendors (e.g., Microsoft, CERT, CIAC, Cisco)?
  − Are the roles and responsibilities of the patch management process defined?
  − Is there a process in place to identify non-Microsoft and application-specific patches?
• Confirm that a log of rolled-out patches is kept by IT personnel. The log should contain information such as the date, vendor and type of patch.
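The patch log described above (date, vendor and type per rolled-out patch) is also the evidence base for the Malicious Cells verification test that reviews the noncompliance report for MS04-011, MS05-039 and MS06-040. The script below is an added example, not part of the work program: it assumes the log is available as a CSV with the columns shown, joins it against a constructed host inventory for the scanned subnets, and reports which inventoried hosts lack any of the three bulletins. The hosts, dates and the non-Microsoft "ExampleVendor" entry are constructed for the example; the bulletin IDs are the ones named in the work program.

```python
import csv
import io
from datetime import date

# The three Microsoft bulletins named in the work program's verification tests.
REQUIRED_PATCHES = {"MS04-011", "MS05-039", "MS06-040"}

# Constructed sample patch rollout log: one row per patch installed on a host, recording the
# date, vendor and type of patch that the work program asks the log to contain.
PATCH_LOG_CSV = """date,host,vendor,patch,type
2006-08-12,fs01,Microsoft,MS04-011,security
2006-08-12,fs01,Microsoft,MS05-039,security
2006-08-15,fs01,Microsoft,MS06-040,security
2006-08-12,ws-104,Microsoft,MS04-011,security
2006-08-20,ws-104,Microsoft,MS06-040,security
2006-07-01,db02,Microsoft,MS04-011,security
2006-09-02,db02,ExampleVendor,APP-2006-07,application
"""

# Constructed sample inventory of hosts in the three scanned subnets. A host present in the
# inventory but absent from the log (mfg-hmi-3) is reported as missing every required patch.
INVENTORY = ["fs01", "ws-104", "db02", "mfg-hmi-3"]


def parse_patch_log(csv_text):
    """Return {host: {patch_id: (install_date, vendor, type)}} from the rollout log."""
    installed = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = (date.fromisoformat(row["date"]), row["vendor"], row["type"])
        installed.setdefault(row["host"], {})[row["patch"]] = entry
    return installed


def noncompliance_report(inventory, installed, required):
    """For each inventoried host, the sorted list of required patches absent from the log.
    Hosts with nothing missing are omitted, so an empty dict means full compliance."""
    report = {}
    for host in inventory:
        missing = sorted(required - set(installed.get(host, {})))
        if missing:
            report[host] = missing
    return report


def days_to_patch(installed, host, patch, release_iso):
    """Days between a patch's release date (ISO string) and its logged install date on a host,
    or None if the patch was never logged for that host. Answers the 'how often are patches
    pushed' question with a measurable lag per host."""
    entry = installed.get(host, {}).get(patch)
    if entry is None:
        return None
    return (entry[0] - date.fromisoformat(release_iso)).days


def non_microsoft_patches(installed):
    """Patch IDs in the log from vendors other than Microsoft, for the question on
    identifying non-Microsoft and application-specific patches."""
    return sorted({patch for host in installed.values()
                   for patch, (_, vendor, _) in host.items() if vendor != "Microsoft"})


if __name__ == "__main__":
    log = parse_patch_log(PATCH_LOG_CSV)
    for host, missing in noncompliance_report(INVENTORY, log, REQUIRED_PATCHES).items():
        print(f"{host}: missing {', '.join(missing)}")
    print("Non-Microsoft patches logged:", non_microsoft_patches(log))
```

Driving the report from the inventory rather than from the log is the important design choice: a log can only show hosts that were patched at least once, so a host that was never touched (here mfg-hmi-3) would be invisible if the log alone were reviewed. Results from this comparison should be reconciled against the vulnerability scan, since a logged rollout does not prove the patch is still installed.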

Special Topics

Documents Requested:
• Procedures/standards supporting:
  − Provision and use of email
  − Provisioning third-party access
  − Electronic commerce initiatives
  − Instant messaging services
• Mail server configurations
• Inventory of key third-party access connections
• Sample outsourcing contracts
• Escalation process for reporting outsourcing provider security issues

Verification Test Details (Full Results in Work Program):
• Attempt to authenticate to the wireless network without a valid PKI certificate.
• Test email content filtering through a series of tests.
• Send inappropriate email to/from a valid Lotus Notes account.
• Send malicious attachments to/from a valid Lotus Notes account.
• Log into and use Yahoo Mail, Hotmail and other third-party websites to send emails to a Lotus Notes account.
• Connect to AOL Instant Messenger and MSN Messenger to verify whether ports are blocked.
• Pull the firewall logs for outbound traffic on common instant messaging TCP/UDP ports.

Public Key Infrastructure
• For an enterprise that makes use of a public key infrastructure (PKI), documented standards/procedures should be established, which define:
  − The process required to manage cryptographic keys/digital certificates within the PKI
  − Methods required to operate the PKI
  − Actions to be taken in the event of a compromise or suspected compromise of the PKI
• Are users aware of their responsibility to protect private keys?

E-mail
• Does the acceptable use policy include email provisions? Below is a list of topics that should be covered:
  − Configuring mail servers (assuming a pre-built image isn’t already provided)
    ◦ Are mail servers covered in configuration management documentation?
  − Applying the industry-approved anti-virus solution to the email infrastructure
  − Scanning email for viruses and offensive material
  − Applying encryption for sensitive data (if applicable)
  − Making users aware of the consequences of improper email use
  − Prohibiting the use of web email, automatic forwarding to external addresses, private encryption and the opening of attachments from unauthorized sources
• Verify whether capacity planning efforts have been documented to ensure that the mail server is not overloaded.
  − Are controls in place to limit the size of each message and mailbox?
  − Are there restrictions on the use of large distribution lists?
  − Are spam filters in place to eliminate spam messages sent to the corporate servers?
• Verify that a legal banner is appended to all outgoing mail messages and return-to-sender messages. It should warn all users and recipients that the contents of the actual message may be legally in the possession of the organization and that use may be monitored.

Third Party Access
• Is third-party access part of the change management or access request process?
  − If not, why?
• Is third-party access part of the vendor management program?
  − If not, why?
• Discuss processes surrounding the provisioning and termination of third-party access.
  − Are the business risks associated with the third party assessed?
  − Is senior management responsible for authorizing third-party access?
  − Are contracts in place between the two parties to waive liability if damage occurs?
• Assess the technical controls in place between the third party and the corporate architecture.
  − Are all communications encrypted between the two parties?
  − If utilizing VPN, is split tunneling enabled?
  − Is a TACACS server used to centrally manage all accounts, and are all login attempts logged?
  − Are all vendor actions logged to a central repository?
  − Are there automatic timeouts if idle thresholds are met?

Electronic Commerce
• Discuss the organization of the group that is responsible for all electronic commerce initiatives.
  − Is there a top-level business manager ultimately responsible for all electronic commerce?
  − Is there a high-level group responsible for coordinating electronic commerce initiatives throughout the organization?
• Confirm that risk analysis has been performed prior to the execution of any major electronic commerce venture.
  − Was an industry-proven risk analysis method used?
  − Did it focus on key risks, such as capacity problems due to high customer demand or divulgence of sensitive customer information?
• Confirm that adequate testing has been performed prior to going live. A review should be performed by an experienced information security practitioner and approved by senior management.
• Verify that plans are in place to ensure that important domain registrations are renewed and that domain names that could be used to masquerade as the organization are registered.

Outsourcing
• Discuss the strategy and policies for outsourced providers and the transfer of activity to them.
  − Have the information risks associated with outsourcing been thoroughly examined?
  − Have critical and sensitive parts of the network been identified and segregated?
  − Has an exit strategy been formed in the eventuality of an early (or normal) agreement termination?
  − Are there agreements in place that limit the outsourcing provider’s ability to subcontract its work to another provider?
• Confirm that proper approvals are obtained prior to an agreement with an outsourcing provider. Required information controls should be agreed on beforehand.
  − Has a process been agreed upon for dealing with security issues through a point of contact within the provider?
  − Have the agreements outlined the audit work requirements for the upcoming year?

Instant Messaging
• Confirm that there are documented policies that outline proper usage for instant messaging clients. Topics can include:
  − Guidelines for business and personal use
  − The types of instant messaging services permitted
  − User guidelines for acceptable use
  − Details of any monitoring activities that may take place on the network
  − Disabling of various packaged services (video, voice, etc.)
• Assess the technical controls prohibiting the misuse of instant messaging software.
  − Is encryption used to protect sensitive messages?
  − Is logging of key events enabled at clients and servers?
  − Are firewalls blocking instant messaging traffic at the network perimeter?
  − Is a standard configuration applied to all employee machines?
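The question above on whether firewalls block instant messaging at the perimeter, and the Special Topics verification test that pulls firewall logs for outbound traffic on common instant messaging ports, can both be answered by reviewing the log export rather than by generating test traffic. The script below is an added example, not part of the work program: it assumes the firewall export can be parsed into key=value fields (the exact line layout here is constructed and will need adjusting to the real product's format), treats the 10.x.x.x range described in the work program as internal, and checks outbound connections to the well-known AIM (TCP/UDP 5190) and MSN Messenger (TCP 1863) ports. The log lines, hosts and addresses are constructed (the external addresses come from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24).

```python
import re
from collections import Counter

# Well-known instant messaging service ports: AIM/OSCAR on 5190, MSN Messenger on 1863.
IM_PORTS = {5190: "AIM", 1863: "MSN"}

# The work program describes the global environment as 10.x.x.x; treat that range as internal.
INTERNAL_PREFIX = "10."

# Constructed sample firewall log lines. The key=value layout is assumed for this example and
# is not any particular vendor's syntax; adjust LINE_RE to the real export format.
SAMPLE_LOG = """\
2006-09-04T08:12:01 fw01 action=allow proto=tcp src=10.1.4.22 sport=3341 dst=198.51.100.41 dport=5190
2006-09-04T08:12:05 fw01 action=deny proto=tcp src=10.1.4.23 sport=3342 dst=203.0.113.36 dport=1863
2006-09-04T08:13:10 fw01 action=allow proto=tcp src=10.1.4.22 sport=3350 dst=198.51.100.31 dport=5190
2006-09-04T08:14:00 fw01 action=allow proto=tcp src=10.1.4.30 sport=3360 dst=203.0.113.99 dport=443
2006-09-04T08:15:00 fw01 action=allow proto=udp src=10.1.4.22 sport=3370 dst=198.51.100.41 dport=5190
2006-09-04T08:16:00 fw01 action=allow proto=tcp src=203.0.113.7 sport=5190 dst=10.1.4.22 dport=3341
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) sport=(?P<sport>\d+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the expected layout are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["sport"] = int(event["sport"])
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def outbound_im_events(events):
    """Keep only connections from internal hosts to a known IM service port. An inbound line
    with an IM port as the source port (last sample line) is not an outbound IM session."""
    return [ev for ev in events
            if ev["src"].startswith(INTERNAL_PREFIX) and ev["dport"] in IM_PORTS]


def summarize(im_events):
    """Count allowed and denied outbound IM connections per (source host, service)."""
    allowed, denied = Counter(), Counter()
    for ev in im_events:
        key = (ev["src"], IM_PORTS[ev["dport"]])
        (allowed if ev["action"] == "allow" else denied)[key] += 1
    return {"allowed": dict(allowed), "denied": dict(denied)}


def perimeter_blocks_im(events):
    """True only if no outbound IM connection was allowed through the perimeter."""
    return not summarize(outbound_im_events(events))["allowed"]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(summarize(outbound_im_events(events)))
    print("Perimeter blocks IM:", perimeter_blocks_im(events))
```

Denied entries show the rule is present; allowed entries show it is not complete (here a second path on UDP 5190 and repeated TCP sessions from 10.1.4.22). Port-based review only catches clients using the default ports, so a clean result here should be read together with the client connection test in the Special Topics verification tests rather than on its own.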

Management Review

Documents Requested:
• Information technology audit plan/approach
• Information technology audit results

Security Audit/Review
• Verify that independent security audits/reviews are performed periodically for critical environments, including business applications, computer installations, networks, systems development activities and key enterprisewide security activities.
  − Are the reviews defined in scope and documented?
  − Are the reviews performed by qualified individuals who have the technical skills and knowledge?
  − Are they conducted regularly?
  − Are the results of the audit report agreed upon by the business owners being audited?
  − Who is responsible for remediation?
• Verify that periodic assessments are performed to determine the effectiveness of the overall security posture of the company. Monitoring efforts should:
  − Keep management informed of key organizational risks.
  − Focus on business-critical systems and data.
  − Note any improvements made over the last review.
  − Define improvements that still need to be made.
  − Show the pattern of business impacts of incidents.
