1. Think of the most senior person in your organization who has
"information security" (or equivalent) in their job title or as an
explicit responsibility in their job description. Does this person's
immediate supervisor have the title of:
President/CEO
Vice President
Other Director or Manager
No one in this organization has explicit responsibility for
information security.
2. Which of the following statements best describes the state of
information security policies in your organization?
Our policies are comprehensive, and compliance is demonstrably high.
Our policies are comprehensive, but compliance is inconsistent.
We have some documented policies on file.
We have no documented policies for information security.
3. Which of the following statements best describes the state of your
business continuity (disaster recovery) plan?
We have developed and tested detailed plans. We can recover
from most disasters without significant impact to our customers.
We have developed detailed plans, but have not tested their
effectiveness.
We have a pretty good idea of what ad hoc activities we would undertake
in the event of a disaster.
We haven't really thought about what we would do in the event of a
disaster.
4. Which of the following statements best describes how your
organization employs independent auditing functions specifically covering
information security?
We conduct annual (or more frequent) independent audits. Upper
management sees the audit reports and expects negative findings to be
corrected in a timely manner.
We conduct occasional independent audits. Upper management sees the
audit reports and expects negative findings to be corrected in a timely
manner.
We conduct occasional independent audits, but the recommendations
proceeding from audits are not considered by management to be on a par
with other business requirements.
We do not conduct independent audits of our information security
controls.
5. Which of the following statements best describes your
organization's investment in information security technology?
Our organization has a significant relationship with one or more of
the major security technology vendors. We have deployed or are planning
the deployment of such technologies as Public Key Infrastructure,
Intrusion Detection Systems, Enterprise Access Administration, Strong
Authentication and Secure Single Sign-On.
Our organization has demonstrated our commitment to appropriate
information security technologies by investing in a corporate firewall and
secure remote access facilities.
Our organization relies on the native security capabilities of the
platforms and applications we use.
Our organization considers security technology to be an impediment to
our business. We often turn off or circumvent the native controls offered
in our platforms and applications for the convenience of users or to
accommodate applications that are incompatible with security controls.
6. How does your organization obtain and employ information about
platform and application vulnerabilities?
We monitor public sources such as SANS, CERT and FIRST, and receive or
retrieve monthly (or more frequent) security reports from our platform and
application vendors. We systematically install the applicable patches
throughout the enterprise within 60 days. Both the current state of
patches and the process employed to deploy them could be validated by an
unannounced inspection held today.
When we become aware of security vulnerabilities in the products we
use, we try to apply the patches to most of our systems when resources are
available to do so.
We apply security related patches to our platforms and applications
only when not doing so would interfere with carrying out the
business.
Tracking and dealing with reported vulnerabilities in the platforms
and applications we use is rarely, if ever, done.
7. How would you describe your organization's approach to making
changes to mission critical applications and elements of your information
infrastructure (networks, servers, etc.)?
There may be significant career penalties for those who circumvent the
formal change request, approval and implementation procedures.
Formal change request, approval and implementation procedures are in
effect, but they may be overridden in the event of a perceived emergency.
There are no formal requirements, but our support staff is usually
diligent about notifying affected parties before changes are made.
Support personnel make changes as they see fit. Coordination with or
notification of others is not required.
8. Which of the following statements best describes the computer virus
control program at your organization?
I am certain that an unannounced inspection would reveal that each and
every PC in my organization has the current version of an anti-virus
software product from a leading vendor installed, that it is activated,
that it is configured properly, and that the virus definitions it is using
are no more than 7 days old.
We have deployed anti-virus software, but there is no program in place to
ensure that the versions and definitions are consistently kept up-to-date.
Our organization has purchased licenses for anti-virus software, but it is
not clear how many PCs actually have the software installed, or if it is
configured properly.
We haven't deployed anti-virus software. If there are any PCs with such
software in our environment, it is because an end-user installed it at
their own initiative.
9. Which of the following statements best describes the status of
dial-up access facilities at your organization?
Desktop modems are prohibited. All remote access takes place through
centralized facilities, and requires strong authentication (tokens,
smartcards, PKI credentials) for access. The process for granting and
revoking remote access privileges is well organized and effective. We have
a complete inventory of all telephone lines into our facilities, which is
updated whenever lines are added or dropped.
Our policy requires explicit management approval for attaching modems
to any corporate computing resource. Desktop modems are prohibited by
policy from being configured to answer incoming calls. Server modems are
physically disconnected except when in authorized use (e.g. for vendor
maintenance).
We have provided a centralized facility for modem access, but users
are also permitted to have modems at their desktop machines.
We don't have an inventory of our telephone lines, and users have
complete control over whether a modem is attached to their PC and how it
is configured. We have no central modem facility.
10. Which of the following statements best describes the use of system
and application logs at your organization?
We turn on all system, application and database logging features, and
configure them appropriately for the sensitivity and criticality of the
supported function. The logs are harvested daily and copied to a safe
location, a digital signature is applied, and logs containing potentially
sensitive data are encrypted. We employ automated means to distill the
logs and a qualified person reviews the logs at least weekly to detect
anomalous activity.
We use logging facilities on our most critical systems. I think
someone looks over the logs once in a while, if they think of it.
We turn on system, application and database logging features only when
there seems to be a compelling reason to do so. The logs are reviewed
whenever a problem is detected.
Back in the 1980s, somebody told us that turning on logging
facilities caused performance degradation, and ever since then we've used
that as the excuse for not turning on system or application logging
features.
11. In the event of an incident such as suspected network intrusion, a
denial of service attack, or other event that negatively impacts your
information systems, does your organization have a plan to respond?
We have a cyber incident response plan and a procedures manual. Team
members have been pre-identified and trained in their responsibilities.
The response would be managed by a senior executive with management
authority to act and direct the activities of people from all departments.
We have tested this plan by activating the response team and
presenting a realistic scenario for them to solve.
We have a cyber incident response plan, but the contents are not
necessarily familiar to those who would need to follow it. We have not
tested the plan.
In the event of a cyber incident, we'd have "all hands on deck" and
figure out what to do about it from there.
We haven't really thought about what we'd do if something like that
happened.
12. Does your organization have policies and practices that address
the privacy of customer information?
We do not share customer information with other parties, and we
protect that data to the same degree that other sensitive corporate data
is protected.
Our privacy policy is clear and is communicated to our customers in
many ways (mail, website, etc.). Customers may access their personal data
and can easily change it to correct errors. There is also a convenient
mechanism for them to "opt out" of any information sharing delineated in
our privacy policy. All of this is supported by appropriate technology and
security mechanisms.
We make no representation to our customers that their data will be
kept private. If they don't want us to share that data, they should take
their business elsewhere.
We don't have a privacy policy.
13. What is the state of physical security at your facilities?
Work areas are restricted access. We require employees to present
identification (either to a guard or to an automated cardkey access
system) and visitors to be escorted at all times. Production servers are
kept in rooms that are further restricted only to personnel with a job
requirement for access (such as server administrators and technicians).
Work areas are restricted access, but servers are kept in rooms that
are accessible to all employees.
Work areas are accessible to the public, but production servers are
kept in restricted areas, accessible only to technical support personnel.
Work areas are accessible to the public. Production servers are kept
in the general work area.
14. How would you characterize the level of awareness of your staff
with respect to their responsibilities for information security?
Employees receive instruction during their in-processing orientation
on their responsibilities, and at annual refresher briefings thereafter.
Information security is also explicitly mentioned on each employee's
performance review.
Employees receive periodic reminders about specific aspects of their
responsibilities with respect to information security.
In this industry/company, everybody pretty much understands their
intrinsic responsibility to protect information.
By and large, I don't think anyone has the first clue.
15. What is the current state of documents describing your computing
and communications infrastructure?
Superior: Our network diagrams are up-to-date. We also have current
and correct lists of network addresses, hub port assignments, wall jack
assignments, and equipment. These are all kept in a database or
spreadsheet to facilitate update, and to support a variety of operations
support and project management tasks. Policy requires that configuration
changes be documented at the time the change is made.
Good: We have online diagrams and lists that are mostly up-to-date.
However, there is no mechanism to assure the ongoing maintenance of these
documents. They are updated whenever an inconsistency is discovered.
Adequate: We have network diagrams, resource lists and such which are
updated periodically as required. Many of these documents are on paper.
They're probably not up-to-date.
Nonexistent.
16. What does your organization do to ensure that the people you hire
and retain are trustworthy?
We conduct comprehensive interviews, and supplement our own judgment
with an in-depth background check performed by a qualified investigative
firm, which includes a credit check. We re-check employees in sensitive
positions annually, and others every other year. We have policies
addressing gambling, recreational drug use, and personal bankruptcy.
We conduct interviews and background checks on employees at the time
they are hired.
We will investigate if any employee begins to act suspiciously.
When we interview job candidates, we check to see if they have "shifty
eyes". If they do, we don't hire them unless we're really desperate.
17. Does your organization do anything to "harden" (improve the
default security of) computing platforms?
We have published standards for each of the major platforms used in
our organization. The standards specify configuration settings which are
mandatory for that platform, as well as "recommended" settings which
should be used unless there is a compelling business requirement
otherwise. Compliance with the standards is audited annually.
We have published standards for platform configuration, but compliance
is inconsistent and audited only infrequently.
Our systems administrators do their best to "harden" the systems as
they deploy them.
We rely on our systems vendors to provide us with secure
configurations as the default. We don't have time to mess with this stuff,
anyway.
18. How would you describe your organization's information labeling
program?
We have a mature labeling program in place. Documents and other
information are consistently labeled with one of no more than four
classifications, including "public". All employees are familiar with the
labels and what they mean in terms of how they are expected to store,
transmit, and dispose of the information.
We have a document labeling policy, but it is not well understood by
all employees, either because it is not emphasized by management or
because it is too complex.
Any document labels are done "ad hoc", the label text is invented by
the person labeling the document and is not consistent across the
organization.
We do not label documents or other data to indicate sensitivity or
handling expectations.
19. Does your organization purchase insurance to cover information
security related losses?
We have a strong relationship with a reputable insurance broker, with
whom we have shared the results of our independent information security
assessments and audits. Together, we have crafted or selected appropriate
policies to cover the risk gap between what we have mitigated and the
residual risk.
We have taken out a website policy to cover our internet presence.
We are currently working with a reputable broker to develop a plan for
risk transfer.
We believe that our standard corporate casualty and liability policies
are sufficient, and we do not require special insurance to cover
information security related losses.
20. How would you describe the approach taken by your organization's
information security (IS) function with respect to influencing good
employee behavior for information security?
Authoritarian: The IS function has the support of upper management,
and employees and other managers are expected to comply with the policies
and guidance they set.
Consultative: The IS function does not have strong support from upper
management, but instead employs a "friendly" approach to persuading
employees to comply with guidance and policy.
Balanced: The IS function promotes good practices consultatively, but
if individuals or departments do not respond they have the backing of
upper management to compel, when necessary.
Impotent: Our IS function has neither the will/authority to compel
compliance nor the credibility to foster it.
21. Which of the following most closely resembles your organization's
approach to making risk decisions?
Risk decisions are made consistently by a person with the
management scope of authority that is appropriate to the risk. The
decision is made on an informed basis, considering the threat,
vulnerability and asset value. Both the negative impact and the
probability of occurrence are considered.
Risk decisions are made by someone with the appropriate management
authority. However, the decision maker may or may not understand the risk
before making a decision, and the risk analysis may be based more on
intuition than rational consideration of qualitative and quantitative
parameters.
Information security risks are not really considered by management.
They are more concerned with "conventional" risks such as financial,
market, legal, etc.
It is quite possible for a low-level employee to make a decision to
introduce or accept a risk that threatens the entire enterprise. (E.g.: A
technician decides to open a channel through the firewall.)
22. Which of the following best describes the typical long-term
response to problems in your organization?
Upper management expects (and gets) a comprehensive "post mortem"
analysis of any major outages. The analysis includes recommendations for
changes in procedures, technologies, or policies to prevent recurrence.
The recommendations are usually adopted.
"Post mortem" reports are created, and the recommendations may be
adopted if upper management is not distracted by other perceived
urgencies.
Individual contributors have ideas for how to avoid such problems
in the future, but have difficulty getting attention from management at a
level sufficient to get action (budget, etc.).
We only have the capacity to get systems back up and running again as
soon as possible.