@opexxx
Created November 25, 2022 17:16
SIGv7
A. Risk Assessment and Treatment
A.1 Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program? If so, does it include:
A.1.1 A risk assessment, conducted within the last 12 months?
A.1.2 Risk Governance?
A.1.3 Range of assets to include: people, processes, data and technology?
A.1.4 Range of threats to include: malicious, natural, accidental, business changes (transaction volume)?
A.1.5 Risk scoping?
A.1.6 Risk context?
A.1.7 Risk training plan?
A.1.8 Risk evaluation criteria?
A.1.9 Risk scenarios? If so:
A.1.9.1 Have scenarios been created for a variety of events with a range of possible threats that could impact the range of assets?
A.1.9.2 Do the scenarios include threat types impacting all assets resulting in business impact?
A.1.10 Ownership, action plan, response plan, management update?
A.2 Are controls identified for each risk classified as: preventive, detective, corrective, predictive (technical or administrative controls)?
B. Security Policy
B.1 Is there an information security policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? If so, does the policy contain:
B.1.1 Risk assessment?
B.1.2 Risk management?
B.1.3 Security awareness training/education?
B.1.4 Business continuity?
B.1.5 Consequences for non-compliance with corporate policies?
B.1.6 Responsibilities for information security management?
B.1.7 Acceptable use?
B.1.8 Access control?
B.1.9 Application security?
B.1.10 Change control?
B.1.11 Clean desk?
B.1.12 Computer and communication systems access and use?
B.1.13 Data handling?
B.1.14 Desktop computing?
B.1.15 Disaster recovery?
B.1.16 Email?
B.1.17 Constituent accountability?
B.1.18 Encryption?
B.1.19 Exception process?
B.1.20 Information classification?
B.1.21 Internet/Intranet access and use?
B.1.22 Mobile computing?
B.1.23 Network security?
B.1.24 Operating system security?
B.1.25 Personnel security and termination?
B.1.26 Physical access?
B.1.27 Policy maintenance?
B.1.28 Remote access?
B.1.29 Security incident and privacy event management?
B.1.30 Secure disposal?
B.1.31 Social media, social networking?
B.1.32 Vulnerability management?
B.1.33 Have the policies been reviewed in the last 12 months? If so, did the review include:
B.1.33.1 Feedback from interested parties?
B.1.33.2 Results of independent reviews?
B.1.33.3 Policy compliance?
B.1.33.4 Changes that could affect the approach to managing information security?
B.1.33.5 Reported information security incidents?
B.1.33.6 Recommendations provided by relevant authorities?
B.1.33.7 Records management?
B.1.34 Is there a process to approve exceptions to the policy?
B.1.34.1 Does security own the approval process?
B.1.35 Is the information security policy communicated to constituents? If so, is it communicated to:
B.1.35.1 Full time employees?
B.1.35.2 Part time employees?
B.1.35.3 Contractors?
B.1.35.4 Temporary workers?
C. Organizational Security
C.1 Is there an information security function responsible for security initiatives within the organization? If so, does it include:
C.1.1 Creation, review and approval of information security policies?
C.1.2 Review the effectiveness of information security policy implementation?
C.1.3 Manage assignment of specific roles and responsibilities for information security?
C.1.4 Develop and maintain an overall strategic security plan?
C.1.5 Consistent implementation of information security across different parts of the organization?
C.1.6 Review and monitor information security / privacy incidents or events?
C.1.7 Monitor significant changes in the exposure of information assets?
C.1.8 Contacts with information security special interest groups, specialist security forums, or professional associations?
C.1.9 Identify and document instances of non-compliance with security policies?
C.1.10 Identify key Information Technology roles?
C.2 Do external parties have access to Scoped Systems and Data or processing facilities? If so, is:
C.2.1 Access prohibited prior to a risk assessment being conducted?
C.2.2 A risk assessment performed on third parties?
C.2.3 A controls assessment performed on third parties?
C.2.4 Agreements in place when customers access Scoped Systems and Data?
C.2.5 Does management require the use of confidentiality or non-disclosure agreements for all third parties? If so, do they contain:
C.2.5.1 Ownership of information, trade secrets and intellectual property?
C.2.5.2 The permitted use of confidential information, and granting of rights to the signatory to use information?
C.2.5.3 Process for notification and reporting of unauthorized disclosure or confidential information breaches?
C.2.5.4 Expected actions to be taken in case of a breach of this agreement?
C.2.6 Are there contracts with third party service providers who have access to Scoped Systems and Data? If so, do the contracts include:
C.2.6.1 Non-Disclosure agreement?
C.2.6.2 Confidentiality Agreement?
C.2.6.3 Media handling?
C.2.6.4 Requirement of an awareness program to communicate security standards and expectations?
C.2.6.5 Responsibilities regarding hardware and software installation and maintenance?
C.2.6.6 Clear reporting structure and agreed reporting formats?
C.2.6.7 Clear and specified process of change management?
C.2.6.8 Notification of change?
C.2.6.9 A process to address any identified issues?
C.2.6.10 Access control policy?
C.2.6.11 Breach notification?
C.2.6.12 Description of the product or service to be provided?
C.2.6.13 Description of the information to be made available along with its security classification?
C.2.6.14 SLAs?
C.2.6.15 Audit reporting?
C.2.6.16 Ongoing monitoring?
C.2.6.17 A process to regularly monitor to ensure compliance with security standards?
C.2.6.18 Onsite review?
C.2.6.19 Right to audit?
C.2.6.20 Right to inspect?
C.2.6.21 Problem reporting and escalation procedures?
C.2.6.22 Business resumption responsibilities?
C.2.6.23 Indemnification/liability?
C.2.6.24 Privacy requirements?
C.2.6.25 Dispute resolution?
C.2.6.26 Choice of venue?
C.2.6.27 Data ownership?
C.2.6.28 Ownership of intellectual property?
C.2.6.29 Involvement of the third party with subcontractors?
C.2.6.30 Security controls these subcontractors need to implement?
C.2.6.31 Termination/exit clause?
C.2.6.32 Contingency plan in case either party wishes to terminate the relationship before the end of the agreements?
C.2.6.33 Renegotiation of agreements if the security requirements of the organization change?
C.2.6.34 Current documentation of asset lists, licenses, agreements or rights relating to them?
D. Asset Management
D.1 Is there an asset management policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
D.1.1 Is there an Inventory system for hardware and software assets? If so, does it include:
D.1.1.1 Asset control tag?
D.1.1.2 Operating system?
D.1.1.3 Physical location?
D.1.1.4 Serial number?
D.1.1.5 Business function supported?
D.1.1.6 Environment (dev, test, etc.)?
D.1.1.7 IP address?
D.1.2 Is there a detailed description of software licenses (number of seats, concurrent users, etc.)?
D.1.3 Is ownership assigned for information assets? If so, is the owner responsible to:
D.1.3.1 Appropriately classify information and assets?
D.1.3.2 Review and approve access to those information assets?
D.1.3.3 Establish, document and implement rules for the acceptable use of information and assets?
D.2 Are information assets classified?
D.2.1 Is there an information asset classification policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
D.2.2 Is there a procedure for handling of information assets? If so, does it include:
D.2.2.1 Data ownership?
D.2.2.2 Data access controls including authorization?
D.2.2.3 Data labeling?
D.2.2.4 Data on removable media?
D.2.2.5 Data in transit?
D.2.2.6 Data encryption?
D.2.2.7 Data in storage?
D.2.2.8 Data reclassification?
D.2.2.9 Data retention?
D.2.2.10 Data destruction?
D.2.2.11 Data disposal?
D.2.2.12 Reviewed at least annually?
D.2.2.13 Data handling based on classification?
D.2.2.14 Physical media destruction?
D.2.2.15 Reuse of physical media (tapes, disk drives, etc.)?
D.3 Is there insurance coverage for business interruptions or general services interruption? If so, are there:
D.3.1 Limitations based on the cause of the interruption?
D.3.2 Insurance coverage for products and services provided to clients?
E. Human Resource Security
E.1 Are security roles and responsibilities of constituents defined and documented in accordance with the organization’s information security policy?
E.2 Is a background screening performed prior to allowing constituent access to Scoped Systems and Data? If so, does it include:
E.2.1 Criminal?
E.2.2 Credit?
E.2.3 Academic?
E.2.4 Reference?
E.2.5 Resume or curriculum vitae?
E.2.6 Drug Screening?
E.3 Are new hires required to sign any agreements upon hire? If so, does it include:
E.3.1 Acceptable Use?
E.3.2 Code of Conduct / Ethics?
E.3.3 Non-Disclosure Agreement?
E.3.4 Confidentiality Agreement?
E.3.5 Are constituents required to sign annual acknowledgements? If so, do they include:
E.3.5.1 Acceptable Use?
E.3.5.2 Code of Conduct / Ethics?
E.3.5.3 Non-Disclosure Agreement?
E.3.5.4 Confidentiality Agreement?
E.4 Is there a security awareness training program? If so, does it include:
E.4.1 Security policies, procedures and processes?
E.4.2 Scored test to evaluate successful completion?
E.4.3 New Hire and annual participation?
E.4.4 Is security training commensurate with levels of responsibilities and access?
E.4.5 Do constituents responsible for information security undergo additional training?
E.4.6 Do information security personnel have professional security certifications?
E.5 Is there a disciplinary process for non-compliance with information security policies?
E.6 Is there a constituent termination or change of status process?
E.6.1 Is there a documented termination or change of status policy or process that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
E.6.2 Does HR notify security / access administration of constituent termination for access rights removal? If so, is notification provided:
E.6.2.1 On the actual date?
E.6.2.2 Two to seven days after termination?
E.6.2.3 Greater than seven days after termination?
E.6.3 Does HR notify security / access administration of a constituent change of status for access rights removal? If so, is notification provided:
E.6.3.1 On the actual date of the change of status?
E.6.3.2 Two to seven days after the change of status?
E.6.3.3 Greater than seven days after the change of status?
E.6.4 Are constituents required to return assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) upon:
E.6.4.1 Termination?
E.6.4.2 Change of Status?
F. Physical and Environmental Security
F.1 Is there a physical security program?
F.1.1 Is there a documented physical security policy approved by management, communicated to constituents and an owner assigned to maintain and review the policy?
F.1.2 Are reasonable physical security and environmental controls present in the building/data center that contains Scoped Systems and Data? If so, does it include:
F.1.2.1 Signage to identify the operations of the facility (data center)?
F.1.2.2 Other tenants using the building?
F.1.2.3 Access restricted and logs kept of all access?
F.1.2.4 Electronic system (key card, token, fob, biometric reader etc.) to control access?
F.1.2.5 Cipher locks (electronic or mechanical) to control access within or to the facility? If yes, is there a process to:
F.1.2.5.1 Change the code(s) at least every 90 days?
F.1.2.5.2 Change the code(s) when an authorized individual is terminated or transferred to another role?
F.1.2.6 Security guards that provide onsite security services?
F.1.2.7 Perimeter physical barrier (such as fence or walls)?
F.1.2.8 Entry and exit doors alarmed (forced entry, propped open) and/or monitored by security guards?
F.1.2.9 A mechanism to prevent tailgating / piggybacking?
F.1.2.10 External lighting?
F.1.2.11 Lighting on all doors?
F.1.2.12 Exterior doors with external hinge pins?
F.1.2.13 Emergency doors which only permit egress?
F.1.2.14 Windows with contact or break alarms on all windows?
F.1.2.15 CCTV with video stored at least 90 days?
F.1.2.16 Walls which extend from actual floor to actual ceiling?
F.1.2.17 Fluid or water sensor?
F.1.2.18 Air conditioning and humidity controls?
F.1.2.19 Heat detection?
F.1.2.20 Smoke detection?
F.1.2.21 Fire suppression?
F.1.2.22 Multiple power feeds?
F.1.2.23 Multiple communication feeds?
F.1.2.24 Physical access control procedures? If yes, is there:
F.1.2.24.1 Segregation of duties for issuing and approving access to the facility (keys, badge, etc.)?
F.1.2.24.2 Access reviews at least every six months?
F.1.2.24.3 Collection of access equipment (badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer requires access?
F.1.2.24.4 A process to report lost or stolen access cards / keys?
F.1.3 Are visitors permitted in the facility? If so, are they required to:
F.1.3.1 Sign in and out?
F.1.3.2 Provide a government issued ID?
F.1.3.3 Be escorted through secure areas?
F.1.3.4 Wear badge distinguishing them from employees?
F.1.3.5 Be subject to a right to search while at the facility?
F.1.3.6 Are visitor logs maintained for at least 90 days?
F.1.4 Is there a loading dock at the facility? If yes, is there:
F.1.4.1 Any other tenants using the loading dock?
F.1.4.2 Security guards at each point of entry?
F.1.4.3 Smoke detector?
F.1.4.4 Fire alarm?
F.1.4.5 Fire suppression?
F.1.4.6 CCTV and the video stored for at least 90 days?
F.1.4.7 Restricted access and logs kept of all access?
F.1.5 Is there a battery/UPS room? If yes, does it contain:
F.1.5.1 Hydrogen sensors?
F.1.5.2 Monitored fire alarm?
F.1.5.3 Fire suppression system?
F.1.5.4 CCTV and the video stored for at least 90 days?
F.1.5.5 Restricted access and logs kept of all access?
F.1.5.6 Are visitors permitted in the battery/UPS room?
F.1.5.7 Does UPS support N+1?
F.1.6 Is there a generator or generator area? If yes, is there:
F.1.6.1 A fuel supply readily available to ensure uninterrupted service?
F.1.6.2 Adequate capacity to supply power for at least 48 hours?
F.1.6.3 Restricted access and logs kept of all access?
F.1.6.4 CCTV and the video stored for at least 90 days?
F.1.7 Is there a mailroom that handles Scoped Data? If so, is access:
F.1.7.1 Restricted and logs kept of all access?
F.1.7.2 CCTV and the video stored for at least 90 days?
F.1.8 Is there a media library to store Scoped Data? If so, is access:
F.1.8.1 Restricted and logs kept of all access?
F.1.8.2 CCTV and the video stored for at least 90 days?
F.1.9 Is there a separate room for telecom equipment? If so, is access:
F.1.9.1 Monitored with CCTV and the video stored for 90 days?
F.1.9.2 Restricted and logs kept of all access?
F.2 Do the Scoped Systems and Data reside in a data center? If yes, are the following controls in place:
F.2.1 Is the data center shared with other tenants?
F.2.2 Fluid or water sensor?
F.2.3 Air conditioning?
F.2.4 Heat detection?
F.2.5 Smoke detection?
F.2.6 Fire suppression?
F.2.7 Vibration alarm / sensor?
F.2.8 Monitored fire alarm?
F.2.9 Fire suppression e.g., dry, chemical, wet?
F.2.10 Multiple power feeds?
F.2.11 Multiple communication feeds?
F.2.12 Are there generator(s)?
F.2.13 Is access to the data center restricted and logs kept of all access?
F.2.14 Badge readers at points of entry?
F.2.14.0.1 Locked doors requiring a key or PIN at points of entry?
F.2.14.1 Access request procedures?
F.2.14.1.1 Segregation of duties for issuing and approving access?
F.2.14.2 Access reviews conducted at least every six months?
F.2.14.3 Is there a mechanism to thwart tailgating / piggybacking into the data center?
F.2.14.4 Are there security guards at points of entry?
F.2.14.5 Do the security guards monitor security systems and alarms?
F.2.14.6 Are visitors permitted in the data center?
F.2.14.6.1 Are they required to sign in and out of the data center?
F.2.14.6.2 Are they escorted within the data center?
F.2.14.7 Are all entry and exit points to the data center alarmed?
F.2.14.8 Are there alarm motion sensors monitoring the data center?
F.2.14.9 Are there alarm contact sensors on the data center doors?
F.2.14.10 Are there prop alarms on data center doors?
F.2.14.11 Do emergency doors only permit egress?
F.2.14.12 Is access to the Data center monitored with CCTV and the video stored for at least 90 days?
F.2.14.13 Walls extending from true floor to true ceiling?
F.2.14.14 Windows or glass walls along the perimeter?
F.2.15 Do the Scoped Systems and Data reside in a caged environment within a data center? If so, are these controls present:
F.2.15.1 Locks requiring a key or PIN used at points of entry?
F.2.15.2 A process for requesting access?
F.2.15.2.1 Segregation of duties for granting and storage of access devices (badges, keys, etc.)?
F.2.15.3 A list maintained of personnel with cards / keys to the caged environment?
F.2.15.4 A process to report lost access cards / keys?
F.2.15.5 A process to review access to the cage at least every six months?
F.2.15.6 A process to collect access equipment (badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer requires access?
F.2.15.7 Are visitors permitted in the caged environment? If so, are they:
F.2.15.7.1 Required to sign in and out?
F.2.15.7.2 Escorted?
F.2.15.8 Monitored with CCTV and the video stored for at least 90 days?
F.2.16 Do the Scoped Systems and Data reside in a locked cabinet? If so, is there:
F.2.16.1 Shared cabinets?
F.2.16.2 Restricted access and logs kept of all access?
F.2.16.3 Access request procedures?
F.2.16.4 Segregation of duties for issuing, approving access and storing devices (badges, keys, etc.)?
F.2.16.5 Segregation of duties for issuing and approving access?
F.2.16.6 A list of personnel with cards / keys to the cabinet?
F.2.16.7 A process to report lost access cards / keys?
F.2.16.8 Collection of access equipment (badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer requires access?
F.2.16.9 Cabinets monitored with CCTV and the video stored for at least 90 days?
F.2.17 Is there a policy on using locking screensavers on unattended system displays or locks on consoles within the data center?
F.2.18 Is there a procedure for equipment removal from the data center?
F.2.19 Are there preventive maintenance or current maintenance contracts for:
F.2.19.1 UPS system?
F.2.19.2 Security system?
F.2.19.3 Generator?
F.2.19.4 Batteries?
F.2.19.5 Monitored fire alarm?
F.2.19.6 Fire suppression systems?
F.2.19.7 HVAC?
F.2.20 Are the following tested:
F.2.20.1 UPS system - annually?
F.2.20.2 Security alarm system - annually?
F.2.20.3 Fire alarms - annually?
F.2.20.4 Fire suppression system - annually?
F.2.20.5 Generators - monthly?
F.2.20.6 Generators full load tested - monthly?
G. Communications and Operations Management
G.1 Are management-approved operating procedures utilized? If so, are they:
G.1.1 Documented, maintained, and made available to all users?
G.2 Is there an operational change management / change control policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? If so, does it include:
G.2.1 Documentation of changes?
G.2.2 Request, review and approval of proposed changes?
G.2.3 Pre-implementation testing?
G.2.4 Post-implementation testing?
G.2.5 Review for potential security impact?
G.2.6 Review for potential operational impact?
G.2.7 Communication of changes to all relevant constituents?
G.2.8 Rollback procedures?
G.2.9 Maintenance of change control logs?
G.2.10 Code reviewed by information security prior to the implementation of internally developed applications and / or application updates?
G.2.11 Is information security's approval required prior to implementing changes?
G.2.12 Are the following changes to the production environment subject to the change control process:
G.2.12.1 Network?
G.2.12.2 Systems?
G.2.12.3 Application updates?
G.2.12.4 Code changes?
G.2.13 Is there a segregation of duties between those requesting, approving and implementing a change?
G.3 Is application development performed? If so, is:
G.3.1 Development, test, and staging environments separate from the production environment? If so, how are they separated:
G.3.1.0.1 Logically?
G.3.1.0.2 Physically?
G.3.1.0.3 No segregation?
G.4 Do third party vendors have access to Scoped Systems and Data (backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, etc.)? If so, is there:
G.4.1 Security review prior to engaging their services (logical, physical, other controls)?
G.4.2 Security review at least annually, on an ongoing basis?
G.4.3 Risk assessments or review?
G.4.4 Confidentiality and/or Non Disclosure Agreement requirements?
G.4.5 Requirement to notify of changes that might affect services rendered?
G.5 Are system resources reviewed to ensure adequate capacity is maintained?
G.6 Are criteria for accepting new information systems, upgrades, and new versions established? If so, do they include:
G.6.1 Performance and computer capacity requirements?
G.6.2 Error recovery and restart procedures?
G.6.3 Preparation and testing of operating procedures?
G.6.4 Agreed set of security controls?
G.6.5 Effective manual procedures?
G.6.6 Business continuity arrangements?
G.6.7 Evidence that new system will not adversely affect existing systems, particularly at peak processing times, such as month end?
G.6.8 Evidence of the effect on the overall security of the organization?
G.7 Is there an anti-virus / malware policy or program (workstations, servers, mobile devices) that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
G.7.1 What is the interval between the availability of a new signature update and its deployment:
G.7.1.1 Hourly?
G.7.1.2 Daily?
G.7.1.3 Weekly?
G.7.1.4 Monthly?
G.8 Are system backups of Scoped Systems and Data performed?
G.8.1 Is there a policy or process for the backup of production data? If so, does it include a requirement to:
G.8.1.1 Store backups to avoid any damage from a disaster at the main site?
G.8.1.2 Test backup media and restoration procedures at least annually?
G.8.2 Is backup media stored offsite? If so, is there:
G.8.2.0.1 Secure transport?
G.8.2.0.2 Tracking shipments?
G.8.2.0.3 Verification of receipt?
G.9 Are there external network connections (Internet, extranet, etc.)? If so, is there:
G.9.1 Security and hardening standards for network devices (baseline configuration, patching, passwords, access control)?
G.9.1.1 Regular review and/or monitoring of network devices for continued compliance to security requirements?
G.9.2 Is every connection to an external network terminated at a firewall?
G.9.3 Are network devices configured to prevent communications from unapproved networks?
G.9.4 Do network devices deny all access by default?
G.9.5 Is there a process to request, approve, log, and review access to networks across network devices?
G.9.6 Is network traffic logged to support forensics?
G.9.6.1 Do logs contain: failed login attempts, disabling of audit logs, changes, timestamps, IP info, etc.?
G.9.6.2 In the event of a network device audit log failure, does the network device generate an alert and prevent further connections?
G.9.6.3 Is the overwriting of audit logs disabled?
G.9.6.4 Are the logs from network devices aggregated to a central server?
G.9.7 Are security patches reviewed and applied to network devices?
G.9.8 Is there an approval process prior to installing a network device?
G.9.9 Is there an approval process for the ports allowed through the network devices?
G.9.10 Are critical network segments isolated?
G.9.11 Is there a process to prevent unauthorized devices from physically connecting to the internal network?
G.9.12 Are internal systems required to pass through a content filtering proxy prior to accessing the Internet?
G.9.13 Is there an approval process to allow extranet connections?
G.9.14 Are insecure protocols (telnet) used to access network devices?
G.9.15 Is access to diagnostic or maintenance ports on network devices restricted?
G.9.16 Is there a separate network segment or endpoints for remote access?
G.9.17 Are firewall rules and network access control lists regularly reviewed?
G.9.18 Is there a DMZ environment within the network that transmits, processes or stores Scoped Systems and Data? If so, is it:
G.9.18.1 Limited to only those servers that require access from the Internet?
G.9.18.2 Separated with DMZ segments for devices that initiate outbound traffic to the Internet?
G.9.19 Is Intrusion Detection/Prevention System employed in all network zones? If so, does it include:
G.9.19.1 Configuration to generate alerts when incidents and values exceed predetermined thresholds?
G.9.19.2 Regularly updated signatures based on new threats?
G.9.19.3 System monitoring 24x7x365?
G.9.19.4 Event feeds into the Incident Management process?
G.9.20 Is approval required prior to connecting any outbound or inbound modem lines, cable modem lines, DSL phone lines or wireless access points to a desktop or other access point directly connected to the company-managed network?
G.9.21 Are modems used? If so, are they all set to auto-answer and required to use an authentication or encryption device?
G.10 Is wireless networking technology used? If so, is there:
G.10.1 Approved and fully implemented wireless networking policy?
G.10.2 Two active network connections allowed at the same time (split-tunneling)?
G.10.3 Wireless connections authenticated using multi-factor authentication?
G.10.4 Encrypted using strong encryption (WPA2 or higher)?
G.10.5 Wireless access points SNMP community strings changed?
G.10.6 Quarterly scans for rogue wireless access points?
G.11 Is there a removable media policy or program (CDs, DVDs, tapes, disk drives) that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the policy? If so, is:
G.11.1 Data encrypted while stored?
G.11.2 Sensitive data encrypted?
G.11.3 Is all media containing Scoped Systems and Data disposed of securely to prevent recovery? If so, is it:
G.11.3.1 Logged to maintain an audit trail?
G.11.3.2 Made unrecoverable (wiped or overwritten) prior to asset reuse?
G.11.3.3 Inventoried at least quarterly?
G.12 Is Scoped Data sent or received electronically or via physical media? If so, is there:
G.12.1 Encryption in transit while outside the network?
G.12.2 Encryption in transit within the network?
G.12.3 Protection against malicious code?
G.12.4 Confidentiality / integrity of data following any transmissions?
G.12.5 Review and approval process for transmissions?
G.12.6 Transport containers to protect against physical damage?
G.12.7 Locked or tamper-evident transport containers?
G.12.8 Physical media tracking?
G.12.9 Protection when transmitted through email?
G.12.10 Encryption when sent through email?
G.12.11 Are content filtering scans performed on incoming/outgoing email to enforce email policy?
G.13 Do systems and network devices utilize a common time synchronization service?
G.14 Are UNIX or Linux operating systems used for transmitting, processing or storing Scoped Data? If so, is there:
G.14.1 UNIX hardening standards?
G.14.1.1 Periodic monitoring for continued compliance to build standards and security requirements?
G.14.2 Are users required to ‘su’ or ‘sudo’ into root?
G.14.3 Does remote SU/root access require multi-factor authentication?
G.14.4 Are remote access tools that do not require authentication (e.g., rhost, shost, etc.) allowed?
G.14.5 Is access to modify startup and shutdown scripts restricted to root-level users?
G.14.6 Are all unnecessary/unused services turned off?
G.14.7 Are logs regularly reviewed using a specific methodology to uncover potential incidents?
G.14.8 Do operating system event logs contain sufficient detail to support incident investigation including failed login attempts?
G.14.9 Are operating system logs retained for a minimum of one year?
G.14.10 In the event of an operating system audit log failure, does the system generate an alert?
G.14.11 Are audit logs stored on alternate systems?
G.14.12 Are audit logs protected against modification, deletion, and/or inappropriate access?
G.14.13 Minimum password length at least eight characters?
G.14.14 Complex passwords required?
G.14.15 Minimum password expiration at least 90 days?
G.14.16 Password history at least 12 before reuse?
G.14.17 Initial password required to be changed at first logon?
G.14.18 Passwords encrypted in transit?
G.14.19 Passwords encrypted or hashed in storage?
G.14.20 Passwords displayed when entered into a system?
G.14.21 User accounts associated to a unique individual?
G.14.22 Does the system lock an account when three to five invalid login attempts are made?
G.15 Are Windows systems used to transmit, process or store Scoped Data? If so, are there:
G.15.1 Windows hardening standards?
G.15.1.1 Standard builds/security compliance checks?
G.15.2 Current patches?
G.15.3 Unnecessary/unused services turned off?
G.15.4 Regular log reviews using a specific methodology to uncover potential incidents?
G.15.5 Sufficient information in the logs to evaluate incidents?
G.15.6 Logs retained for a minimum of one year?
G.15.7 System generated alerts in the event of an audit log failure?
G.15.8 Audit logs stored on alternate systems?
G.15.9 Audit logs protected against modification, deletion, and/or inappropriate access?
G.15.10 Minimum password length at least eight characters?
G.15.11 Complex passwords required?
G.15.12 Minimum password expiration at least every 90 days?
G.15.13 Password history of 12 before reuse?
G.15.14 Initial password required to be changed at first logon?
G.15.15 Can a PIN or secret question be a stand-alone method of authentication?
G.15.16 Passwords encrypted in transit?
G.15.17 Passwords encrypted or hashed in storage?
G.15.18 Passwords displayed when entered into a system?
G.15.19 User accounts associated to a unique individual?
G.15.20 Does the system lock an account when three to five invalid login attempts are made?
G.16 Is a mainframe used to transmit, process or store Scoped Systems and Data? If so, are:
G.16.1 Mainframe security controls documented?
G.16.1.1 Reviews performed to validate compliance with documented standards?
G.16.2 Transmission encrypted?
G.16.3 Authentication required for access to any transaction or database system?
G.16.4 Job scheduling systems secured to control the submission of production jobs?
G.16.5 Storage management personnel (tape operators) given privileged access to mainframe systems?
G.16.6 ESM (RACF) and inherent security configuration settings configured to support the access control standards and requirements?
G.16.7 Regular review of logs using a specific methodology to uncover potential incidents?
G.16.8 System generated alerts in the event of an audit log failure?
G.16.9 Logs retained for a minimum of one year?
G.16.10 Audit logs adequately protected against modification, deletion, and/or inappropriate access?
G.16.11 Minimum password length at least eight characters?
G.16.12 Complex passwords required?
G.16.13 Minimum password expiration at least every 90 days?
G.16.14 Password history of 12 before reuse?
G.16.15 Password minimum age?
G.16.16 Initial password required to be changed at first logon?
G.16.17 Can a PIN or secret question be a stand alone method of authentication?
G.16.18 Passwords encrypted in transit?
G.16.19 Passwords encrypted or hashed in storage?
G.16.20 Passwords displayed when entered into a system?
G.16.21 User accounts associated to a unique individual?
G.16.22 Does the system lock an account when three to five invalid login attempts are made?
G.16.23 Administrator intervention required to unlock an account?
G.17 Is an AS400 used to transmit, process or store Scoped Systems and Data? If so, are:
G.17.1 Security controls documented?
G.17.1.1 Systems periodically monitored to ensure continued compliance with the documented standards?
G.17.2 Group profile assignments based on constituent role?
G.17.3 Group profile assignments approved?
G.17.4 User profiles created with the principle of least privilege?
G.17.5 Logs regularly reviewed using a specific methodology to uncover potential incidents?
G.17.6 Sufficient information in the logs to evaluate incidents?
G.17.7 Logs retained for a minimum of one year?
G.17.8 System generated alerts in the event of an audit log failure?
G.17.9 Audit logs protected against modification, deletion, and/or inappropriate access?
G.17.10 Minimum password length at least eight characters?
G.17.11 Complex passwords required?
G.17.12 Minimum password expiration at least every 90 days?
G.17.13 Password history of 12 before reuse?
G.17.14 Initial password required to be changed at first logon?
G.17.15 Can a PIN or secret question be a stand alone method of authentication?
G.17.16 Passwords encrypted in transit?
G.17.17 Passwords encrypted or hashed in storage?
G.17.18 Passwords displayed when entered into a system?
G.17.19 User accounts associated to a unique individual?
G.17.20 Does the system lock an account when three to five invalid login attempts are made?
G.17.21 Users required to log off when the session is finished?
G.18 Is an Open VMS (VAX or Alpha) system used to transmit, process or store Scoped Systems and Data? If so, are:
G.18.1 Administrative privilege restricted to those responsible for VMS administration?
G.18.2 Logs regularly reviewed using a specific methodology to uncover potential incidents?
G.18.3 Sufficient information to investigate incidents including (failed login attempts)?
G.18.4 Logs retained for a minimum of one year?
G.18.5 System generated alerts in the event of an audit log failure?
G.18.6 Audit logs protected against modification, deletion, and/or inappropriate access?
G.18.7 Minimum password length at least eight characters?
G.18.8 Complex passwords required?
G.18.9 Minimum password expiration at least every 90 days?
G.18.10 Password history of 12 before reuse?
G.18.11 Initial password required to be changed at first logon?
G.18.12 Can a PIN or secret question be a stand alone method of authentication?
G.18.13 Passwords encrypted in transit?
G.18.14 Passwords encrypted or hashed in storage?
G.18.15 Passwords displayed when entered into a system?
G.18.16 User accounts associated to a unique individual?
G.18.17 Does the system lock an account when three to five invalid login attempts are made?
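The password and lockout questions recur almost verbatim for Windows (G.15.10 to G.15.20), mainframe (G.16.11 to G.16.23), AS400 (G.17.10 to G.17.20) and OpenVMS (G.18.7 to G.18.17). The check below is an added example, not part of the SIG questionnaire: it parses the INF text that `secedit /export /cfg` writes on Windows (a constructed sample is embedded) and scores the `[System Access]` values against the thresholds as the questionnaire states them. The evaluator is platform-neutral; only the parser is Windows-specific, and the question numbers used in the output are the G.15 ones.

```python
"""Evaluate a Windows local security policy export against the SIG password and
lockout questions. Added example, not part of the SIG questionnaire."""
import configparser
from typing import Dict, List, Tuple, Union

# Constructed sample of what `secedit /export /cfg policy.inf` writes (real
# exports are UTF-16 and contain many more sections and keys than shown here).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 180
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Thresholds exactly as the questionnaire states them. MaximumPasswordAge is -1
# in secedit output when passwords never expire, so that check needs a lower bound.
CHECKS: List[Tuple[str, str, str, object]] = [
    ("G.15.10", "MinimumPasswordLength", "minimum length at least 8",       lambda v: v >= 8),
    ("G.15.11", "PasswordComplexity",    "complexity required",             lambda v: v == 1),
    ("G.15.12", "MaximumPasswordAge",    "expires at least every 90 days",  lambda v: 1 <= v <= 90),
    ("G.15.13", "PasswordHistorySize",   "history of at least 12",          lambda v: v >= 12),
    ("G.15.17", "ClearTextPassword",     "no reversible storage",           lambda v: v == 0),
    ("G.15.20", "LockoutBadCount",       "lockout after 3 to 5 failures",   lambda v: 3 <= v <= 5),
]


def parse_secedit(inf_text: str) -> Dict[str, Union[int, str]]:
    """Return the [System Access] section; numeric values become ints."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the exported key case
    cp.read_string(inf_text)
    policy: Dict[str, Union[int, str]] = {}
    for key, value in cp["System Access"].items():
        try:
            policy[key] = int(value)
        except ValueError:
            policy[key] = value.strip('"')
    return policy


def evaluate(policy: Dict[str, Union[int, str]]):
    """Return one (question, key, observed, passed, description) tuple per check.
    A missing or non-numeric key counts as a failure rather than a pass."""
    results = []
    for question, key, desc, ok in CHECKS:
        observed = policy.get(key)
        passed = isinstance(observed, int) and bool(ok(observed))
        results.append((question, key, observed, passed, desc))
    return results


def failures(inf_text: str):
    """Questions the exported policy would force a 'no' answer to."""
    return [r for r in evaluate(parse_secedit(inf_text)) if not r[3]]


if __name__ == "__main__":
    for question, key, observed, passed, desc in evaluate(parse_secedit(SAMPLE_INF)):
        print(f"{'PASS' if passed else 'FAIL'} {question} {key}={observed} ({desc})")
```

On a real host, export with `secedit /export /cfg policy.inf` and read the file with `encoding="utf-16"` before passing it to `parse_secedit`; domain-joined machines should be checked against the effective Group Policy result rather than the local export alone, and G.15.14 (change at first logon) is a per-account flag, not a policy value, so it needs a separate directory query.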
G.19 Are Web services provided? If so, are:
G.19.1 Electronic commerce web sites or applications used to transmit, process or store Scoped Systems and Data?
G.19.1.1 Cryptographic controls used for the electronic commerce application (SSL/TLS)?
G.19.1.2 Users required to authenticate to the application?
G.19.1.3 Transaction details stored in the DMZ?
G.19.2 Is Windows IIS for these Web services used? If so, is:
G.19.2.1 Anonymous access to FTP disabled?
G.19.2.2 Membership to the IIS Administrators group restricted to those with web administration roles and responsibilities?
G.19.2.3 Dedicated virtual directory structure used for each website?
G.19.2.4 Unused services turned off on IIS servers?
G.19.2.5 Services running on standard ports?
G.19.2.6 Logging configured to support incident investigation?
G.19.2.7 Sample applications and scripts removed?
G.19.2.8 Least privilege used when setting IIS content permissions?
G.19.2.9 Content folder on the same drive as the operating system?
G.19.3 Is Apache used for these Web services? If so, is:
G.19.3.1 Logging configured to support incident investigation?
G.19.3.2 Anonymous access to FTP disabled?
G.19.3.3 Membership to the Apache group restricted to those with web administration roles and responsibilities?
G.19.3.4 Dedicated virtual directory structure used for each website?
G.19.3.5 Configuration options restricted to authorized users?
G.19.3.6 Services run on standard ports?
G.19.3.7 Sample applications and scripts removed?
G.19.3.8 Least privilege used when setting permissions?
G.20 Are desktop computers used to transmit, process or store Scoped Systems and Data? If so, is:
G.20.1 Segregation of duties for granting access and approving access?
G.20.2 Segregation of duties for approving and implementing access requests?
G.20.3 User able to use removable media (floppy disk, recordable CD, USB drive) without detection?
G.20.4 User of a system also responsible for reviewing its security audit logs?
G.20.5 Segregation of duties to prevent the user of a system from modifying or deleting its security audit logs?
G.20.6 Standard operating environment required?
G.20.7 Content filtering proxy used prior to accessing the Internet?
G.20.8 Security approval required prior to implementing non-standard operating equipment?
G.20.9 Security approval required prior to implementing freeware or shareware applications?
G.20.10 Non-company managed PCs used to connect to the company network without detection?
G.20.11 Installation of software on company-owned equipment (workstations, mobile devices) restricted to administrators?
G.20.12 Users permitted to execute mobile code?
G.20.13 Mobile devices used?
G.20.14 Encryption used to secure mobile computing devices?
H. Access Control
H.1 Are electronic systems used to transmit, process or store Scoped Systems and Data?
H.1.1 Is there an access control policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
H.1.2 Does access control on applications, operating systems, databases, and network devices ensure users have least privilege?
H.2 Are unique user IDs used for access?
H.2.1 Can a user ID contain personal information (SSN, access level, admin of the user)?
H.2.2 Is an inactive user ID deleted or disabled within 90 days?
H.2.3 Can a user ID be shared?
H.2.4 Is there a process to grant and approve access to systems transmitting, processing or storing Scoped Systems and Data?
H.2.4.1 Does access to electronic systems include a formal request and management approval?
H.2.4.2 Are approved requests for granting access logged, archived and maintained?
H.2.5 Is system access limited by:
H.2.5.1 Time of day?
H.2.5.2 Physical location?
H.2.5.3 Network subnet?
H.2.6 Are user access rights reviewed at least quarterly?
H.2.7 Are access rights reviewed when a constituent changes roles?
H.2.8 Are reviews of privileged systems conducted to ensure unauthorized privileges have not been obtained?
H.2.9 Are privileged user access rights reviewed at least quarterly?
H.2.10 Are changes to privileged user access rights logged?
H.2.11 Are there logon banners for all electronic systems access?
H.2.12 Upon logon failure, does the error message describe the cause of the failure to the user (Invalid password, invalid user ID, etc.)?
H.2.13 Upon successful logon, does a message indicate the last time of successful logon?
H.2.14 Is multi-factor authentication deployed for “high-risk” environments?
H.2.15 Do all users have a unique user ID when accessing applications?
H.2.16 Is the use of system utilities restricted to authorized users only?
H.2.17 Do inactive workstations lock within 15 minutes?
H.2.18 Do inactive sessions timeout within 15 minutes?
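Questions H.2.1, H.2.2, H.2.3, H.2.6 and H.2.9 are the ones an assessor will ask for evidence of, and the evidence is usually a periodic review run over a directory extract. The script below is an added example, not part of the SIG questionnaire: it applies those questions to a constructed list of accounts and emits one finding per question a given ID would fail. The SSN pattern (US 3-2-4 digits) and the treatment of a never-used enabled account as inactive from day zero are assumptions.

```python
"""Periodic user access review against the SIG questions on unique, inactive
and privileged IDs. Added example, not part of the SIG questionnaire."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    user_id: str
    owner: Optional[str]          # individual the ID is assigned to; None = shared/unknown
    enabled: bool
    last_logon: Optional[date]    # None = never logged on
    privileged: bool
    last_review: Optional[date]   # date the access rights were last certified


INACTIVITY_LIMIT = timedelta(days=90)   # H.2.2: inactive IDs disabled within 90 days
REVIEW_INTERVAL = timedelta(days=92)    # H.2.6 / H.2.9: reviewed at least quarterly
# H.2.1: IDs must not embed personal data; an SSN-shaped digit run is the easiest
# case to detect mechanically (assumption: US-style 3-2-4 format, dashes optional).
SSN_PATTERN = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")

Finding = Tuple[str, str, str]   # (user_id, SIG question, detail)


def review(accounts: List[Account], today: date) -> List[Finding]:
    """Return every (user_id, question, detail) the extract would answer 'no' to."""
    findings: List[Finding] = []
    for a in accounts:
        if SSN_PATTERN.search(a.user_id):
            findings.append((a.user_id, "H.2.1", "user ID contains an SSN-shaped number"))
        if a.owner is None:
            findings.append((a.user_id, "H.2.3", "ID not tied to a unique individual (shared)"))
        if not a.enabled:
            continue   # already disabled: nothing further to flag
        # An enabled ID that has never logged on is treated as inactive from day 0
        # (assumption; production tooling would use the creation date instead).
        if a.last_logon is None or today - a.last_logon > INACTIVITY_LIMIT:
            findings.append((a.user_id, "H.2.2", "enabled but inactive for more than 90 days"))
        if a.last_review is None or today - a.last_review > REVIEW_INTERVAL:
            question = "H.2.9" if a.privileged else "H.2.6"
            findings.append((a.user_id, question, "access rights not reviewed this quarter"))
    return findings


TODAY = date(2022, 11, 25)   # constructed review date
SAMPLE_ACCOUNTS = [          # constructed directory extract
    Account("alice", "Alice Ng", True, TODAY - timedelta(days=3), False, TODAY - timedelta(days=20)),
    Account("bob", "Bob Lee", True, TODAY - timedelta(days=120), False, TODAY - timedelta(days=20)),
    Account("svc_backup", None, True, TODAY - timedelta(days=1), True, TODAY - timedelta(days=200)),
    Account("c123-45-6789", "Carol Diaz", True, TODAY - timedelta(days=5), False, TODAY - timedelta(days=10)),
    Account("dan", "Dan Okoro", False, TODAY - timedelta(days=400), False, None),
]

if __name__ == "__main__":
    for user_id, question, detail in review(SAMPLE_ACCOUNTS, TODAY):
        print(f"{question:7} {user_id:14} {detail}")
```

The findings list is the artefact to retain for H.2.4.2 and H.2.10: each run, with its date and the reviewer who signed it off, is the evidence that the quarterly review actually happened.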
H.3 Is application development performed? If so, are developers permitted to:
H.3.1 Access production environments, including read only access?
H.3.2 Access systems and applications based on established profiles that define responsibilities or job functions?
H.3.3 Request or obtain access outside an established role (emergency access)?
H.3.4 Are system, vendor, or service accounts disallowed for normal operations and monitored for usage?
H.4 Are passwords required to access systems transmitting, processing or storing Scoped Systems and Data?
H.4.1 Is there a password policy for systems that transmit, process or store Scoped Systems and Data that has been approved by management and communicated to appropriate constituents? If so, does it include:
H.4.1.1 Keep passwords confidential?
H.4.1.2 Not keep a record of passwords (paper, software file or handheld device)?
H.4.1.3 Change passwords when there is an indication of possible system or password compromise?
H.4.1.4 Change passwords at regular intervals?
H.4.1.5 Change temporary passwords at first logon?
H.4.1.6 Not include passwords in automated logon processes (stored in a macro or function key)?
H.4.1.7 Terminate or secure active sessions when finished?
H.4.1.8 Logoff terminals, PC or servers when the session is finished?
H.4.1.9 Lock (using key lock or equivalent control) when systems are unattended?
H.4.1.10 Prohibit users from sharing passwords?
H.4.2 Are strong passwords required on systems transmitting, processing or storing Scoped Systems and Data?
H.4.3 Are password files and application system data stored in different file systems?
H.4.4 Are user ID and passwords communicated/distributed via separate media (e-mail and phone)?
H.4.5 Are new constituents issued random initial single use passwords?
H.4.6 Do temporary passwords expire within 10 days?
H.4.7 Is a user’s identity verified prior to resetting a password?
H.4.8 Are vendor default passwords removed, disabled or changed prior to placing the device or system into production?
H.4.9 Is password reset authority restricted to authorized persons and/or an automated password reset tool?
H.5 Is remote access permitted?
H.5.1 Is there a remote access policy for systems transmitting, processing and storing Scoped Systems and Data that has been approved by management and communicated to appropriate constituents?
H.5.2 Is split tunneling or bridged internet connections allowed by policy and/or technical control?
H.5.3 Is only company owned equipment permitted to connect remotely?
H.5.4 Is remote desktop technology (Citrix) used to access the network remotely?
H.5.5 Are remote users prevented from copying data to remote devices?
H.5.6 Are encrypted communications required for all remote connections?
H.5.7 Is multi-factor authentication required for remote access?
I. Information Systems Acquisition Development & Maintenance
I.1 Are business information systems used to transmit, process or store Scoped Systems and Data? If so, are:
I.1.1 Security requirements documented?
I.1.2 Information security reviews conducted and approved for the use or installation of open source software (Linux, Apache, etc.)?
I.2 Is application development performed? If so, does it provide:
I.2.1 Independent security evaluation or certification?
I.2.2 Formal application methodology (OWASP)?
I.2.3 An authenticated and maintained state for every data transaction?
I.2.4 A means for secure session management?
I.2.5 Comprehensive secure error handling?
I.2.6 Audit log failures and generate an alert?
I.2.7 Is there a formal Software Development Life Cycle (SDLC) process? If so, does it include:
I.2.7.1 Peer code review, integration testing, and acceptance testing?
I.2.7.2 Separate source code repositories for production and non-production?
I.2.8 Do IT support personnel have access to program source libraries?
I.2.9 Is all access to program source libraries logged?
I.2.10 Are change control procedures required for all changes to the production environment?
I.2.11 Do applications provide granular and comprehensive logging?
I.2.12 Are application sessions set to time out within 15 minutes or less?
I.2.13 Is application development performed by third-party / outsourced developers onshore?
I.2.14 Is application development performed by third-party / outsourced developers offshore?
I.2.15 Are there access controls to protect source code and test data?
I.2.16 Does the version management system provide segregation of code, data and environments?
I.2.17 Do changes to applications or application code go through a risk assessment including application testing?
I.2.18 Is Scoped Systems and Data ever used in the test, development, or QA environments? If so, is:
I.2.18.1 Authorization required when production data is copied to the test environment?
I.2.18.2 Test data destroyed following the testing phase?
I.2.18.3 Test data masked or obfuscated during the testing phase?
I.2.18.4 Copying to the test environment logged?
I.2.19 Are access control procedures the same for both the test and production environment?
I.2.20 Prior to implementation, do applications go through a risk assessment and approval by security?
I.2.21 Is Internet facing software and infrastructure tested prior to implementation? If so, does the testing include:
I.2.21.1 Issue tracking and resolution?
I.2.21.2 Metrics on software defects and release incidents?
I.2.22 Is there a documented change management / change control process? If so, does it include:
I.2.22.1 Testing prior to deployment?
I.2.22.2 Management approval prior to deployment?
I.2.22.3 Establishment of restart points?
I.2.22.4 Management approval for changes?
I.2.22.5 Requirements for the transfer of software from development to production?
I.2.22.6 Review of code changes by information security?
I.2.22.7 Stakeholder communication and/or approvals?
I.2.22.8 A list of individuals authorized to approve changes?
I.2.22.9 An impact assessment to review all affected systems and applications?
I.2.22.10 Documentation for all system changes?
I.2.22.11 Version control for all software?
I.2.22.12 Logging of all change requests?
I.2.22.13 Changes only take place during specified and agreed upon times (green zone)?
I.2.22.14 Modifications and changes to software are strictly controlled?
I.2.23 Are audit logs maintained and reviewed for all program library updates?
I.2.24 Are compilers, editors or other development tools present in the production environment?
I.3 Are systems and applications patched? If so, does the process include:
I.3.1 Testing of patches, service packs, and hot fixes prior to installation?
I.3.2 Evaluation and prioritization of vulnerabilities?
I.3.3 Logging?
I.3.4 Priority patching of high-risk systems first?
I.3.5 Are third party alert services used to keep up to date with the latest vulnerabilities?
I.4 Is a web site supported, hosted or maintained that has access to Scoped Systems and Data? If so, are these controls in place:
I.4.1 Regular penetration tests executed against web-based applications?
I.4.2 Physical separation of server components (web, application, database)?
I.4.3 Web applications configured to follow best practices or security guidelines (OWASP)?
I.4.4 Data input into applications validated for accuracy?
I.4.5 Do validation checks include cross site scripting and SQL injections?
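I.4.4 and I.4.5 are usually answered "yes" on the strength of a validation library alone, which is not enough: the injection classes named in I.4.5 are defeated by how the value is used, not only by how it is checked. The code below is an added example, not part of the SIG questionnaire or any product it describes: an allow-list validator (the username format is an assumption), then the string-built query and the raw HTML echo beside their parameterised and output-encoded counterparts, run against a constructed in-memory SQLite table and two classic payloads.

```python
"""Input validation plus injection-safe handling, the vulnerable form beside the
hardened one. Added example, not part of the SIG questionnaire."""
import html
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


# I.4.4: validate for accuracy with an allow-list (assumed username format).
USERNAME = re.compile(r"[a-z][a-z0-9_]{2,31}")


def is_valid_username(name: str) -> bool:
    return USERNAME.fullmatch(name) is not None


# I.4.5, SQL injection: the query text is assembled from the caller's input.
def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


# Hardened: the value is bound as a parameter, so it can never become SQL.
# Validation is still applied first (defence in depth), but it is the binding
# that actually removes the injection.
def lookup_hardened(conn: sqlite3.Connection, name: str) -> List[str]:
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]


# I.4.5, cross-site scripting: input echoed into HTML unchanged.
def render_vulnerable(name: str) -> str:
    return f"<p>Hello, {name}</p>"


# Hardened: encode for the HTML context the value lands in (element content).
# Attribute, URL and JavaScript contexts each need their own encoding.
def render_hardened(name: str) -> str:
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    db = make_db()
    print("valid input? ", is_valid_username(SQLI_PAYLOAD))
    print("vulnerable:  ", lookup_vulnerable(db, SQLI_PAYLOAD))   # every row leaks
    print("hardened:    ", lookup_hardened(db, SQLI_PAYLOAD))     # nothing
    print(render_vulnerable(XSS_PAYLOAD))
    print(render_hardened(XSS_PAYLOAD))
```

The penetration tests in I.4.1 should exercise exactly these two paths: a tester who can make `lookup_vulnerable` return both rows, or see their `<script>` tag rendered back unencoded, has a finding regardless of what the validation layer claims.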
I.5 Are vulnerability tests (internal/external) performed on all applications at least annually? If so, are there:
I.5.1 Results tracked, remediated and reported to management?
I.5.2 Processes to manage threat and vulnerability assessment tools and the data they collect?
I.6 Are encryption tools managed and maintained for Scoped Data? If so, is there:
I.6.1 An encryption policy?
I.6.2 Encryption in storage / at rest?
I.6.3 Is encrypted Scoped Data ever visible in clear text by anyone including systems administrators?
I.6.4 Centralized key management system?
I.6.5 Encryption keys encrypted at rest and when transmitted?
I.6.6 Segregation of duties between key management duties and normal operational duties?
I.6.7 Key/certificate sharing between production and non-production?
I.6.8 Default certificates provided by vendors replaced with proprietary certificates?
I.6.9 Segregation of access to both parts of a symmetric key?
I.6.10 Asymmetric encryption key length a minimum of 256 bit (a figure that applies to elliptic-curve keys; RSA keys need at least 2048 bits)?
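I.6.6 and I.6.9 together describe split knowledge and dual control: no single custodian should ever hold a usable symmetric key. The code below is an added example, not part of the SIG questionnaire or any vendor's key-management product: it splits a key into XOR components, one per custodian, rebuilds it only when every component is present, and derives a short key check value each custodian can record without exposing the material. The XOR scheme and the HMAC-based check value are my choices (banking practice typically uses an AES-based KCV, which the standard library does not provide).

```python
"""Split knowledge for a symmetric key: the key exists only when every custodian's
component is combined, so no one person holds it. Added example, not part of the
SIG questionnaire; the XOR scheme and the HMAC key check value are assumptions."""
import hashlib
import hmac
import secrets
from typing import List


def split_key(key: bytes, parts: int = 2) -> List[bytes]:
    """Return `parts` components whose XOR is `key`.

    All but the last component are uniformly random, so any subset short of the
    full set is statistically independent of the key (one-time-pad argument)."""
    if parts < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for c in components:
        last = bytes(a ^ b for a, b in zip(last, c))
    return components + [last]


def combine_key(components: List[bytes]) -> bytes:
    """Rebuild the key from all components (inside an HSM or key ceremony in practice)."""
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("component lengths differ")
    key = bytes(length)
    for c in components:
        key = bytes(a ^ b for a, b in zip(key, c))
    return key


def key_check_value(key: bytes) -> str:
    """Short fingerprint a custodian records to prove a component or the assembled
    key is intact without revealing it. Assumption: HMAC-SHA256 over a fixed
    label, truncated to 6 hex digits as KCVs conventionally are."""
    return hmac.new(key, b"key-check-value", hashlib.sha256).hexdigest()[:6]


if __name__ == "__main__":
    master = secrets.token_bytes(32)        # constructed 256-bit symmetric key
    parts = split_key(master, 3)
    print("assembled KCV:", key_check_value(master))
    for i, p in enumerate(parts, 1):
        print(f"custodian {i} component KCV:", key_check_value(p))
    assert combine_key(parts) == master
```

The segregation I.6.6 asks for is enforced procedurally: each component is handed to a different custodian, none of whom is also an operator of the system that consumes the assembled key, and the combination step happens only inside the key-management system or a witnessed ceremony.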
J. Incident Event and Communications Management
J.1 Is there an Incident Management program?
J.1.1 Is there a documented policy for incident management that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
J.1.2 Is there a formal Incident Response Plan. If so, does it include:
J.1.2.1 Reporting procedure for an information security event?
J.1.2.2 Escalation procedure?
J.1.2.3 An Incident / Event Response team with defined roles and response related qualifications available 24x7x365?
J.1.2.4 Procedures to collect and maintain a chain of custody for evidence during incident investigation?
J.1.2.5 Feedback process to ensure those reporting information security events are notified of the results after the issue has been dealt with and closed?
J.1.2.6 Event reporting mechanism to support the reporting action, and to list all necessary actions in case of an information security event?
J.1.2.7 Actions to be taken in the event of an information security event?
J.1.2.8 Formal disciplinary process for dealing with those who commit a security breach?
J.1.2.9 Process for assessing and executing client and third party notification requirements (legal, regulatory, and contractual)?
J.1.2.10 Postmortem to include root cause analysis and remediation plan, provided to leadership?
J.1.2.11 Is there an incident identification process? If so, does it include:
J.1.2.11.1 Unauthorized physical access?
J.1.2.11.2 Information system failure or loss of service?
J.1.2.11.3 Malware activity (anti-virus, worms, Trojans)?
J.1.2.11.4 Denial of service?
J.1.2.11.5 Errors resulting from incomplete or inaccurate business data?
J.1.2.11.6 Breach or loss of confidentiality?
J.1.2.11.7 System exploit?
J.1.2.11.8 Unauthorized logical access or use of system resources?
J.1.2.11.9 Containment?
J.1.2.11.10 Remediation?
J.1.2.11.11 Notification of stakeholders?
J.1.2.11.12 Tracking?
J.1.2.11.13 Repair?
J.1.2.11.14 Recovery?
J.1.2.11.15 Feedback and lessons learned?
J.1.2.11.16 Unique, specific, applicable data breach notification requirements, including timing of notification (HIPAA/HITECH, state breach laws, client contracts)?
J.1.2.11.17 Annual testing of the procedures?
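J.1.2.4 asks for a chain of custody, which in practice means two things: a hash of the evidence taken at acquisition, and a record of every hand-off that cannot be edited after the fact without detection. The code below is an added example, not part of the SIG questionnaire: a hash-chained custody ledger in which each entry commits to the evidence hash and to the previous entry, with a verifier that reports the first broken link. The field names, sample events and timestamps are constructed.

```python
"""Hash-chained chain-of-custody record for a piece of evidence. Added example,
not part of the SIG questionnaire; field names and the sample events are constructed."""
import hashlib
import json
from typing import Dict, List, Optional

Entry = Dict[str, str]
GENESIS = "0" * 64
FIELDS = ("prev", "evidence_sha256", "action", "handler", "when")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: Entry) -> str:
    """Canonical hash over the committed fields (sorted keys, no whitespace games)."""
    body = {k: entry[k] for k in FIELDS}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def record(ledger: List[Entry], evidence: bytes, action: str, handler: str, when: str) -> List[Entry]:
    """Append a custody event; each entry commits to the evidence hash and the previous entry."""
    entry = {
        "prev": ledger[-1]["hash"] if ledger else GENESIS,
        "evidence_sha256": sha256_hex(evidence),
        "action": action,
        "handler": handler,
        "when": when,  # ISO 8601 timestamp supplied by the caller
    }
    entry["hash"] = _entry_hash(entry)
    ledger.append(entry)
    return ledger


def verify(ledger: List[Entry], evidence: bytes) -> Optional[str]:
    """Return None if the ledger is intact and matches `evidence`, else the first problem found."""
    expected_prev = GENESIS
    current = sha256_hex(evidence)
    for i, e in enumerate(ledger):
        if e.get("hash") != _entry_hash(e):
            return f"entry {i} altered"
        if e["prev"] != expected_prev:
            return f"entry {i} does not link to the previous entry"
        if e["evidence_sha256"] != current:
            return f"entry {i} evidence hash does not match the item"
        expected_prev = e["hash"]
    return None


EVIDENCE = b"constructed stand-in for a disk image or log export"


def build_sample_ledger() -> List[Entry]:
    """Acquisition, transfer to the locker, and check-out for analysis."""
    ledger: List[Entry] = []
    record(ledger, EVIDENCE, "acquired", "j.doe (IR analyst)", "2022-11-25T17:16:00Z")
    record(ledger, EVIDENCE, "transferred", "evidence locker", "2022-11-25T18:02:00Z")
    record(ledger, EVIDENCE, "checked out for analysis", "a.smith (forensics)", "2022-11-26T09:30:00Z")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact:", verify(ledger, EVIDENCE))
    ledger[1]["handler"] = "unknown"
    print("after edit:", verify(ledger, EVIDENCE))
```

A hash chain alone only proves that nobody edited an entry without recomputing everything after it; to make the record stand up, the ledger (or at least each day's final hash) has to be signed or written to storage the handlers cannot rewrite, which is the "maintain" half of J.1.2.4.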
J.1.3 Are the following considered Information Security events:
J.1.3.1 Loss of service (equipment or facility)?
J.1.3.2 System malfunction or overload?
J.1.3.3 Human error?
J.1.3.4 Non-compliance with policy or guidelines?
J.1.3.5 Breach of physical security arrangement?
J.1.3.6 Uncontrolled system change?
J.1.3.7 Malfunction of software or hardware?
J.1.3.8 Access violation?
J.1.3.9 Physical asset loss or theft?
K. Business Continuity and Disaster Recovery
K.1 Is there a documented policy for business continuity and disaster recovery that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
K.1.1 Has a third party evaluated the BC/DR Program within the past 12 months?
K.1.2 Is there a BC/DR Program that has been approved by management, communicated to appropriate constituents and an owner or group to maintain and review the plan? If so, does it include:
K.1.2.1 Annual management review of the BC program for adequacy of resources (people, technology, facilities, and funding)?
K.1.2.2 Virtual or physical command center where management can meet, organize, and conduct emergency operations in a secure setting?
K.1.2.3 The product or service in scope have an assured business continuity capability?
K.1.2.4 Conditions for activating the plan, and the associated roles and responsibilities?
K.1.2.5 Maintenance schedule to revise and test the plan?
K.1.2.6 Awareness and education activities?
K.1.2.7 Roles and responsibilities for those who invoke and execute the plan?
K.1.2.8 Change management to ensure changes are replicated to contingency environments?
K.1.2.9 Identification of applications, equipment, facilities, personnel, supplies and vital records necessary for recovery?
K.1.2.10 Updates from the inventory of IT and telecom assets?
K.1.2.11 Alternate and diverse means of communications in the event standard communication channels are unavailable?
K.1.2.12 Interaction with the media during an event?
K.1.2.13 Resumption procedures to return to normal business operations?
K.1.2.14 Notification and escalation to clients?
K.1.2.15 Dependencies upon critical service providers. If so, does it include:
K.1.2.15.1 Contact information for key personnel, which is updated at least annually?
K.1.2.15.2 Notification and escalation?
K.1.2.15.3 Communication in the event of a disruption at their facility?
K.1.2.15.4 Capabilities adequate to support the plan through contract requirements, SAS 70 reviews or both?
K.1.2.15.5 Notification when their BCP is modified?
K.1.2.16 Annual review which includes: critical functions, organizational structure and personnel changes?
K.1.3 Is there an annual schedule of required tests? If so, does it include:
K.1.3.1 Test objectives for a technology outage, loss of facility or personnel, identification of parties involved, and the evaluation of testing results?
K.1.4 Are BC/DR tests conducted at least annually? If so, do they include:
K.1.4.1 Evacuation drills?
K.1.4.2 Notification tests?
K.1.4.3 Tabletop exercises?
K.1.4.4 Application recovery tests?
K.1.4.5 Remote access tests?
K.1.4.6 Full scale exercises?
K.1.4.7 Business relocation test?
K.1.4.8 Business disruptions?
K.1.4.9 Data center failover test?
K.1.4.10 Critical service providers included in testing?
K.1.4.11 Recovery site tests?
K.1.4.12 Assessment of the ability to retrieve vital records?
K.2 Is there a Pandemic Plan? If so, does it include:
K.2.1 Trigger points for activating the plan?
K.2.2 Travel and visitor restrictions?
K.2.3 Cleaning and disinfecting protocols?
K.2.4 Pandemic-specific HR policies and procedures?
K.2.5 Specific "Social Distancing" criteria / techniques (work from home)?
K.2.6 Personal protective equipment for constituents (face masks)?
K.2.7 Special food handling in cafeterias?
K.2.8 Seasonal flu vaccinations for constituents?
K.2.9 Annual review?
K.2.10 Periodic testing of the plan?
K.2.11 Verification of critical service provider pandemic plans?
K.2.12 Business Impact Analysis?
K.3 Is a Business Impact Analysis conducted at least annually? If so, does it include:
K.3.1 Business Process Criticality (high, medium, low or numerical rating) that distinguishes the relative importance of each process?
K.3.2 Recovery Time Objective?
K.3.3 Recovery Point Objective?
K.3.4 Maximum allowable downtime?
K.3.5 Impact to clients?
L. Compliance
L.1 Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues?
L.2 Are audits performed to ensure compliance with any legal, regulatory or industry requirements?
L.3 Is there a process used to manage the controls on a life cycle basis?
L.4 Are there procedures to ensure compliance with legislative, regulatory, and contractual requirements on the use of material where intellectual property rights may be applied and on the use of proprietary software products?
L.5 Is there a records retention policy covering paper and electronic records, including email, in support of applicable regulations, standards and contractual requirements?
L.6 Are encryption tools managed and maintained?
L.7 Does management regularly review the compliance of information processing within their area of responsibility with the appropriate security policies, standards, and any other security requirements?
L.8 Has a review of security policies, standards, procedures, and/or guidelines been performed within the last 12 months?
L.9 Are information systems regularly checked for compliance with security implementation standards?
L.10 Has a network penetration test been conducted within the last 12 months?
L.11 Is there an independent audit function within the organization?
L.12 Are information systems audit tools (e.g., software or data files) protected and separated from development and operational systems, and not held in tape libraries or user areas?
P. Privacy
P.1 Is there a dedicated person (or group) responsible for privacy compliance? If yes, describe. If no, explain reason.
P.2 Is there a formally documented privacy policy (or policies)? If yes, describe. If no, explain reason.
P.2.1 Is the privacy policy (or policies) reviewed by a licensed, qualified attorney?
P.2.2 Is the privacy policy (or policies) approved by the organization’s senior management?
P.2.3 Is the privacy policy (or policies) reviewed and revised (as needed) on a regular basis (e.g. annually)?
P.3 Are there regular privacy risk assessments? If yes, provide frequency and scope. If no, explain reason.
P.3.1 Are identified privacy risks and associated mitigation plans formally documented?
P.3.2 Are reasonable resources (in time and money) allocated to mitigating identified privacy risks?
P.4 Is there formal privacy awareness training for employees, contractors, volunteers (and other parties, as appropriate)? If yes, provide frequency and scope. If no, explain reason.
P.4.1 Is proof of privacy training formally documented and appropriately retained?
P.4.2 Is privacy training updated as needed?
P.4.3 Are employees, contractors, volunteers (and other parties, as appropriate) re-trained when privacy training is updated?
P.5 Is personal information about individuals transmitted to or received from non-US countries? If yes, identify the countries.
P.6 Is there a process for responding to a privacy incident? If yes, describe. If no, explain reason.
P.6.1 Are privacy incident response plans formally documented and updated regularly?
P.7 Is personal information collected directly from individuals as a service to the client? If yes, describe the information collected.
P.7.1 Are controls in place to ensure that the collection of personal information is limited to the contract between the client and service provider?
P.7.2 Are controls in place to ensure that the collection of personal information is fair and lawful?
P.7.3 Are controls in place to ensure that third parties contracted by the service provider collect information fairly and lawfully?
P.7.4 If personal information is collected directly from individuals as a service to the client, are individuals from whom personal information is collected provided with appropriate notice? If yes, describe. If no, explain reason.
P.7.4.1 Does the notice describe the types of personal information collected?
P.7.4.2 Does the notice describe purposes for which the information will be used?
P.7.4.3 Does the notice describe the categories of people within the organization who will have access to the information?
P.7.4.4 Does the notice describe categories of third parties with which the information will be shared?
P.7.4.5 Does the notice describe the length of time that the information will be retained?
P.7.4.6 Does the notice provide details on the access and correction rights available to the individual?
P.7.4.7 Does the notice describe an individual's right to object to certain types of processing of their information (e.g., direct marketing)?
P.7.4.8 Does the notice describe the countries in which the information will be accessible or to which the information will be transferred?
P.7.4.9 Does the notice provide contact information for questions or complaints?
P.7.4.10 Is the notice provided to individuals prior to or at the time of collection?
P.7.4.11 Is the notice provided in the local language or in the same language as other employment documents (in the case of employees) or marketing materials (in the case of customers)?
P.7.4.12 If business practices change with respect to individual notice, are individuals provided a revised notice prior to implementation of the changes?
P.7.5 Is the notice reviewed and updated (as needed) at least annually? If yes, describe. If no, explain reason.
P.7.5.1 Is the notice reviewed by a licensed, qualified attorney?
P.7.6 If personal information is collected directly from individuals as a service to the client, are individuals from whom personal information is collected provided with appropriate choice and consent options? If yes, describe. If no, explain reason.
P.7.6.1 Is the choice and consent language included on the privacy policy?
P.7.6.2 Does the choice and consent language cover the collection, use, and cross-border transfer of personal information?
P.7.6.3 Are there documented processes to allow an individual to remove his/her consent to share personal information?
P.7.6.4 Are there documented processes to facilitate the granting or withdrawal of consent to/from the service provider's third party contractors?
P.7.6.5 Are there controls to ensure that choice and consent language is followed?
P.7.6.6 Are there any exemptions or restrictions regarding an individual's choice and/or consent to allow the service provider to share personal information?
P.8 Is there a document retention program that isolates protected subsets of sensitive or confidential information for special handling? If yes, identify the subsets and describe the process for isolating these subsets.
P.9 If the service provider hosts and/or maintains (as a service to the client) data about an individual, does the organization provide appropriate controls to ensure the privacy of that data? If yes, describe. If no, explain reason.
P.9.1 Are there processes in place that enable individuals to access and update their personal information?
P.9.2 Are there processes in place and communicated so that individuals can request and review their personal information maintained by the service provider?
P.9.3 Are there processes in place to confirm the identity of individuals who request access prior to providing such personal information?
P.9.4 Are there processes in place or mechanisms to allow individuals to update or correct personal information held by the service provider?
P.9.5 Are there measures in place to limit what personal information an individual has the ability to modify or correct?
P.10 Is personal information - provided by the client - shared with other third parties within the US only? If yes, describe.
P.11 Is personal information - provided by the client - shared with other third parties outside of the US? If yes, list countries.
P.12 Are there appropriate contractual controls to ensure that personal information shared with other third parties is appropriately protected by the third party? If yes, describe. If no, explain reason.
P.12.1 Do contracts or agreements with other third parties include privacy provisions if required?
P.12.2 Are there appropriate contractual controls to ensure that personal information shared with other third parties is limited to defined parameters for access, use and disclosure? If yes, describe. If no, explain reason.
P.12.3 Is there a remediation plan to address other third-party misuse and/or breach of personal information? If yes, describe. If no, explain reason.
P.13 Are there documented controls and procedures to appropriately safeguard personal information about individuals? If yes, describe. If no, explain reason.
P.14 Does the information security program address the protection of personal information separately from other information (such as proprietary business information)? If yes, describe. If no, explain reason.
P.15 Does the information security function regularly communicate and collaborate with the privacy function (if the two functions are separate)? If yes, describe. If no, explain reason.
P.16 Is there a process for ensuring the accuracy and currency of personal information at the direction of the client? If yes, describe. If no, explain reason.
P.16.1 Is there a process to inform an individual supplying his/her personal information that he/she is responsible for the accuracy of such information? If yes, describe. If no, explain reason.
P.16.2 Is there a process to inform an individual that he/she is responsible for informing the organization of needed corrections to his/her personal information? If yes, describe. If no, explain reason.
P.17 Is there a process to ensure that the personal information provided by an individual is limited for the purposes described in the organization's privacy notice? If yes, describe. If no, explain reason.
P.18 Are employees, contractors, volunteers (and other parties, as appropriate) regularly monitored for privacy compliance? If yes, describe. If no, explain reason.
P.19 Are third-party service providers regularly monitored for privacy compliance? If yes, describe. If no, explain reason.
P.20 Are appropriate sanctions applied to employees, contractors, volunteers (and other parties, as appropriate) who violate privacy policies? If yes, describe process. If no, explain reason.
P.21 Is there a process for employees, contractors, volunteers (and other parties, as appropriate) to notify privacy compliance personnel of an actual or suspected privacy breach? If yes, describe. If no, explain reason.
SIG Lite
A. Risk Assessment and Treatment
SL.1 Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program?
B. Security Policy
SL.2 Is there an information security policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
SL.3 Have the policies been reviewed in the last 12 months?
C. Organizational Security
SL.4 Is there an information security function responsible for security initiatives within the organization?
SL.5 Do external parties have access to Scoped Systems and Data or processing facilities?
D. Asset Management
SL.6 Is there an asset management policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
SL.7 Are information assets classified?
SL.8 Is there insurance coverage for business interruptions or general services interruption?
E. Human Resource Security
SL.9 Are security roles and responsibilities of constituents defined and documented in accordance with the organization’s information security policy?
SL.10 Is a background screening performed prior to allowing constituent access to Scoped Systems and Data?
SL.11 Are new hires required to sign any agreements upon hire?
SL.12 Is there a security awareness training program?
SL.13 Is there a disciplinary process for non-compliance with information security policies?
SL.14 Is there a constituent termination or change of status process?
F. Physical and Environmental Security
SL.15 Is there a physical security program?
SL.16 Are reasonable physical security and environmental controls present in the building/data center that contains Scoped Systems and Data?
SL.17 Are visitors permitted in the facility?
G. Communications and Operations Management
SL.18 Are management-approved operating procedures utilized?
SL.19 Is there an operational change management / change control policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
SL.20 Is application development performed?
SL.21 Do third-party vendors have access to Scoped Systems and Data (backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, etc.)?
SL.22 Is there an anti-virus / malware policy or program (workstations, servers, mobile devices) that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
SL.23 Are system backups of Scoped Systems and Data performed?
SL.24 Are there external network connections (Internet, intranet, extranet, etc.)?
SL.25 Is wireless networking technology used?
SL.26 Is there a removable media policy or program (CDs, DVDs, tapes, disk drives) that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the policy?
SL.27 Is Scoped Data sent or received electronically or via physical media?
SL.28 Are Web services provided?
H. Access Control
SL.29 Are electronic systems used to transmit, process or store Scoped Systems and Data?
SL.30 Are unique user IDs used for access?
SL.31 Is application development performed?
SL.32 Are passwords required to access systems transmitting, processing or storing Scoped Systems and Data?
SL.33 Is remote access permitted?
I. Information Systems Acquisition Development & Maintenance
SL.34 Are business information systems used to transmit, process or store Scoped Systems and Data?
SL.35 Is application development performed?
SL.36 Is there a formal Software Development Life Cycle (SDLC) process?
SL.37 Are systems and applications patched?
SL.38 Is a web site supported, hosted or maintained that has access to Scoped Systems and Data?
SL.39 Are vulnerability tests (internal/external) performed on all applications at least annually?
SL.40 Are encryption tools managed and maintained for Scoped Data?
J. Incident Event and Communications Management
SL.41 Is there an Incident Management program?
K. Business Continuity and Disaster Recovery
SL.42 Is there a documented policy for business continuity and disaster recovery that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
SL.43 Is there an annual schedule of required tests?
SL.44 Are BC/DR tests conducted at least annually?
SL.45 Is there a Pandemic Plan?
SL.46 Is a Business Impact Analysis conducted at least annually?
L. Compliance
SL.47 Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues?
P. Privacy
SL.48 Is there a dedicated person (or group) responsible for privacy compliance? If yes, describe. If no, explain reason.
SL.49 Is there a formally documented privacy policy (or policies)? If yes, describe. If no, explain reason.
SL.50 Are there regular privacy risk assessments? If yes, provide frequency and scope. If no, explain reason.
SL.51 Is there formal privacy awareness training for employees, contractors, volunteers (and other parties, as appropriate)? If yes, provide frequency and scope. If no, explain reason.
SL.52 Is personal information about individuals transmitted to or received from non-US countries? If yes, identify the countries.
SL.53 Is there a process for responding to a privacy incident? If yes, describe. If no, explain reason.
SL.54 Is personal information collected directly from individuals as a service to the client? If yes, describe the information collected.
SL.55 Is there a document retention program that isolates protected subsets of sensitive or confidential information for special handling? If yes, identify the subsets and describe the process for isolating these subsets.
SL.56 If the service provider hosts and/or maintains (as a service to the client) data about an individual, does the organization provide appropriate controls to ensure the privacy of that data? If yes, describe. If no, explain reason.
SL.57 Is personal information - provided by the client - shared with other third parties within the US only? If yes, describe.
SL.58 Is personal information - provided by the client - shared with other third parties outside of the US? If yes, list countries.
SL.59 Are there appropriate contractual controls to ensure that personal information shared with other third parties is appropriately protected by the third party? If yes, describe. If no, explain reason.
SL.60 Are there documented controls and procedures to appropriately safeguard personal information about individuals? If yes, describe. If no, explain reason.
SL.61 Does the information security program address the protection of personal information separately from other information (such as proprietary business information)? If yes, describe. If no, explain reason.
SL.62 Does the information security function regularly communicate and collaborate with the privacy function (if the two functions are separate)? If yes, describe. If no, explain reason.
SL.63 Is there a process for ensuring the accuracy and currency of personal information at the direction of the client? If yes, describe. If no, explain reason.
SL.64 Is there a process to ensure that the personal information provided by an individual is limited for the purposes described in the organization's privacy notice? If yes, describe. If no, explain reason.
SL.65 Are employees, contractors, volunteers (and other parties, as appropriate) regularly monitored for privacy compliance? If yes, describe. If no, explain reason.
SL.66 Are third-party service providers regularly monitored for privacy compliance? If yes, describe. If no, explain reason.
SL.67 Are appropriate sanctions applied to employees, contractors, volunteers (and other parties, as appropriate) who violate privacy policies? If yes, describe process. If no, explain reason.
SL.68 Is there a process for employees, contractors, volunteers (and other parties, as appropriate) to notify privacy compliance personnel of an actual or suspected privacy breach? If yes, describe. If no, explain reason.