Checks We Perform
Below is a list of all the checks we perform. Select one to view more information.
- All (21)
- Policy Administration (5)
- Laws and Regulations (2)
- Personnel Issues (5)
- Control Requirements (9)
Policy Administration
1.1 Is the scope of the information security policy defined? Does it focus on particular departments, products, or geography?
Description:
An information security policy is key to an effective security compliance management program. The policy should describe the security standards with which the organization intends to comply. It is important to define the scope of your policy according to business needs, organizational structure, and compliance goals to ensure relevant aspects are not excluded.
Laws and Regulations
1.2 Does the policy reference laws, regulations, or standards that impact the organization? (i.e. GLBA, HIPAA, GDPR, PCI DSS, etc.)
Description:
A security compliance program can be impacted by the regulatory or industry requirements facing the business. Specific control requirements, such as those found in frameworks like HIPAA or PCI DSS, should be included in your policies and procedures.
Policy Administration
1.3 Has the policy been reviewed and approved by an appropriate board, executive, or committee? Is there executive endorsement?
Description:
The ultimate responsibility for policy falls on the board and executive management. The policy should document who has the responsibility to review and approve. Review and approval should occur at least annually to ensure your policies are relevant, accurate and current.
Policy Administration
1.4 Does the policy specify how it is distributed and communicated to relevant stakeholders? Is an acknowledgment required?
Description:
Once policies are clearly defined and approved, they must be distributed to stakeholders in a way that is accessible, understandable, and trackable. Capturing the reader's acknowledgement is a must for legal and compliance purposes.
Personnel Issues
1.5 Does the policy specify that discipline is possible for failure to comply?
Description:
Effective internal control involves accountability. Your policies should define standards and allow for corrective measures when employees deviate from expectations. Articulating the progressive methods of discipline brings teeth to the policy.
Policy Administration
1.6 Does the policy assign responsibility for the information security program to and individual, such as a security officer?
Description:
Security compliance management requires leadership and clear communication with stakeholders throughout the organization. Your information security policy should assign responsibility for the security program to at least one of the following roles: A leader with authority to sponsor security compliance projects. This may be an executive or a security compliance steering team with executive support. A compliance manager or managers with information security expertise. The compliance manager is responsible for overseeing compliance projects that integrate security compliance throughout the business.
Policy Administration
1.7 Does the policy outline operationally-independent security reporting lines? Can the security officer communicate directly with the board?
Description:
Separation of duties for compliance and security personnel brings accountability to operational functions. When security or compliance reports to technology leadership, conflicts of interest may arise. At a minimum, a dotted line directly to the board is necessary to communicate findings that compromise the organization's objectives for compliance and results.
Personnel Issues
1.8 How does the policy address security responsibilities for specific positions? Does it address security in development, for example?
Description:
Security is everyone's responsibility but the day-to day security procedures are determined by the respective role. Security responsibilities should be communicated specifically for how it applies to the given role. Many frameworks require specialized training for incident response teams, call center personnel, etc.
Personnel Issues
1.9 Does the policy address security requirements for WFH and remote access capabilities?
Description:
With the increase of remote workplaces comes a number of policies that need to be updated to encourage productivity, security, and efficiency. Whether it's desktops, laptops, tablets, or smartphones, employees must have a clear and thorough understanding of how they should use personal or company devices securely. The information security policy that you've developed for your company should be adjusted to fit the needs of your remote employees by providing a deeper focus on remote security. Defining access controls for remote employees is critical in environments the organization does not fully control.
Control Requirements
1.10 Does the policy define acceptable use of critical systems and company assets?
Description:
Your usage policies should detail acceptable uses of the technology at your organization. Acceptable use policies normally have users agree to not use the services for illegal purposes, not attempt to harm the security of the technology or system, and to report any suspicious activity. Many frameworks require acceptable use be communicated to protect the organization from misuse and unintentional outcomes.
Personnel Issues
1.11 How does the policy address personally owned devices accessing company systems and data?
Description:
Known as a Bring-Your-Own-Device (BYOD) policy, you should define a policy for how, when, and why personally owned devices access company systems and data. These policies should clearly articulate to the end-user the possibility for confiscation and/or investigation, and the legal rights to the digital records kept on the device.
Laws and Regulations
1.12 Does the policy address security requirements for vendors, including due diligence and monitoring?
Description:
Effective compliance management includes the process by which organizations understand and control the risk associated with vendors, third parties, or business partners. While you can outsource processes, you can never outsource responsibility. Your policy should require vendors to understand and follow your requirements and support you in the achievement of compliance objectives.
Personnel Issues
1.13 Does the policy require security training for the workforce? What about job specific training, such as privacy, incident handling, or development?
Description:
Regular training is critical for maintaining awareness of expectations, trends, and threats facing our environment. A security awareness training program is one component that inspires and educates your employees to recognize and defend against threats. Additional types of training to include in policy are data handling procedures, incident handling, secure software development, and other role-specific topics.
Control Requirements
1.14 Does the policy require specific controls, both physical and logical, when accessing critical systems and environments?
Description:
Organizations must align their policies with the control frameworks applicable to their environment. Specific objectives should be communicated by policy so that procedures can be developed to support the expectation. For example, have you implemented a policy to require multi-factor authentication? Ultimately, physical and logical control requirements should be defined so that compliance goals are met.
Control Requirements
1.15 Does the policy provide guidance for password creation, change, and best practices?
Description:
Your information security program should address how your organization expects passwords to be managed. For example, do you have password policy enforcement? Do you have a password reset process? Do you allow fewer change intervals because there is a password breach monitoring process? Employees should clearly understand how to manage their passwords and make changes when compromises occur.
Control Requirements
1.16 Does the policy require audit logs and monitoring for anomalies for all critical systems?
Description:
Policies should require audit and accountability requirements in the form of system logs. Personnel deploying systems and applications should understand the organization’s requirement for log generation, centralization, and alerting to ensure proper configuration. Personnel responsible for monitoring systems need policies and procedures to define what is expected to be monitored and how log reviews occur. This documentation is integral to your network monitoring and incident response programs.
Control Requirements
1.17 Does the policy specify standards for configuring critical systems?
Description:
Manufacturer hardening standards and industry best practices are great benchmarks for system configuration. A good policy requires alignment with these industry standards and procedures guide the implementation steps for maintaining secure configuration.
Control Requirements
1.18 Does the policy address expectations for removable media usage, logging, and tracking?
Description:
It is important to communicate requirements in policies, so personnel are clear on how to protect against data loss. Empower your people to understand when and how removable media can be used. Instill the need for logging and tracking its use for compliance purposes to reduce the potential for data loss.
Control Requirements
1.19 Does the policy provide guidance for when and how to apply protections to sensitive data, such as encryption standards?
Description:
Your personnel hold the keys to protecting data during storage and transmission. Educating them on proper protection methodologies, such as encryption, is a must. Your policies and procedures should guide them on how and when to apply protections to protect against data loss.
Control Requirements
1.20 Does the policy specify security requirements when acquiring or developing new systems?
Description:
Any new system or application that is acquired or developed should be onboarded to the organization's security standards. Your policies should guide the personnel responsible for selecting these systems to ensure they can comply with the policies. The development team should follow policy to incorporate security in development. Testing strategies should be included in your policies so new systems are required to go through an evaluation to ensure proper security configuration.
Control Requirements
1.21 Does the policy address the risk of AI and provide guidance for employee acceptable use, data transfers to vendors, and controls to implement when using AI?
Description:
Detailed description coming soon.Policy Administration
1.1 Is the scope of the information security policy defined? Does it focus on particular departments, products, or geography?
Description:
An information security policy is key to an effective security compliance management program. The policy should describe the security standards with which the organization intends to comply. It is important to define the scope of your policy according to business needs, organizational structure, and compliance goals to ensure relevant aspects are not excluded.
Policy Administration
1.3 Has the policy been reviewed and approved by an appropriate board, executive, or committee? Is there executive endorsement?
Description:
The ultimate responsibility for policy falls on the board and executive management. The policy should document who has the responsibility to review and approve. Review and approval should occur at least annually to ensure your policies are relevant, accurate and current.
Policy Administration
1.4 Does the policy specify how it is distributed and communicated to relevant stakeholders? Is an acknowledgment required?
Description:
Once policies are clearly defined and approved, they must be distributed to stakeholders in a way that is accessible, understandable, and trackable. Capturing the reader's acknowledgement is a must for legal and compliance purposes.
Policy Administration
1.6 Does the policy assign responsibility for the information security program to and individual, such as a security officer?
Description:
Security compliance management requires leadership and clear communication with stakeholders throughout the organization. Your information security policy should assign responsibility for the security program to at least one of the following roles: A leader with authority to sponsor security compliance projects. This may be an executive or a security compliance steering team with executive support. A compliance manager or managers with information security expertise. The compliance manager is responsible for overseeing compliance projects that integrate security compliance throughout the business.
Policy Administration
1.7 Does the policy outline operationally-independent security reporting lines? Can the security officer communicate directly with the board?
Description:
Separation of duties for compliance and security personnel brings accountability to operational functions. When security or compliance reports to technology leadership, conflicts of interest may arise. At a minimum, a dotted line directly to the board is necessary to communicate findings that compromise the organization's objectives for compliance and results.
Laws and Regulations
1.2 Does the policy reference laws, regulations, or standards that impact the organization? (i.e. GLBA, HIPAA, GDPR, PCI DSS, etc.)
Description:
A security compliance program can be impacted by the regulatory or industry requirements facing the business. Specific control requirements, such as those found in frameworks like HIPAA or PCI DSS, should be included in your policies and procedures.
Laws and Regulations
1.12 Does the policy address security requirements for vendors, including due diligence and monitoring?
Description:
Effective compliance management includes the process by which organizations understand and control the risk associated with vendors, third parties, or business partners. While you can outsource processes, you can never outsource responsibility. Your policy should require vendors to understand and follow your requirements and support you in the achievement of compliance objectives.
Personnel Issues
1.5 Does the policy specify that discipline is possible for failure to comply?
Description:
Effective internal control involves accountability. Your policies should define standards and allow for corrective measures when employees deviate from expectations. Articulating the progressive methods of discipline brings teeth to the policy.
Personnel Issues
1.8 How does the policy address security responsibilities for specific positions? Does it address security in development, for example?
Description:
Security is everyone's responsibility but the day-to day security procedures are determined by the respective role. Security responsibilities should be communicated specifically for how it applies to the given role. Many frameworks require specialized training for incident response teams, call center personnel, etc.
Personnel Issues
1.9 Does the policy address security requirements for WFH and remote access capabilities?
Description:
With the increase of remote workplaces comes a number of policies that need to be updated to encourage productivity, security, and efficiency. Whether it's desktops, laptops, tablets, or smartphones, employees must have a clear and thorough understanding of how they should use personal or company devices securely. The information security policy that you've developed for your company should be adjusted to fit the needs of your remote employees by providing a deeper focus on remote security. Defining access controls for remote employees is critical in environments the organization does not fully control.
Personnel Issues
1.11 How does the policy address personally owned devices accessing company systems and data?
Description:
Known as a Bring-Your-Own-Device (BYOD) policy, you should define a policy for how, when, and why personally owned devices access company systems and data. These policies should clearly articulate to the end-user the possibility for confiscation and/or investigation, and the legal rights to the digital records kept on the device.
Personnel Issues
1.13 Does the policy require security training for the workforce? What about job specific training, such as privacy, incident handling, or development?
Description:
Regular training is critical for maintaining awareness of expectations, trends, and threats facing our environment. A security awareness training program is one component that inspires and educates your employees to recognize and defend against threats. Additional types of training to include in policy are data handling procedures, incident handling, secure software development, and other role-specific topics.
Control Requirements
1.10 Does the policy define acceptable use of critical systems and company assets?
Description:
Your usage policies should detail acceptable uses of the technology at your organization. Acceptable use policies normally have users agree to not use the services for illegal purposes, not attempt to harm the security of the technology or system, and to report any suspicious activity. Many frameworks require acceptable use be communicated to protect the organization from misuse and unintentional outcomes.
Control Requirements
1.14 Does the policy require specific controls, both physical and logical, when accessing critical systems and environments?
Description:
Organizations must align their policies with the control frameworks applicable to their environment. Specific objectives should be communicated by policy so that procedures can be developed to support the expectation. For example, have you implemented a policy to require multi-factor authentication? Ultimately, physical and logical control requirements should be defined so that compliance goals are met.
Control Requirements
1.15 Does the policy provide guidance for password creation, change, and best practices?
Description:
Your information security program should address how your organization expects passwords to be managed. For example, do you have password policy enforcement? Do you have a password reset process? Do you allow fewer change intervals because there is a password breach monitoring process? Employees should clearly understand how to manage their passwords and make changes when compromises occur.
Control Requirements
1.16 Does the policy require audit logs and monitoring for anomalies for all critical systems?
Description:
Policies should require audit and accountability requirements in the form of system logs. Personnel deploying systems and applications should understand the organization’s requirement for log generation, centralization, and alerting to ensure proper configuration. Personnel responsible for monitoring systems need policies and procedures to define what is expected to be monitored and how log reviews occur. This documentation is integral to your network monitoring and incident response programs.
Control Requirements
1.17 Does the policy specify standards for configuring critical systems?
Description:
Manufacturer hardening standards and industry best practices are great benchmarks for system configuration. A good policy requires alignment with these industry standards and procedures guide the implementation steps for maintaining secure configuration.
Control Requirements
1.18 Does the policy address expectations for removable media usage, logging, and tracking?
Description:
It is important to communicate requirements in policies, so personnel are clear on how to protect against data loss. Empower your people to understand when and how removable media can be used. Instill the need for logging and tracking its use for compliance purposes to reduce the potential for data loss.
Control Requirements
1.19 Does the policy provide guidance for when and how to apply protections to sensitive data, such as encryption standards?
Description:
Your personnel hold the keys to protecting data during storage and transmission. Educating them on proper protection methodologies, such as encryption, is a must. Your policies and procedures should guide them on how and when to apply protections to protect against data loss.
Control Requirements
1.20 Does the policy specify security requirements when acquiring or developing new systems?
Description:
Any new system or application that is acquired or developed should be onboarded to the organization's security standards. Your policies should guide the personnel responsible for selecting these systems to ensure they can comply with the policies. The development team should follow policy to incorporate security in development. Testing strategies should be included in your policies so new systems are required to go through an evaluation to ensure proper security configuration.
Control Requirements
1.21 Does the policy address the risk of AI and provide guidance for employee acceptable use, data transfers to vendors, and controls to implement when using AI?