Reference no: EM133173415
Governance - Risk - Compliance
Instructions
Complete the document only for the tabs:
1. Under the Statement of Applicability tab (Rows 3-16)
Security Policy
A.5.1 Information security policy
A.5.1.1 Policies for information security A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
A.5.1.2 Review of the policies for information security The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
A.6 Organization of information security
A.6.1 Internal Organization To manage information security within the organization.
A.6.1.1 Information security roles and responsibilities All information security responsibilities shall be defined and allocated.
A.6.1.2 Segregation of duties Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
A.6.1.3 Contact with authorities Appropriate contacts with relevant authorities shall be maintained.
A.6.1.4 Contact with special interest groups Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
A.6.1.5 Information security in project management Information security shall be addressed in project management, regardless of the type of the project.
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
A.6.2.2 Teleworking A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
2. Info Sec Policy
Question
[ISP 1.01] Does the Information Security Policy address the following:
- Access control
- Asset Management
- Business Continuity Management
- Communications and Operations Management
- Compliance
- Human Resource Security
- Information Security Incident Management
- Information Systems Acquisition, Development, and Maintenance
- Physical and Environmental Security
[ISP 1.02] Do you maintain an information security policy that is approved by top management, communicated to all vendor resources, and reviewed at least annually?
[ISP 1.03] Do data classification requirements define rules for managing, handling, and labeling of data for each data class?
[ISP 1.04] Is there a documented, approved, and communicated formal disciplinary or sanction policy?
3. Organization of Information Security
Question
[PES 1.01] Is there a documented, approved, and communicated physical security policy?
[PES 1.02] Do your facilities meet legal and regulatory requirements, and do you have a valid certificate of operations?
[PES 1.03] Does your facility have adequate physical security perimeter controls (doors, solid walls, locked windows, CCTV, manned reception desk, etc.)?
Please provide details in the "Comments" section.
[PES 1.04] Are access points such as delivery and loading areas and other possible entry points controlled and isolated from information processing facilities?
[PES 1.05] Are KP-related activities performed from a dedicated area that is only accessible to staff dedicated to the KP account?
If yes, please describe the controls that are in place to limit access by unauthorized individuals.
Examples:
(a) Badge readers on all entry/exit points, anti-passback activated
(b) Presence of security guards
(c) Entry/exit points equipped with CCTV cameras
(d) Windows are frosted to prevent individuals from looking into the restricted area
(e) Existence of strict visitor processes, where KP management needs to approve external visitors
(f) Emergency exits are monitored and only allow individuals to exit the work area in case of emergency
[PES 1.06] Are personnel (including subcontractors and external parties) with access to the KP work area authorized by appropriate KP personnel and issued a personally identifiable photo badge that is displayed while the individual is within the facility?
[PES 1.07] Do facility and datacenter have adequate fire detection/prevention and water detection/prevention measures in place?
[PES 1.08] Are all physical security equipment (such as access control systems and surveillance systems) hosted in a secured area?
[PES 1.09] Are physical access logs and surveillance feeds captured, reviewed, and maintained?
[PES 1.10] Do you have a process for provisioning of physical access?
[PES 1.11] Do you have a process for termination of physical access (that also includes provisions for transfer)?
[PES 1.12] Are all vendor personnel who are authorized to approve access to the KP work area reviewed on a periodic basis and is the list communicated to authorized KP personnel?
[PES 1.13] Is a process for periodic review of physical access in place?
[PES 1.14] Is segregation of duties maintained for the following functions:
- Approving and configuring physical access
- Configuring access and reviewing access logs
- Configuring and storing/issuing access cards which are not in use
[PES 1.15] Is an inventory of access cards maintained and reviewed by the physical security team?
[PES 1.16] Is there a process for management of visitors that includes check in/check out and requirement to escort visitors during their stay at the facility?
[PES 1.17] Are all external visitors to the Offshore Development Center (ODC) approved by the authorized KP personnel in advance?
[PES 1.18] Is there a process for replacing lost / stolen access cards?
[PES 1.19] Are measures in place to prevent staff from taking sensitive information in/out of the dedicated work area?
If yes, please describe the measures.
Examples:
(a) Screening of bags at point of entry
(b) Not allowing staff to take paper in/out of the dedicated work area
(c) No use of cell phones in the work area
[PES 2.01] Are physical and environmental measures (e.g. temperature, water, humidity) monitored within the critical infrastructure rooms?
[PES 2.02] Is personnel training conducted and security measures applied to usage of off-site equipment and infrastructure?
[PES 2.03] Are technical infrastructure, media, and physical security equipment hosted in secure areas?
[PES 2.04] Are processes in place (including approval) for the removal of data and / or equipment out of the critical infrastructure rooms?
[PES 2.05] Are facilities installed with adequate alternate sources of power (e.g., diesel generator set, uninterruptible power supply) in order to provide 24 x 7 x 365 power backup?
[PES 2.06] Are there maintenance contracts maintained that cover facility and security equipment?
Attachment:- Governance.rar
Attachment:- Audit_and_Assessment.rar