Summary of controls used in BS 7799
(British Standards Institute Code of Practice for Information Security Management)
and their relationship to CID protective mechanisms

BS7799 specifies aspects of an effective information protection program suitable to the needs of business and industry. Protection in BS7799 is based on assuring integrity, availability, and confidentiality of corporate information assets. Assurance is attained through controls that management creates and maintains within the organization. Ten of the controls are considered "Key Controls" because they are either legislatively required or considered fundamental building blocks. Key controls are considered central to a successful program and are marked as (Key) in the listing below.
A sample BS7799 top-level audit is included within this listing in the form of questions that might be used to help understand the degree to which compliance is in place within an organization. Sample audit questions are marked as [Question?]. This set of questions could, for example, be sent out to a random sampling of employees at all levels as a part of a survey-based self-assessment or used in an interview process by an outside expert to gather an understanding of the compliance issues within the organization.

Section 1. Policy

1.1 Protection Policy

Goal: To achieve top-level support and control of information protection.

Method: Top management must particiate in the creation and operation of a clear information protection policy the spans the entire organization.

[Is there a formal information security policy?]

1.1.1 Protection Policy Documentation and its Dissemination (Key)

A written document specifying the official organizational policies on information protection should be provided to employees with information protection responsibility.

[Can you show me the official policy statement that is distributed to employees and tell me how it is promulgated through the organization?]

Section 2. Organizational Information Protection

2.1 Organizational Infrastructure

Goal: Effectively manage information protection throughout the organization.

Method: An organizational structure should be created with the mission and power required to create and implement effective information protection controls.

[Can you tell me who is in charge of information security and how you get in touch with them?]

2.1.1 Steering Committee

Control should be provided through an appropriate management steering committee.

[How does top level management guide information security controls?]

2.1.2 Coordination of Efforts

Suitable coordination of efforts should be done so as to eliminate inappropriate inconsistencies and unnecessary wasted effort.

[How large is your organization and how are you able to coordinate the computer security effort between all of those people?]

2.1.3 Responsibilities for protection (Key)

Protection responsibility for each asset of substantial value should be individually specified.

[Who is responsible for virus protection? Who do you call if you find a virus?]

2.1.4 Facility Authorization

Facilities containing information technology must be authorized and approved for that use.

[Has this computer (pick one) been approved by computer security? How?]

2.1.5 Expert assistance

Effective protection may require the use of experts.

[What internal security expertise do you have and what outside experts do you use to augment your internal expertise?]

2.1.6 Interorganizational coordination

Cooperation between organizations should be used to mitigate common threats.

[Would you say there is a lot of cooperation between groups in the area of information security?]

2.1.7 Outside Review

Independent outside review of information protection should be done.

[Who provides your outside information security audit function and who do they work for?]

2.2 Third Party Access Controls

Goal: To control the potential effects of access by third parties.

Method: Appropriate controls should be used for access by third parties.

[How do you allow business partners access to their applications without openning up your internal systems to potential harm?]

2.2.1 Third Party Risk Identification

An assessment of third party access risks should be made and controls appropriate to producing an acceptable level of residual risk should be put in place.

[Is there a risk management report describing why you selected the controls you selected for your outside connections?]

2.2.2 Contractual measures

Third party contracts should include legal controls and specification of responsibilities and consequences for access to information and information technology.

[What provisions are put in contracts to address computer security and which contracts are those provisions included in?]

Section 3. Control and sensitivity of assets

3.1 Accountability

Goal: Appropriate control of information assets.

Method: Ownership should be specified for all assets and those owners should be accountable for the protection of those assets.(see also 0.3.11).

[Who in the organization owns the data in this (pick one) database? Who in this organization owns this (pick one) computer? Who owns the telephone connection on your desk? Who owns network you use?]

3.1.1 Asset identification and tracking

All significant information assets should be identified and tracked.

[Please show me a list of all major information and IT assets in the organization.]

3.2 Information classification

Goal: Provide assurance that protection is appropriate for all information assets.

Method: Sensitivity information should be asociated with information assets and this information should be used to inform decisions about protection priorities.

[What is the need for protecting this (pick one) document? What is the most important file in any corporate computer that you are aware of? IF I had a dollar to spend on protecting one of these two documents (pick two) which one should I spend it on?]

3.2.1 Sensitivity guidelines

Business requirements should drive the protection requirements for information assets based on their sensitivity.

[What percentage of all information assets are classified as more important than nominal systems and information? Why is that the right percentage?]

3.2.2 Sensitivity labelling

Sensitive information in all of its forms should be labeled as to its sensitivity.

[Show me the label on the most highly sensitive document you have access to and tell me what it means.]

Section 4. People Issues

4.1 Protection in personnel specifications and decisions

Goal: To control people-related risks.

Method: Personnel requirements should be include appropriate proteciton-related specification and verification throughout the lifecycle.

[What personnel security measures are taken for a janitor? for the CEO? for outsourced personnel? for your IT auditor?]

4.1.1 Protection requirements in personnel specifications

Personnel specifications should include personnel protection requirements.

[Where in the janitor's job description are their security roles and responsibilities described? for the CEO? for outsourced personnel? for your acocuntantcy firm's employees?]

4.1.2 Pre-employment checks

All potential new employees should have background checks if access to sensitive information may eventually be required as part of their employment.

[How do you determine which job positions have access to sensitive information? Is the janitor position one of them? Is the CEO? Are all the programmers and data entry clerks? Are outsourcing firm employees checked byt he same process? What checks do you make of applications for those positions before hiring them?]

4.1.3 Legal agreements

Appropriate legal agreements should be used for people working in areas where sensitive information access may occur.

[Can you show me the signed confidentiality agreement for each of these (pick a statistically meaningful sample set of employees) employees?]

4.2 Security Training

Goal: Provide assurance that the nature of threats to information are understood by those with legitimate access and that individuals with said access have a proper understanding of controls.

Method: Policies, procedures, and work rules should be part of the training of individuals with access.

[How do you make certain that your employees know how to follow all of your security procedures?]

4.2.1 Protection training and education (Key)

Appropriate training and education should be provided.

[What is the educational background of your most highly trusted employee with computer security responsibilities? Your average trusted employee with those responsibilities? Your least security-educated employee with those responsibilities?]

4.3 Incident Response

Goal: To minimize harm from protection-related incidents and to adapt protection over time.

Method: An incident reporting system should be used and reporting should be contemporaneous.

[What is the longest lag time that has ever occurred between the first detection of a security-related incident and notification of an appointed computer security person responsible for responding to the incident?]

4.3.1 Incident reporting (Key)

Incidents should be reported as soon as they are noticed.

[How often are the chief executives briefed on computer security incidents?]

4.3.2 Vulnerability reporting

Potential and actual vulnerabilities should be reported.

[How many security waeknesses have been reported in the last day, week, and month? How do people report them when they find them?]

4.3.3 Software error reporting

Software errors should be reported.

[When your computer has a problem, who do you report it to and what do they do about it?]

4.3.4 Employee Punishment Process

An effective employee punishment process is needed to deal with breeches of security.

[What is the punishment for telling your password to another employee so they can get access when you're out of town, and who administers the punishment?]

Section 5. Physical Protection

5.1 Physically Protected Places

Goal: Prevent inappropriate interaction between unauthorized and authorized people and systems.

Method: Place sensitive information and systems that affect it in protected places.

[What kind of door locks protect the air conditioner that keeps the computer rooms cooled during the summer? Why are these locks selected for those doors? Who selected them?]

5.1.1 Perimeters

Physically protected places should be deliniated by clear perimeters.

[When you bring one of your children into work with you to show them around, how do you bring them into your office?]

5.1.2 Access Controls

Physically protected places should use controls to prevent unauthorized passage across perimeters.

[What kind of access control device do you use to limit access to the area where accounting processes invoices?]

5.1.3 Protected Computer Centers

Locations sensitive housing computer centers or related rooms should be well protected.

[List the data centers that have special physical security protection and describe what special protections they have.]

5.1.4 Separating delivery areas from internal areas

The notion that delivery areas should be separated from internal computer areas should be considered.

[When printer paper is delivered to the printer room, how does the delivery-person get the paper into the computer room?]

5.1.5 Keep desks clean

Keeping desks clean when not present protects information.

[Who has the messiest desk in the company and just how messy is it?]

5.1.6 Authorized asset removal

Only authorized removal of information assets should be permitted.

[How often does the guard search people when they leave through the loading area? Who do you show the permission form to when you bring your laptop computer home to work at night?]

5.2 Hardware security

Goal: Assure business continuity and reduce exposures to loss.

Method: Protect hardware from physical and environmental threats.

[What protection does your office have from water damage to computers resulting from the sprinkler system going off in a fire?]

5.2.1 Hardware location and shielding

Hardware should be located or shielded to counter possible destruction, unauthorized access, or denial of use.

[When you want to move your computer screen from one desk to another, what rules do you follow about where the screen can be placed on the desk?]

5.2.2 Electrical Power

Electrical power failures and anomolies should be mitigated.

[Does the computer on your desk have an uninterruptable power supply? What kind?]

5.2.3 Wire protection

Wires and communications channels should be located or shielded so as to mitigate surveillance or disruption attempts.

[What kind of network connection do computers have and how is the network controlled from illicit connections?]

5.2.4 Hardware maintenance

Proper hardware maintenance should be done.

[Is there a maintenance contract on all vital office equipment? How do you get service on the copier when it breaks?]

5.2.5 Off-site hardware protection

Off-site hardware should be protected by policy and procedures.

[How do you protect cellular telephones, laptop computers, and other similar equipment when you take it home or use in in a client's office? Have you ever gotten a virus from another system when you were off-site?]

5.2.6 End of life-cycle for hardware

At the end of hardware lifecycles, content should be removed or destroyed.

[What is the procedure for disposing of a computer system, old backup tapes, and floppy disks? Is there a procedure for handling these items before sending a computer out for repair?]

Section 6. System and Infrastructure Management

6.1 Roles and Responsibilities

Goal: Properly operate facilities.

Method: Management and operational roles and responsibilities for all systems and infrastructures should be defined.

[Are there procedures for managing and operating each of the computers in your work area? What are they?]

6.1.1 Documented procedures

Procedures for all operations on all systems should be documented.

[Can you show me the documents that describe the procedures for operating your computers?]

6.1.2 Incident handling

Procedures for incident handling should be in place.

[Who is responsible for handling security incidents relating to this computer? Who do you call if this computer stops working properly and you can't figure out why?]

6.1.3 Separation of duties

Dities should be seprated so as to minimize the potential for abuse.

[Are different people responsible for different functions on all of the computers? Who is responsible for what?]

6.1.4 Development and operation separation

Development systems should be separated from operational systems.
[Do you do development or programming on the same systems used by users? How do you assure that programming mistakes or errors and omissions don't cause the operational system to fail? Do you have a change control program? Please describe it.] ***********************

6.1.5 External facilities management

Proposals to use an external facilities management service should identify the full security implications and include appropriate security controls.

[Do you use an outside firm for facilities management? If so, please show me the proposals for that service and indicate where they mandate security controls. Are those controls comperable to the controls required within your organization? How do they stack up?]

6.2 System planning and acceptance

Goal: To minimize the risk of systems failure.

Advance planning and preparation are required to ensure the availability of adequate capacity and resources.

[How do you plan for peak usage periods, normal usage periods, and the potential for expansion?]

6.2.1 Capacity planning

Capacity requirements should be monitored to avoid failures due to inadequate capacity.

[How do you monitor usage against capacity and how and when does this monitoring trigger the expansion of capacity?]

6.2.2 System acceptance

Acceptance criteria for new systems should be established and suitable tests carried out prior to acceptance.

[Do you have a standard for testing new hardware and software for compatible operation within your environment? Is this part of the acceptance criteria required for all new equipment?]

6.2.3 Fallback planning

Fallback requirements should be coordinated and reviewed.

[Who reviews fall-back plans used in case of major system outages? When there is such an outage, who is responsible for coordinating change-over? Do they practice continuity plans with simulated failures? If so, how and how often do they do that?]

6.2.4 Operational change control

Changes to IT facilities and systems should be controlled.

[Is there a comprehensive change control program that assures that changes to information systems are necessary, appropriate, and that change-over goes smoothly?]

6.3 Protection from malicious software

Goal: To safeguard the integrity of software and data.

Precautions are required to prevent and detect the introduction of malicious software.

[How do you detect malicious software? Does this work for malicious software added by your programmers? Your users? Computer viruses? Contract programmers? People who work for companies you buy software from?]

6.3.1 Virus controls (Key)

Virus detection and prevention measures and appropriate user awareness procedures should be implemented.

[What training do your employees get about computer viruses? What technical safeguards do you have in place against viruses?]

6.4 Housekeeping

Goal: To maintain the integrity and availability of IT services.

Housekeeping measures are required to maintain the integrity and availability of services.

[What regular maintenance functions are performed on systems?]

6.4.1 Data back-up

Back-up copies of essential business data and software should be regularly taken.

[Are backups of all systems done on a regular and scheduled basis? By whom? How often? How is the schedule determined?]

6.4.2 Operator logs

Computer operators should maintain a log of all work carried out.

[Which systems have operator logs? Show all the operator logs from one of those systems to me.]

6.4.3 Fault logging

Faults should be reported and corrective action taken.

[Is every system error and crash logged, and if so, how is follow-on action coordinated? Is a root cause analysis done in each of these cases?]

6.4.4 Environmental monitoring

Computer environments should be monitored where necessary.

[What environmental monitoring do you have in place to detect particles in the air in computer rooms? Smoke? Fire? Water? Chemical vapors? Other polutants?]

6.5 Network management

Goal: To ensure the safeguarding of information in networks and the protection of the supporting infrastructure.

The security management of computer networks, which may span organizational boundaries, requires special attention.

[How is computer network security managed differently than other computer security?]

6.5.1 Network security controls

A range of security controls is required in computer networks.

[What are the security controls in your computer network and what was the basis for their selection?]

6.6 Media handling and security

Goal: To prevent damage to assets and interruptions to business activities.

Computer media should be controlled and physically protected.

[What are the procedures for controlling access to disks, tapes, floppy disks, and other computer storage and transfer media?]

6.6.1 Management of removable computer media

Removable computer media should be controlled.

[Are there special controls for removable media? What are they?]

6.6.2 Data handling procedures

Procedures for handling sensitive data should be established.

[Are the handling procedures different for more sensitive information? In what way?]

6.6.3 Security of system documentation

System documentation should be protected from unauthorized access.

[How do you prevent unauthorized people from looking at, modifying, or removing the documentation for your systems?]

6.6.4 Disposal of media

Computer media should be disposed of securely and safely when no longer required.

[What do you use as your data remnants standard and how do you assure that all media are properly cleaned when no longer used?]

6.7 Data and software exchange

Goal: To prevent loss, modification or misuse of data.

Exchanges of data and software between organizations should be controlled.

[How do you control the purchase of hardware and software? How do you prevent users from accessing software from the Internet? How do you prevent users from emailing sensitive company information to the wrong recipient? How do you make certain that file transfers between your organization and other organizations are not intercepted, corrupted, or blocked from within the other organization?]

6.7.1 Data and software exchange agreements

Agreements for the exchange of data and software should specify security controls.

[Show me the clauses in our agreements with each outside partner, vendor, or customer that detail the specific security controls required when we do business with them. Are the controls specified in those clauses equivalent to the internal controls used within this organization? If not, why not? In what ways are they different?]

6.7.2 Security of media in transit

Computer media in transit should be protected from loss or misuse.

[How are floppy disks sent between offices protected? How are file transfers over the Internet protected? How are backup tapes stored in off-site storage facilities protected as they are sent, when at the off-site location, and when returned on an emergency basis for recovery?]

6.7.3 EDI security

Special security controls should be applied where necessary, to protect electronic data interchange.

[Where are special protections required for electronic data interchange and why? What protections are in place to protect those interchanges and how were they determined?]

6.7.4 Security of electronic mail

Controls should be applied where necessary, to reduce the business and security risks associated with electronic mail.

[How do you assure that all internla email remains only within the organization's network and never goes through outside systems or infrastructure without special protection?]

6.7.5 Security of electronic office systems

Clear policies and guidelines are required to control the business and security risks associated with electronic office systems.

[What are the policies and guidelines for controlling office telephone systems, copiers, computers, pagers, and cell-phones?]

Section 7. System access control

7.1 Business requirement for system access

Goal: To control access to business information.

Access to computer services and data should be controlled on the basis of business requirements.

[What are the business requirements for controlling access to this computer (point to any computers in the area) and how are those requirements used as the basis for the protections in place for that computer?]

7.1.1 Documented access control policy

Business requirements for access control should be defined and documented.

[Show me the written documents that describe the business requirements for protecting this computer (pick one that's in sight) and how those requirements were translated into the access control policy used on this computer.]

7.2 User access management

Goal: To prevent unauthorized computer access.

There should be formal procedures to control allocation of access rights to IT services.

[What are the formal procedures used to grant and remove access rights to users over information on this computer?]

7.2.1 User registration

There should be a formal user registration and de-registration procedure for access to all multi-user IT services.

[Show me the formal user registration and removal process for the network file server you use.]

7.2.2 Privilege management

The use of special privileges (see 0.3.14) should be restricted and controlled.

[Who has special privileges on this computer (pick one), what special privileges do they have, and how are those privileges restricted and controlled?]

7.2.3 User password management

The allocation of user passwords should be securely controlled.

[How do you secure the generation of passwords to make sure they are hard to guess and only the originator can ever get access to them?]

7.2.4 Review of user access rights.

User access rights should be reviewed at regular intervals.

[Who reviews all of the access control bits in each computer and how often? How do they tell the difference between a properly set protection bit and an improperly set one and what do they do when they find an improperly set one?]

7.3 User responsibilities

Goal: To prevent unauthorized user access.

The cooperation of authorized users is essential for effective security.

[How do you measure the cooperation of authorized users? At what threshold do you identify users as becoming uncooperative? What is the procedure for removing authorization from users that are below the threshold of cooperation?]

7.3.1 Password use

Users should follow good security practices in the selection and use of passwords.

[How do you select your password? Is there training to help you tell the difference between a good and a bad password? Does the computer system tell you how good or bad a password is when you try to set one?]

7.3.2 Unattended user equipment

Users should ensure that unattended equipment has appropriate security protection.

[What is the appropriate protection for unattended equipment? If nobody is there to attend the equipment, how do you assure that the security measures are always in effect?]

7.4 Network access control

Goal: Protection of networked services.

Connections to networked services should be controlled.

[How do you control connections to networked services?]

7.4.1 Limited services

Users should only be able to gain access to the services that they are authorized to use.

[What services is each individual authorized to use? Where is this information stored? How is it updated? How is this informaiton used in real-time to control access? If some user were using an unauthorized service, how would you know? How soon would you know? How could you legally prove that the user knowingly used an unauthorized service as a basis for subsequent sanctions against them?]

7.4.2 Enforced path

The route from the user terminal to the computer service may need to be controlled.

[How do you prevent users from dialing out on their PCs to external Internet Service Providers? How do you control the internal routing of information through your networks? When access requirements change, how do you make certain that no controls are violated when you reconfigure your network to affect the new access?]

7.4.3 User authentication

Connections by remote users via public (or non-organization) networks should be authenticated.

[How do you make certain that the person at the other end of a dial-in or network-based access is who they claim to be? How do you make certain that once a connection is established, the user on the other end or the connection in between doesn't change? What is the basis for asserting that this level of assurance is adequate to the business need for protection?]

7.4.4 Node authentication

Connections by remote computer systems should be authenticated.

[How do you make certain that the computer at the other end of a dial-in or network-based access is who they claim to be? How do you make certain that once a connection is established, the equipment on the other end or the connection in between doesn't change? What is the basis for asserting that this level of assurance is adequate to the business need for protection?]

7.4.5 Remote diagnostic port protection

Access to diagnostic ports should be securely controlled.

[How do you allow vendors to do remote support and at the same time protect the support connections from being abused to attack your systems?]

7.4.6 Segregation in networks

Large networks may have to be divided into separate domains.

[How do you determine when security issues force the division of networks into subnetworks and how does that division provide added protection?]

7.4.7 Network connection control

The connection capability of users may need to be controlled to support the access policy requirements of certain business applications.

[How are business application access control policies reflected in limitations on network connections? When you design or implement new applications, how do you take network connections into consideration?]

7.4.8 Network routing control

Shared networks may require network routing controls.

[How do you control network routing and why do you use those controls? How do those controls relate to business requirements for protection? What is the basis for determining that those specific controls are more or less appropriate than others?]

7.4.9 Security of network services

The risks associated with the use of network services should be established.

[How do you measure the risks of using network services? How does the measured risk get related to the business decision about who may use which services and for what purpose?]

7.5 Computer access control

Goal: To prevent unauthorized computer access.

Access to computer facilities should be controlled.

[How do you control access to computing facilities? Computer rooms? Telephone rooms? Wire rooms? Individual network wires? Conections between these?]

7.5.1 Automatic terminal identification

Automatic terminal identification should be considered to authenticate connections to specific locations.

[Do you use automatic terminal identification? If not, how do you tell which equipment is connected on which connection?]

7.5.2 Terminal logon procedures

Access to IT services should be via a secure logon process.

[How do you secure the logon process against wire taps? Against forgeries? Against logical attacks on network elements? Against snooping by authorized individuals on host systems?]

7.5.3 User identifiers

Computer activities should be traceable to individuals.

[If you detect a computer virus spreading throughout your organization's networks, how do you determine which individual in the organization first allowed the virus to enter? If a systems administrator trying to cover the tracks of an illicit activity intentioanlly deletes all information on a system's disks, uses the proper data remnants removal techniques, reformats the disk, replaces it in the original computer, and restores the contents from day-old backups, how do you determine which individual did it?]

7.5.4 Password management system

An effective password system should be used to authenticate users.

[How effective is your password system? What measures of password system effectiveness do you use?]

7.5.5 Duress alarm to safeguard users

Provision of a duress alarm (see 0.3.4) should be considered for users who might be the target of coercion.

[Have duress alarms been considered for your users? How was their use analyzed? What determination was made about their use and why?]

7.5.6 Terminal time-out

Inactive terminals in high risk locations, or serving high risk systems, should be set to time out, to prevent access by unauthorized persons.

[What terminals are in high risk locations? What terminals serve high risk systems? What timeouts are used to prevent unauthorized access to those systems? Why are those timeouts selected? How are they implemented and tested?]

7.5.7 Limitation of connection time

Restrictions on connection times should provide additional security for high-risk applications.

[What applications do you have that justify restrictions on connection times? What are those restrictions? How were they determined?]

7.6 Application access control

Goal: To prevent unauthorized access to information held in computer systems.

Logical access controls should be used to control access to application systems and data.

[What protection settings are used on (name a file) associated with (pick an application) to assure that only authorized users can perform only authorized actions on that file? Who are the authorized users for that file? What rights do they have to access that file? Do they need all of those rights? Do those rights grant access beyond that needed for their jobs? What additional controls are used to prevent their excessive access?]

7.6.1 Information access restriction

Access to data and IT services should be granted in accordance with business access policy.

[What is the business access policy? How is access granted in accordance with that policy? Hos is access revoked in accordance with that policy? How soon after a person falls into a policy category no longer requiring access are all access rights of that individual removed from all applications they no longer require access to? What is the longest time ever taken for this process?]

7.6.2 Use of system utilities

Access to system utilities should be restricted and controlled.

[How are users prevented from using system utility programs? How are they prevented from bringing in their own copy of those programs and using that comy on the system?]

7.6.3 Access control to program source library

Access to program source libraries should be restricted and controlled.

[What special controls are placed on source programs and libraries?]

7.6.4 Sensitive system isolation

Sensitive systems might require a dedicated (isolated) computing environment.

[Are there any systems with information so sensitive that they must be physically isolated? How is this isolation done?]

7.7 Monitoring system access and use

Goal: To detect unauthorized activities.

Systems should be monitored to ensure conformity to access policy and standards.

[How is it detected when access control and policy standards are violated? How long does detection take? What are the limits of detectability?]

7.7.1 Event logging

Audit trails of security events should be maintained.

[How are audit trails of security-relevant events generated, stored, and retained?]

7.7.2 Monitoring system use

Procedures for monitoring system use should be established.

[What procedures are in place to provide for legal and authorized system and user monitoring?]

7.7.3 Clock synchronization

Computer clocks should be synchronized for accurate recording.

[How is clock skew handled? How are systems synchronized? What analytical methods are used to compensate for clock skew in reviewing and analyzing audit records?]

Section 8. Systems development and maintenance

8.1 Security requirements of systems

Goal: To ensure that security is built into IT systems.

Security requirements should be identified and agreed prior to the development of IT systems.

[At what phase in the system development process are security requirements identified and agreed to?]

8.1.1 Security requirements analysis and specification

An analysis of security requirements should be carried out at the requirements analysis stage of each development project.

[Are security requirements explicitly and adequately covered in the requirements phase of system development? Are all corporate security elements analyzed with respect to the system in the requirements phase? Are cost analyses inclusive of security lifecycle costs?]

8.2 Security in application systems

Goal: To prevent loss, modification or misuse of user data in application systems.

Appropriate security controls, including audit trails, should be designed into application systems.

[Are security controls included in all application system designs? How is the determination made about which applications include which controls? How are system audits integrated into application audits and what provisions are made to allow these audit trails to be analyzed against each other for consistency checks? What fields are mandated in all audit trails and why?]

8.2.1 Input data validation

Data input to application systems should be validated.

[How is input data validated by applications systems? Are different data elements cross-correlated (e.g., postal codes correlated with cities) to verify consistency?]

8.2.2 Internal processing validation

Data processed by application systems should be validated.

[How is input data passed from other applications validated?]

8.2.3 Data encryption

Encryption should be considered for highly sensitive data.

[Under what circumstances do you require encryption? What encryption do you use?]

8.2.4 Message authentication

A message authentication system should be considered for applications which involve the transmission of sensitive data.

[Is sensitive data authenticated during transmission and in storage to assure it's integrity against illicit or accidental changes? How is this done?]

8.3 Security of application system files

Goal: To ensure that IT projects and support activities are conducted in a secure manner.

Access to system files should be controlled.

[How are appropriate system file protections identified and verified? How often is verification carried out?]

8.3.1 Control of operational software

Strict control should be exercised over the implementation of software on operational systems.

[Hos is control exercised over software on operational systems? Does this apply to all software? Does this include macros and interpreted instructions? ]

8.3.2 Protection of system test data

Test data should be protected and controlled.

[How do you generate, control, and protect test data? What is the coverage requirement for tests on vital systems and how is coverage determined and measured?]

8.4 Security in development and support environments

Goal: To maintain the security of application system software and data.

Project and support environments should be strictly controlled.

[What special provisions are made for the protection of support and project teams and the systems they depend on?]

8.4.1 Change control procedures

There should be formal change control procedures.

[Are there formal change control procedures? What are they? Are they effective against malicious insiders?]

8.4.2 Technical review of operating system changes

The impact of operating system changes on security should be reviewed.

[How do you review operating system changes for security?]

8.4.3 Restrictions on changes to software packages

Modifications to software packages should be discouraged. Any essential changes should be strictly controlled.

[How do you discourage software modification? What rules are there about the circumstances under which operation-critical software is changed?]

Section 9. Business continuity planning

9.1 Aspects of business continuity planning

Goal: To have plans available to counteract interruptions to business activities.

Business continuity plans should be available to protect critical business processes from the effects of major failures or disasters.

[If your most critical computing facilities and the normal staff that operates them were to be destroyed in a freak accident at this moment, how soon would ehose business functions be back at full capacity? How do you know that this answer is accurate?]

9.1.1 Business continuity planning process (Key)

There should be a managed process in place for developing and maintaining business continuity plans across the organization.

[Do you have a business continuity planning process? What it is? Who is in charge of it? How is it managed?]

9.1.2 Business continuity planning framework

A consistent framework of business continuity plans should be maintained.

[Do you have a business continuity framework that covers the entire organization? How is the framework promulgated throughout the organization?]

9.1.3 Testing business continuity plans

Business continuity plans should be tested.

[How do you test your business continuity plans and what do the results of those tests reveal?]

9.1.4 Updating business continuity plans

Business continuity plans should be updated regularly.

[How often do you revisit the business continuity planning process and how often does it change?]

Section 10. Compliance

10.1 Compliance with legal requirements

Goal: To avoid breaches of any statutory, criminal or civil obligations and of any security requirements.

The design, operation and use of IT systems may be subject to statutory and contractual security requirements.

[Are you aware of all the legal requirements for opertions of all your systems in all legal venues they have contact with? How do you stay aware? Are you in compliance? How do you verify this?]

10.1.1 Control of proprietary software copying (Key)

Attention is drawn to the legal restrictions on the use of copyright material.

[How do you verify that employees don't have or use illegal copies of software? Is there an organizational policy to this effect? Show it to me.]

10.1.2 Safeguarding of organizational records (Key)

Important records of an organization should be protected from loss, destruction and falsification.

[What provisions do you use to assure that all legal requirements for retention of documents are adhered to, even by parties who might want to violate these requirements as part of an illegal activity?]

10.1.3 Data protection (Key)

Applications handling personal data on individuals should comply with data protection legislation and principles.

[Is personal data about individuals protected to the standards of all applicable laws? How is this done?]

10.1.4 Prevention of misuse of IT facilities

IT facilities should only be used for authorized business purposes.

[Is there a policy mandating that information technology of the organization may only be used for legitimate purposes of the organization? Are there safeguards in place to prevent, detect, or respond to attempts to violate this policy?]

10.2 Security reviews of IT systems

Goal: To ensure compliance of systems with organizational security policies and standards.

The security of IT systems should be regularly reviewed.

[How often are security audits or reviews done of each system? Is this regularity dictated on some specific basis? What is that basis?]

10.2.1 Compliance with security policy (Key)

All areas within the organization should be considered for regular review to ensure compliance with security policies and standards.

[Which areas have been considered for a security review, and when were they last considered? Which areas have not been considered and why?]

10.2.2 Technical compliance checking

IT facilities should be regularly checked for compliance with security implementation standards.

[How often are facilities checked against corporate security standards? How detailed are these checks? What is covered and not covered? Who performs these checks? Who do they work for?]

Comments and questions?