B.1 Knowledge Elicitation Worksheets
Processes 1 to 3 elicit knowledge from senior managers, operational area managers, general staff members, and information technology staff members. Participants in processes 1 to 3 provide their perspectives on assets that are important to the success of the organization, the way in which important assets are threatened, and security requirements for important assets.
The worksheets used when you elicit the above information are identical for all participants; we provide only one set. During the last activity of processes 1 to 3, you elicit information about security practices currently used by the organization and the organizational vulnerabilities that are present in the organization. There is a different survey for each organizational level, and all of the surveys are included in this appendix. The final worksheet in processes 1 to 3 is for a follow-up discussion after participants complete their surveys and is the same for all participants. The following worksheets are provided in this section of Appendix B:
- Asset Worksheet
- Areas of Concern Worksheet
- Security Requirements Worksheet
- Practice Surveys
  - Senior management survey
  - Operational area management survey
  - General staff survey
  - IT staff survey
- Protection Strategy Worksheet
You normally use these worksheets (except for the surveys) to prompt the participants and stimulate a discussion among them. However, you could ask them to complete the worksheets in advance and be prepared to discuss their answers. The workshop's scribe records the official results of each workshop. The scribe can record data on flip charts, copies of these worksheets, or in some other, more abbreviated, electronic form.
B.1.1 Asset Worksheet
Processes 1 to 3
Activity: Identify Assets and Relative Priorities (Section 5.2)
Purpose: To identify assets that are important to participants (senior managers, operational area managers, general staff, or information technology staff)
Instructions: Participants brainstorm a list of assets and then select those assets considered to be most important. Use the following questions to guide your discussions:
- What are your important assets?
- Are there any other assets that you are required to protect (e.g., by law or regulation)?
- What related assets are important?
- From the assets that you have identified, which are the most important? What is your rationale for selecting these assets as important?
Hand out the Asset Worksheet to participants and discuss each question. Use the questions as prompts to guide the discussion.
Record all assets identified during the workshop and note which ones were identified as most important by the participants.

1. What are your important assets? Consider the following:
   - Information
   - Systems
   - Software
   - Hardware
   - People

2. Are there any other assets that you are required to protect (e.g., by law or regulation)?

3. What related assets are important? Consider the following:
   - Information
   - Systems
   - Software
   - Hardware
   - People

4. From the assets that you have identified, which are the most important? What is your rationale for selecting these assets as important?

B.1.2 Areas of Concern Worksheet
Processes 1 to 3
Activity: Identify Areas of Concern (Section 5.3)
Purpose: To identify areas of concern for each important asset previously identified by the participants
Instructions: Participants brainstorm scenarios that could threaten their most important assets. Use the following question to guide your discussions: What scenarios threaten your important assets?
Hand out the Areas of Concern Worksheet to participants and ask them to use the sources and outcomes as prompts when considering scenarios that threaten important assets.
Record all areas of concern identified during the workshop.

B.1.3 Security Requirements Worksheet
Processes 1 to 3
Activity: Identify Security Requirements for Most Important Assets (Section 5.4)
Purpose: To identify security requirements for each important asset previously identified by the participants
Instructions: Participants brainstorm a list of security requirements for their important assets and then select which requirement is considered most important for each asset. Use the following questions to guide your discussions:
- What are the important security requirements for each information asset?
- What is the relative ranking of the security requirements for each information asset? Which security requirement is the most important?
Hand out the Security Requirements Worksheet to participants and discuss each question. Use the questions as prompts to guide the discussion.
Record security requirements identified for each important asset and note which requirement was identified as most important for each asset.

1. What are the important security requirements for each information asset? Consider the following:
   - Confidentiality
   - Integrity
   - Availability
   - Other

2. What is the relative ranking of the security requirements for each information asset? Which security requirement is the most important?

B.1.4 Practice Surveys
Processes 1 to 3
Activity: Capture Knowledge of Current Protection Strategy Practices and Organizational Vulnerabilities (Section 5.5)
Purpose: To gather survey information about security practices currently used by the organization
Instructions: Hand out surveys and ask participants to complete them. Note that there are four types of surveys, each one tailored for a particular group of personnel:
- Senior management survey
- Operational area management survey
- General staff survey
- IT staff survey
Have participants answer each question to the best of their knowledge in terms of how the practice is used in their organization by giving the following instructions:
- If the practice is always or nearly always used, circle "Yes."
- If the practice is not used or not used very much, circle "No."
- If you're not sure or don't really know, circle "Don't Know."
After participants complete their surveys, hold a follow-up discussion about current security practices and organizational vulnerabilities. See Section B.1.5 of this appendix for more information about that discussion.

B.1.4.1 Senior Management Survey
Name (optional): _________________________________________________
Position: ________________________________________________________

Practice / Is this practice used by your organization? (For each practice, circle Yes, No, or Don't know.)

Security Awareness and Training
- Staff members understand their security roles and responsibilities. This is documented and verified.
  Yes / No / Don't know
- There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.
  Yes / No / Don't know
- Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.
  Yes / No / Don't know

Security Strategy
- The organization's business strategies routinely incorporate security considerations.
  Yes / No / Don't know
- Security strategies and policies take into consideration the organization's business strategies and goals.
  Yes / No / Don't know
- Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization.
  Yes / No / Don't know

Security Management
- Management allocates sufficient funds and resources to information security activities.
  Yes / No / Don't know
- Security roles and responsibilities are defined for all staff in the organization.
  Yes / No / Don't know
- The organization's hiring and termination practices for staff take information security issues into account.
  Yes / No / Don't know
- The organization manages information security risks by assessing existing risks to information security and taking steps to mitigate information security risks.
  Yes / No / Don't know
- Management receives and acts upon routine reports summarizing security-related information (e.g., audits, logs, risk and vulnerability assessments).
  Yes / No / Don't know

Security Policies and Regulations
- The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated.
  Yes / No / Don't know
- There is a documented process for management of security policies:
  - Creation
  - Administration (including periodic reviews and updates)
  - Communication
  Yes / No / Don't know
- The organization has a documented process for evaluating and ensuring compliance with information security policies, applicable laws and regulations, and insurance requirements.
  Yes / No / Don't know
- The organization uniformly enforces its security policies.
  Yes / No / Don't know

Collaborative Security Management
- The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners):
  - Protecting information belonging to other organizations
  - Understanding the security policies and procedures of external organizations
  - Ending access to information by terminated external personnel
  Yes / No / Don't know
- The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements.
  Yes / No / Don't know

Contingency Planning/Disaster Recovery
- An analysis of operations, applications, and data criticality has been performed.
  Yes / No / Don't know
- The organization has documented, reviewed, and tested business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies.
  Yes / No / Don't know
- The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls.
  Yes / No / Don't know
- All staff are aware of the contingency, disaster recovery, and business continuity plans and understand and are able to carry out their responsibilities.
  Yes / No / Don't know

Physical Security Plans and Procedures
- Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested.
  Yes / No / Don't know
- There are documented policies and procedures for managing visitors.
  Yes / No / Don't know
- There are documented policies and procedures for physical control of hardware and software.
  Yes / No / Don't know

Physical Access Control
- There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media.
  Yes / No / Don't know
- Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access.
  Yes / No / Don't know

System and Network Management
- There are documented and tested security plan(s) for safeguarding the systems and networks.
  Yes / No / Don't know
- There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans.
  Yes / No / Don't know

Authentication and Authorization
- There are documented policies and procedures to establish and terminate the right of access to information for both individuals and groups.
  Yes / No / Don't know

Incident Management
- Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations.
  Yes / No / Don't know
- Incident management procedures are periodically tested, verified, and updated.
  Yes / No / Don't know
- There are documented policies and procedures for working with law enforcement agencies.
  Yes / No / Don't know

General Staff Practices
- Staff members follow good security practice, for example:
  - Securing information for which they are responsible
  - Not divulging sensitive information to others (resistance to social engineering)
  - Ensuring they have adequate ability to use information technology hardware and software
  - Using good password practices
  - Understanding and following security policies and regulations
  - Recognizing and reporting incidents
  Yes / No / Don't know
- All staff at all levels of responsibility implement their assigned roles and responsibility for information security.
  Yes / No / Don't know
- There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides.
  Yes / No / Don't know

B.1.4.2 Operational Area Management Survey
Name (optional): _________________________________________________
Position: ________________________________________________________

Practice / Is this practice used by your organization? (For each practice, circle Yes, No, or Don't know.)

Security Awareness and Training
- Staff members understand their security roles and responsibilities. This is documented and verified.
  Yes / No / Don't know
- There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.
  Yes / No / Don't know
- Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.
  Yes / No / Don't know

Security Strategy
- The organization's business strategies routinely incorporate security considerations.
  Yes / No / Don't know
- Security strategies and policies take into consideration the organization's business strategies and goals.
  Yes / No / Don't know
- Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization.
  Yes / No / Don't know

Security Management
- Management allocates sufficient funds and resources to information security activities.
  Yes / No / Don't know
- Security roles and responsibilities are defined for all staff in the organization.
  Yes / No / Don't know
- The organization's hiring and termination practices for staff take information security issues into account.
  Yes / No / Don't know
- The organization manages information security risks by assessing risks to information security and taking steps to mitigate information security risks.
  Yes / No / Don't know
- Management receives and acts upon routine reports summarizing security-related information (e.g., audits, logs, risk and vulnerability assessments).
  Yes / No / Don't know

Security Policies and Regulations
- The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated.
  Yes / No / Don't know
- There is a documented process for management of security policies:
  - Creation
  - Administration (including periodic reviews and updates)
  - Communication
  Yes / No / Don't know
- The organization has a documented process for evaluating and ensuring compliance with information security policies, applicable laws and regulations, and insurance requirements.
  Yes / No / Don't know
- The organization uniformly enforces its security policies.
  Yes / No / Don't know

Collaborative Security Management
- The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners):
  - Protecting information belonging to other organizations
  - Understanding the security policies and procedures of external organizations
  - Ending access to information by terminated external personnel
  Yes / No / Don't know
- The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements.
  Yes / No / Don't know

Contingency Planning/Disaster Recovery
- An analysis of operations, applications, and data criticality has been performed.
  Yes / No / Don't know
- The organization has documented, reviewed, and tested business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies.
  Yes / No / Don't know
- The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls.
  Yes / No / Don't know
- All staff are aware of the contingency, disaster recovery, and business continuity plans and understand and are able to carry out their responsibilities.
  Yes / No / Don't know

Physical Security Plans and Procedures
- Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested.
  Yes / No / Don't know
- There are documented policies and procedures for managing visitors.
  Yes / No / Don't know
- There are documented policies and procedures for physical control of hardware and software.
  Yes / No / Don't know

Physical Access Control
- There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media.
  Yes / No / Don't know
- Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access.
  Yes / No / Don't know

Monitoring and Auditing Physical Security
- Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed.
  Yes / No / Don't know

System and Network Management
- There are documented and tested security plan(s) for safeguarding the systems and networks.
  Yes / No / Don't know
- There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans.
  Yes / No / Don't know

Authentication and Authorization
- There are documented policies and procedures to establish and terminate the right of access to information for both individuals and groups.
  Yes / No / Don't know

Incident Management
- Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations.
  Yes / No / Don't know
- Incident management procedures are periodically tested, verified, and updated.
  Yes / No / Don't know
- There are documented policies and procedures for working with law enforcement agencies.
  Yes / No / Don't know

General Staff Practices
- Staff members follow good security practice, for example:
  - Securing information for which they are responsible
  - Not divulging sensitive information to others (resistance to social engineering)
  - Ensuring they have adequate ability to use information technology hardware and software
  - Using good password practices
  - Understanding and following security policies and regulations
  - Recognizing and reporting incidents
  Yes / No / Don't know
- All staff at all levels of responsibility implement their assigned roles and responsibility for information security.
  Yes / No / Don't know
- There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides.
  Yes / No / Don't know

B.1.4.3 General Staff Survey
Name (optional): _________________________________________________
Position: ________________________________________________________

Practice / Is this practice used by your organization? (For each practice, circle Yes, No, or Don't know.)

Security Awareness and Training
- Staff members understand their security roles and responsibilities. This is documented and verified.
  Yes / No / Don't know
- There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.
  Yes / No / Don't know
- Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.
  Yes / No / Don't know

Security Management
- Management allocates sufficient funds and resources to information security activities.
  Yes / No / Don't know
- Security roles and responsibilities are defined for all staff in the organization.
  Yes / No / Don't know
- The organization's hiring and termination practices for staff take information security issues into account.
  Yes / No / Don't know
- The organization manages information security risks by assessing risks to information security and taking steps to mitigate information security risks.
  Yes / No / Don't know

Security Policies and Regulations
- The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated.
  Yes / No / Don't know
- There is a documented process for management of security policies:
  - Creation
  - Administration (including periodic reviews and updates)
  - Communication
  Yes / No / Don't know
- The organization uniformly enforces its security policies.
  Yes / No / Don't know

Collaborative Security Management
- The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners):
  - Protecting information belonging to other organizations
  - Understanding the security policies and procedures of external organizations
  - Ending access to information by terminated external personnel
  Yes / No / Don't know

Contingency Planning/Disaster Recovery
- All staff are aware of the contingency, disaster recovery, and business continuity plans and understand and are able to carry out their responsibilities.
  Yes / No / Don't know

Physical Security Plans and Procedures
- Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested.
  Yes / No / Don't know
- There are documented policies and procedures for managing visitors.
  Yes / No / Don't know
- There are documented policies and procedures for physical control of hardware and software.
  Yes / No / Don't know

Physical Access Control
- There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media.
  Yes / No / Don't know
- Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access.
  Yes / No / Don't know

System and Network Management
- There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans.
  Yes / No / Don't know

Incident Management
- Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations.
  Yes / No / Don't know
- Incident management procedures are periodically tested, verified, and updated.
  Yes / No / Don't know
- There are documented policies and procedures for working with law enforcement agencies.
  Yes / No / Don't know

General Staff Practices
- Staff members follow good security practice, for example:
  - Securing information for which they are responsible
  - Not divulging sensitive information to others (resistance to social engineering)
  - Ensuring they have adequate ability to use information technology hardware and software
  - Using good password practices
  - Understanding and following security policies and regulations
  - Recognizing and reporting incidents
  Yes / No / Don't know
- All staff at all levels of responsibility implement their assigned roles and responsibility for information security.
  Yes / No / Don't know
- There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides.
  Yes / No / Don't know

B.1.4.4 IT Staff Survey
Name (optional): _________________________________________________
Position: ________________________________________________________

Practice / Is this practice used by your organization? (For each practice, circle Yes, No, or Don't know.)

Security Awareness and Training
- Staff members understand their security roles and responsibilities. This is documented and verified.
  Yes / No / Don't know
- There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.
  Yes / No / Don't know
- Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.
  Yes / No / Don't know

Security Strategy
- The organization's business strategies routinely incorporate security considerations.
  Yes / No / Don't know
- Security strategies and policies take into consideration the organization's business strategies and goals.
  Yes / No / Don't know
- Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization.
  Yes / No / Don't know

Security Management
- Management allocates sufficient funds and resources to information security activities.
  Yes / No / Don't know
- Security roles and responsibilities are defined for all staff in the organization.
  Yes / No / Don't know
- The organization's hiring and termination practices for staff take information security issues into account.
  Yes / No / Don't know
- The organization manages information security risks by assessing risks to information security and taking steps to mitigate information security risks.
  Yes / No / Don't know
- Management receives and acts upon routine reports summarizing security-related information (e.g., audits, logs, risk and vulnerability assessments).
  Yes / No / Don't know

Security Policies and Regulations
- The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated.
  Yes / No / Don't know
- There is a documented process for management of security policies:
  - Creation
  - Administration (including periodic reviews and updates)
  - Communication
  Yes / No / Don't know
- The organization has a documented process for evaluating and ensuring compliance with information security policies, applicable laws and regulations, and insurance requirements.
  Yes / No / Don't know
- The organization uniformly enforces its security policies.
  Yes / No / Don't know

Collaborative Security Management
- The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners):
  - Protecting information belonging to other organizations
  - Understanding the security policies and procedures of external organizations
  - Ending access to information by terminated external personnel
  Yes / No / Don't know
- The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements.
  Yes / No / Don't know

Contingency Planning/Disaster Recovery
- An analysis of operations, applications, and data criticality has been performed.
  Yes / No / Don't know
- The organization has documented, reviewed, and tested business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies.
  Yes / No / Don't know
- The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls.
  Yes / No / Don't know
- All staff are aware of the contingency, disaster recovery, and business continuity plans and understand and are able to carry out their responsibilities.
  Yes / No / Don't know

Physical Security Plans and Procedures
- Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested.
  Yes / No / Don't know
- There are documented policies and procedures for managing visitors.
  Yes / No / Don't know
- There are documented policies and procedures for physical control of hardware and software.
  Yes / No / Don't know

Physical Access Control
- There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media.
  Yes / No / Don't know
- Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access.
  Yes / No / Don't know

Monitoring and Auditing Physical Security
- Maintenance records are kept to document the repairs and modifications of a facility's physical components.
  Yes / No / Don't know
- An individual's or group's actions with respect to all physically controlled media can be accounted for.
  Yes / No / Don't know
- Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed.
  Yes / No / Don't know

System and Network Management
- There are documented and tested security plan(s) for safeguarding the systems and networks.
  Yes / No / Don't know
- Sensitive information is protected by secure storage (e.g., backups stored off-site, discard process for sensitive information).
  Yes / No / Don't know
- The integrity of installed software is regularly verified.
  Yes / No / Don't know
- All systems are up to date with respect to revisions, patches, and recommendations in security advisories.
  Yes / No / Don't know
- There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans.
  Yes / No / Don't know
- Changes to IT hardware and software are planned, controlled, and documented.
  Yes / No / Don't know
- IT staff members follow procedures when issuing, changing, and terminating users' passwords, accounts, and privileges:
  - Unique user identification is required for all information system users, including third-party users.
  - Default accounts and default passwords have been removed from systems.
  Yes / No / Don't know
- Only necessary services are running on systems; all unnecessary services have been removed.
  Yes / No / Don't know

System Administration Tools
- Tools and mechanisms for secure system and network administration are used, and they are routinely reviewed and updated or replaced.
  Yes / No / Don't know

Monitoring and Auditing IT Security
- System and network monitoring and auditing tools are routinely used by the organization. Unusual activity is dealt with according to the appropriate policy or procedure.
  Yes / No / Don't know
- Firewall and other security components are periodically audited for compliance with policy.
  Yes / No / Don't know

Authentication and Authorization
- Appropriate access controls and user authentication (e.g., file permissions, network configuration) consistent with policy are used to restrict user access to information, sensitive systems, specific applications and services, and network connections.
  Yes / No / Don't know
- There are documented policies and procedures to establish and terminate the right of access to information for both individuals and groups.
  Yes / No / Don't know
- Methods or mechanisms are provided to ensure that sensitive information has not been accessed, altered, or destroyed in an unauthorized manner. Methods or mechanisms are periodically reviewed and verified.
  Yes / No / Don't know

Vulnerability Management
- There is a documented set of procedures for managing vulnerabilities:
  - Selecting vulnerability evaluation tools, checklists, and scripts
  - Keeping up to date with known vulnerability types and attack methods
  - Reviewing sources of information on vulnerability announcements, security alerts, and notices
  - Identifying infrastructure components to be evaluated
  - Scheduling of vulnerability evaluations
  - Interpreting and responding to the results
  - Maintaining secure storage and disposition of vulnerability data
  Yes / No / Don't know
- Vulnerability management procedures are followed and are periodically reviewed and updated.
  Yes / No / Don't know
- Technology vulnerability assessments are performed on a periodic basis, and vulnerabilities are addressed when they are identified.
  Yes / No / Don't know

Encryption
- Appropriate security controls are used to protect sensitive information while in storage and during transmission (e.g., data encryption, public key infrastructure, virtual private network technology).
  Yes / No / Don't know
- Encrypted protocols are used for remote management of systems, routers, and firewalls.
  Yes / No / Don't know

Security Architecture and Design
- System architecture and design for new and revised systems include considerations for
  - Security strategies, policies, and procedures
  - History of security compromises
  - Results of security risk assessments
  Yes / No / Don't know
- The organization has up-to-date diagrams that show the enterprise-wide security architecture and network topology.
  Yes / No / Don't know

Incident Management
- Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations.
  Yes / No / Don't know
- Incident management procedures are periodically tested, verified, and updated.
  Yes / No / Don't know
- There are documented policies and procedures for working with law enforcement agencies.
  Yes / No / Don't know

General Staff Practices
- Staff members follow good security practice, for example:
  - Securing information for which they are responsible
  - Not divulging sensitive information to others (resistance to social engineering)
  - Ensuring they have adequate ability to use information technology hardware and software
  - Using good password practices
  - Understanding and following security policies and regulations
  - Recognizing and reporting incidents
  Yes / No / Don't know
- All staff at all levels of responsibility implement their assigned roles and responsibility for information security.
  Yes / No / Don't know
- There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides.
  Yes / No / Don't know

B.1.5 Protection Strategy Worksheet
Processes 1 to 3
Activity: Capture Knowledge of Current Security Practices and Organizational Vulnerabilities (Section 5.5)
Purpose: To build on the survey information by identifying specific security practices used by the organization and organizational vulnerabilities present in the organization
Instructions: Participants brainstorm a list of security practices and organizational vulnerabilities. Use the following questions to guide your discussions:
- Which issues from the survey would you like to discuss in more detail?
- What important issues did the survey not cover?
- Are there specific security policies, procedures, and practices unique to certain assets? What are they?
- Do you think that your organization's protection strategy is effective? How do you know?
Hand out the Protection Strategy Worksheet to participants and discuss each question. Use the questions as prompts to guide the discussion.
Record comments from the participants. Designate items that are security practices with a "+" and items that are organizational vulnerabilities with a "–".

1. Which issues from the survey would you like to discuss in more detail?

2. What important issues did the survey not cover?

3. Are there specific security policies, procedures, and practices unique to certain assets? What are they?

4. Do you think that your organization's protection strategy is effective? How do you know?
