Risk Assessment/Management
Does your organization:
- Regularly perform vulnerability assessments?
- Act on the results of a vulnerability assessment in a timely manner?
- Identify critical information assets?
- Identify the threats to critical information assets?
- Determine the financial and other impacts of a successful attack on critical information assets?
- Evaluate and manage your information security risks on an ongoing basis? In other words, are risks to critical information assets managed in a similar fashion to other key business risks?
Management/Policy
Does your organization:
- Have a security policy (both IT and physical) established by senior managers?
- Link your security policies to specific business objectives and specific risk areas?
- Inform all managers at all levels of their responsibilities regarding security, including policy enforcement?
- Include security as a regular agenda topic at management and staff meetings?
- Ensure that all users receive training in your organization’s security policy, as well as penalties and consequences for non-compliance, prior to receiving an account on any system?
- Periodically conduct an independent audit of organizational compliance with security policies?
System and Network Management
Does your organization:
- Assign, manage, and update user identities and access permissions?
- Control system and network changes, and manage system and network configuration, including selecting, testing, and applying high priority patches?
- Regularly scan for viruses/worms/Trojan horses/denial-of-service agents on servers, desktop systems, laptop systems, and mobile devices?
- Monitor for, detect, report, and act on suspicious files/behaviors/events, including user reports?
- Actively work to contain the damage caused by a virus/worm/Trojan horse?
- Recover/restore files, systems, and networks compromised in an attack in a timely manner?
Corporate Security
Does your organization:
- Require identification and authentication for accessing your work facilities/buildings?
- Have business continuity and disaster recovery plans in place?
- Provide training to employees on identifying suspicious packages, behaviors, persons and events, and alerting security personnel?
- Require human resources to conduct background checks on all new hires?
Source: CSO Magazine and CERT Security Capability Assessment Tool