The Security Audit Questionnaire was designed primarily to help evaluate the security capabilities of cloud providers and third parties offering electronic discovery or managed services. The tool is also useful as a self-checklist for organizations testing the security capabilities of their own in-house systems. Use the questionnaire to assess an organization’s strength in protecting data from destruction or unauthorized access, as well as its compliance with data-related legislation such as:

• Gramm-Leach-Bliley Act (GLBA)
• PCI DSS (Payment Card Industry Data Security Standard)
• Sarbanes-Oxley Act
• Security breach notification laws

The tool sets out 74 separate criteria under seven categories. Use it to assign the importance or weight of each criterion, so that you can emphasize key criteria that are mission-critical or downplay criteria that are less important to your business. EDRM produced a webinar to help you determine how best to use the tool. Areas addressed include:

• Risk Management
• Asset Security
• Communications and Networking Security
• Identity and Access Management
• Security Operations
• Software Development Security

Download the Excel file here:

[Note: The Questionnaire was updated in April 2017 to correct a missing formula and remove references to HIPAA certification. This document will continue to be updated as needed. Suggestions for further edits are welcome at.]

Related Resources:
• (EDRM webinar that explains how to use the security audit tool)
• (U.S. GAO)
• (National Institute of Standards and Technology)

The EDRM Security Audit Team

A team of EDRM members representing e-discovery providers, corporate legal, and law firms convened in August 2016 to discuss security and compliance requirements and create a plan for the Security Audit Questionnaire.
Amy Sellars, assistant general counsel, litigation support for Walmart Legal, and Julie Hackler, account executive at Avansic, led the team of 14 professionals with backgrounds in e-discovery, security, IT technologies, and litigation support in creating the tool. Over several months of collaborative effort, the team identified seven key security areas for audit, developed checklists and audit questions, and built and tested the questionnaire.

This template will help you in your assessment of an organization’s information security program for CobiT Maturity Level 4.

CobiT Maturity Level 4, Managed and Measurable, states that the status of the Internal Control Environment is: “There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.”

CobiT Maturity Level 4, Managed and Measurable, states for the Establishment of Internal Controls: “IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.”

As an example, one of the questions in the section on “Allocation of information security responsibilities” is written as follows:

Are the assets and security processes associated with each particular system identified and clearly defined?
While this is a straightforward “yes” or “no” question, in order to answer it the IT auditor would need to look at the organization’s Business Impact Analysis and verify that the assets and security processes were indeed identified and clearly defined. You will also notice that I have cross-referenced each of the steps to the appropriate sections within CobiT. I hope the template will be of assistance to you.

J Kenneth (Ken) Magee is president and owner of Data Security Consultation and Training, LLC, which specializes in data security auditing and information security training. He has over 40 years of IT experience in both private industry and the public sector, with the last 21 devoted to IT security and risk management. Ken holds degrees from Robert Morris University and Fairleigh Dickinson University. He holds 30 certifications including: CTT+, CEH, CPT, SSCP, CISSP-ISSMP, CAP, CISA, CISM, ISO 27001 PA, GIAC-GWAPT/GSEC/GSNA, CIA-CGAP, Security+, and CDP. He is a Senior Instructor with the InfoSec Institute.

Free information security policy templates courtesy of the SANS Institute, Michele D. Guel, and other information security leaders. Server Audit Policy.