"Risk Assessment Checklist Template"

Risk Assessment Check List
(answer each item: Yes / No / In Progress)

Information Security Policy

1. Information security policy document
   Does an Information security policy exist, which is approved by the management, published and
   communicated as appropriate to all employees?
   Does it state the management commitment and set out the organizational approach to
   managing information security?

2. Review and Evaluation
   Does the Security policy have an owner, who is responsible for its maintenance and review
   according to a defined review process?
   Does the process ensure that a review takes place in response to any changes affecting the
   basis of the original assessment, example: significant security incidents, new vulnerabilities or
   changes to organizational or technical structure?

Organizational Security

Information security infrastructure

1. Allocation of information security responsibilities
   a. Are responsibilities for the protection of individual assets and for carrying out specific
      security processes clearly defined?

2. Co-operation between organizations
   a. Are the appropriate contacts with law enforcement authorities, regulatory bodies, utility
      providers, information service providers and telecommunication operators maintained to
      ensure that appropriate action can be quickly taken and advice obtained, in the event of an
      incident?

3. Independent review of information security
   a. Is the implementation of security policy reviewed independently on a regular basis? This is
      to provide assurance that organizational practices properly reflect the policy, and that it is
      feasible and effective.

Security of third party access

1. Identification of risks from third party
   a. Are risks from third party access identified and appropriate security controls
      implemented?
   b. Are the types of accesses identified, classified and reasons for access justified?
   c. Are security risks with third party contractors working onsite identified and appropriate
      controls implemented?

2. Security requirements in third party contracts
   a. Is there a formal contract containing, or referring to, all the security requirements to ensure
      compliance with the organization's security policies and standards?

Outsourcing

1. Security requirements in outsourcing contracts
   a. Are security requirements addressed in the contract with the third party, when the
      organization has outsourced the management and control of all or some of its information
      systems, networks and/or desktop environments?
      Does the contract address how the legal requirements are to be met, how the security of
      the organization's assets is maintained and tested, the right of audit, physical security
      issues and how the availability of the services is to be maintained in the event of disaster?
Asset classification and control

Accountability of assets

1. Inventory of assets
   a. Is there a maintained inventory or register of the important assets associated with each
      information system?

Information classification

1. Classification guidelines
   a. Is there an Information classification scheme or guideline in place, which will assist in
      determining how the information is to be handled and protected?

2. Information labeling and handling
   a. Is there an appropriate set of procedures defined for information labeling and handling in
      accordance with the classification scheme adopted by the organization?

Personnel security

Security in job definition and Resourcing

1. Including security in job responsibilities
   a. Are security roles and responsibilities as laid down in the Organization's information security policy
      documented where appropriate?
      Does this include general responsibilities for implementing or maintaining security policy
      as well as specific responsibilities for protection of particular assets, or for extension of
      particular security processes or activities?

2. Confidentiality agreements
   a. Do employees sign Confidentiality or non-disclosure agreements as a part of their initial
      terms and conditions of the employment and annually thereafter?
   b. Does this agreement cover the security of the information processing facility and
      organization assets?
3. Terms and conditions of employment
   a. Do the terms and conditions of the employment cover the employee's responsibility for
      information security? Where appropriate, these responsibilities might continue for a defined
      period after the end of the employment.
User training

1. Information security education and training
   a. Do all employees of the organization and third party users (where relevant) receive
      appropriate Information Security training and regular updates in organizational policies and
      procedures?

Responding to security/threat incidents

1. Reporting security/threat incidents
   a. Does a formal reporting procedure exist, to report security/threat incidents through
      appropriate management channels as quickly as possible?

2. Reporting security weaknesses
   a. Does a formal reporting procedure or guideline exist for users, to report security weaknesses
      in, or threats to, systems or services?

Physical and Environmental Security

Equipment Security

1. Equipment location protection
   a. Are items requiring special protection isolated to reduce the general level of protection
      required?
   b. Are controls adopted to minimize risk from potential threats such as theft, fire, explosives,
      smoke, water, dust, vibration, chemical effects, electrical supply interference, electromagnetic
      radiation and flood?
2. Power Supplies
   a. Is the equipment protected from power failures by using redundant power supplies such
      as multiple feeds, uninterruptible power supply (UPS), backup generator etc.?

3. Equipment Maintenance
   a. Is maintenance carried out only by authorized personnel?
   b. Is the equipment covered by insurance, and are the insurance requirements satisfied?

4. Securing of equipment offsite
   a. Does any equipment usage outside an organization's premises for information processing have
      to be authorized by the management?
   b. Is the security provided for equipment while outside the premises equal to or more than
      the security provided inside the premises?

5. Secure disposal or re-use of equipment
   a. Are storage devices containing sensitive information either physically destroyed or securely
      overwritten?

General Controls

1. Removal of property
   a. Can equipment, information or software be taken offsite without appropriate authorization?
   b. Are spot checks or regular audits conducted to detect unauthorized removal of property?
   c. Are individuals aware of these types of spot checks or regular audits?
Communications and Operations Management

Operational Procedure and responsibilities

1. Documented Operating procedures
   a. Does the Security Policy identify any Operating procedures such as Back-up, Equipment
      maintenance etc.?