14. A - - -
At least two generations of backup shall be kept.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
15. - B C D
At least three generations of backup shall be kept.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
16. A B C D
Surplus output material should be destroyed and sensitive information shall be shredded or destroyed in some other manner that ensures security.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
17. A B C D
Forms used for training and testing should be specially identified, in particular regarding payment routines.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
18. - B C D
Output that includes sensitive information should be stored in locked cupboards before distribution.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
19. A B C D
Users shall be reminded yearly, through training or campaigns, about their responsibility for EDP security.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
20. A B C D
Passwords shall be individual, secret, and difficult to guess.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
21. A - - -
Access to a PC system shall require either a password or the unlocking of a physical lock.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
22. - B - -
A combination of at least user identity and password shall be required to authorize the use of the system.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
23. - - C D
User identity and password shall be used for authorization to specified objects (resources). This also applies to access to SPOOL files.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
24. - - C D
In certain cases, such as the work of the security officer, a combination of user identity and password shall give authorization for transactions to be handled on a specified terminal.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
25. A B C D
Standard passwords installed by the supplier shall be altered before using the system.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
26. - B C D
The passwords shall be changed every second or third month. Reuse of old passwords shall not be allowed.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
27. A B C D
User identity, including passwords, shall be deleted promptly when employees leave the company.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
28. - B C D
For emergency and backup purposes, the security officer's password shall be kept in a secure area. Access to the password should be allowed only in an emergency situation.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
29. - B C D
After three attempts with illegitimate combinations of user identity and password, further attempts shall automatically be prevented.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
30. A B C D
When leaving the terminal for more than a short period, the user shall log off the terminal or set it in a standby position, where a new log-on is required.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
31. - - C D
As a support to the users, the following functions should be installed where possible: after a certain time (20-30 minutes) with no work at the terminal, the terminal should automatically be set in a standby position or be shut off, and further use of the terminal should require a new sign-on procedure.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
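Items 26, 29 and 31 describe mechanical controls that a system can enforce. The following Python sketch is an added illustration, not part of the checklist or of any vendor's product: it implements password-reuse rejection and a 90-day maximum age (item 26), a lockout after three bad attempts (item 29) and a 20-minute idle timeout (item 31). The thresholds and the reference time NOW are assumptions chosen within the ranges the items give.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3                 # item 29: block after three bad attempts
IDLE_TIMEOUT = timedelta(minutes=20)    # item 31: 20-30 minutes without work
MAX_PASSWORD_AGE = timedelta(days=90)   # item 26: change every second or third month
NOW = datetime(1990, 1, 1, 9, 0)        # constructed reference time for the example

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    history: list = field(default_factory=list)  # (salt, hash) of earlier passwords
    failed: int = 0
    locked: bool = False
    last_activity: datetime = None               # None: no live session

def _hash(pw, salt):  # slow salted hash; plaintext passwords are never stored
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def new_account(pw, now):
    salt = os.urandom(16)
    return Account(salt, _hash(pw, salt), now)

def set_password(acct, new_pw, now):  # item 26: reuse of old passwords not allowed
    for salt, h in acct.history + [(acct.salt, acct.pw_hash)]:
        if hmac.compare_digest(_hash(new_pw, salt), h):
            return False
    acct.history.append((acct.salt, acct.pw_hash))
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_pw, acct.salt)
    acct.pw_set_at = now
    return True

def login(acct, pw, now):  # returns 'ok', 'locked', 'bad_password' or 'password_expired'
    if acct.locked:
        return "locked"                        # item 29: no further attempts
    if not hmac.compare_digest(_hash(pw, acct.salt), acct.pw_hash):
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
        return "bad_password"
    acct.failed = 0
    if now - acct.pw_set_at > MAX_PASSWORD_AGE:
        return "password_expired"              # item 26: force a change first
    acct.last_activity = now
    return "ok"

def activity(acct, now):  # item 31: each terminal action must fall within the idle limit
    if acct.last_activity is None or now - acct.last_activity > IDLE_TIMEOUT:
        acct.last_activity = None              # session ends; new sign-on required
        return False
    acct.last_activity = now
    return True
```

A locked account stays locked until an administrator clears the flag, which is the point of item 29; the audit record of who cleared it is the evidence an auditor would ask for.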
32. A - - -
For virus protection, diskettes or files from unknown sources (especially games) shall not be used.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
33. A - - -
To protect confidential information, one of the following methods shall be used.
- 1. Data shall be stored on diskettes that are kept under lock and key.
- 2. If data is stored on a hard disk, a security system shall be implemented. It shall have functions for password security and hard disk encryption, and it shall prevent booting from diskettes.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________
34. - B C D
For file transfer data communication, the available password functions shall be used. A receipt shall be issued and sent back when a file has been received and stored.
- YES _____ NO _____ N/A _____
- ____________________________________________________________
- ____________________________________________________________