Where is your off-site storage? ______________________
- 16. A B C D
Surplus output material should be destroyed; sensitive information shall be shredded or destroyed in some other manner that ensures security.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- * 16a Do you have a shredder or other means to destroy confidential reports? _____ If so, is there a policy or other documentation explaining what is sensitive information and how it is to be handled for the employees? _____ If there is something, please attach a copy of it.
- 17. A B C D
Forms used for training and testing should be specially identified, in particular regarding payment routines.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 18. - B C D
Output that includes sensitive information should be stored in locked cupboards before distribution.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- C. Is anything done to monitor system utilization? ________ If so, describe what is done, how the data is used, and attach an example of one of the reports.
_____________________________________________________________
_____________________________________________________________
- 39. A B C D
For each application where data communication is being used, fall-back alternatives to the communication and its routines shall be developed and tested.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 43. - - C D
A log book of disturbances shall be kept. It should record the time the disturbance was discovered, the kind of disturbance and where it occurred, the time the error was reported, and the time the system was working again.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 44. - - C -
A contingency plan should be worked out and kept updated.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 45. - - - D
A contingency plan must be worked out and kept updated.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 46. - - C D
The computer installations should have insurance against fire. Water damage and extra-cost insurance are often recommended. For leased equipment, check whether the leasing company or the Group company is responsible for taking out the insurance policy.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 47. A B C D
Complete system and operations documentation shall be kept up to date. One copy of it shall be kept in a fireproof place.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
LOGICAL SECURITY
- 19. A B C D
Users shall be reminded yearly, through training or campaigns, about their responsibility for EDP security.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- D Indicate the names of the individuals who have the authority to add, change, or delete user profiles and access rules.
_____________________________________________________________
_____________________________________________________________
- E Is there a standard form used for adding and maintaining user profile information? _____
If so, attach a copy. Also, is the form retained in a central place? _____ Please describe. _________________________________________________________
- 20. A B C D
Passwords shall be individual and secret, and difficult to guess.
YES _____ NO _____ N/A _____
______________________________________________________________
______________________________________________________________
- 20a Please describe the syntax of user passwords:
minimum/maximum length ____/____
required alpha or numeric characters? ____________________
- 21. A - - -
Access to a PC system shall be obtained by using a password or by unlocking a physical lock.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 22. - B - -
A combination of at least user identity and password shall be required to authorize the use of the system.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 23. - - C D
User identity and password shall be used for authorization to specified objects (resources). This also applies to access to SPOOL files.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 24. - - C D
In certain cases, such as the work of the security officer, a combination of user identity and password shall give authorization for transactions to be handled on a specified terminal.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 25. A B C D
Standard passwords installed by the supplier shall be altered before using the system.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 26. - B C D
Passwords shall be changed every second or third month. Reuse of old passwords shall not be allowed.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 27. A B C D
User identities, including passwords, shall be deleted promptly when employees leave the company.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- * 27a Are written procedures in place to ensure that data processing is notified of transfers and terminations on a timely basis so that any necessary changes can be made to security? _____ If so, attach a copy of the procedures.
- 28. - B C D
For emergency and backup purposes, the security officer's password shall be kept in a secure area. Access to the password should be allowed only in an emergency situation.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 29. - B C D
After three attempts with invalid combinations of user identity and password, further attempts shall automatically be prevented.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
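Items 20/20a (password syntax), 25 (supplier default passwords), 26 (rotation and no reuse) and 29 (lockout after three failed attempts) describe controls that an auditor can verify by exercising the login and password-change paths. The following is an added example, not part of the questionnaire and not any auditee's code: a small authentication gate implementing those four controls together. The concrete parameters (8-character minimum, alpha plus numeric, 90-day rotation as a reading of "every second or third month", a history of 5 previous passwords, a placeholder list of supplier defaults, and the administrative unlock by the security officer) are assumptions, since the form leaves them blank for the auditee to fill in.

```python
"""Added example: an authentication gate enforcing checklist items 20/20a, 25,
26 and 29. Parameters below are assumptions (the form leaves them blank)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LEN = 8                           # item 20a: minimum length (assumed)
MAX_FAILED = 3                        # item 29: three attempts, then lockout
ROTATION = timedelta(days=90)         # item 26: "every second or third month" (assumed 90 days)
HISTORY = 5                           # item 26: previous passwords kept to block reuse (assumed)
SUPPLIER_DEFAULTS = {"password1", "changeme1"}   # item 25: constructed placeholders
_DUMMY_SALT = b"\x00" * 16


def _hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored digests are not directly comparable to guesses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_ok(password: str) -> bool:
    """Item 20a syntax rule plus item 25: reject known supplier defaults."""
    if password.lower() in SUPPLIER_DEFAULTS:
        return False
    return (len(password) >= MIN_LEN
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


@dataclass
class Account:
    user: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: list = field(default_factory=list)   # (salt, digest) of past passwords
    failed: int = 0
    locked: bool = False


class Gate:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create(self, user: str, password: str, now: datetime) -> None:
        if not password_ok(password):
            raise ValueError("password does not meet syntax rules")
        salt = os.urandom(16)
        self.accounts[user] = Account(user, salt, _hash(password, salt), now)

    def change_password(self, user: str, new_password: str, now: datetime) -> str:
        acct = self.accounts[user]
        if not password_ok(new_password):
            return "rejected: syntax"
        # Item 26: the new password may not equal the current one or any in history.
        for salt, digest in acct.history + [(acct.salt, acct.digest)]:
            if hmac.compare_digest(_hash(new_password, salt), digest):
                return "rejected: reuse"
        acct.history = (acct.history + [(acct.salt, acct.digest)])[-HISTORY:]
        acct.salt = os.urandom(16)
        acct.digest = _hash(new_password, acct.salt)
        acct.changed_at = now
        return "changed"

    def login(self, user: str, password: str, now: datetime) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, _DUMMY_SALT)     # same work as a real check; same answer
            return "denied"
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failed += 1
            if acct.failed >= MAX_FAILED:    # item 29: block further attempts
                acct.locked = True
                return "locked"
            return "denied"
        acct.failed = 0
        if now - acct.changed_at > ROTATION: # item 26: force a change after the interval
            return "expired"
        return "ok"

    def unlock(self, user: str) -> None:
        """Administrative reset, assumed to be performed by the security officer."""
        acct = self.accounts[user]
        acct.failed = 0
        acct.locked = False


if __name__ == "__main__":
    g = Gate()
    t0 = datetime(2024, 1, 1)
    g.create("alice", "winter2024x", t0)            # constructed sample account
    for attempt in ("wrong1234", "wrong1234", "wrong1234", "winter2024x"):
        print(attempt, "->", g.login("alice", attempt, t0))
    print("reuse ->", g.change_password("alice", "winter2024x", t0))
```

The login path deliberately returns the same "denied" answer for an unknown user and for a wrong password, and does the same hashing work in both cases, so the response does not reveal which user identities exist; the lockout counter is reset only by a successful login or by the administrative unlock.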