Free Information Security Risk Assessment Questionnaire
Increasingly, small and medium sized businesses are outsourcing many of their IT functions to external managed service providers and SaaS (Software as a Service) companies. Some of the most commonly outsourced functions are:
- Microsoft Exchange, web mail, and spam filtering
- E-commerce store platform
- Salesforce.com or other CRM systems
- Email marketing
- Search engine marketing, web site analytics, and SEO
- Credit card gateways and payment processors
- Billing systems
- Outsourced payroll systems or payroll services
- Web site hosting, image caching, and video streaming
- Off-site file system backups
But while the economics of outsourcing are clearly there, as an SMB you need to do a security assessment of each vendor you select to make sure that its operations policies and procedures are sufficiently mature to ensure that your company will remain compliant with state, federal, and international data security and personal privacy laws. You can’t outsource your legal liability as a company officer, your company’s reputation, or your obligation to protect the data of your customers and employees.
Unfortunately, most SMBs do not have IT resources with the infosec training or certifications required to conduct a proper security review of each vendor they outsource services to during the contract negotiation process. Let’s face it, information security expertise is expensive and has largely been the province of large enterprises with big IT groups and budgets. At least, until now.
If you want to assess the information security of any outsourced provider, you should send them a copy of the free security questionnaire I have listed below. This set of questions is modeled on an international information security risk assessment standard called ISO 17799 that is used very widely throughout the IT industry and by large enterprises.
Before you sign a contract with a provider, you should require that they answer all of the questions below and that a company officer sign the response. In addition, you should add a clause to their service agreement that requires them to inform your company if they experience a security breach for any other customer. You need this notification to determine if your customer’s information may have been breached as well and to hold the provider accountable for remediation actions because you should assume that your data is also at risk.
If you’d like this questionnaire formatted in an excel spreadsheet, send a request to risk-excel@steal-this-data.com. I will send you a copy for a $5.00, one time payment via Paypal.
Information Security Policy
| Item | Question | Y | N | Comment |
|---|---|---|---|---|
| 1.1 | Does your organization have a documented information security policy which is approved by the management, and published and communicated as appropriate to all employees? | |||
| 1.2 | Does the security policy have an owner, who is responsible for its maintenance and review according to a defined review process? | |||
| 1.3 | Is the security policy reviewed independently on a regular basis? | |||
| 1.4 | Do you have a defined team of managers from different parts of your organization who coordinate the implementation of information security controls? | |||
| 1.5 | Are responsibilities for the protection of individual assets and for carrying out specific security processes clearly defined? | |||
| 1.6 | Are risks from third party access, including outsourced service providers, contractors or consultants, identified and appropriate security controls implemented? | |||
| 1.7 | Do you require a formal contract with outsourced service providers, contractors, or consultants containing, or referring to, all the security requirements needed to ensure compliance with your organization's security policies and standards? | |||
Asset Management
| Item | Question | Y | N | Comment |
|---|---|---|---|---|
| 2.1 | Do you keep an up-to-date inventory of all of your organization's information system hardware and software assets? | |||
| 2.2 | Does each information asset have an identified owner, a security classification, and location? | |||
| 2.3 | Is a data classification scheme in place which defines how all digital and non-digital information, including internal and customer information, is to be handled and protected in your organization? | |||
| 2.4 | Is there a set of procedures for information labelling and handling in accordance with the data classification scheme adopted by your organization? | |||
Employee Security
| Item | Question | Y | N | Comment |
|---|---|---|---|---|
| 3.1 | Are all security roles and responsibilities, as defined in your organization's information security policy, documented? | |||
| 3.2 | Are background verification checks performed for new job applicants? | |||
| 3.3 | Are employees asked to sign a confidentiality or non-disclosure agreement as a part of their terms and conditions of employment? | |||
| 3.4 | Do the terms and conditions of employment cover the employee’s responsibility for information security? | |||
| 3.5 | Do all employees of your organization and third party users (where relevant) receive appropriate information security training and regular updates in information security policies and procedures? | |||
| 3.6 | Is a formal disciplinary process in place for employees who have violated information security policies and procedures? | |||
| 3.7 | Are responsibilities for performing employment termination clearly defined and assigned? | |||
| 3.8 | Is there a process in place that ensures all employees, contractors and third party users surrender all of the organization’s assets in their possession upon termination of their employment, contract or agreement? | |||
| 3.9 | Are the access rights of all employees, contractors and third party users to information and information processing facilities removed upon termination of employment, contract or agreement (or adjusted upon change)? | |||
Physical Security
| Item | Question | Y | N | Comment |
|---|---|---|---|---|
| 4.1 | Are information systems housed in a limited access area or facility? | |||
| 4.2 | Are entry controls in place that limit access to authorized personnel only? | |||
| 4.3 | Are all information systems stored in locked rooms or cabinets? | |||
| 4.4 | Are all information systems protected from natural and man-made disasters? | |||
| 4.5 | Is all security information on a need to know basis? | |||
| 4.6 | Are there security controls for third parties working in secure areas? | |||
| 4.7 | Are all delivery and information processing areas isolated from each other to prevent any unauthorized access? | |||
| 4.8 | Are information systems requiring special protection isolated to increase security? | |||
| 4.9 | Have controls been implemented to minimise risk from potential threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, electromagnetic radiation, and flood? | |||
| 4.10 | Is there a policy prohibiting eating, drinking and smoking in proximity to information processing systems? | |||
| 4.11 | Are environmental conditions which would adversely affect the information processing facilities monitored? | |||
| 4.12 | Are all information systems protected from power failures by using redundant power supplies, an uninterruptible power supply (UPS), a backup generator, etc.? | |||
| 4.13 | Are the power and telecommunications cables carrying data or supporting information services protected from interception or damage? | |||
| 4.14 | Are there any additional security controls in place for sensitive or critical information? | |||
| 4.15 | Is all information system equipment maintained on suppliers' recommended service intervals and specifications? | |||
| 4.16 | Is all information system maintenance carried out only by authorized personnel? | |||
| 4.17 | Are system and work logs maintained with all suspected or actual faults and all preventive and corrective measures? | |||
| 4.18 | Are appropriate security controls implemented when sending information system equipment off-premises? | |||
| 4.19 | Does any use of information system equipment outside your premises have to be authorized by organization management? | |||
| 4.20 | Is the security provided for information systems or media while outside the premises on par with or greater than the security provided inside the premises? | |||
| 4.21 | Are storage devices containing sensitive information physically destroyed or securely overwritten? | |||
| 4.22 | Is automatic computer screen locking enabled when a computer is left unattended for a period of time? | |||
| 4.23 | Are employees required to leave any confidential material in the form of paper documents, media etc., in a locked manner while unattended? | |||
| 4.24 | Are there controls in place to prevent equipment, information or software from being taken offsite without appropriate authorization? | |||
| 4.25 | Are spot checks or regular audits conducted to detect any unauthorized removal of property? | |||
Computer and Network Management
| Item | Question | Y | N | Comment |
|---|---|---|---|---|
| 5.1 | Are all information system back-up procedures and intervals documented? | |||
| 5.2 | Are all programs running on production systems subject to strict change control process where any proposed change to production programs needs to go through a change control authorization and logging process? | |||
| 5.3 | Are audit logs maintained for any change made to production programs? | |||
| 5.4 | Are operational duties and areas of responsibility separated to reduce the opportunities for unauthorized modification of information or misuse of information and information systems? | |||
| 5.5 | Are development and testing facilities isolated from operational facilities? | |||
| 5.6 | Is your organization's information system facility managed by an external organization or contractor (third party)? | |||
| 5.7 | If your organization's information system facility is managed by an external organization or contractor (third party), were the risks associated with such management identified in advance, discussed with the third party and were appropriate controls incorporated into the contract? | |||
| 5.8 | Are capacity demands monitored and projections of future capacity requirements made? | |||
| 5.9 | Are system acceptance criteria established for new information systems, upgrades and new versions? | |||
| 5.10 | Are suitable tests carried out prior to information system acceptance and deployment? | |||
| 5.11 | Are there any controls against malicious software usage? | |||
| 5.12 | Does your information security policy address software licensing issues such as prohibiting the use of unauthorized software? | |||
| 5.13 | Is antivirus software installed and active on all information systems to check for, isolate and remove any viruses from computers and media? | |||
| 5.14 | Are all anti-virus system signatures updated on a regular basis? | |||
| 5.15 | Is all traffic originating from untrusted networks into your organization checked for viruses? Example: checking for viruses in email, email attachments, web traffic and FTP traffic. | |||
| 5.16 | Are back-ups of essential business information such as production servers, critical network components, configuration backups etc., performed regularly? | |||
| 5.17 | Is backup media, along with the procedure to restore the backup, stored securely and well away from the actual site? | |||
| 5.18 | Is backup media regularly tested to ensure that they can be restored within the time frame allotted in the operational procedure for recovery? | |||
| 5.19 | Does operational staff maintain a log of their activities such as name of the person, errors, corrective action etc.? | |||
| 5.20 | Are operator logs checked on a regular basis against operating procedures? | |||
| 5.21 | Are faults reported and well managed? This includes corrective action being taken, review of the fault logs and checking of the actions taken. | |||
| 5.22 | Are effective operational controls such as separate network and system administration facilities established where necessary? | |||
| 5.23 | Do responsibilities and procedures for the management of remote equipment, including equipment in user areas, exist? | |||
| 5.24 | Does your organization have any special controls to safeguard the confidentiality and integrity of data processing over the public network and to protect the connected systems? | |||
| 5.25 | Does your organization have a procedure for management of removable computer media such as tapes, disks, cassettes, memory cards and reports? | |||
| 5.26 | Is all backup or storage media that is no longer required disposed of securely and safely? | |||
| 5.27 | Is the disposal of sensitive items logged where necessary in order to maintain an audit trail? | |||
| 5.28 | Is access to information system documentation and configuration information limited to authorized individuals? | |||
| 5.29 | Is the access list for information system and configuration documentation kept to a minimum and authorized by the application owner? | |||
| 5.30 | Is backup media encrypted when it is transported off-site? | |||
| 5.31 | Is backup media stored in a physically secure location with limited access by authorized individuals only? | |||
| 5.32 | Are electronic commerce systems well protected and controls implemented to protect against fraudulent activity, contract dispute and disclosure or modification of information? | |||
| 5.33 | Are security controls such as authentication and authorization required in the e-commerce environment? | |||
| 5.34 | Do all electronic commerce arrangements between trading partners include a documented agreement, which commits both parties to the agreed terms of trading, including details of security issues? | |||
| 5.35 | Does your organization have a policy in place for the acceptable use of electronic mail? | |||
| 5.36 | Are controls such as antivirus checking, isolating potentially unsafe attachments, spam control, anti-relaying etc., implemented to reduce the risks created by electronic mail? | |||
| 5.37 | Does your organization have an acceptable use policy to address the use of electronic office systems? | |||
| 5.38 | Are any guidelines in place to effectively control the business and security risks associated with the electronic office systems? | |||
| 5.39 | Is any formal authorization process in place for information to be made publicly available, such as approval from change control, which includes the business and application owner? | |||
| 5.40 | Are any controls in place to protect the integrity of publicly available information from unauthorized access? | |||
Access Control
| Item | Question | Y | N | Comment |
|---|---|---|---|---|
| 6.1 | Have the business requirements for access control to all information systems been defined and documented? | |||
| 6.2 | Does your organization's access control policy address the rules and rights for each user or group of users? | |||
| 6.3 | Do you have a formal user registration and de-registration procedure for granting access to multi-user information systems and services? | |||
| 6.4 | Is the allocation and use of any privileges in multi-user information system environment restricted and controlled? | |||
| 6.5 | Is allocation and reallocation of passwords controlled through a formal management process? | |||
| 6.6 | Is there a process to review user access rights at regular intervals? Example: Special privilege review every 3 months, normal privileges every 6 months. | |||
| 6.7 | Are there any guidelines in place to guide users in selecting and maintaining secure passwords? | |||
| 6.8 | Are users and contractors made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection? | |||
| 6.9 | Are users provided with access only to the services that they have been specifically authorized to use? | |||
| 6.10 | Does a policy exist that addresses concerns relating to networks and network services? | |||
| 6.11 | Are there any controls that restrict the route between the user terminal and the designated computer services the user is authorized to access? For example: an enforced path to reduce the risk. | |||
| 6.12 | Is there an authentication mechanism for challenging external connections using cryptography based techniques or hardware tokens? | |||
| 6.13 | Are connections to remote computer systems outside of the organization's security management authenticated? Node authentication can serve as an alternate means of authenticating groups of remote users where they are connected to a secure, shared computer facility. | |||
| 6.14 | Is access to diagnostic ports securely controlled? | |||
| 6.15 | Is the network that business partners and/or third parties use to access the information system segregated using perimeter security mechanisms such as firewalls? | |||
| 6.16 | Do controls exist for network connection control to shared networks that extend beyond the organization's boundaries, such as electronic mail, web access, file transfers, etc.? | |||
| 6.17 | Are there any network controls to ensure that computer connections and information flows do not breach the access control policy of the business applications? This is often essential for networks shared with external users. | |||
| 6.18 | Are routing controls based on a positive source and destination identification mechanism? Example: Network Address Translation (NAT). | |||
| 6.19 | Does a clear description of the security attributes of all private and public network services used by the organization exist? | |||
| 6.20 | Is access to information system only attainable via a secure log-on process? | |||
| 6.21 | Is a procedure in place for logging in to the information system? | |||
| 6.22 | Is a unique identifier provided to every user with administrative privileges? | |||
| 6.23 | Does the authentication method used substantiate the claimed identity of the user? For example, a password that only the user knows. | |||
| 6.24 | Is there a password management system that enforces various password controls such as individual passwords for accountability, enforced password changes, password storage in encrypted form, no passwords displayed on screen, etc.? | |||
| 6.25 | Are the system utilities that come with computer installations, but may override system and application controls, tightly controlled? | |||
| 6.26 | Are there any restrictions on connection time for high-risk applications? | |||
| 6.27 | Is access to the information system by various groups/personnel within the organization defined in the access control policy and consistent with the organization’s Information access policy? | |||
| 6.28 | Are sensitive systems provided with an isolated computing environment such as running on a dedicated computer, shared resources only with trusted application systems, etc? | |||
| 6.29 | Are audit logs recording exceptions and other security relevant events produced and kept for an agreed period to assist in future investigations and access control monitoring? | |||
| 6.30 | Are procedures set up for monitoring the use of information processing facility? | |||
| 6.31 | Do procedures exist that ensure that users are performing only the activities that are explicitly authorized? | |||
| 6.32 | Are the results of the monitoring activities reviewed regularly? | |||
| 6.33 | Are all devices that generate audit logs time synched to ensure the accuracy of log information and to facilitate event correlation? | |||
| 6.34 | Has a formal policy been defined that takes into account the risks of working with mobile computing facilities such as notebooks, palmtops etc., especially in unprotected environments? | |||
| 6.35 | Is training held for staff who use mobile computing facilities to raise their awareness on the additional risks resulting from this way of working and controls that need to be implemented to mitigate the risks? | |||
| 6.36 | Is there any policy, procedure and/or standard to control teleworking activities, consistent with the organization’s security policy? | |||
| 6.37 | Is suitable protection of teleworking sites in place to protect against threats such as theft of equipment, unauthorized disclosure of information etc.? | |||
System Development and Maintenance
| Item | Question | Y | N | Comment |
|---|---|---|---|---|
| 7.1 | Does your organization have a documented software development lifecycle process? | |||
| 7.2 | Is a security requirements review required before the development of new information systems or enhancements of existing systems? | |||
| 7.3 | Is a risk assessment completed prior to the commencement of new information system development? | |||
| 7.4 | Are all data inputs validated to ensure that they are correct and appropriate? | |||
| 7.5 | Are all data outputs validated to ensure that the processing of stored information is correct? | |||
| 7.6 | Are validation checks incorporated into applications to detect any corruption of information through processing errors or deliberate acts? | |||
| 7.7 | Are non-repudiation services used where it might be necessary to resolve disputes about the occurrence or non-occurrence of an event or action? | |||
| 7.8 | Is an assessment of security risk carried out to determine if message authentication is required; and to identify the most appropriate method of implementation if it is necessary? | |||
| 7.9 | During the software design process, is there an assessment of the sensitivity of the data processed by an information system and the level of protection needed? | |||
| 7.10 | Are digital signatures used to protect the authenticity and integrity of electronic documents in all relevant information systems? | |||
| 7.11 | Does your organization have a management system in place to oversee and protect the use of cryptographic techniques such as secret or public keys using a consistent, agreed upon set of standards, procedures and secure methods? | |||
| 7.12 | Are cryptographic keys protected against modification, loss, and destruction? | |||
| 7.13 | Are secret and private keys protected against unauthorized disclosure? | |||
| 7.14 | Is the equipment used to generate and store keys physically protected? | |||
| 7.15 | Is the key management system based on an agreed set of standards, procedures and secure methods? | |||
| 7.16 | Are any controls in place for the implementation of software on operational systems? | |||
| 7.17 | Is system test data protected and controlled? The use of operational database containing personal information should be avoided for test purposes. If such information is used, the data should be depersonalised before use. | |||
| 7.18 | Are operational databases or copies of operational databases containing personal information used for testing purposes? | |||
| 7.19 | Are strict controls in place over access to program source libraries to reduce the potential for corruption of computer programs? | |||
| 7.20 | Are strict control procedures in place over the implementation of changes to information systems? | |||
| 7.21 | Is there an established process or procedure in place to ensure that information systems are reviewed and tested after operating system changes or patches? | |||
| 7.22 | Are any restrictions in place to limit configuration changes to software packages by operations staff? | |||
| 7.23 | Are there controls in place to ensure that covert channels and Trojan code are not introduced into new or upgraded information systems? | |||
Information Security Incident Management
| Item | Question | Y | N | Comment |
|---|---|---|---|---|
| 8.1 | Is an incident response process defined to handle security incidents? | |||
| 8.2 | Does the incident response process identify incident management roles and responsibilities? | |||
| 8.3 | Does the incident management process define the different types of incidents ranging from denial of service to breach of confidentiality etc., and ways to handle them? | |||
| 8.4 | Are audit trails and logs relating to incidents maintained and is proactive action taken in a way that the incident doesn’t reoccur? | |||
| 8.5 | Is there a documented reporting procedure in your organization to report security incidents through appropriate channels as quickly as possible? | |||
| 8.6 | Do formal reporting procedures or guidelines exist for users to report security weaknesses or threats to systems or services? | |||
| 8.7 | Do procedures exist to report software malfunctions and track their status and resolution? | |||
| 8.8 | Are there mechanisms in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored? | |||
| 8.9 | Are management responsibilities and procedures established to ensure quick, effective and orderly response to information security incidents? | |||
| 8.10 | Is the monitoring of systems, alerts and vulnerabilities used to detect information security incidents? | |||
| 8.11 | Is the information gained from the evaluation of the past information security incidents used to identify recurring or high impact incidents? | |||
| 8.12 | Is there follow-up action against a person or organization when an information security incident involves legal action (either civil or criminal)? | |||
| 8.13 | Is evidence relating to the incident collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s)? | |||
Business Continuity Management
| Item | Question | Y | N | Comment |
|---|---|---|---|---|
| 9.1 | Does your organization have a documented business continuity plan? | |||
| 9.2 | Is your organization's business continuity plan tested at least once per year? | |||
| 9.3 | Does the business continuity plan address information security requirements? | |||
| 9.4 | Is there a managed process in place that addresses the information security requirements for developing and maintaining business continuity throughout the organization? | |||
| 9.5 | Do the business continuity plan tests ensure that all members of the recovery team and other relevant staff are aware of the plan, their responsibility for information security, and their role when the plan is invoked? | |||
| 9.6 | Is your organization's business continuity plan reviewed and updated at least once per year? | |||
| 9.7 | Does your organization's business continuity plan identify the conditions that would lead to its activation and the individuals responsible for executing each component of the plan? | |||
Compliance
| Item | Question | Y | N | Comment |
|---|---|---|---|---|
| 10.1 | Are all relevant statutory, regulatory and contractual requirements explicitly defined and documented for each information system? | |||
| 10.2 | Are specific controls and individual responsibilities to meet these requirements defined and documented? | |||
| 10.3 | Do any procedures exist to ensure compliance with legal restrictions on use of material in respect of which there may be intellectual property rights such as copyright, design rights, trade marks? | |||
| 10.4 | Are important records of the organization protected from loss, destruction, and falsification in accordance with statutory, regulatory, contractual and business requirements? | |||
| 10.5 | Are controls defined and implemented to protect data and privacy of personal information, per relevant legislation, regulations and if applicable as per the contractual clauses? | |||
| 10.6 | Is the use of information processing facilities for any non-business or unauthorized purpose, without management approval, treated as improper use of the facility? | |||
| 10.7 | Is consideration given to the possibility of deterioration of media used for storage of records? | |||
| 10.8 | Are cryptographic controls used in compliance with all relevant agreements, laws, and regulations? | |||
| 10.9 | Are all areas within the organization considered for regular review to ensure compliance with security policy, standards and procedures? | |||
| 10.10 | Are information systems regularly checked for compliance with security implementation standards? | |||
| 10.11 | Are information system audit tools separated from development and operational systems, unless given an appropriate level of additional protection? | |||
| 10.12 | Provide detail of security and audit reports available from the application. | |||
| 10.13 | What user and administrator activity and status reports are available from the application? | |||
| 10.14 | What password controls does the application provide? | |||
| 10.15 | Can admin functions be segregated to allow for decentralized administration? | |||
| 10.16 | Describe the recommended data and program backup procedures. | |||
