DS5  Ensure Systems Security

Control over the IT process of ensuring system security, with the business goal of safeguarding information against unauthorised use, disclosure or modification, damage or loss, is enabled by:

• logical access controls which ensure that access to the systems, data and programmes is restricted to authorised users

and takes into consideration Critical Success Factors that leverage specific IT Resources, and is measured by Key Performance Indicators.

Record of Assessment
Control Objective: Ensure system security.

CRITICAL SUCCESS FACTORS

• An overall security plan is developed that covers the building of awareness, establishes clear policies and standards, identifies a cost-effective and sustainable implementation, and defines monitoring and enforcement processes
• There is awareness that a good security plan takes time to evolve
• The corporate security function reports to senior management and is responsible for executing the security plan
• Management and staff have a common understanding of security requirements, vulnerabilities and threats, and they understand and accept their own security responsibilities
• Third-party evaluation of security policy and architecture is conducted periodically
• A "building permit" programme is defined, identifying security baselines that have to be adhered to
• A "driver's licence" programme is in place for those developing, implementing and using systems, enforcing security certification of staff
• The security function has the means and ability to detect, record, analyse the significance of, report and act upon security incidents when they do occur, while minimising the probability of occurrence by applying intrusion testing and active monitoring
• A centralised user management process and system provides the means to identify and assign authorisations to users in a standard and efficient manner
• A process is in place to authenticate users at reasonable cost that is lightweight to implement and easy to use
KEY GOAL INDICATORS

• No incidents causing public embarrassment
• Immediate reporting on critical incidents
• Alignment of access rights with organisational responsibilities
• Reduced number of new implementations delayed by security concerns
• Full compliance, or agreed and recorded deviations from minimum security requirements
• Reduced number of incidents involving unauthorised access, loss or corruption of information
KEY PERFORMANCE INDICATORS

• Reduced number of security-related service calls, change requests and fixes
• Amount of downtime caused by security incidents
• Reduced turnaround time for security administration requests
• Number of systems subject to an intrusion detection process
• Number of systems with active monitoring capabilities
• Reduced time to investigate security incidents
• Time lag between detection, reporting and acting upon security incidents
• Number of IT security awareness training days
Conclusions (maturity level):

• Non-existent
The organisation does not recognise the need for IT security. Responsibilities and accountabilities are not assigned for ensuring security. Measures supporting the management of IT security are not implemented. There is no IT security reporting and no response process to IT security breaches. There is a complete lack of a recognisable system security administration process.

• Optimised
IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimised and included in a verified security plan. Security functions are integrated with applications at the design stage and end users are increasingly accountable for managing security. IT security reporting provides early warning of changing and emerging risk, using automated active monitoring approaches for critical systems. Incidents are promptly addressed with formalised incident response procedures supported by automated tools. Periodic security assessments evaluate the effectiveness of implementation of the security plan. Information on new threats and vulnerabilities is systematically collected and analysed, and adequate mitigating controls are promptly communicated and implemented. Intrusion testing, root cause analysis of security incidents and proactive identification of risk are the basis for continuous improvements. Security processes and technologies are integrated organisation-wide.

• Managed and Measurable
Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and practices are completed with specific security baselines. Security awareness briefings have become mandatory. User identification, authentication and authorisation are being standardised. Security certification of staff is being established. Intrusion testing is a standard and formalised process leading to improvements. Cost/benefit analysis, supporting the implementation of security measures, is increasingly being utilised. IT security processes are co-ordinated with the overall organisation security function. IT security reporting is linked to business objectives.

• Defined Process
Security awareness exists and is promoted by management. Security awareness briefings have been standardised and formalised. IT security procedures are defined and fit into a structure for security policies and procedures. Responsibilities for IT security are assigned, but not consistently enforced. An IT security plan exists, driving risk analysis and security solutions. IT security reporting is IT-focused rather than business-focused. Ad hoc intrusion testing is performed.

• Repeatable but Intuitive
Responsibilities and accountabilities for IT security are assigned to an IT security co-ordinator with no management authority. Security awareness is fragmented and limited. IT security information is generated, but is not analysed. Security solutions tend to respond reactively to IT security incidents and by adopting third-party offerings, without addressing the specific needs of the organisation. Security policies are being developed, but inadequate skills and tools are still being used. IT security reporting is incomplete, misleading or not pertinent.

• Initial / Ad hoc
The organisation recognises the need for IT security, but security awareness depends on the individual. IT security is addressed on a reactive basis and not measured. IT security breaches invoke "finger pointing" responses if detected, because responsibilities are unclear. Responses to IT security breaches are unpredictable.