Security Governance and Management Scorecard

Risk Analysis
1 - Please indicate the status of your risk analysis process.
    6 - Documented, enforced, reviewed, and
2 - Are all (Network, Data, Apps, IAM, End User Devices, Servers, Physical) security areas covered in your risk analysis?
3 - Is risk analysis conducted for all significant projects (Application and infrastructure adoption, maintenance, outsourcing, etc.)?
4 - Are risk analysis outcomes clearly communicated to project teams for all significant projects (Application and infrastructure adoption, maintenance, outsourcing, etc.)?
5 - Have responsibility and accountability been clearly established for your risk analysis process?

Compliance Management
6 - Please indicate the status of your compliance management process.
    6 - Documented, enforced, reviewed, and
7 - Are compliance requirements communicated to relevant staff?
8 - Are explicitly approved exceptions audited, monitored, and reported?
9 - Is compliance promoted and enforced?
10 - Are issues investigated to prevent further offenses?
11 - Have responsibility and accountability been clearly established for your compliance management process?

Auditing
12 - Please indicate the status of your auditing process.
    6 - Documented, enforced, reviewed, and
13 - How frequently do you audit for compliance with your security policies and processes?
14 - Do your audits cover all (Network, Data, Apps, IAM, End User Devices, Servers, Physical) areas of security?
15 - Have responsibility and accountability been clearly established for your auditing process?

Vulnerability Management
16 - Please indicate the status of your vulnerability management process.
    6 - Documented, enforced, reviewed, and
17 - Is vulnerability management applied and enforced in all (Network, Data, Apps, IAM, End User Devices, Servers, Physical) areas of security?
18 - Are security considerations included in project planning and change management processes?
19 - Have responsibility and accountability been clearly established for your vulnerability management process?

Event and Incident Management
20 - Please indicate the status of your event and incident management process.
    6 - Documented, enforced, reviewed, and
21 - Does your event monitoring include all (Network, Data, Apps, IAM, End User Devices, Servers, Physical) areas of security?
22 - Does your incident management include all (Network, Data, Apps, IAM, End User Devices, Servers, Physical) areas of security?
23 - Have responsibility and accountability been clearly established for your event monitoring?
24 - Have responsibility and accountability been clearly established for your incident management?

Security Culture
25 - Do you use a variety of methods in your security awareness training (Instructional events, awareness campaigns, video-based training, etc.)?
26 - Do you assess the effectiveness of end user training through regular testing (Computer-based testing, mock phishing attacks, social engineering efforts, etc.) and follow up with users who fail these tests?
27 - Does your security awareness training cover IAM, data, application, physical, and end user devices security?
28 - Is security awareness training provided to new staff?
29 - How often is security training provided to existing staff? [Single Select: 1 - Rarely or never, 2 - Every two years, 3 - Annually, 4 - Every six months, 5 - Quarterly, 6 - Continuously (e.g., by way of newsletter or e-mail updates, unannounced phishing testing, etc.)]
30 - How often do your system administrators, database administrators, network administrators, and application developers get special security training? [Single Select: 1 - Rarely or never, 2 - Every two years, 3 - Annually, 4 - Every six months, 5 - Quarterly, 6 - Continuously (e.g., by way of newsletter or e-mail updates, unannounced phishing testing, etc.)]
31 - Is special security training for system administrators, database administrators, network administrators, and application developers assessed (By code review, application penetration testing, network/system penetration testing, patch currency reviews, etc.) and the results of these assessments followed up on?
32 - Have responsibility and accountability been clearly established for your security awareness training?
Network Security - Policies And Processes Governance
To what extent are the following policies and processes in place for Network Security?
33a - Network segmentation policy
33b - Who is accountable? (leave blank if no one is accountable)
34a - Inbound and outbound traffic control must include IP filtering/traffic-based access control
34b - Who is accountable? (leave blank if no one is accountable)
35a - Complete a security checklist as part of deployment and decommissioning processes
35b - Who is accountable? (leave blank if no one is accountable)
36a - Audit deployed networks to ensure they still meet requirements
36b - Who is accountable? (leave blank if no one is accountable)

Host Security for Servers - Policies And Processes Governance
To what extent are the following policies and processes in place for Host Security for Servers?
37a - Internal security standards are defined for each platform
37b - Who is accountable? (leave blank if no one is accountable)
38a - Complete a security checklist as part of deployment and decommissioning processes
38b - Who is accountable? (leave blank if no one is accountable)
39a - Perform a risk analysis prior to deploying patches/updates
39b - Who is accountable? (leave blank if no one is accountable)
40a - Audit deployed servers to ensure they still meet security requirements
40b - Who is accountable? (leave blank if no one is accountable)

End User Devices - Policies And Processes Governance
To what extent are the following policies and processes in place for End User Devices security?
41a - Internal security standards defined for each desktop/laptop platform (Mac, Windows, etc.) [Single Select: 1 - Not in place, 2 - Informal policy in place, inconsistently applied, 3 - Informal
41b - Who is accountable? (leave blank if no one is accountable)
42a - Internal security standards defined for each tablet or smartphone platform (Android, iOS, etc.)
42b - Who is accountable? (leave blank if no one is accountable)
43a - Complete a security checklist as part of deployment and decommissioning processes
43b - Who is accountable? (leave blank if no one is accountable)
44a - Audit deployed devices to ensure they still meet requirements
44b - Who is accountable? (leave blank if no one is accountable)

Application Security - Policies And Processes Governance
To what extent are the following policies and processes in place for Application Security?
45a - AppDev projects must include countermeasures to STRIDE (S = Spoofing, T = Tampering, R = Repudiation, I = Information disclosure, D = Denial of service, E = Elevation of privilege)
45b - Who is accountable? (leave blank if no one is accountable)
46a - Network and production data segmentation between Dev/Testing and Production environments
46b - Who is accountable? (leave blank if no one is accountable)
47a - Require security testing prior to deployment for custom and commercial off-the-shelf (COTS) apps
47b - Who is accountable? (leave blank if no one is accountable)
48a - Audit deployed apps to ensure they still meet security requirements
48b - Who is accountable? (leave blank if no one is accountable)

Data Security - Policies And Processes Governance
To what extent are the following policies and processes in place for Data Security?
49a - Security policies for data at rest
49b - Who is accountable? (leave blank if no one is accountable)
50a - Security policies for data in transit
50b - Who is accountable? (leave blank if no one is accountable)
51a - Data classification definitions
51b - Who is accountable? (leave blank if no one is accountable)
52a - Audit data sources to ensure policies are being followed
52b - Who is accountable? (leave blank if no one is accountable)

IAM Security - Policies And Processes Governance
To what extent are the following policies and processes in place for IAM Security?
53a - Acceptable use policies for IT services
53b - Who is accountable? (leave blank if no one is accountable)
54a - User access levels defined (includes for temporary staff)
54b - Who is accountable? (leave blank if no one is accountable)
55a - Require management signoff for changes to user access rights
55b - Who is accountable? (leave blank if no one is accountable)
56a - Audit user accounts to ensure they still meet requirements
56b - Who is accountable? (leave blank if no one is accountable)

Physical Security - Policies And Processes Governance
To what extent are the following policies and processes in place for Physical Security?
57a - Before/after hours access policies
57b - Who is accountable? (leave blank if no one is accountable)
58a - Visitor/guest registration and access policies
58b - Who is accountable? (leave blank if no one is accountable)
59a - Incorporate physical security considerations into other processes (Ensure backup tapes can be secured, ensure telecom closets are secure, etc.)
59b - Who is accountable? (leave blank if no one is accountable)
60a - Audit physical security practices to ensure they are being followed
60b - Who is accountable? (leave blank if no one is accountable)