06_QuestionsForManagement

Questionnaire for management:

 * Was a risk assessment done to determine the possible risk exposure, the risk appetite and the risk tolerance?
 * Is there an IDPS (intrusion detection and prevention system) in place? If not, what factors contributed to this decision?
 * Where is the IDPS placed within the network architecture?
 * If there is an IDPS, what type is it: host-based, network-based statistical anomaly detection, network-based pattern matching (signature-based), wireless, or network behavior analysis (NBA)?
 * Do the sensors push data to the analysis engine, or does the analysis engine pull data from the sensors?
 * Is there an update policy (signatures, anomaly baselines, software)? How often are updates implemented?
 * Does the IDPS include a tool for generating written reports that summarize the daily event log? If so, who reviews the daily event log, and how often?
 * Is there a security awareness program?
 * Does the security policy include [1]:
    * a definition of information security, its objectives and scope
    * a statement of management's intent to implement security management practices
    * a list of security policies, principles, standards and compliance requirements
    * the management structure and related responsibilities
    * supporting documents for implementing security management practices, i.e. detailed policies and procedures
 * Does the organization have ongoing training and awareness programs related to security?
 * Does the organization periodically (at least annually) review the security policy and make the necessary changes?
 * Who is responsible for the implementation of security management practices and for their continuous evaluation, monitoring and improvement?
 * What access control measures are in place to prevent unauthorized access to, or misuse of, information by third parties?
 * Does the third-party contract include the right to audit the outsourced facilities?
 * Does the SLA explicitly state that Covisia is in charge of IPC's security?
 * Is there an inventory of assets, including information assets (e.g. databases, data files), software assets (e.g. application and system software, relevant licenses), physical assets (e.g. computer and communication equipment) and services (e.g. general utilities, heating, lighting)?
 * What types of files are used in the daily business?
 * What type of firewall do you use: screened host firewall [2], screened subnet firewall [3], packet filter firewall [4], stateful inspection firewall, hybrid firewall, proxy server firewall, transparent firewall, or application-level (gateway) firewall?
 * Is e-mail encrypted?

[1] ISACA IS Auditing Guideline G40, Review of Security Management Practices.
[2] Controls access to and from a single host by means of a router operating at the network level. The single host is typically a bastion host: a highly defended and secured strong point that can resist attack.
[3] Controls access to and from a whole network by means of a router operating at the network level. It is similar to a screened host, except that it is effectively a network of screened hosts.
[4] Examines all the packets it sees, then forwards or drops them based on predefined rules. Packet filtering uses the source/destination address, protocol and port information from the packet header to restrict the flow of traffic. (ISACA Firewall Procedure P6)
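The packet filter described in [4] is easy to misjudge in an audit, because a rule set that looks restrictive can still admit unsolicited traffic. The following is an added illustration, not part of the questionnaire or of any ISACA material: a minimal stateless packet filter that evaluates a first-match rule list over the header fields named in [4] (source/destination address, protocol, source and destination port), with an implicit default drop. The addresses (10.0.0.0/8 as the internal network, 192.0.2.10 as a web server, 203.0.113.9 and 198.51.100.7 as Internet hosts) and the rule set are constructed for the example. Rule 3 is the classic "return traffic" rule a stateless filter needs so that replies from web servers can reach internal clients; the sample shows that it also admits a packet from an attacker who simply sets source port 443, which is the gap that stateful inspection firewalls (also listed in the question above) close by tracking connections.

```python
"""Stateless packet filter: first matching rule wins, default deny.

Added example; addresses, rules and packets are constructed, not captured.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields visible to a stateless filter (ICMP has no ports)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


def _in_range(bounds: Optional[Tuple[int, int]], port: Optional[int]) -> bool:
    """None bounds match any port; a port constraint can never match a portless packet."""
    if bounds is None:
        return True
    if port is None:
        return False
    lo, hi = bounds
    return lo <= port <= hi


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "drop"
    src: str = "0.0.0.0/0"                 # CIDR; 0.0.0.0/0 matches any IPv4 address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None            # None matches any protocol
    sport: Optional[Tuple[int, int]] = None  # inclusive port range, None = any
    dport: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return _in_range(self.sport, pkt.sport) and _in_range(self.dport, pkt.dport)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that fired); no match -> implicit default drop."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "drop", None


# Constructed ingress rule set for a border router (traffic entering the site).
INTERNAL = "10.0.0.0/8"
WEB_SERVER = "192.0.2.10/32"
RULES = [
    # 0: anti-spoofing - internal source addresses must never arrive from outside
    Rule("drop", src=INTERNAL),
    # 1, 2: published web server
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=(443, 443)),
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=(80, 80)),
    # 3: "return traffic" from external HTTPS servers to internal clients.
    #    A stateless filter cannot know whether a connection exists, so it has
    #    to trust the source port - which the sender controls.
    Rule("allow", dst=INTERNAL, proto="tcp", sport=(443, 443), dport=(1024, 65535)),
    # 4: explicit cleanup drop (same effect as the implicit default)
    Rule("drop"),
]

# Constructed sample packets.
LEGIT_HTTPS = Packet("203.0.113.9", "192.0.2.10", "tcp", 51515, 443)
SSH_TO_WEB = Packet("203.0.113.9", "192.0.2.10", "tcp", 51515, 22)
SPOOFED_INTERNAL = Packet("10.0.0.7", "192.0.2.10", "tcp", 51515, 443)
PING_WEB = Packet("203.0.113.9", "192.0.2.10", "icmp")
# Unsolicited inbound packet that merely claims source port 443: passes rule 3.
FAKE_REPLY = Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 8080)


if __name__ == "__main__":
    for name, pkt in [("legit https", LEGIT_HTTPS), ("ssh to web", SSH_TO_WEB),
                      ("spoofed internal src", SPOOFED_INTERNAL), ("icmp", PING_WEB),
                      ("fake reply sport 443", FAKE_REPLY)]:
        action, idx = evaluate(RULES, pkt)
        print(f"{name:22s} -> {action:5s} (rule {idx})")
```

When reviewing a packet-filter configuration, look for rules like rule 3: any allow rule keyed on the remote side's source port is an opening a stateless filter cannot close, and its presence is a concrete reason to ask management why a stateful inspection firewall was not chosen.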