
A. Security Governance

This domain covers how your security governance is designed, implemented, and maintained.

01) Does your organisation conduct an annual independent information security review and act upon the findings?

Answer yes if your organisation engages a third party to conduct an annual information security review, and the findings are assessed by your organisation and acted upon where necessary. If yes, please add the date of your last review to the notes.

Tags: Security Governance, Independent Security Review

02) Does your organisation have an appointed person responsible for information security, such as a CISO?

Answer yes if your organisation has an appointed role that is responsible for managing and implementing security controls throughout the business. Please confirm the role and its responsibilities in the notes, or provide a job description (as a PDF file) as evidence.

Tags: Security Governance, CISO

03) Does your organisation have a documented Cybersecurity Policy or Information Security Policy?

Answer yes if your organisation has a documented Cybersecurity Policy or Information Security Policy that has been reviewed in the last year. Please provide the policy (as a PDF file) as evidence.

Tags: Security Governance, Cybersecurity Policy, Policies

04) Does your organisation have a formal policy on the use of mobile devices?

Answer yes if your organisation has a documented Mobile Device Policy that has been reviewed in the last year. Please provide the Mobile Device Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Tags: Security Governance, Policies, Mobile Device Policy

05) Does your organisation have a formal policy for remote working that includes security?

Answer yes if your organisation has a documented Remote Working Policy that has been reviewed in the last year. Please provide the Remote Working Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Tags: Security Governance, Policies, Remote Working

06) Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information?

Answer yes if your organisation has a documented Acceptable Use Policy that has been reviewed in the last year. Please provide the Acceptable Use Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Tags: Security Governance, Policies, Acceptable Use

07) Does your organisation have a documented Information Classification Policy?

Answer yes if your organisation has a documented Information Classification Policy that has been reviewed in the last year and that outlines the data handling procedures in operation within your organisation. Please provide the Information Classification Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Tags: Security Governance, Policies, Information Classification

08) Does your organisation have a documented Access Control Policy?

Answer yes if your organisation has a documented Access Control Policy that has been reviewed in the last year. Please provide the Access Control Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Tags: Security Governance, Policies, Access Control

09) Does your organisation have a policy governing the use of cloud services?

Answer yes if your organisation has a documented policy on the use of cloud services, and if it has been reviewed in the last year. The policy should include information security requirements for the acquisition, use, management, and exit from cloud services. Please provide the Cloud Services Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Tags: Security Governance, Policies, Cloud

10) Does your organisation have a Password Policy that is technically enforced throughout its IT estate?

Answer yes if your organisation has a documented Password Policy that is enforced technically throughout the IT estate (for example, through directory or identity-provider configuration rather than by instruction alone). Please provide the Password Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes. Please also describe the controls you have in place to prevent brute-force attacks on passwords, such as account lockout thresholds, rate limiting, or time delays between password attempts.
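The two brute-force controls named above, a lockout threshold and a time delay between attempts, are often described but rarely shown together. The following is an added example written for this page, not code from the questionnaire or its publisher: a small login throttle that enforces a progressive delay between failed attempts and locks the account once a threshold of consecutive failures is reached. The threshold and timing constants are assumed values, the per-account state is held in memory (a production system would use a shared store), and timestamps are passed in explicitly so the behaviour can be exercised offline.

```python
"""Account lockout and progressive delay between password attempts.

Added example (not the questionnaire's own code). Enforces two controls:
  * an increasing delay between attempts after each consecutive failure, and
  * a time-limited lockout once LOCKOUT_THRESHOLD consecutive failures occur.
All constants are assumed values; timestamps are injected for testability.
"""
from __future__ import annotations

from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5        # consecutive failures before lockout (assumed)
LOCKOUT_SECONDS = 15 * 60    # lockout duration (assumed)
BASE_DELAY_SECONDS = 1.0     # delay after the first failure; doubles per failure
MAX_DELAY_SECONDS = 30.0     # cap on the progressive delay


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success
    last_attempt: float = 0.0  # timestamp of the most recent attempt
    locked_until: float = 0.0  # timestamp when a lockout expires (0 = unlocked)


@dataclass
class LoginThrottle:
    accounts: dict[str, AccountState] = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def required_delay(self, user: str) -> float:
        """Seconds the caller must wait after the last attempt, given the failure count."""
        failures = self._state(user).failures
        if failures == 0:
            return 0.0
        return min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS)

    def check(self, user: str, now: float) -> tuple[bool, str]:
        """Decide whether an attempt may proceed, before the password is verified."""
        st = self._state(user)
        if now < st.locked_until:
            return False, f"locked for {st.locked_until - now:.0f}s"
        wait = st.last_attempt + self.required_delay(user) - now
        if wait > 0:
            return False, f"retry in {wait:.0f}s"
        return True, "ok"

    def record(self, user: str, success: bool, now: float) -> None:
        """Update state after the credential check; call only when check() allowed it."""
        st = self._state(user)
        st.last_attempt = now
        if success:
            st.failures = 0
            st.locked_until = 0.0
            return
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0  # the counter restarts once the lockout expires


if __name__ == "__main__":
    # Constructed walk-through: five failures in a row lock the account.
    throttle = LoginThrottle()
    clock = 0.0
    for _ in range(LOCKOUT_THRESHOLD):
        allowed, reason = throttle.check("alice", clock)
        print(f"t={clock:>5.0f}s check -> {allowed} ({reason})")
        throttle.record("alice", success=False, now=clock)
        clock += throttle.required_delay("alice")
    print("locked:", throttle.is_locked("alice", clock))
```

Lockout on its own gives an attacker who knows a username a way to deny service to that user, which is why the progressive delay is enforced as well and why many deployments also throttle by source address. The delay is checked before the password is verified, so a caller who ignores the "retry in" response gains nothing by retrying early.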

Tags: Security Governance, Policies, Password

11) Does your organisation have a documented Backup Policy?

Answer yes if your organisation has a documented Backup Policy that has been reviewed in the last year. Please provide the Backup Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Tags: Security Governance, Policies, Backup

12) Does your organisation enforce a Clear Desk and Screen Policy?

Answer yes if your organisation has implemented and enforces a Clear Desk and Screen Policy. Please provide the Clear Desk and Screen Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Tags: Security Governance, Policies, Clear Desk, Clear Screen

13) Does your organisation prevent the use of removable media, and is this enforced technically?

Answer yes if your organisation blocks the use of removable media on its endpoints and this is enforced through a technical control (for example, device-control or endpoint-management settings) rather than by policy alone.

Tags: Security Governance, Policies, Removable Media

14) If the use of removable media is not prohibited and enforced technically, is its use subject to other compensatory controls?

Answer yes if your organisation subjects the use of removable media to compensating controls (these can include technical controls such as DLP solutions or mandatory encrypted USB drives, supported by training and awareness). If yes, please describe the nature of these controls in the notes.

Tags: Security Governance, Policies, Removable Media, Compensatory Controls

15) Are your organisation's information security policies accessible to all employees?

Answer yes if all of your employees have continuous access to your organisation's up-to-date policies (for example, through an intranet, cloud service, or networked drive).

Tags: Security Governance, Policies, Accessibility

16) Are your organisation's information security policies reviewed and approved by senior management at least annually?

Answer yes if all of your organisation's security policies are reviewed and approved by senior management at least annually.

Tags: Security Governance, Policies, Review

17) Has your organisation documented senior management roles and responsibilities for security within your organisation?

Answer yes if your organisation has clearly defined and documented the security roles and responsibilities of senior management. Please provide the documented roles (as a PDF file) as evidence.

Tags: Security Governance, Policies, Roles and Responsibilities

18) Does your organisation include information security during the planning and delivery of projects?

Answer yes if you include information security in your planning and delivery of projects (for example, by conducting a security risk assessment of each project and implementing project controls).

Tags: Security Governance, Project Delivery

19) Does your organisation restrict employee access to business information based upon the principle of least privilege?

Answer yes if each employee is given access only to the business information and systems that they require to perform their job role (the principle of least privilege), and that access is removed when it is no longer needed.

Tags: Security Governance, Least Privilege

20) Does your organisation have an internal audit function that ensures information security requirements are being met by the business?

Answer yes if you have an internal team who audit your security function against your policies to ensure compliance. Please comment on the frequency of the audits in the notes.

Tags: Security Governance, Internal Audit

21) Does your organisation conduct security risk assessments for your full IT estate at least annually?

Answer yes if your organisation conducts regular (at least annual) security risk assessments against the whole IT estate and takes appropriate action. Following a risk assessment, identified risks should be tracked, with assigned owners and risk treatment plans.

Tags: Security Governance, Risk Assessment

22) Does your organisation have a formal confidentiality or non-disclosure agreement in place for all staff, contractors and third parties?

Answer yes if you require everyone who has access to confidential information to sign a confidentiality agreement or NDA. Please provide a template NDA (as a PDF file) as evidence.

Tags: Security Governance, NDA, Confidentiality, Employee Agreements

23) Does your organisation segregate duties to prevent unauthorised disclosure or access to information?

Answer yes if your organisation has identified and segregated relevant duties so that no single person can both perform and approve a sensitive action, which helps to reduce errors and prevent fraud. Please give an example of such segregation in the notes.

Tags: Security Governance, Segregation of Duties

24) Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?

Answer yes if your organisation has a defined process for terminating a client contract and removing all relevant client data securely. Please describe the process in the notes or provide a supporting document (as a PDF file) as evidence.

Tags: Security Governance, Destruction of Data, Contract Termination

25) Does your organisation use threat intelligence to inform decisions about information security?

Answer yes if your organisation uses threat intelligence to inform decisions relating to information security strategy, policy, processes or operations. This intelligence could be collected, analysed and produced internally, or gathered from external sources such as information services or special interest groups. In the notes, please describe how you collect, analyse and use threat intelligence within your organisation, or upload a document (as a PDF file) as supporting evidence.

Tags: Security Governance, Threat Intelligence