Description
Needs attention / improvement: not achieving acceptable results in this area.
Achieving some results in this area, but needs to be monitored.
Achieving acceptable results in this area.
For metrics where the total population size is large, it is assumed that a sample of the total population will be audited every quarter. The sampling will be done on a random basis and will be at the sole discretion of the auditor. For metrics where the answer is a simple 'yes'/'no', '0' shall be used to indicate 'no' and '1' shall indicate 'yes'. Metric scores shall be calculated as either '1' (red) or '1' (green), and no intermediary scores are considered.
The upper and lower threshold values have been indicated based on the assessment of the current environment and the targets that XYZ has set for its business in the information security policy.
Legend
Ratings
Executive Summary
100%
50% 100% 50% 50% 50% 2 75% 100% 90% 2 1.5 12 3 14 6 14 4 1 2
1.75
2.0
100%
30% 50% 50% 15% 100% 15% 100% 30% 100% 10% 100% 2.5 1 50% 3 0 3 75% 2 80% 6 1 6 100% 2 81% 3 1 4 75% 2 3 3 3 3 3 2 2 1 1
2.35
3.0
Asset Management
Accountability for Assets: Number of departments which updated their asset inventory in the last quarter vs number of departments reviewed
Information Classification: Number of information assets (electronic files and hard copies) that have been classified vs total number of information assets reviewed
100%
50% 100% 50% 100% 2 75% 100% 85% 2 3 50% 75% 80% 3
2.50
4.0
100%
30% 100% 2 75% 100% 88% 2
1.50
5.0
100%
20% 50% 50% 2.5 75% 0 100% 1 88% 1 2 3
1.94
Protecting against external and environmental threats: Time since last fire drill conducted
Public access, delivery and loading areas: Registers for incoming and outgoing shipments appropriately maintained and signed off
Supporting Utilities: Records for incidents of failure of supporting utilities (viz. electricity, water supply, sewage, heating/ventilation, and air conditioning) properly maintained
Equipment Maintenance: Maintenance carried out as per the Preventive Maintenance schedule maintained for supporting utilities; Maintenance carried out as per the Preventive Maintenance schedule maintained for IT equipment
Disposal / Removal of Equipment: Records maintained for safe disposal / removal of equipment
1 1 2 2 1 1 0 1 0 1 3 0 1 0 3
1.2 0 0 1 1 1 1 3 3
10% 100%
3 0 1 1 3
6.0
100%
2.15
Quarter1
5% 100%
7.0
Access Control
User Access Management: Existence of domain IDs of separated employees
User Responsibilities: Number of users aware of IS policies and procedures (such as password policy, clear desk and clear screen, etc.) vs number of users interviewed
Network Access Controls: Number of vulnerabilities addressed by IT vs number of vulnerabilities identified in the last vulnerability assessment
Operating System Access Control: User accounts created without proper approvals
Application Access Control: Existence of administrative privileges for developers in production environments; Existence of IDs of separated employees in SAP
100%
30% 100% 10% 100% 3 0 1 1 3 3 5% 10% 4% 3
2.60
20% 100%
3 0 1 1 3 2 0 0 1 1 0 1 1 3
8.0
100%
50% 100% 50% 100% 1 0% 10% 11% 1 3 10% 30% 5% 3
2.00
9.0
100%
100% 100% 2 10% 25% 13% 2
2.00
10.0
100%
100% 100% 3 0 1 1 3
3.00
11.0
Compliance
Identification of applicable legislation: List of applicable legislation last reviewed
100%
10% 100% 3 6 12 6 3
3.00
Quarter1
3 3
Quarter1