[Client]
Security Program Assessment
(ISO/IEC 27002:2013)
March 2014
DRAFT - FOR DISCUSSION PURPOSES ONLY
This document has been provided for reference purposes only. Every slide in this document must be modified and tailored to your client’s specific needs and objectives and reapproved by the Partner and GB&RC as per formal approval processes. The materials contained within the document may have come from a different member firm and may not have relevance, or may have a different meaning, in your jurisdiction.
On behalf of [Client] (“[Client]”), KPMG assessed the state and capabilities of [Client]’s security program, using the ISO/IEC 27002:2013 framework. KPMG worked with [Client] to define the scope, develop and execute work plans, generate risk scores, identify business risks, and develop a remediation roadmap.
Executive Summary: Approach

Testing Framework
• [Client] requested the ISO 27002 framework
• Standard framework enables repeatable benchmarking and trending capabilities
• Each domain and associated subdomains were assessed to provide a holistic state of security

Scoping
• Determined enterprise-wide policies and procedures in place
• Identified and reviewed previously performed audits and assessments
• Identified subdomains not applicable to [Client]

Tailored Work Plan
• Work plans were tailored based on the preliminary conversations with [Client] to remove procedures not applicable to the organization
• KPMG conducted interviews and collected evidence to determine alignment to ISO/IEC 27002:2013 Annex control objectives

Scorecard & Business Risks
• KPMG assessed the state of controls within each work plan to calculate overall risk scores
• KPMG identified the risk to the business for each noted gap, incorporating compensating controls and additional [Client] processes
• KPMG produced recommended action plans and a roadmap to guide future efforts
KPMG reviewed the state of information security at a global level and focused interviews with employees in Canada, UK, and USA, which included the following departments: Application Services, Global Operations, Global IT, Process and Compliance, HR, Cloud Operations, Legal, Project Management and Finance, Internal Audit, Information Architecture and Security.
How does [Client] compare against a security framework?
Gap in Framework Objectives
• Gaps determined through comparison of framework objectives to [Client] operations; scores do not reflect the residual business risk to [Client]
• Gaps within security frameworks provide areas for consideration, but the business risk of these gaps should be understood before undergoing significant operational changes

How could these gaps impact [Client]’s day-to-day business?
Business Risks
• KPMG took the identified gaps and provided the business risk for each gap
• Risks were weighted based on the potential impact to [Client] business operations
• Risk levels provide insight into which gaps could negatively impact the business and help to determine remediation priority
KPMG assessed [Client] against ISO/IEC 27002:2013 to identify gaps and to calculate scores. KPMG additionally identified the business risk to [Client], to provide an understanding of the business impact of an individual gap.
This is a good overall score and indicates that [Client]’s control design is strongly aligned to meet ISO/IEC 27002:2013 objectives. [Client] has designed adequate processes and procedures to protect the organization from internal and external risks. KPMG noted opportunities to align more closely with the ISO/IEC framework and has provided recommendations for consideration.
Overall Score Calculation
4.05: The framework score across all domains. This score is calculated as the average of all domains and does not take the risk to the business into consideration. Refer to section “Detailed Analysis” for domain and subdomain scoring methodology.
KPMG determined the risk to the business for each domain. KPMG has provided a summary of the business risks with a higher potential impact:
Asset management program is informal and applied inconsistently across the enterprise. Failure to track all assets could lead to incomplete application of security programs (e.g., patch management), inadequate level of security (controls) for sensitive assets, and increased spending on unnecessary assets.
Formal data classification schema does not exist (currently in development). Without a data classification standard in place, [Client] may not fully understand the risk presented by specific data, leading to incomplete labeling and handling of assets (i.e., inadequate security controls).
Incident response (IR) responsibilities are only communicated through training without an overarching IR plan in place. The lack of a formal incident response plan could lead to confusion over management and employee responsibilities during an incident, causing untimely or inappropriate handling of incidents that pose an immediate risk.
Site specific business continuity plans do not include required security controls identified through business impact analysis (BIA) assessments. Failure to identify (BIA) and incorporate security requirements (controls) within site business continuity plans could lead to an inadequate level of security during events that trigger the business continuity program.
ISO/IEC 27002:2013 domains assessed
5 – Information security policies
6 – Organization of information security
7 – Human resource security
8 – Asset management
9 – Access control
10 – Cryptography
11 – Physical and environmental security
12 – Operations security
13 – Communications security
14 – System acquisition, development, & maintenance
15 – Supplier relationships
16 – Information security incident management
17 – Information security aspects of business continuity
18 – Compliance
During the assessment, KPMG noted several strengths associated with the design of [Client]’s security programs and alignment with ISO/IEC 27002:2013.
9 of the 14 domains were scored between 4.01 and 5.00 (high control design alignment), including 6 domains with a score of 4.50 and higher:
• Information Security Policies
• Human Resource Security
• Access Control
• Operations Security
• Communications Security
• System Acquisition, Development and Maintenance
Change management security procedures within [Client] are mature and well maintained
[Client]’s operations group and datacenter management team exhibited extensive knowledge of their environment and the controls in place to protect business operations
Expectations for a strong information security program are clearly understood globally and [Client] is actively taking steps to address specific gaps that currently exist within their program
KPMG has provided a list of recommended action plans to remediate identified gaps. These recommendations are prioritized based on the residual risk to [Client]’s business and the associated level of effort to remediate.

Recommendations (ISO gaps remediated; priority; level of effort)

Policy Development & Refinement
  Develop or revise information security policies to address gaps in the organization of information security, asset management, cryptography, and physical security.
  ISO gaps remediated: 2, 9-10, 12, 25, 29, 33, 40, 44, 45 | Priority: High | Level of effort: Low

Asset Management & Classification
  Deploy an asset management program that centrally tracks IT assets, the asset owner, and data classification information while developing a process to require asset owners to review asset information for accuracy.
  ISO gaps remediated: 1, 8, 13, 32 | Priority: High | Level of effort: High

Business Continuity Management
  Define information security objectives for business continuity planning while executing site-specific business impact analysis assessments to develop site business continuity plans.
  ISO gaps remediated: 4-5, 42 | Priority: High | Level of effort: High

Contractual Compliance Tracking
  Explicitly outline the regulatory, legal, and contractual obligations that each information system must meet and periodically review these requirements for continued applicability.
  ISO gaps remediated: 7, 23-24 | Priority: Moderate | Level of effort: Moderate

Incident Response Development
  Develop an incident response program that documents an effective approach to management of information security incidents, including communication of security events and weaknesses.
  ISO gaps remediated: 3, 22, 26, 46-48 | Priority: Moderate | Level of effort: Moderate

Logical Access Control Improvement
  Develop procedures to enforce and monitor the application of logical access controls for software development, user operations, and the regular review of administrator and user activity logs.
  ISO gaps remediated: 11, 14-16, 34-36, 43 | Priority: Moderate | Level of effort: Moderate

Supplier Management
  Develop policies and procedures for managing changes in supplier services to communicate and require adherence to [Client] information security requirements while establishing a record of accountability.
  ISO gaps remediated: 17-21, 30 | Priority: Low | Level of effort: High

Embedding Security in Project Management
  Create project management methodologies that include information security objectives throughout the project lifecycle for all projects.
  ISO gaps remediated: 6 | Priority: Low | Level of effort: Moderate

Physical Security Improvement and Consistency
  Develop and refine physical access controls and standards to secure offices, rooms, and delivery areas while establishing a process to periodically audit physical security for compliance.
  ISO gaps remediated: 37-39, 41 | Priority: Low | Level of effort: Low

Training Refinement
  Update training documentation and define required trainings for [Client] personnel and suppliers.
  ISO gaps remediated: 28, 31 | Priority: Low | Level of effort: Low

Consulting External Advisors
  Define a position that is responsible for maintaining contact with specialist security forums and professionals.
KPMG has provided a list of recommended projects to remediate the gaps identified during the Security Program Assessment. Prior to executing these projects, [Client] should consider formal establishment of a strong governance program.
[Roadmap figure: sequencing of the remediation projects; the labels that survive are Embedding Security in Project Management, Physical Security Improvement & Consistency, Training Refinement, and Consulting External Advisors.]
Prior to remediation, [Client] should determine that a strong governance program is in place. KPMG has provided a set of governance program initiatives to review prior to remediation.
Executive Summary: ISO/IEC 27001:2013 Certification Next Steps
As [Client] plans for 27001 certification, KPMG has provided a list of next steps (in addition to gap remediation) to prepare for certification. Certification is not an easy process: [Client] will have to demonstrate a policy-driven approach to data management, security, and risk management, which requires hard evidence that procedures and controls are effective.
1. Senior Management Commitment
• Significant effort is required across the organization; senior management is the driving force behind certification for budgeting, allocation of personnel, and enforcement
• Senior management is responsible for communicating to users the importance of the Information Security Management System (ISMS) and the implications of not adhering to policies and procedures
2. Project Based Approach
• Treating certification as a project helps facilitate the coordination across all required stakeholders
• The project manager role is critical to monitoring and assisting with the certification
• Identify and assign (nominate) personnel responsible for data governance and risk management who report to the project manager
3. Define ISMS Scope
• Though the scope of the ISMS can cover the entire organization, it can also be tailored to a specific service, system, application, or site (location)
• Perform a cost-benefit analysis of certifying the organization as a whole versus a more tailored approach
• Consider who (e.g., customers, third parties) certification is providing assurance to, which is typically the biggest factor in determining the scope of the ISMS
Through detailed interviews with [Client] stakeholders, KPMG noted other areas for consideration. Though these are not covered by specific ISO requirements, they help support ISO objectives while increasing [Client]’s capabilities to manage the security program through centralization and automation.
Areas for Consideration (description; value to [Client])

Governance, Risk, and Compliance Platform (eGRC)
  Description: An eGRC platform provides a centralized means to manage, monitor, and report on the effectiveness of and across multiple security programs and business domains (e.g., finance, legal) at the enterprise level. Many eGRC solutions offer the ability to develop custom applications to tailor the solution to [Client]’s unique business.
  Value to [Client]:
  • Provides [Client] a structure to centrally manage and track security programs, including policy management, vendor management, IT risk management, business continuity, and incident management
  • Centralized and integrated reporting across the enterprise
  • Automation of business processes

Vendor Management Program
  Description: Develop a formalized vendor management program that manages supplier relationships, agreements, and compliance to [Client]’s security policies.
  Value to [Client]:
  • Designates a team to manage supplier relationships
  • Provides processes for reviewing supplier agreements and compliance to agreements

Policy Management Program
  Description: Establish a centralized program to develop, review, and apply policies across the enterprise (all sites).
  Value to [Client]:
  • Provides an authoritative source for all policies
  • Facilitates globalization of policies
  • Assigns responsibility to manage policy compliance

Security Program Deployment Strategy
  Description: Develop an enterprise strategy for transitioning acquisitions to [Client]’s security programs. Build a process to monitor the transition while providing a framework to determine adherence to [Client] security requirements.
  Value to [Client]:
  • Provides actionable steps to help migrate acquisitions to the required level of security
  • Include 27001 objectives within the strategy to help maintain certification (in future audits) as [Client] continues to expand
  • Builds a foundation for integrating acquisitions within centralized [Client] programs and domains
Detailed Remediation Projects & Roadmap: Governance Program Review
Objective: Internal review to determine that a robust governance program is in place at [Client] prior to executing projects to remediate gaps. A strong governance program is critical to the development and modification of security policies to determine appropriate coverage and acceptance across the enterprise.
Activities / Components
1. Establishment: Formal implementation of a governance program, including specific objectives for security. The governance program acts as the authoritative source for company-wide goals and objectives and as such should be defining and governing [Client]’s requirements (including security).
2. Roles & Responsibilities: Assigned and dedicated personnel responsible for governance of core business processes and security programs (e.g., data governance). These defined roles should include explicit responsibilities for personnel, including the determination of adherence to enterprise objectives for their areas of responsibility.
3. Key Performance Indicators (KPI): Identifying, clearly defining, tracking, and reporting on metrics that provide quantifiable insight into the effectiveness and efficiency of core business processes and security programs. A program should be in place to continuously review, refine, and establish new KPIs.
4. Self Assessment & Continuous Improvement: Though the core structure and overall program should remain as consistent as possible, the individual programs supporting the overarching governance program should be more dynamic in nature. This requires the periodic review of individual program objectives and [Client]’s strategy to meet the objectives. As the governance program is a top-down model, [Client] needs to gain assurance over the quality, applicability, and the communication of requirements.
Detailed Remediation Projects & Roadmap: Policy Development & Refinement
Project objective: Develop or revise information security policies to address gaps in the organization of information security, asset management, cryptography, and physical security.
Supporting Activities (Resources / Departments; Estimated Effort)
1. Centralize information security policies within a single framework and apply to the enterprise such that security expectations are consistently documented for all sites. Review standards and procedures to determine reference and adherence to the overarching information security framework.
   Resources: Information security; Senior management | Estimated effort: 1 - 2 weeks
2. Finalize data classification schema for electronic and physical data while documenting within information security policies, procedures or standards. Update information security policies to include labeling and handling requirements based on the data classification schema.
   Resources: Data governance team; Information security | Estimated effort: 2 weeks
3. Update the information security policy (alternatively update procedures or standards) with a process for transferring physical media (including the identification of physical security controls and establishing a list of approved couriers).
   Resources: Data governance team; Information security | Estimated effort: 1 week
4. Update the information security policy to include the use of cryptographic controls, including approved mechanisms, protocols and algorithms.
Detailed Remediation Projects & Roadmap: Policy Development & Refinement (Continued)
Supporting Activities (Resources / Departments; Estimated Effort)
5. Update teleworking agreements with employees to include allowed communication channels, expectations for sensitive data handling while teleworking, and defining approved remote access mechanisms. Require all employees to agree to and acknowledge (e.g., sign-off) the updated teleworking agreement.
   Resources: Information security; Senior management | Estimated effort: 2 weeks
6. Update procedures for working in secure areas within information security and/or physical access policies to identify additional controls and expectations for securing areas with sensitive information and systems.
   Resources: Information security | Estimated effort: 1 week
7. Establish a process to annually review and update employee agreements while developing procedures to inform users of changes to agreements.
   Resources: Compliance; Senior management | Estimated effort: 1 week
8. Establish a process to at least annually review the principles for engineering secure systems to include procedures for mitigating new threats to the business as well as industry-wide emerging threats (e.g., vulnerabilities).
Detailed Remediation Projects & Roadmap: Asset Management & Classification
Project objective: Deploy an asset management program that centrally tracks IT assets, the asset owner, and data classification information while developing a process to require asset owners to review asset information for accuracy.
Supporting Activities (Resources / Departments; Estimated Effort)
1. Establish a centralized repository for the tracking and classification of IT assets including PKI certificates (alternatively, develop a separate program for certificates).
   Resources: Data governance team; IT management; Network management | Estimated effort: 2 - 3 months
2. Assign owners to each asset and document asset owner responsibilities. (Dependent on completion of activity #1)
   Resources: Business owners; Senior management | Estimated effort: 1 - 2 months
3. Apply the data classification schema (developed in the information security Policy Development & Refinement project) to assets and data contained within assets (labeling). (Dependent on completion of activity #1)
   Resources: Asset owners; Business owners | Estimated effort: 1 - 2 months
4. Review assets and data to determine appropriate security controls as defined by the classification schema (handling). (Dependent on completion of activity #3)
   Resources: Asset owners; Business owners | Estimated effort: 2 - 3 months
5. Establish a process for asset owners to review their asset information for accuracy and update asset management information as needed. (Dependent on completion of activity #2)
Detailed Remediation Projects & Roadmap: Business Continuity Management
Project objective: Define information security objectives for business continuity planning while executing site-specific business impact analysis assessments to develop site business continuity plans.
Supporting Activities (Resources / Departments; Estimated Effort)
1. Create and execute business impact analysis (BIA) assessments for each [Client] site to identify and document the required level of security based on the results of BIAs. Establish a program to periodically reassess sites through BIA assessment.
   Resources: Business owners; Information security; Senior management | Estimated effort: 1 month
2. Define and document information security controls, procedures, and processes, while incorporating the results from BIA assessments, within business continuity plans (BCP) for each site. (Dependent on completion of activity #1)
   Resources: Business owners; Information security | Estimated effort: 2 months
3. Develop a process to review the BCP for each office and revise as necessary to meet the defined information security objectives. (Dependent on completion of activities #1 and #2)
   Resources: Business owners; Information security | Estimated effort: 1 - 2 weeks
4. Develop a formal process for testing and documenting the results of BCPs (at least annually), including determining the effectiveness of information security controls. (Dependent on completion of activity #3)
Detailed Remediation Projects & Roadmap: Contractual Compliance Tracking
Project objective: Explicitly outline the regulatory, legal, and contractual obligations that each information system must meet and periodically review these requirements for continued applicability.
Supporting Activities (Resources / Departments; Estimated Effort)
1. Define and fully document all regulatory and contractual requirements for [Client]’s information systems. For each information system, identify and document the cryptographic controls required.
   Resources: Compliance; Information security; Senior management | Estimated effort: 3 - 4 weeks
2. Develop procedures to enforce and monitor the proper handling of information obtained during background checks.
Detailed Remediation Projects & Roadmap: Incident Response Development
Project objective: Develop an incident response program that documents an effective approach to management of information security incidents, including communication of security events and weaknesses.
Supporting Activities (Resources / Departments; Estimated Effort)
1. Develop a documented incident management and response program with clear roles, responsibilities, and processes for reporting (including external contact with authorities) and handling security incidents.
   Resources: Senior management; Information security; Global IT | Estimated effort: 1 - 2 months
2. Define and document the process by which employees and suppliers can report information security incidents. (Dependent on completion of activity #1)
   Resources: Information security; Global IT | Estimated effort: 1 week
3. Establish and communicate expectations that employees and suppliers are required to report security weaknesses and events. (Dependent on completion of activity #2)
   Resources: Compliance / internal audit; Business owners | Estimated effort: 1 week
4. Develop a process to review and quantify security incidents for the purpose of enterprise risk strategy management. Apply the process to recent security incidents for analysis.
   Resources: Global IT; Information security | Estimated effort: 1 month
5. Implement a process to perform periodic tabletop exercises to test both the effectiveness and efficiency of incident response procedures. (Dependent on completion of activity #1)
   Resources: Business owners; Global IT; Information security | Estimated effort: 1 - 2 weeks
6. Establish a program to periodically review the technologies supporting incident detection (e.g., advanced malware detection). Note: Exceeds ISO guidance.
Detailed Remediation Projects & Roadmap: Logical Access Control Improvement
Project objective: Develop procedures to enforce and monitor the application of logical access controls for software development, user operations, and the regular review of administrator and user activity logs.
Supporting Activities (Resources / Departments; Estimated Effort)
1. Develop procedures to enforce and monitor the segregation of development, test, and production environments.
   Resources: Information security; Network team; Senior management | Estimated effort: 1 - 2 months
2. Establish standards for application time-outs, taking into consideration the classification of information held within.
   Resources: Application services | Estimated effort: 1 - 2 weeks
3. Develop procedures to enforce and monitor the application of secure code controls across all applications. (Dependent on completion of activity #1)
   Resources: Application services; Business owners | Estimated effort: 2 - 3 months
4. Develop a process to enforce policies that prohibit the installation of unauthorized software on user laptops.
   Resources: Compliance; Global IT | Estimated effort: 1 - 2 months
5. Establish a standard timeline for the periodic review of user and administrator activity and logs.
   Resources: Information security; Upper management | Estimated effort: 1 - 2 weeks
6. Develop a standard to require business units and group owners to review access control policies and user access rights quarterly, including access to shared folders.
Detailed Remediation Projects & Roadmap: Supplier Management
Project objective: Develop policies and procedures for managing changes in supplier services to communicate and require adherence to [Client] information security requirements while establishing a record of accountability.
Supporting Activities (Resources / Departments; Estimated Effort)
1. Develop a process to identify and include the criticality of information, systems, and processes when making changes to supplier agreements.
   Resources: Business owners; Data governance team; Information security; Vendor management | Estimated effort: 2 - 3 weeks
2. Define and include information security risks arising from engaging specific suppliers within supply chain management, including risk mitigation procedures or controls.
   Resources: Information security; Vendor management | Estimated effort: 1 month
3. Update supplier agreements to include the requirement for notifying [Client] in the case of a security breach.
   Resources: Vendor management | Estimated effort: 2 months
4. Establish a set of security controls to be adhered to by all suppliers and update supplier agreements to include these requirements.
   Resources: Information security; Global IT; Vendor management | Estimated effort: 1 month
5. Develop a process to routinely notify suppliers of changes to [Client]’s information security policies, procedures, and processes.
   Resources: Vendor management | Estimated effort: 1 week
6. Establish a process to review suppliers for adherence to [Client] information security expectations and consideration of defined security controls. (Dependent on completion of activities #1 through #5)
Detailed Remediation Projects & Roadmap: Embedding Security in Project Management
Project objective: Create project management methodologies that include information security objectives throughout the project lifecycle for all projects.
Supporting Activities (Resources / Departments; Estimated Effort)
1. Develop a process to identify and incorporate information security objectives throughout all project* lifecycles. Establish procedures for identifying and assessing risks at the beginning of projects while documenting how security objectives are adhered to as part of project management documentation.
* Per ISO/IEC 27002 guidance: generally applies to any project regardless of its character (e.g., core business process, IT, facility management).
Detailed Remediation Projects & Roadmap: Physical Security Improvement and Consistency
Project objective: Develop and refine physical access controls and standards to secure offices, rooms, and delivery areas while establishing a process to periodically audit physical security for compliance.
Supporting Activities (Resources / Departments; Estimated Effort)
1. Develop standards for physical security taking into consideration physical entry controls to offices, securing rooms and facilities, and protecting delivery areas for all [Client] locations.
   Resources: Global IT; Senior management | Estimated effort: 2 weeks
2. Apply the physical security policy consistently across all sites, including procedures for documenting visitors. (Dependent on completion of activity #1)
   Resources: Compliance; Global IT | Estimated effort: 1 - 2 months
3. Establish a process to periodically audit physical security controls. (Dependent on completion of activity #2)
Detailed Remediation Projects & Roadmap: Training Refinement
Project objective: Update training documentation and define required trainings for [Client] personnel and suppliers.
Supporting Activities (Resources / Departments; Estimated Effort)
1. Update security training material to include security for mobile devices.
   Resources: Global IT; Human resources | Estimated effort: 1 week
2. Define training requirements by job profile, supplier relationship, and security professionals to require users to complete and sign off on approved trainings.
   Resources: Compliance; Information security; Senior management | Estimated effort: 2 weeks
3. Establish a process to determine user adherence to training requirements. (Dependent on completion of activity #2)
   Resources: Compliance; Human resources; Vendor management | Estimated effort: 1 week
4. Develop and deploy a roll-out program for training, specifically to gain assurance that training requirements are fulfilled. (Dependent on completion of activities #1 & #2)
Detailed Remediation Projects & Roadmap: Consulting External Advisors
Project objective: Define a position that is responsible for maintaining contact with specialist security forums and professionals.
Supporting Activities (Resources / Departments; Estimated Effort)
1. Formally assign the responsibility to maintain contact with specialist security forums to a person or team.
   Resources: Information security; Global IT | Estimated effort: 1 week
2. Establish a process for reporting trending and emerging threats to information security and senior management for inclusion within the security policy. (Dependent on completion of activity #1)
KPMG used the criteria below to score the results of the ISO/IEC 27002:2013 review. Based on the results of testing, each procedure performed received a score. A description of the scoring approach and criteria is provided below.

Scoring criteria
-1: Not observed or out of scope.
0: Control is not in place with no mitigating controls.
1: Control is not in place but there are other mitigating controls.
2: Control is partially in place with other mitigating controls.
3: Control is partially in place with minimal residual risk.
4: Control is in place with exceptions, but risk is effectively mitigated.
5: Control is in place without exceptions.

Risk Ratings Legend (score: description)
Between 4.01 and 5.00: High framework alignment
Between 2.01 and 4.00: Moderate framework alignment
Between 0 and 2.00: Low framework alignment
Equal to -1.00: Not observed or out of scope
For controls that were either not observed or out of scope, the following rules apply:
• If all of the controls in a subdomain were not observed, each one is given a score of -1 and the weighting for the subdomain is changed to 0%. All other weightings for the subdomains in the domain are modified to effectively "remove" the out of scope subdomain from calculations
• If at least one control within a subdomain was in scope or observed, then any other control which was not observed or out of scope is scored as the average of all other in-scope controls from that subdomain.
Subdomain scores are based on the cumulative scoring of procedures performed for each subdomain. Overall domain scores are calculated based on the average score of all subdomains.
Scorecard (subdomain scores by domain)
5. Information Security Policies
   5.1 Management Direction for Information Security: 4.50
6. Organization of Information Security
   6.1 Internal Organization: 4.00
   6.2 Mobile Devices and Teleworking: 4.58
7. Human Resource Security
   7.1 Prior to Employment: 4.75
   7.2 During Employment: 4.50
   7.3 Termination and Change of Employment: 5.00
8. Asset Management
   8.1 Responsibility for Assets: 4.00
   8.2 Information Classification: 2.83
   8.3 Media Handling: 4.33
9. Access Control
   9.1 Business Requirements of Access Control: 4.50
   9.2 User Access Management: 4.83
   9.3 User Responsibilities: 5.00
   9.4 System and Application Access Control: 4.86
10. Cryptography
   10.1 Cryptographic Controls: 3.17
11. Physical and Environmental Security
   11.1 Secure Areas: 3.33
   11.2 Equipment: 5.00
12. Operations Security
   12.1 Operation Procedures and Responsibilities: 4.75
   12.2 Protection from Malware: 5.00
   12.3 Backup: 4.67
   12.4 Logging and Monitoring: 4.63
   12.5 Control of Operational Software: 5.00
   12.6 Technical Vulnerability Management: 4.00
   12.7 Information Systems Audit Considerations: 5.00
13. Communications Security
   13.1 Network Security Management: 5.00
   13.2 Information Transfer: 4.25
14. System Acquisition, Development and Maintenance
   14.1 Security Requirements of Information Systems: 5.00
   14.2 Security in Development and Support Processes: 4.72
   14.3 Test Data: 5.00
15. Supplier Relationships
   15.1 Information Security in Supplier Relationships: 1.67
   15.2 Supplier Service Delivery Management: 2.00
16. Information Security Incident Management
   16.1 Management of Information Security Incidents and Improvements: 3.57
17. Information Security Aspects of Business Continuity Management
   17.1 Information Security Continuity: 1.67
   17.2 Redundancies: 5.00
18. Compliance
   18.1 Compliance with Legal and Contractual Requirements: 3.80
   18.2 Information Security Reviews: 5.00
Based on the results of the work plan, KPMG has provided the gaps identified and the associated business risks, which go beyond the framework objectives to incorporate [Client]'s business models and processes.
Testing Plan
• KPMG developed testing procedures (questions) to be performed onsite based on the objectives of domains and subdomains
• KPMG worked with local [Client] teams to walk through each inquiry
• Based on the objectives and the result of testing, KPMG identified framework gaps
Gap
KPMG performed the following for each gap:
• Understood mitigating controls
• Took [Client]'s business model and processes into consideration
• Created recommended action plans based on [Client], not just the framework objectives
Business Risk
• Domain and subdomain scoring based on objectives
• Business risks tailored to [Client]'s business, controls, architecture, and ongoing projects / assessments
Gaps and Risks to the Business: Detailed Gaps with High Risk to the Business
# Domain Subdomain (ISO) Gap Business Risk
1. 8 – Asset management, 8.1.1
Gap: Asset management and tracking is inconsistent. [Client] uses LanSweeper to track hardware assets and a Llama database to track software assets. Asset classification other than hardware and software does not seem to exist at this point (e.g., information assets). Asset owners are not consistently defined or tracked.
Business risk: Failure to accurately track hardware, software, and information assets, including asset owner assignment, could lead to increased spending on unnecessary software and hardware.
2. 8 – Asset management, 8.2.1
Gap: [Client] uses a classification scheme for electronic data that is not applied consistently across all business functions. Plans are in progress to create a simplified classification scheme for all data that adheres to three categories: controlled, secure, and confidential.
Business risk: Continuing to operate without an agreed-upon and consistently applied classification scheme could lead to mismanagement of data and confusion over the level of required security for sensitive data.
3. 16 – Information security incident management, 16.1.1
Gap: Management responsibilities for security incidents are communicated in training modules, but at this point there is no documented incident response plan.
Business risk: The lack of a formal, documented incident response plan could lead to user confusion over response procedures, resulting in the possible mishandling of security incidents.
4. 17 – Information security aspects of business continuity, 17.1.1
Gap: A business impact analysis (BIA) for information security events has not been performed, and information security is not considered within the business continuity plans for each office.
Business risk: Without site-specific BIA assessments, it is difficult to appropriately plan for managing information security during an event, which could lead to inadequate security during business continuity events.
5. 17 – Information security aspects of business continuity, 17.1.2 & 17.1.3
Gap: Information security controls, procedures and processes have not been addressed in relation to an overall business continuity plan, and there is no discussion about the review and maintenance of these procedures.
Business risk: If information security controls are not implemented and established within the business continuity plans, appropriate information security controls may not be in place during the execution of business continuity plans.
Gaps and Risks to the Business: Detailed Gaps with Moderate Risk to the Business
# Domain Subdomain (ISO) Gap Business Risk
6. 6 – Organization of information security, 6.1.5
Gap: Information security is not uniformly addressed in all project management procedures at this time. KPMG was informed that this is an area that [Client] knows about and is planning to address soon. Projects that specifically deal with information security issues do include information security considerations within project management planning.
Business risk: The lack of information security objectives within all project management procedures could lead to the untimely (retroactive) detection of risks introduced by specific projects.
7. 7 – Human resource security, 7.1.1
Gap: [Client] is unable to confirm that information collected as part of the background checks in the Americas is handled in accordance with relevant legislation.
Business risk: Storing sensitive HR information in potentially unsafe locations could lead to non-compliance with regulations or unauthorized access to personally identifiable information.
8. 8 – Asset management, 8.2.1
Gap: As the formal data classification schema has not been defined, [Client] cannot establish a process to periodically review the schema.
Business risk: Without regularly reviewing the data classification schema, data could be inconsistently classified, which could lead to inadequate security controls for sensitive data.
9. 8 – Asset management, 8.2.2
Gap: As the formal data classification schema has not been defined, [Client] does not have procedures in place to label physical or electronic data in accordance with a classification scheme.
Business risk: If physical and electronic data is not labeled appropriately, then data may not be adequately protected.
10. 8 – Asset management, 8.2.3
Gap: Standards exist for personal and client data handling, but at this moment there are no rules for corporate data.
Business risk: Improper handling of data could lead to the loss or damage of sensitive information.
11. 9 – Access control, 9.1.1
Gap: There is no enforced standard of review by group owners on access control policies and user rights for each business unit.
Business risk: Failure of group owners to review their access control policies and user rights could lead to inadequate access controls or inappropriate user access to sensitive information.
12. 10 – Cryptography
Gap: No policy on the use of cryptographic controls exists within [Client].
Business risk: Not developing and maintaining a policy for cryptographic keys and certificates could lead to inconsistent use or the use of insecure protocols that are susceptible to attack.
13. 10 – Cryptography, 10.1.2
Gap: PKI certificates are applied and revoked without tracking or managing their protection and lifecycle.
Business risk: The lack of a formal process to protect and track the lifecycle of cryptographic keys within [Client] could result in improper access being allowed to entities whose allowed access time has passed, and in possible dissemination of key data to unauthorized sources.
14. 12 – Operations security, 12.1.4
Gap: Isolation and segregation of development, testing, and production environments across [Client]'s entire organization is not consistent. Larger environments are stringently controlled while smaller environments do not adhere to these controls.
Business risk: Failure to maintain consistent standards for development, testing, and production environments could lead to inappropriate access by users to development efforts, and developers may be able to migrate code without prior authorization.
15. 12 – Operations security, 12.4.3
Gap: Logs of administrator activities are not reviewed on a periodic basis.
Business risk: Not periodically reviewing administrator activity logs could result in possible malicious or illegal activity, including large-scale system-level changes, not being detected in a timely manner.
16. 12 – Operations security, 12.6.2
Gap: Users have the ability to install software on their laptops and workstations without restriction, although policies exist stating that software installation must be approved ahead of time.
Business risk: Uncontrolled installation of software on computing devices could lead to user introduction of vulnerabilities or malware that compromises the security of the device.
17.
Gap: Currently, agreements with external parties do not include the provision that [Client] must be notified upon a security breach.
Business risk: Without formalized agreements with external parties that outline the responsibilities and requirements for reporting security breaches, [Client] may not be able to respond to security incidents in a timely manner.
18. 15 – Supplier relationships, 15.1.1 & 15.1.2
Gap: [Client] does not have a set of security controls to be adhered to by suppliers. [Client] is in the process of creating a standard document. [Client] currently does not regularly review information security controls as they relate to each supplier's contract.
Business risk: Failure to include a set of security controls to be adhered to by suppliers within agreements could lead to violation of [Client] security policies without supplier accountability.
19. 15 – Supplier relationships, 15.1.3
Gap: Currently, information security risks are not addressed in agreements with supply chain management or communication / technology suppliers (e.g., Box).
Business risk: Without considering the risks associated with supply chain management and suppliers providing communication / technology services, effective controls to protect sensitive information or technology may not be in place or tracked.
20. 15 – Supplier relationships, 15.2.1
Gap: [Client] does not maintain supplier information security documentation nor define explicit information security requirements (controls). As such, [Client] cannot monitor, review, or audit suppliers against information security policy compliance.
Business risk: Failure to monitor supplier services to determine whether information security policies are being followed could lead to untimely detection of supplier non-compliance with [Client]'s information security requirements.
21. 15 – Supplier relationships, 15.2.2
Gap: [Client] does not address the criticality of information, systems, or processes when dealing with changes to supplier agreements.
Business risk: Failure to consider the criticality of information, systems, and processes affected when supplier agreements change could result in inadequate identification and implementation of new controls.
22. 16 – Information security incident management
Gap: Procedures are not in place to formally review security incidents to identify cost, effort and scope.
Business risk: Not considering the cost, effort, and scope of past security incidents hinders [Client]'s ability to properly assess its risk environment. This could result in the misappropriation of resources when developing and maintaining an enterprise security program.
23. 18 – Compliance, 18.1.1
Gap: [Client] does not completely document regulatory and contractual requirements for each of the company's information systems.
Business risk: Failure to document the regulatory and contractual requirements for each information system could result in non-compliance (e.g., reputational damage or fines).
24. 18 – Compliance, 18.1.5
Gap: There are no policies concerning the use of cryptographic controls in regard to compliance and regulations.
Business risk: The lack of policies covering proper use of cryptographic controls in regard to regulation and agreements could result in non-compliance (e.g., reputational damage or fines).
Gaps and Risks to the Business: Detailed Gaps with Low Risk to the Business
# Domain Subdomain (ISO) Gap Business Risk
25. 5 – Information security policies, 5.1.1
Gap: Information security policies are not centralized within one document. There are redundant statements across multiple policy documents.
Business risk: The lack of one single source for organizational information security objectives and management's expectations could cause confusion for employees when adhering to the standards set forth by the organization. This could lead to inadvertent non-compliance with information security requirements.
26. 6 – Organization of information security, 6.1.3
Gap: Formal procedures are not in place to govern communication with authorities in the case of a security incident.
Business risk: Failure to document communication procedures with authorities could result in the mishandling of, or an untimely response to, incidents.
27. 6 – Organization of information security, 6.1.4
Gap: The responsibility of maintaining contact with specialist security forums is neither mandatory nor assigned to [Client] personnel (position, role, or individual).
Business risk: Not maintaining contact with security specialist organizations and other security resources could lead to a lowered knowledge of the current information security threat landscape.
28. 6 – Organization of information security, 6.2.1
Gap: Security training does not cover mobile device specific topics or threats.
Business risk: The lack of detailed training in mobile device security could result in users not understanding the policies and procedures (including their security expectations) for safe and secure use of mobile devices.
29. 6 – Organization of information security, 6.2.2
Gap: Teleworking agreements do not explicitly cover communication security and the sensitivity of information passed over outside channels. Acceptable remote access mechanisms and communication protocols are not defined.
Business risk: Not formally identifying and defining acceptable remote access mechanisms or communication mediums while not at [Client] facilities (e.g., teleworking) could result in the use of insecure protocols.
30.
Gap: Suppliers are not uniformly informed of security policies (including changes) or required to take security trainings.
Business risk: Not formally communicating [Client] information security requirements, or requiring suppliers to complete [Client] specific security trainings, could lead to suppliers breaching [Client] security policies without the ability to hold suppliers accountable.
31. 7 – Human resource security, 7.2.2
Gap: There are two information security training courses (a light version and a longer version specifically for Global IT personnel), but these trainings are not mandatory for units outside of Global IT. [Client] does not define who should be required to complete trainings ([Client] users and suppliers).
Business risk: Not defining and enforcing security trainings for employees and suppliers could lead to users not understanding their responsibilities to protect systems and data.
32. 8 – Asset management, 8.1.2
Gap: Review of asset information (e.g., classification data) is not performed at this time.
Business risk: Failure to regularly review asset information could result in assets being incorrectly labeled and not properly handled according to the data classification scheme.
33. 8 – Asset management, 8.3.3
Gap: [Client] does not maintain a set of formal policies or procedures for the transfer of physical media through courier services.
Business risk: Not maintaining a formal and documented policy on the transfer of physical media could lead to insecure transport of physical media, possibly resulting in the loss or damage of sensitive data.
34. 9 – Access control, 9.4.2
Gap: Time-outs are not tracked as part of the application portfolio, so [Client] is unable to state whether all application connections are configured to time out.
Business risk: Failure to track time-out thresholds for all applications could result in inappropriate session lengths for sensitive applications.
35. 9 – Access control, 9.4.5
Gap: Central source code libraries for business critical applications are controlled and secured, but these practices are not consistent across all groups.
Business risk: Failing to have all instances of source code maintained within libraries could lead to inconsistent development techniques and inappropriate access to source code.
36. 9 – Access control
Gap: Secure folders are reviewed regularly, but open data is at the discretion of the group owner and does not follow any defined regular review process.
Business risk: Failure to review access rights to secure folders could lead to mismanagement of information and misappropriation of rights among users, possibly leading to inappropriate access to sensitive information.
37. 11 – Physical security, 11.1.1
Gap: Physical security measures are not applied consistently across all offices, specifically smaller locations.
Business risk: The lack of consistently applied and adhered-to physical security measures could result in loss of confidential information and confusion among employees on how physical security should be applied.
38. 11 – Physical security, 11.1.2
Gap: Sign-in and sign-out procedures are inconsistent between different [Client] offices. Larger offices tend to have more stringent security and controls than smaller offices.
Business risk: Not standardizing the sign-in and sign-out procedure could lead to inappropriate access by outside individuals, making [Client] more susceptible to physical theft and security breaches.
39. 11 – Physical security, 11.1.3
Gap: Physical security within offices and rooms is inconsistent and not formally defined.
Business risk: The varying levels of physical security at each of [Client]'s offices could result in confusion among employees and inconsistent implementation of procedures (e.g., controls) to protect confidential information.
40. 11 – Physical security, 11.1.5
Gap: No procedures or guidelines exist with regard to working in secure areas at [Client].
Business risk: Without a standard policy for working in secure areas, access is treated the same as general building access, which could lead to inappropriate access to information processing facilities or sensitive data.
41. 11 – Physical security
Gap: Delivery area security is not currently taken into account by [Client].
Business risk: Failure to assess the security of delivery areas may lead to breaches in physical security and possible mismanagement of incoming and outgoing shipments and packages.
42. 12 – Operations security, 12.3.1
Gap: A formal process is not in place for testing system, application, or data restoration (e.g., testing of backup plans).
Business risk: The lack of a formal process to test and document the results of backup plans could lead to incomplete backup archives and inadequate procedures to restore data in a timely manner.
43. 12 – Operations security, 12.4.1
Gap: A process is not in place to formally review user activity logs at a defined frequency.
Business risk: Inconsistent review of user activity logs could result in possible malicious or illegal activity not being detected in a timely manner.
44. 13 – Communications security, 13.2.4
Gap: Employment agreements are not reviewed on a regular basis to determine appropriate coverage of new confidentiality or non-disclosure requirements.
Business risk: Failing to review and update employment agreements at a defined frequency could lead to new confidentiality or non-disclosure requirements not being communicated, possibly leading to confusion over expectations and responsibilities to protect information.
45. 14 – System acquisition, development and maintenance, 14.2.5
Gap: Reviews of the principles for engineering secure systems are not performed on a defined, periodic basis.
Business risk: Not reviewing the principles for engineering secure systems could result in the untimely inclusion of controls addressing emerging threats, leading to systems designed without proper security controls.
46. 16 – Information security incident management, 16.1.2
Gap: Requirements for reporting information security events are not communicated to all employees and suppliers on a consistent basis.
Business risk: The lack of a defined process to consistently communicate responsibilities for the reporting of information security events could result in the untimely detection or escalation of information security events.
47. 16 – Information security incident management
Gap: [Client] does not have an explicit requirement for the reporting of security weaknesses.
Business risk: Failing to explicitly state that employees are required to report security weaknesses could result in potential points of impact not being discovered in a timely manner.
48. 16 – Information security incident management, 16.1.4
Gap: Procedures for reporting security events are not defined; each office has its own IT and HR contact who can escalate issues to Global IT as needed. Employees are expected to use these contacts in the event of an incident.
Business risk: Failure to document the proper process for reporting security incidents could result in the untimely detection or escalation of information security events.