Detailed Security Work Plan For Government Department ABC

The document outlines a security work plan to assess the security practices of Government Department ABC against standards like the New Zealand Information Security Manual, ISO 27002, and COBIT. It involves reviewing the department's security policies, roles and responsibilities, risk management, vendor management, and documentation to identify any issues. The assessment will be done through interviews, documentation reviews, and comparing the department's practices to requirements in the relevant security standards.

Uploaded by Tharindu Gangoda
The purpose of this document is to compare security practices at Government Department ABC against leading practice requirements, including those outlined in the New Zealand Information Security Manual (ISM), ISO/IEC 27002 and COBIT.

Columns: Ref, Control Objective, Relevant Standard, Method, Results, Issue Raised? (the Results and Issue Raised? columns are blank in this plan and are listed here only where content exists).

1. Policy and Procedures

1.1 Determine if an Information Security Framework has been established comprised of Policies, Procedures and Standards.
    Relevant Standard: NZ Information Security Manual (ISM) 4.1-4.7; COBIT DS5.2; ISO/IEC 27002 5.1
    Method: Interview with Key Stakeholders; Documentation Review

1.2 Review Policies, Procedures and Standards to ensure they are final, signed off and under version control.
    Relevant Standard: COBIT PC 5
    Method: Interview with Key Stakeholders; Documentation Review

1.3 Assess whether the Information Security Framework incorporates legislative requirements, including the Privacy Principles, and the key areas outlined in the ISM, including:
     Security Governance
     Security Documentation
     System Certification and Accreditation
     Security Monitoring
     Security Incidents
     Physical Security
     Personnel Security
     Communications Security
     Communications Systems & Devices
     Information Technology Security
     Media Security
     Software Security
     Access Control
     Cryptography
     Network Security
     Gateway Security
     Working Offsite
    Relevant Standard: ISM 1.0-19.0; COBIT ME3.1-3.3
    Method: Documentation Review

2. Roles & Responsibilities

2.1 Understand roles and responsibilities for security and assess whether they are clearly defined.
    Relevant Standard: ISM 3.1-3.5; COBIT DS5.1; ISO/IEC 27002 6.1
    Method: Interview with Key Stakeholders; Documentation Review

2.2 Determine if Information Security within the agency is endorsed by the Agency head, in accordance with the ISM.
    Relevant Standard: ISM 3.1; COBIT DS5.1
    Method: Interview with Key Stakeholders; Documentation Review

2.3 Assess whether a Chief Information Security Officer has been identified to champion the security process, in accordance with the ISM.
    Relevant Standard: ISM 3.2; COBIT DS5.1
    Method: Interview with Key Stakeholders; Documentation Review

3.0 Confirming policies and procedures are communicated to relevant staff

3.1 Understand the organisational process for managing policies and procedures and assess Information Security compliance.
    Relevant Standard: ISO/IEC 27002 10.2, 6.1; ISM 3.2
    Method: Interview with Key Stakeholders; Documentation Review

3.2 Identify how Information Security Policies are communicated to staff and assess the adequacy of the process.
    Relevant Standard: COBIT PC5; ISO/IEC 27002 10.2, 6.1; ISM 3.2
    Method: Interview with Key Stakeholders; Documentation Review

3.3 Determine if training is provided to staff on the Information Security Management Framework.
    Relevant Standard: COBIT PC5; ISO/IEC 27002 10.2, 6.1; ISM 3.2, 9.1
    Method: Interview with Key Stakeholders; Documentation Review

3.4 Identify if any awareness-raising activities have been conducted for Information Security Management.
    Relevant Standard: COBIT PC5; ISO/IEC 27002 10.2, 6.1; ISM 3.2, 9.1
    Method: Interview with Key Stakeholders; Documentation Review

4.0 Information Security Performance Measurement

4.1 Determine if Performance Goals and/or Success Indicators have been established for Information Security.
    Relevant Standard: COBIT ME1.1-1.6
    Method: Interview with Key Stakeholders; Documentation Review

4.2 Understand if Security Performance Data is collected and reviewed against goals.
    Relevant Standard: COBIT ME1.1-1.6
    Method: Interview with Key Stakeholders; Documentation Review

4.3 Determine if any benchmarking is conducted against industry performance information.
    Relevant Standard: COBIT ME1.1-1.6
    Method: Interview with Key Stakeholders; Documentation Review

4.5 Identify if a performance monitoring method has been implemented, for example a Balanced Scorecard.
    Relevant Standard: COBIT ME1.1-1.6
    Method: Interview with Key Stakeholders; Documentation Review

4.6 Understand if Performance Information is reported to the board or Senior Executive Management.
    Relevant Standard: COBIT ME1.1-1.6
    Method: Interview with Key Stakeholders; Documentation Review

5.0 Vendor Compliance

5.1 Review vendor contracts for in-scope applications and assess whether vendors are required to comply with the organisation's Information Security Framework, international standards (e.g. ISO/IEC 27002) and legislative requirements including the ISM.
    Relevant Standard: ISO/IEC 27002 10.2; ISM .2; COBIT DS 1.3, 1.5, 2.4
    Method: Interview with Key Stakeholders; Documentation Review

5.2 Understand the processes for assessing Vendor Compliance with contractual requirements, what reporting information is collected and reviewed, and whether any audits of Vendor Compliance are conducted.
    Relevant Standard: ISO/IEC 27002 10.2; ISM .2; COBIT DS 1.3, 1.5 & 2.4
    Method: Interview with Key Stakeholders; Documentation Review

6.0 Security Risk Assessments

6.1 Determine if a Security Risk Assessment has been completed.
    Relevant Standard: ISO/IEC 27002 4.1-4.2; COBIT PO9.4; ISM 4.1
    Method: Interview with Key Stakeholders; Documentation Review

6.2 Understand if a Security Risk Management Plan has been developed based on the results of the risk assessment.
    Relevant Standard: ISO/IEC 27002 4.1-4.2; COBIT PO9.5-9.6; ISM 4.1
    Method: Interview with Key Stakeholders; Documentation Review

6.3 Assess whether the Security Risk Assessment has been conducted in accordance with the organisation's Risk Management framework.
    Relevant Standard: COBIT PO9.1
    Method: Interview with Key Stakeholders; Documentation Review

6.4 Understand if a System Security Plan or equivalent has been prepared for each in-scope application in accordance with the ISM.
    Relevant Standard: ISO/IEC 27002 4.1-4.2; COBIT PO9.4; ISM 4.1
    Method: Interview with Key Stakeholders; Documentation Review

6.5 Identify if there is a process in place to capture and manage security incidents.
    Relevant Standard: ISM 6.1-6.4; COBIT DS5.6
    Method: Interview with Key Stakeholders; Documentation Review

7.0 Establishing if appropriate security documentation has been developed

7.1 Understand if a System Security Plan has been developed in accordance with the ISM.
    Relevant Standard: ISM 4.1
    Method: Interview with Key Stakeholders; Documentation Review

7.2 Determine if up-to-date Network Architecture Security documentation has been prepared.
    Relevant Standard: ISM 4.1 & 17.1
    Method: Interview with Key Stakeholders; Documentation Review

7.3 Assess whether Operating System security documentation has been prepared.
    Relevant Standard: ISM 4.1
    Method: Interview with Key Stakeholders; Documentation Review

8.0 Accreditation process

8.1 Understand if a certification and accreditation process has been established in accordance with the ISM.
    Relevant Standard: ISM 5.1-5.4
    Method: Interview with Key Stakeholders; Documentation Review

8.2 Understand if in-scope systems are being accredited.
    Relevant Standard: ISM 5.1-5.4
    Method: Interview with Key Stakeholders; Documentation Review

9.0 Evaluating network security controls for ETP

9.1 Verify that Network Architecture Documentation is up to date and provides an accurate reflection of the network.
    Relevant Standard: COBIT DS5.10; ISO/IEC 27002 10.6 & 11.4; ISM 17.1-17.9
    Method: Interview with Key Stakeholders; Documentation Review

9.2 Understand the process in place for managing the Network Configuration and assess if the configuration is centrally managed.
    Relevant Standard: COBIT DS5.10; ISO/IEC 27002 10.6 & 11.4; ISM 17.1-17.9
    Method: Interview with Key Stakeholders; Documentation Review

9.3 Understand if any vulnerability assessments, hacking and penetration testing have been performed on the network by internal or external parties.
    Relevant Standard: ISM 7.1
    Method: Interview with Key Stakeholders; Documentation Review

9.4 Understand authentication and network connection controls and assess whether only authorised devices are permitted to connect to the network. Identify if remote connections are permitted and assess whether this is adequately controlled.
    Relevant Standard: COBIT DS5.10; ISO/IEC 27002 10.6 & 11.4; ISM 17.1-17.9
    Method: Interview with Key Stakeholders; Documentation Review

9.5 Determine if Network Operations Management is segregated from Computer Operations Management.
    Relevant Standard: COBIT DS5.10; ISO/IEC 27002 10.6 & 11.4; ISM 17.1-17.9
    Method: Interview with Key Stakeholders; Documentation Review

9.6 Understand if sensitive information transmitted across the network is encrypted.
    Relevant Standard: COBIT DS5.10-5.11; ISO/IEC 27002 10.6 & 11.4; ISM 17.1-17.9
    Method: Interview with Key Stakeholders; Documentation Review

9.7 Assess whether logging and monitoring of security events is enabled on the network.
    Relevant Standard: COBIT DS5.10; ISO/IEC 27002 10.6 & 11.4; ISM 17.1-17.9
    Method: Interview with Key Stakeholders; Documentation Review

9.8 Understand if an Intrusion Detection System has been implemented in the network.
    Relevant Standard: COBIT DS5.10; ISO/IEC 27002 10.6 & 11.4; ISM 17.1-17.9 & 7.6
    Method: Interview with Key Stakeholders; Documentation Review

9.9 Identify if firewalls are in place and meet the minimum requirements outlined in the ISM (e.g. EAL4-4 depending on the classification of the network).
    Relevant Standard: COBIT DS5.10; ISO/IEC 27002 10.6 & 11.4; ISM 17.1-17.9
    Method: Interview with Key Stakeholders; Documentation Review

9.10 Understand if any content filtering is in place over the network prohibiting the transfer of potentially malicious content, e.g. executables.
    Relevant Standard: COBIT DS5.10; ISO/IEC 27002 10.6 & 11.4; ISM 8.3
    Method: Interview with Key Stakeholders; Documentation Review

9.11 Assess whether inbound and outbound email containing malicious code, encrypted content, unidentified content and SPAM is blocked at the email server.
    Relevant Standard: COBIT DS5.10; ISO/IEC 27002 10.6 & 11.4; ISM 17.1-17.9
    Method: Interview with Key Stakeholders; Documentation Review

10. Reviewing Operating System, Application and Database Security controls for the above applications

10.1 Understand the process for granting users access to operating systems, applications and databases. Assess whether approval is required from the relevant Application Owner.
    Relevant Standard: ISM 15.1-15.4; ISO/IEC 27002 11.1-11.7; COBIT DS5.3-5.4

10.2 Assess whether user access rights are regularly reviewed by application owners and IT. Assess the process in place to remove terminated users from the system and confirm this is done in a timely manner.
    Relevant Standard: ISM 15.1-15.4; ISO/IEC 27002 11.1-11.7; COBIT DS5.3-5.4

10.3 Confirm that no shared user accounts exist.
    Relevant Standard: ISM 15.1-15.4; ISO/IEC 27002 11.1-11.7; COBIT DS5.3-5.4

10.4 Understand Password Management Principles and assess whether passwords:
     meet the minimum requirements according to the ISM
     are required to be changed regularly
     cannot be reused for a determined number of generations
     that are temporary are required to be changed at the first logon
    Relevant Standard: ISM 15.1; ISO/IEC 27002 11.3

10.5 Assess whether controls are in place to prevent unauthorised access, including:
     screen locks and timeouts are in place
     users are locked out after three failed login attempts
     user access history is logged and reviewed by independent personnel
    Relevant Standard: ISM 15.1; ISO/IEC 27002 11.3

10.6 Confirm that antivirus software is installed and regularly updated. Assess whether updates are tested before being applied to production.
    Relevant Standard: ISO/IEC 27002 10.4; COBIT DS 5.9

10.7 Determine if there is a Patch Management Approach and whether patches are regularly applied.
    Relevant Standard: ISM 12.4; COBIT DS 5.9

10.8 Understand if password files are encrypted.
    Relevant Standard: COBIT DS 11.6

11. Privileged Account Management

11.1 Understand the process for identifying and managing privileged accounts.
    Relevant Standard: COBIT DS5.4; ISM 15.1-15.4; ISO/IEC 27002 11.1-11.7
    Method: Documentation Review; Interview with Key Stakeholder

11.2 Identify privileged and administrator accounts for in-scope applications, databases, operating systems and networks. Assess whether the list is kept to a minimum.
    Relevant Standard: COBIT DS5.4; ISM 15.1-15.4; ISO/IEC 27002 11.1-11.7
    Method: Documentation Review; Interview with Key Stakeholder

11.3 Understand if privileged account use is monitored and reviewed by an independent person through the use of secure automated logs.
    Relevant Standard: COBIT DS5.4; ISM 15.1-15.4; ISO/IEC 27002 11.1-11.7
    Method: Documentation Review; Interview with Key Stakeholder

11.4 Assess whether default vendor passwords have been changed and passwords are managed appropriately.
    Relevant Standard: COBIT DS5.4; ISM 15.1-15.4; ISO/IEC 27002 11.1-11.7
    Method: Documentation Review; Interview with Key Stakeholder

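The user-access tests in 10.2 (timely removal of terminated users), 10.3 (no shared accounts) and 11.2 (privileged list kept to a minimum) can be run as a reconciliation between an account extract and the HR leavers list. The following is an added example and not part of the work plan; the account extract, leavers list, the five-day disable tolerance and the rule that an empty or team-named owner means a shared account are all constructed assumptions.

```python
# Added example (not from the work plan): reconciliation tests for items
# 10.2, 10.3 and 11.2. All data below is constructed; the tolerance and the
# "team owner means shared" rule are assumed assessor thresholds.
from datetime import date

# Constructed account extract: (login, named owner, enabled?, privileged?)
ACCOUNTS = [
    ("jsmith",     "J. Smith",      True,  False),
    ("akumar",     "A. Kumar",      True,  True),
    ("bwong",      "B. Wong",       False, False),
    ("svc_backup", "",              True,  True),   # no individual owner
    ("helpdesk",   "Helpdesk team", True,  False),  # team owner = shared
    ("root",       "A. Kumar",      True,  True),
]

# Constructed HR leavers list: login -> (termination date, date disabled or None)
LEAVERS = {
    "bwong":  (date(2024, 3, 1),  date(2024, 3, 12)),
    "jsmith": (date(2024, 4, 15), None),
}

DISABLE_TOLERANCE_DAYS = 5  # assumed definition of "timely" for 10.2


def leaver_findings(accounts, leavers, tolerance=DISABLE_TOLERANCE_DAYS):
    """10.2: leavers whose account is still enabled, or was disabled late."""
    enabled = {login for login, _, on, _ in accounts if on}
    findings = []
    for login, (left, disabled) in leavers.items():
        if disabled is None or login in enabled:
            findings.append((login, "still enabled"))
        elif (disabled - left).days > tolerance:
            lag = (disabled - left).days
            findings.append((login, f"disabled {lag} days after termination"))
    return findings


def shared_accounts(accounts):
    """10.3: accounts with no individual owner (empty or team-named owner)."""
    return [login for login, owner, _, _ in accounts
            if not owner or "team" in owner.lower()]


def privileged_accounts(accounts):
    """11.2: the privileged list the assessor challenges for minimality."""
    return [login for login, _, _, priv in accounts if priv]


if __name__ == "__main__":
    print("10.2 findings:", leaver_findings(ACCOUNTS, LEAVERS))
    print("10.3 shared:", shared_accounts(ACCOUNTS))
    print("11.2 privileged:", privileged_accounts(ACCOUNTS))
```

Each finding maps back to the work-plan item it evidences, so it can be recorded directly in the Results and Issue Raised? columns.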
12. Evaluating whether sensitive data held within applications is appropriately managed

12.1 Understand if an Accreditation Process has been established for Systems in accordance with the ISM.
    Relevant Standard: ISM 5.1-5.4
    Method: Documentation Review; Interview with Key Stakeholder

12.2 Identify Systems that hold sensitive data and assess whether confidential and sensitive data held in those systems is encrypted or masked and access is limited to a minimum number of authorised people.
    Relevant Standard: ISM 5.1-5.4; COBIT DS 11.6
    Method: Documentation Review; Interview with Key Stakeholder

13. Physical Security Assessment

13.1 Understand the process for obtaining access to the Data Centre and identify who has access. Assess whether access is appropriate and only granted to authorised users.
    Relevant Standard: ISM 8.1-8.5; ISO/IEC 27002 9.1
    Method: Documentation Review; Interview with Key Stakeholders; Physical Inspection

13.2 Understand how physical access to the Data Centre and IT work areas is controlled through the use of a manned reception, physical keys, combination locks and physical access cards. Assess whether keys and combinations are appropriately secured. Identify if logs of who accesses the Data Centre are maintained and reviewed.
    Relevant Standard: ISM 8.1-8.5; ISO/IEC 27002 9.1
    Method: Documentation Review; Interview with Key Stakeholders; Physical Inspection

13.3 Identify if logs are maintained of who enters IT work areas and Data Centres, and whether the logs are reviewed to confirm access is appropriate.
    Relevant Standard: ISM 8.1-8.5; ISO/IEC 27002 9.1
    Method: Documentation Review; Interview with Key Stakeholders; Physical Inspection

13.4 Assess whether physical security perimeters are physically sound and the risk of theft is minimised through:
     reinforced glass
     walls of solid construction
     fire doors that are alarmed and monitored
     Intruder Detection Systems or alarms
     at vendor sites, the organisation's servers and equipment being separated from those of other organisations
    Relevant Standard: ISM 8.1-8.5; ISO/IEC 27002 9.1
    Method: Documentation Review; Physical Inspection

13.5 Understand if Data Centres are protected from external and environmental threats, including:
     the use of a UPS and, if required, a backup generator
     an emergency power-off switch has been put in place
     air conditioning systems are adequate
     adequate smoke alarms and fire-fighting equipment are in place
     servers, PCs and equipment are raised from the floor to protect from floods
     no hazardous or combustible materials are stored in the Data Centre
     backup media is stored away from the primary Data Centre and is not subject to the same risks (e.g. is on a separate power grid)
    Relevant Standard: ISO/IEC 27002 9.1-9.2
    Method: Documentation Review; Physical Inspection

13.6 Assess cabling security and confirm that cables are organised in a safe manner and clearly labelled.
    Relevant Standard: ISO/IEC 27002 9.1-9.2
    Method: Documentation Review; Physical Inspection

13.7 Determine if a policy is in place to ensure the physical security of equipment taken offsite (e.g. laptops) and that adequate insurance cover is provided for offsite equipment.
    Relevant Standard: ISO/IEC 27002 9.1-9.2
    Method: Documentation Review; Physical Inspection

13.8 Assess the process for disposal and reuse of equipment and confirm that confidential/sensitive data is irrevocably destroyed.
    Relevant Standard: ISO/IEC 27002 9.2
    Method: Documentation Review; Physical Inspection

13.9 Understand the process for removal of property from the Data Centres and assess whether equipment is recorded as being moved offsite and proper authorisation is required.
    Relevant Standard: ISO/IEC 27002 9.1-9.2
    Method: Documentation Review; Physical Inspection
