SECURITY GAP ANALYSIS TEMPLATE

SECURITY POLICY    [In place? | Rating | Notes]
Information security
  Information security policy document
  Review and evaluation

ORGANIZATIONAL SECURITY    [In place? | Rating | Notes]
Information security infrastructure
  Management forum for organizational security
  Coordination of organizational security
  Allocation of responsibilities
  Authorization process for information processing facilities
  Specialist advice
  Cooperation between organizations
  Independent review of organizational security
Security of third-party access
  Identification of third-party access risks
  Security requirements in third-party contracts
Outsourcing
  Security requirements in outsourcing contracts

ASSET CLASSIFICATION AND CONTROL    [In place? | Rating | Notes]
Accountability for assets
  Asset inventory
Information classification
  Classification guidelines
  Information labeling and handling

PERSONNEL SECURITY    [In place? | Rating | Notes]
Security in job definition and resourcing
  Including security in job responsibilities
  Personnel screening policy
  Confidentiality/NDA agreements
  Employment terms and conditions
User training
  Security education and training
Responding to security incidents and malfunctions
  Security incident reporting
  Security weakness reporting
  Software malfunction reporting
  Lessons learned process
  Disciplinary process

PHYSICAL AND ENVIRONMENTAL SECURITY    [In place? | Rating | Notes]
Secure areas
  Security of physical perimeter
  Physical entry controls
  Securing offices, rooms, and facilities
  Working in secure areas
  Security of delivery and loading areas
Equipment security
  Equipment siting and protection
  Power supplies
  Cabling security
  Equipment maintenance
  Off-premises equipment security
  Reuse or disposal of equipment
General controls
  Clear desk and clear screen policy
  Removal of property policy

COMMUNICATIONS AND OPERATIONS MANAGEMENT    [In place? | Rating | Notes]
Operational procedures and responsibilities
  Operating procedures documentation
  Operational change control
  Incident management procedures
  Segregation of duties
  Separation of development and operational facilities
  External facilities management
System planning and acceptance
  Capacity planning
  System access
Protection against malicious software
  Security against malicious software
Housekeeping
  Information back-up schedule and procedures
  Operator logs
  Fault logs
Network management
  Network controls
Media handling and security
  Removable computer media management
  Disposal of media
  Information handling procedures
  System documentation security
Information and software exchanges
  Information and software exchange agreements
  Security of media in transit
  Electronic commerce security
  Security of electronic mail
  Electronic office system security
  Publicly available systems
  Other forms of information exchange

ACCESS CONTROL    [In place? | Rating | Notes]
Business requirement for access control
  Access control policy
User access management
  User registration
  Privilege management
  Password management
  User access rights review schedule
User responsibility
  Password use
  Unattended equipment policy
Network access control
  Network services user policy
  User authentication for external connections
  Node authentication
  Remote diagnostic port security
  Network connection control
  Network routing control
  Security of network services
Operating system access control
  Automatic terminal identification
  Terminal log-on procedures
  User identification and authentication
  Password management system
  System utility use policy
  Terminal time-out policy
  Limitation of connection time policy
Application access control
  Information access restriction
  Sensitive system isolation
Monitoring system access and use
  Event logging
  Monitoring system use
  Clock synchronization
Remote access
  Mobile computing
  Teleworking

SYSTEMS DEVELOPMENT AND MAINTENANCE    [In place? | Rating | Notes]
Systems security requirements
  Security requirements analysis and specification
Security in application systems
  Input data validation
  Control of internal processing
  Message authentication
  Output data validation
Cryptographic controls
  Cryptographic control security
  Encryption
  Digital signatures
  Cryptographic key management
Security of system files
  Control of operational software
  System test data protection
  Access control to program source library
Development and support process security
  Change control procedures
  Review of operating system changes
  Restrictions on changes to software
  Outsourced software development

BUSINESS CONTINUITY MANAGEMENT    [In place? | Rating | Notes]
Aspects of business continuity management
  Business continuity management process
  Business continuity and impact analysis
  Writing and implementing continuity plans
  Business continuity planning framework
  Testing, maintaining, and reassessing business continuity plans

COMPLIANCE    [In place? | Rating | Notes]
Legal compliance
  Identification of applicable legislation
  Intellectual property rights
  Protection of organizational records
  Protection of personal records
  Misuse of information processing facility policy
  Cryptographic control regulation
  Evidence collection
Reviews of security policy and technical compliance
  Security policy compliance
  Technical compliance
System audit considerations
  System audit controls
  System audit tool protection

DOCUMENT HISTORY
DOCUMENT VERSION | DATE | SUMMARY OF CHANGES | MADE BY | NOTES
0 | 12/12/2012 | First Draft | J. Smith | Example Row

Any articles, templates, or information provided by Smartsheet on the website are for reference only. While we strive to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, templates, or related graphics contained on the website. Any reliance you place on such information is therefore strictly at your own risk.