Cleaned up Literature folder

Richard Kranendonk 2026-05-18 12:48:01 +02:00
parent 73a6380034
commit fe5eda4e05
586 changed files with 53911 additions and 2475 deletions


@ -0,0 +1,738 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/insider-threat-prevention-strategy-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: March 25, 2022
Retrieved from on December 16, 2024
1. How does your organization verify that all cleared employees have completed the required insider threat awareness training?
2. Which organization information does your insider threat detection program leverage?
3. Does your organization have a defined insider threat management program that involves cooperation among multi disciplinary areas of your organization as human resources, IT and legal?
4. How does your organization work to identify observable and reportable external cyber threats that may be linked to internal cyber insider threat activities?
5. Does your organization have a formal incident response plan with provisions for insider threat attacks?
6. How does your organization close the gap between the initial attack, discovering the insider threat actors deeds and taking action to shut down or otherwise mitigate the event?
7. Do your CSPs have a formalized insider threat program?
8. Aside from DLP/CASB solutions, what additional data security solutions does your organization leverage to protect against insider threats?
9. How does your organization fund and staff a program office to implement your organizations insider threat policy?
10. Does the insider threat program personnel receive regular, timely access to all relevant and credible information to identify violations, areas of concern or potential insider threat matters?
11. Can proactive insider threat detection leverage information already being collected for records management purposes, and what would be the ethical and legal fallout of approaches?
12. What administrative policies and procedures do you have in place for insider threat management?
13. How is your organization monitoring malicious or inadvertent insider threat risk caused by disgruntled or displaced employees and contractors?
14. Does your insider threat program have all the necessary components to be effective?
15. How can social and behavioral factors improve analytics for risk analysis, including operational security and insider threat detection?
16. How will insider threat awareness training best be accomplished and documented for your organization workforce?
17. Does any application have any insider threat detection and response capability?
18. Does your insider threat detection program leverage information from across your organization?
19. What does it take to build an effective insider threat program within your organization?
20. Does your organization have a program to identify and/or mitigate the insider threat?
21. Which departments within your organization participate with your insider threat related program?
22. Has your organization experienced potential issues of insider threat from current or recently separated employees, contractors, or vendors?
23. Does your organization have the appropriate controls to detect and prevent an insider attack?
24. What information type is more difficult to protect against insider threat activities?
25. Does your organization ignore the insider threat in favor of the outsider threat?
26. What relationship exists between your organizations program and the insider threat programs established by the various cleared contractors that work for your organization?
27. Does your organization have a dedicated team or department responsible for monitoring and/or responding to insider threats?
28. What preventative measures work best to disrupt the insider threat cycle before mission critical or sensitive data is compromised or leaked?
29. Do you anticipate utilizing a full time insider threat program team or a part time program team?
30. What does a security roadmap that includes insider threats look like for your organization?
31. Does security and privacy awareness training include information on recognizing and reporting indicators of insider threat?
32. Does any initiative become prone to insider threat or is it going to bring more value to mitigate it?
33. How long does it typically take your organization to mitigate and stop an insider attack?
34. How would an apparent insider threat change your response and communication procedures?
35. What role can technology now play in improving insider threat detection and response?
36. Does an insider threat program also encompass detection and investigation of inside threats?
37. Have arrangements to deal with the potential insider threat and changed control environment associated with remote working been put in place?
38. How does your organization allocate resources to mitigate or curtail insider threats?
39. How is insider threat awareness training accomplished and documented for your organizations workforce?
40. Should your organization use technical measures like restricting access to curtail the risk of insider attack?
41. How are you positioned to pursue a risk based insider threat monitoring program?
42. Do you believe your organization has invested enough to mitigate the risk of insider threats?
43. How do you position an insider threat program to your workforce?
44. How does cloud adoption complicate the insider threat, and what is your organization doing about it?
45. How effective do you consider your insider threat prevention and detection methods?
46. How do you create a culture of awareness and support to catch problems early and disrupt a possible insider threat before it ever exists?
47. Where is potentially anomalous or risky behavior associated with an insider threat reported?
48. What is the policy to thwart insider threat in your cybersecurity organizations?
## **Organized by Key Themes: SECURITY, DATA, RISK, INSIDER, THREAT, MANAGEMENT, PRODUCT, PROJECT, DESIGN, DEVELOP:**
### SECURITY:
How do you create a culture of awareness and support to catch problems early and disrupt a possible insider threat before it ever exists?
Lead application security solutions, data loss prevention solutions, insider threat solutions, enterprise vulnerability management and support business development (merger, acquisition, divestiture) security and IT solutions.
What is the visibility and messaging put out to your organization on the insider program?
Make sure the Information Security Incident Response team is responsible for managing the detection and reporting of information security and insider threat incidents, supporting all organization Business Units.
What auditing and tracking does your organization get when using an external cloud application?
Invest in planning, organizing and leading IT security projects related to network, system and data security, to include insider threat detection, enterprise information security reporting, auditing, as well as system risk management and mitigation.
Is your organization protected against someone who knows your system better than anyone else?
Confirm that your design is leveraging advanced threat assessment technology and involvement in building high-level information security infrastructure, you develop adaptive solutions uniquely tailored to your (internal) customers business objectives to protect sensitive data against sophisticated threats in an increasingly complex security environment.
What are the biggest challenges your organization faces in establishing whether an event or incident is an insider threat?
Make sure your company manage all enterprise cyber, data protection, and insider threat programs, including establishing incident response, 24x7 security operations center, and security engineering, architecture and intelligence teams.
How do you speed up security investigations and reduce the impact of insider threats?
Guarantee your strategy performs as a member of the security team to invest in the execution of an insider threat program.
How will you manage the risk of your hardware or software becoming unsupported?
Support the daily monitoring, escalation, and remediation of information security and insider threat events with relevant teams that support the incident response process.
How do you use your incident response planning for more than data breaches?
Make sure your company is involved in working with Insider Threat regulations and information security reports.
What environments, logical and geographical does your deployment need to reach/support?
Ensure you have involvement building and leading a team to Support Insider risk program including data loss prevention, email security, forensics and data collection (including cloud).
Does your organization have a dedicated team or department responsible for monitoring and/or responding to insider threats?
Make sure the team works closely with peers responsible for Threat Management, Malware Analysis, Insider Threat, and Security Automation.
### DATA:
Are the risks associated with cloud computing actually higher than the risks your organization is facing form internal systems?
Make sure the Director, Insider Threat serves as the Insider Risk Working Group chairperson, working to govern the program, identify, prioritize and implement insider risk use cases, and coordinating across business units to ensure those responsible and accountable for data are kept consulted and informed.
Does your organization deserve credit for trying to identify and prioritize its data?
Support log ingestion activities in partnership with application owners and analytics platform teams, run threat modelling, co-relate data and build policies to identify insider threats in critical business applications.
Do you have a budget specifically allocated for investment in enabling technologies to reduce the insider threat?
Continue to leverage and enhance User Activity Monitoring (UAM), Data Loss Prevention (DLP), and SIEM technology solutions to address risk as it relates to all aspects of Insider Threat risk.
Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
Certify your organization is responsible for Exceptions Risk Management for Insider Threat Operations as well as data movement reviews, data collection and analysis, and identification of anomalous patterns of data.
Does your organization have policies describing how to identify and respond to at risk employees?
Safeguard that your team develops analytical models that leverage relevant data from the Insider Threat detection tools, and other applicable data sources, to identify anomalies potentially indicative of an insider threat.
How do you define an insider threat?
Define business and technical requirements for data loss and insider threat detection and prevention solutions.
Which technologies do you use as part of your organizations threat hunting approach?
Manage IT Security Program involving services to include cybersecurity operations, continuous monitoring, security information and event management, security architecture, security engineering, vulnerability scanning, endpoint security, security analytics, network access control, penetration testing, data forensics, security data ingestion and analysis, incident analysis, threat monitoring/hunt and security situational awareness.
Do your CSPs have a formalized insider threat program?
Interface so that your organization is developing and analyzing data based on current and past insider threat cases and the significance of trends.
How do you improve privilege review technology to better enable vital business practices?
Support the implementation of data collection and analysis systems to enable insider threat detection activities.
### RISK:
How are security cultures developed in your organizations that you engage with?
Develop experience working with Data Loss Prevention (DLP), insider threat detection and response, Cloud Access System Brokers (CASB), SIEM solutions, and User Behavior Analytics (UBA) to address risk as it relates to Insider Threat, sensitive data exfiltration, identity access management, and/or fraud.
How do you create a culture of awareness and support to catch problems early and disrupt a possible insider threat before it ever exists?
Oversee that your company develops response strategies and technical support documents, summaries, reports, presentations and other designated products that help support the Insider Threat program and other organizational entities identification of team member centric risk.
Does your program incorporate a focus on external stakeholders as third parties to include supply chain providers?
Assure your organization provides threat information and identify best practices for managing supply chain and insider risks, from economic and threat perspectives.
What is the solution to reducing your exposure and defending against corresponding high risk insider threats?
Provide leadership and support to the Insider Threat Steering Committee to ensure the risk from Insider Threats is continually managed and reducing, if outside risk appetite.
Do you have a good understanding of the programs your personnel are performing on?
Develop experience leading, coordinating, and performing risk assessments, including insider threat related activities.
Is a system of perimeter controls maintained to deter or detect unauthorized introduction or removal of classified information from the facility?
Develop and maintain an insider threat risk convergence model.
What are the main benefits of using a threat hunting platform for security analysts?
Make sure your personnel is providing tailored intelligence and insider threat risk analysis.
Does the person of concern have problems with supervisors, management, or leadership?
Manage ownership of the intellectual property focused Insider Risk Manager Insider Threat program.
What are the leading practices for combating insider threats, and how do ours differ?
Assure your staff has involvement in developing an IS audit strategy that reflects your organizations risk profile, regulatory/legal requirements, current threat trends, and IS industry best practices.
How do you reign in privileged users and protect against insider threat?
Provide analytical support and/or other input to facilitate Sensitive Information Protection, Insider Risk, Employee Relations, Legal, or Human Relations efforts to protect sensitive content and confidential information.
### INSIDER:
How are you positioned to pursue a risk based insider threat monitoring program?
Provide support to create, build, implement and maintain Insider Threat use cases with risk focused user entity behavior analytics, user access monitoring tools, data loss prevention, and/or other related capabilities.
Is there an advanced monitoring mechanism in the solution allowing to measure the potential performance bottlenecks and to give clear information about what should be done to fix the limitation?
Be sure your process is responding to, investigating, and documenting potential insider threat indicators displayed by contractors and/or organization employees.
What approaches, if any, are currently being used for the safety and security of your organization?
Guarantee your workforce reviews information to identify anomalous behavior indicative of an insider threat, and to use detection and analysis tools in the development of a comprehensive view of the potential threat.
Does your organization ensure all classified IS users will be trained on responsibilities and the training will include information related to the insider threat program?
Assure your workforce is managing the corporate insider threat program to include training, execution and compliance.
Is it feasible to measure knowledge, knowledge sharing and knowledge management within your organization using the COBIT 5 framework?
Make sure your workforce works with Insider Threat committee to make sure of compliance with reporting and maintaining a safe work environment.
Are procedures established to review classified holdings on a recurring basis for the purpose of maintaining classified inventories to the minimum required for classified operations?
Liaison so that your group provides support to CSM for establishment and maintaining of Insider Threat Program.
What does it take to build an effective insider threat program within your organization?
Partner with internal teams to build out Insider threat related programs.
What department in your organization should be involved in an insider threat program?
Establish that your process is involved in Counterintelligence, Insider Threat, and access control systems.
What really needs to be determined is how the team will be structured and where it will be located?
Cultivate an enterprise program that embeds insider risk processes into your daily operations.
How do you detect an insider threat?
Collaborate on the build and implementation of processes and technologies to detect high risk insider activities that are accidental or malicious in nature.
### THREAT:
How are guidelines going to be adhered to in your organization and how is your business going to manage the service management requirements?
Make sure the Program Manager is responsible for leading collaboration and partnership with cross-functional stakeholders and business unit leadership across the organization to guide Insider Threat inquiries, investigations, and incidents.
How do you know if systems are trustworthy?
Guarantee your team is serving as key coordinator between multiple/cross discipline stakeholders to ensure enterprise wide integration of Insider Threat program efforts.
Does your organization have policies and practices mandating security awareness training?
Interface so that your design is identifying and recommending process improvement methodologies and principles to optimize the Insider Threat program and implement best practices.
Does the solution provide a supported and documented API to automate functionality, to push data into the solution?
Provide consulting support services to organization and private sector (internal) clients related to the development of insider threat programs.
Do you supplement traditional incident focused approaches to threat discovery with an approach that feeds metadata to a pattern focused analytic?
Verify that your team is responsible for identifying and developing Insider Threat Detection Use cases focused on insider threats.
Does your organization provide security awareness training on recognizing and reporting potential indicators of insider threat?
Guarantee your staff is collecting, analyzing and interpreting qualitative and quantitative data from multiple sources for the purpose of documenting investigations, analyzing findings and provide Insider threat metrics.
Does your organization ensure all classified IS users will be trained on responsibilities and the training will include information related to the insider threat program?
Trained and proficient working with data loss protection (DLP), user entity behavior analytics (UEBA), digital forensics and/or Insider Threat tools.
Do your cleared employees, as well as yourself, know what a violation is and to whom you should report it?
Invest in the development of an Insider Threat program from the ground up, including the development of Concept of Operations and Standard Operating Procedure documents that build on (internal) clients existing acceptable use and need to know policies.
Do the countermeasures interdict the threat during or just prior to the attack?
Be certain that your organization works with Directors on inter divisional communication for the success of compliance programs, insider threat program, quality and safety standards and business strategies.
How does your cybersecurity program apply industry standards and best practices?
Make headway so that your team is identifying and facilitating implementation of Insider Threat program best practices.
### MANAGEMENT:
How do you integrate policy and compliance with an effective Insider Threat program?
Ensure your strategy performs data discovery, data classification, insider threat management and Data Loss Prevention (DLP) tasks.
What is the probability of a given observed sequence with respect to your model?
Make sure there is program management and collaboration across diverse stakeholders for Insider Threat programs.
What value would user activity monitoring provide in overcoming insider threats?
Research or develop methodologies for conducting digital/electronic forensics, intrusion detection, insider threat monitoring, risk management, and incident response and remediation.
Are your employees properly screened for clearance and need to know prior to attending classified meetings?
Coordinate with legal, privacy, human resource, and compliance internal business partners on the intention and scope of the Insider Risk Management Program.
What is the biggest barrier to achieving the necessary agility to respond to changes in the insider threat environment?
Develop experience working on a team to implement new business programs and/or technologies and navigating change management issues.
Does an insider threat program also encompass detection and investigation of inside threats?
Establish and mature the enterprise threat management program to include threat aggregation, analysis, modeling, hunts, and insider.
What are an employees beliefs about the outcomes of compliance and noncompliance that influence beliefs about the overall assessment of consequences?
Assess and design security management functions as related to cyberspace.
What are the leading practices for combating insider threats, and how do yours differ?
Verify that your organization is involved in Cloud (AWS/Azure) change management tools and practices.
Does your organization have a defined insider threat management program that involves cooperation among multi disciplinary areas of your organization as human resources, IT and legal?
Interact and maintain highly effective partnerships with line of business management, COO team and staff.
Does security training include how to communicate employee and management concerns regarding potential indicators of insider threat?
Ensure strong business acumen and project management expertise.
### PRODUCT:
Does your program incorporate a focus on external stakeholders as third parties to include supply chain providers?
Safeguard that your team investigations, Brand Protection, Business Risk analytics/reporting, Ecommerce Enforcement, Insider Threat, Physical Security, Product Integrity, Supply Chain Security and Technical Security Countermeasures.
Does the solution provide a supported and documented API to automate functionality, to pull data from the solution?
Work on a support team providing support services for a Production application.
How do you maximize the value of your content and boost visibility and control over your sensitive data, all while safeguarding your business from ransomware and insider threats?
Work with Product team to plan new features, gather requirements and propose solutions.
How do you create a culture of awareness and support to catch problems early and disrupt a possible insider threat before it ever exists?
Be on a monthly On Call schedule to support Production environment after business hours.
How would you characterize the effectiveness of your organization to monitor, detect, and respond to insider threats?
Make sure your process troubleshoots business and production issues.
What information needs to be captured to perform the prioritization and to give the human analysts a good starting point?
Make headway so that your team is facilitating prioritization sessions for the product backlog.
Does business development and human resources understand the nature of existing threats and information to be aware of that may place your organization at risk?
Help the Scrum Team understand the need for clear and concise Product Backlog items.
What impacts do emerging information technologies have on the capabilities and limitations of the personnel security adjudicative guidelines to mitigate insider threats?
Apply best practice approaches and guide the product team through the process.
How do you maximize the value of your content and boost visibility and control over your sensitive data, all while safeguarding your business from ransomware and insider threats?
Make headway so that your design ensures the Product Owner knows how to arrange the Product Backlog to maximize value.
Does your facility have procedures in place that will help recognize and stop a threat from within?
Maintain availability and performance SLAs based on business and product requirements.
### PROJECT:
How do you improve privilege review technology to better enable vital business practices?
Verify that your team is involved in RESTful and SOAP-based web services involvement working with geographically separate project teams Liaison so that your workforce is involved in unit testing and automated testing tools Guarantee your group is involved in secure coding practices involvement implementing web content management systems in a large corporate environment.
How important are the effected components to the ICS and to operations in general?
Establish that your team provides status updates on work projects and any technical issues that present risk to project timeline with priority by selected project framework.
Does your organization have a defined insider threat management program that involves cooperation among multi disciplinary areas of your organization as human resources, IT and legal?
Capture and disseminate information pertaining to issues and risks with contingency and mitigation plans defined by Teams and the project charter and tracked in the team repository.
Will the number and type of users requiring access to the classified systems and networks change?
Make sure your team projects include significant business process and/or technology change.
Do you integrate customized tenant requirements into your security incident response plans?
Disseminate information to all Team members through transmittal methods directed by your organization per the project communication plan.
Are the numbers of clearances held to a minimum consistent with contractual requirements?
Ensure your organization manages projects from intake to delivery serving as both Business Analyst and Project Manager.
Have arrangements to deal with the potential insider threat and changed control environment associated with remote working been put in place?
Facilitate change management activities between the project team and IT service groups.
Do you have access to a comprehensive range of visualization and multidimensional analytics for the timely delivery of intelligence, including threat and fraud analytics?
Confirm that your process motivates project team in order to deliver project outcomes.
What metrics do you use to measure trustworthiness without alienating employees?
Make headway so that your design informs team members of risks and issues associated with each project.
How do you create a culture of awareness and support to catch problems early and disrupt a possible insider threat before it ever exists?
Provide project management support to the IT business area.
### DESIGN:
Are you aware of any incidents that involved the use of information found on social networking media to negatively impact your organization?
Oversee that your company is involved in insider threat analysis, mitigation and program design.
Do you have access to a comprehensive range of visualization and multidimensional analytics for the timely delivery of intelligence, including threat and fraud analytics?
Apply architectural and engineering concepts to design a solution that meets operational requirements, such as scalability, maintainability, security, reliability, extensibility, flexibility, availability and manageability Act as a key interface to your internal (internal) customers, and work closely with the delivery team to help deliver successful solution insights to your internal business leaders.
How will you manage the risk of your hardware or software becoming unsupported?
Certify your design gathers requirements, designs and deploys network solutions to support business alignment.
How do you synthesize social science and technical research output to respond to insider threat problems?
Safeguard that your operation analyzes business requirements and problems and drives research to design quality technical solutions.
What are the leading practices for combating insider threats, and how do ours differ?
Manage, monitor, and operate applications Lead other team members in design and coding phases.
Are you aware of any incidents that involved the use of information found on social networking media to negatively impact your organization?
Assure your operation is involved in design systems in large scale organizations.
How do you balance being a great place to work with the risk of insider threat?
Oversee that your personnel is maintaining operational effectiveness and efficiency by performing research on new LAN/WAN technology, designing changes to LAN and WAN activities, developing testing procedures and implementing changes Protects LAN/WAN networks by assessing current security posture.
What administrative policies and procedures do you have in place for insider threat management?
Manage Business Process Design understanding.
Is open shelf or bin storage of classified information, media, or equipment approved?
Confirm that your organization is documenting requirements and system design using approved organization formats.
Has a tcp been established to control access to all export controlled information?
Make sure your team has involvement with Design Thinking.
### DEVELOP:
What does a security roadmap that includes insider threats look like for your organization?
Develop experience developing strategy for insider threat programs to include working with various stakeholders like Privacy, Human Resources and Legal.
What auditing and tracking does your organization get when using an external cloud application?
Safeguard that your workforce provides monitoring and analysis of insider and external threats using network security tools and custom developed scripts.
How do you detect insider threats or non malware threats?
Develop and implement criteria to identify anomalous user behavior leading indicating insider threat activity.
Do you have any concerns regarding security threats coming from authorised users?
Identify and develop Insider Threat Detection Use cases focused on insider risks.
Do you conduct background investigations or currently monitor network activity?
Identify and develop Insider Threat Detection use cases and conduct Insider Threat investigations.
What are the constructs influencing the information security policy compliance existing in extant literature?
Warrant that your strategy provides guidance on business requirements to team members in developing the application.
What information type is more difficult to protect against insider threat activities?
Ensure your comprehensive solution enables CIOs and CSOs develop viable defensive positions to protect organization assets from insider threats.
What percentage of your IT budget are you currently spending for prevention and detection of insider incidents or attacks?
Make sure the Technical Business Analyst is responsible for analysis of (internal) client opportunities, validation of opportunities and use cases, develop documented analysis and recommend best practice solutions to Automation Product Managers for automation solutioning.
How may an insider first try to remove or disclose protected information from your organization?
Conduct open source research about industry trends and developments in protecting IP and countering Insider Threats.
How are security cultures developed in your organization and your organizations that you engage with?
Ensure your workforce works with team to identify potential risks, develop contingency plans.
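Review bot: the DEVELOP section at the end of this file mixes insider-threat questions with job-description imperatives that have no connection to insider threat, for example `Make sure the Technical Business Analyst is responsible for analysis of (internal) client opportunities ... recommend best practice solutions to Automation Product Managers for automation solutioning.`; since the commit is a clean-up of the literature notes rather than a verbatim mirror, drop that line or keep only the items that concern insider risk. Two copy errors in the same section are worth fixing too: `anomalous user behavior leading indicating insider threat activity` should use either `leading to` or `indicating`, not both, and `your organization and your organizations that you engage with` should read `your organization and the organizations that you engage with`.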

View file

@ -0,0 +1,636 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/access-management-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: January 29, 2022
Retrieved from on January 31, 2022
Relevant ISO 27001 clauses/controls:
- [ISO 27001 A 9 Access control](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%209%20Access%20control.md)
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
Related:
- [Identity and Access Management (IAM)](../../Information%20Security/Identity%20and%20Access%20Management%20(IAM).md)
## Organized by Key Themes: Identity, Access, Cloud, Security, Management, Data, Network, Risk, Development, Project:
IDENTITY:
How is IAM integrated?
Safeguard that your design is determining Identity and Access Management requirements by evaluating business strategies and requirements, implementing IAM and information security standards, conducting system and vulnerability analyses and risk assessments, recommending secure architecture aligned to business architecture, and identifying/driving remediation of integration issues in IAM. 
What changes in demand for IAM capability will be driven by business and technology trends?
Make sure the IAM Engineer provides technical consulting for identity and access management architecture, design, and strategy; and is responsible for leading technical architecture and product integration for solutions across hybrid on-premises, multi-cloud and SaaS ecosystems, and influencing engineering decisions and outcomes that drive business success. 
How does access governance fit into your GRC roadmap?
Make headway so that your staff is creating, maintaining and driving identity and access management technology strategy and its roadmap. 
What challenges are you currently experiencing with Identity and Access Management?
Produce workable solutions that meet demands of business situations using identity analytics, evaluating IAM and security processes for efficiency and agility. 
What were the drivers on strategic and tactical level in your organization to implement IAM?
Achieve strategic objectives in IAM using breakthrough thinking to create strategic plans and roadmap plans; ensure an overall architecture with consistent uses of data and significant reuse of technology and business services throughout building design; drive integration across all aspects of identity architecture. 
Does your organization conduct and maintain an inventory of all physical access devices?
Administer, troubleshoot, and maintain system and platform health for Identity Governance and Privileged Access Management solutions. 
Does your organization allow workers to bring their own devices?
Translate business strategy into requirements and work closely with the Identity Management engineering teams to bring them to life. 
Is the funder delivering on its commitments in a timely and efficient manner?
Check that your organization is involved in an IT environment as an architect delivering enterprise solutions in the IAM domain; Strong knowledge in user provisioning, directory services, authentication, authorization, public key infrastructure and identity federation. 
What do you need to educate senior management on with respect to business impact?
Manage the Digital Identity and Access Management (On Premises and Cloud) solutions and operational deliverables. 
What is needed to develop IAM architecture and improve IAM process maturity?
Invest in analyzing potential security tools and applications to enhance and improve the processes, procedures, and functions of security and identity management team. 
ACCESS:
How do you secure data and maintain compliance with increasingly strict regulations?
Manage Access Management systems and work closely with IT and other business units to ensure identity and access solutions meet or exceed security policies and regulatory compliance requirements. 
Are identity and access management policies and procedures established, documented, approved, communicated, implemented, applied, evaluated, and maintained?
Make sure the Identity and Access Management (IAM) Product and Service Manager is responsible for the business management of your (internal) customer facing IAM services as well as the acquisition and lifecycle of all related vendor tools and technologies required to maintain the service. 
Who develops system and communications protection plans?
Make sure the Lead Consumer Identity and Access Management Architect designs and develops IT applications architecture solutions to business problems in alignment with the enterprise architecture direction and standards. 
Are cloud applications supported?
Be confident that your strategy is participating in Identity and Access Management governance and processes to drive IAM service adoption and evidence gathering to support audit requests. 
Which IAM practices help your organization meet GDPR requirements?
Certify your process works with business units, development, project and application support teams to define and implement functional security access requirements and determine appropriate security restrictions in the systems to meet those requirements. 
Can new apps be easily integrated into the identity infrastructure?
Oversee that your design works with business units to define user roles enterprise wide and configure and integrate new applications into the identity access management system. 
What about a proactive approach to security that integrates risk control into its very fabric?
Collaborate with business and technical teams to research, plan, and design a robust, best in class Identity and Access Management (IAM) architecture that aligns and integrates with other Enterprise level IT efforts. 
Is the evolving design going to work?
Support new (internal) customer requirements for the creation of new access management policies, identity management workflows, and other COTS software configurations, as well as evolving security policies, related technologies, and new credential rules. 
Are access points a sufficient distance from intersections to minimize conflicts?
Provide solutions architecting and project management functions for the Identity and Access Management (IAM) platform, and serve as a liaison with the business to define requirements and translate them into automation solutions. 
What can financial organizations do to improve email security?
Analyze business and other data processing problems to implement and improve Identity and Access Management systems (IAM). 
CLOUD:
Who determines the optimal use of services?
Make sure your design is involved in developing and coordinate cloud architecture across diverse areas including Application Development, Identity and Access Management, Network, Data management and Security to determine functional and non-functional requirements. 
What capability is provided for PaaS customers to specify firewall rules, load balancer policy, name service entries, etc.?
Develop experience working with Identity and Access Management IAM products and the cloud Azure, AWS, GCP, etc. 
What are the consequences that the service is delivered to the wrong person?
Make sure your organizations innovative product portfolio offers (internal) customers an integrated set of core services including identity governance, provisioning, and access management delivered on-premises or from the cloud (IAM-as-a-service). 
Which user or application initiated the event?
Assure your strategy is managing identity and access management solutions for the cloud infrastructure. 
What access is provided to logs of activity within PaaS customer environments?
Assure your process is involved in cloud based identity and access management (hosted or aaS) for IaaS, PaaS or SaaS. 
How are costs negotiated for upgrading or expanding services?
Make sure the Solutions Architect engages with (internal) customers to understand the business drivers, assess application portfolios, design reliable and cost effective cloud native architectures. 
Is security responsible for physical and environmental protection?
Ensure your team is responsible for the development and operations of critical cloud infrastructure and platform services for your public safety SaaS offering. 
What mechanisms protect your environment from other IaaS customers?
Assure your operation is involved in securing cloud services, applications and integrations including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). 
What access management concept defines what rights or privileges a user has?
Verify that your team has deep expertise in leading the delivery of enterprise level (internal) customer Cloud deployment projects. 
SECURITY:
Who should be responsible for addressing identity fraud?
Make sure the Information Security team is responsible for incident response, security assessments, risk mitigation programs, vulnerability scanning, identity and access management and integrating systems across the enterprise. 
How do you package and sell your support?
Make sure the Identity and Access Management Strategist, in conjunction with the Security Architecture and engineering team, is responsible for the planning, building, delivery and support of a secure IAM program. 
Are assets properly utilizing organization identities, credentials, and access management services?
Establish that your strategy is involved in assessment, implementation, optimization, and documentation of broad set of security technologies and processes such as data protection, cryptography, key management, identity and access management systems. 
When will staff be available with the skills to research and resolve?
Develop experience assessing Cyber Threat Fusion Center controls, techniques and tools; cryptographic controls and solutions; logging and monitoring; anti-virus; network security; data loss protection; endpoint protection; offensive security research team controls; third party information security risk controls; vulnerability; configuration; patch and access management controls. 
Have automated mechanisms been integrated to the audit monitoring, analysis, and reporting?
Develop experience managing Security Information and Event Management (SIEM) systems, intrusion detection/prevention systems (IDS/IPS) IDS/IPS, identity and access management (IAM) systems, and other network and system monitoring tools. 
Are the enterprises access control processes more manual or automated?
Develop experience implementing core security controls such as inventory management, logging and intrusion detection, vulnerability scanning, secrets management, identity and access management for cloud services and infrastructure assets. 
Are significant security responsibilities defined, with qualifications criteria, and documented?
Verify that your organization designs and engineers comprehensive access management and network security technical solutions based on business requirements and defined technology standards. 
Are the enhancements made to the Access Control Category enough to ensure the breadth of Identity and Access Management is addressed?
Determine baseline security configuration standards for ICS/OT/IoT, cloud, operating systems, networking, encryption, data security, data classification, and identity and access management (IAM) assuring architectures meet security best practices that reduce risk and enhance security. 
Are user access rights requested by user management, approved by system owners and implemented by IT?
Research, design, and implement Identity and Access Management (IAM) solutions for systems to ensure the appropriate context-based and permission-based security policies are enforced on users and their devices and real-time. 
MANAGEMENT:
What is your organizations position on supporting past releases?
Make sure your staff is responsible for the administration of identity and access management (IAM) solutions supporting the business for security related identity and access issues. 
Do you have clearly defined development models that enable right speed?
Ensure your Identity and Access Management team focuses on helping your (internal) clients design, implement and operate effective access controls that protect against threats, support business objectives, and enable growth. 
Who is responsible for maintaining the security categorization?
Ensure your organization responds to strategies provided by the Architecture and Engineering Team and its management for implementation and oversight, and is responsible for creating and maintaining the Identity and Access Management program and standards. 
How does your Identity Management Solution enable or improve web based Single Sign On?
Verify that your team improve data protection, data loss prevention (DLP), and identity and access management technologies and procedures for on premise and cloud services. 
How many authoritative sources of person data do you anticipate using to create person records?
Oversee security areas as vulnerability management, identity and access management (IAM), endpoint detection and response (EDR), incident response, applications, and infrastructure security. 
What information would be required by a protective monitoring team in your organization?
Invest in review of system security monitoring and analysis tools, Identity and Access Management platforms, IT GRC platforms, and DLP systems. 
Do you have a Vision & Roadmap for your IAM Strategy?
Check that your personnel is responsible for setting the strategic direction of the Identity and Access Management security architecture and roadmap.
How does the vendors total cost of ownership compare when you include customizations, upgrades, infrastructure, and other ongoing costs?
Make sure your workforce areas of focus include enterprise security management, threat and vulnerability management, identity, and access management as well as data privacy and protection. 
Is the cpm currently performing an account management task?
Establish that your group is involved in IT/IS architecture, performing technical assessments of network infrastructure, identity and access management, data management, incident management, threat and vulnerability management and encryption technologies. 
Is your cybersecurity program aligned with your business strategy?
Work closely with the Identity Access and Security Assurance teams to align access management in accordance to internal policies. 
DATA:
Can users merge identities through the self service web interface?
Perform complex Identity Credential and Access Management systems development and design work that include data modeling, development cost projections, software architecture analysis and design. 
What information is reported concerning monitoring activities?
Check that your team has leadership involvement implementing data governance and stewardship products and services for large enterprises to lead metadata management, data lineage, data quality monitoring and improvement, data access management, master data management and reference data management. 
Does the local comprehensive plan include goals, objectives, and policies that support access management?
Verify that your personnel directs the Identity and Access Management organization to include data to day operations, governance, and strategies. 
How do you access the information?
Be confident that your design is looking at data across Network Security, network traffic analysis, Network security scanning (Wired, Wireless, cloud), Endpoint (anti-malware), Application Security (micro firewalls, WAF, Data firewalls), User Behavior Analytics, Device behavior analytics, access management. 
How are business lines involved in validating security metrics?
Be certain that your workforce is involved in data security, compliance, identity and access management. 
What costs are associated with preparing and sharing the data?
Ensure your design is involved in software development life cycle (SDLC) methodologies specific to requirements analysis, business processes analysis and modeling, preparing business design specifications, and logical data modeling is under management. 
How can zero trust improve your identity and access management practices when moving to a hybrid cloud model?
Be certain that your workforce is involved in concepts and practices as threat modeling, data tokenization, access management. 
Are logged in users automatically logged off after a specified amount of time?
Perform account and access management for multiple servers, specified applications, and databases. 
What are the most effective proven and promising IAM technologies?
Ensure you have involvement in integrating business processes across applications that share common data elements using scalable and proven design patterns and techniques. 
NETWORK:
What capability is provided for PaaS customers to specify firewall rules, load balancer policy, name service entries, etc.?
Develop experience monitoring Network Access Control services to ensure availability and integration with other technical controls, services and components, such as firewalls, Wireless Network, LAN, Identity Management Systems, etc. 
Do you have a formal method for identifying security risks associated with new business ventures?
Confirm that your team is involved in leading product selection initiatives in areas that including A and O, AI, analytics, secure DevOps, identify and access management and network access control. 
Is there support for recording/ packaging patches or upgrades to operating systems and or applications?
Oversee that your staff is responsible for partnering with key (internal) customers, business units and IT team members to plan, design, implement and support network capabilities to address network service requirements. 
What operating systems, mobile devices, and endpoint agents are able to work within your model?
Ensure you are responsible for installing, upgrading and maintaining ADC (Application Delivery Controllers), network security appliances and security policies in network devices and operating systems. 
Which systems can communicate to physical and virtual resources?
Communicate network security related task status and issues to non technical staff members and managers. 
How can organizations deal with identity and access management for a geographically dispersed workforce using myriad different devices?
Verify that your company requires and schedules independent verification and validation testing of your organization networks and sensitive programs using both internal team resources and engagements with independent consultants. 
Does the cloud provider ensure that metadata remains linked to records during data migration?
Design and implement standard office network equipment, working with internal teams to ensure standards are met and provide a resilient and scalable networking solution. 
How often does your organization test the contingency plan?
Provide network engineering knowledge and skills to support everyday network operations, integration/installation and test and evaluation activities. 
Who is responsible for analyzing vulnerability scan reports and security control assessment results?
Ensure your group is responsible for operation and maintenance of WAN, LAN, wireless, firewall, load balancer and other network related equipment and services. 
What authentication stores are involved in providing privileged access?
Interface so that your personnel is involved in network security, including firewall, IDS/IPS, VPN, and vulnerability remediation. 
RISK:
Which mobility strategies relates to your organization?
Develop experience working with Data Loss Prevention (DLP), insider threat detection and response, Cloud Access System Brokers (CASB), SIEM solutions, and User Behavior Analytics (UBA) to address risk as it relates to Insider Threat, sensitive data exfiltration, identity access management, and/or fraud. 
How do you audit User Access Management?
Be certain that your design includes cybersecurity threat services, access management services and technology risk assessments. 
Is the process for identifying and managing risks at an enterprise level connected to information security effectively?
Make headway so that your company is involved in understanding and assessing business processes, analyzing and assessing business process controls, identifying risks and linking business risks to the relevant IT application controls and audit procedures. 
Which security risk concerns you the most?
Partner with business heads across your organization to raise awareness of cyber risks and regulatory compliance concerns. 
How are reset passwords communicated to the user?
Evaluate complex business and technical requirements, and communicate inherent risks and solutions to technical and non technical business owners. 
What does the authoring system cost?
Review, identify and manage requirements for moderate to complex solutions and do a cost value, feasibility and risk analysis. 
Is identity and access management defining the new security perimeter?
Collaborate with IT and business stakeholders to understand risks to critical infrastructure by defining potential business impacts. 
Who is responsible for assessing, and monitoring flaw remediation security controls?
Be certain that your group is involved in assessing the third party vendor risk of a proposed solution, escalating appropriately and driving to closure.
Which applications will be included?
Identify gaps, assess risks, and develop and manage remediation action plans through the whole M and A and Integration process that include determinations of highest risk. 
Does your organization identify all software programs that are authorized to execute on the system?
Collaborate with business and technical partners to identify and scope the opportunities, quantify costs, outline potential value and ROI, identify risks, benefits and constraints. 
DEVELOPMENT:
Is the application of protective monitoring legal in a transparent approach?
Be sure your team collaborates with development leads to ensure cloud native workloads are deployed according to IT best practices for security, governance, identity and access management, and monitoring. 
What is your identity and access management solution, and what are its security vulnerabilities?
Ensure you have understanding and involvement with key security concepts such as the SIEM logging and alerting; detection strategies; Identity and Access Governance, AWS, laptop and server hardening; security tool development; forensics and malware analysis. 
How do other organizations ensure accountability of shared privileged accounts to meet compliance and security requirements without impacting administrator productivity?
Be confident that your organization analyzes organizational needs for application development and interfaces with (internal) clients to ensure systems are developed that meet the business requirements. 
Do you need to refresh your data more than once a day?
Be confident that your workforce is involved in participate in defining best practices around report development, testing, access management, and report refresh scheduling. 
How does your work flow support your business processes?
Partner with Leaders and Account Team members to support innovation, growth, and business development activities. 
What is the expected effort to update integrations on each minor and major upgrade of the software?
Partner with applications development teams, HR IT, and other essential teams to support and improve IdM environments, applications, integrations, and business processes. 
Which security leadership roles does your organization have?
Secure that your organization is using applications and equipment knowledge to lead front line business development activities. 
How do you collaborate across areas to help implement a solution?
Collaborate with design team members to ensure user centered design is always top of mind in a bustling iterative development environment. 
How do you transition to the new model without degrading live service and project delivery?
Be certain that your company is collecting and analyzing the projects business requirements and transferring the same knowledge to development teams. 
How does IAM evolve beyond gate keeping and risk management into an enabler for business growth?
Make sure your workforce leads the identification, design and implementation of automated solutions to enable development needs. 
PROJECT:
How do you handle ever changing risk?
Participate in projects and initiatives working with IAM team members, architectural, development and engineering teams, service owners, and business stakeholders to provide enterprise IAM solutions that are scalable and adaptable with the ever-changing business needs and industry demands. 
How can back end workloads be protected?
Plan identity and access management projects and develop work programs, timelines, and other planning documents. 
What are the key problems in delivering access to end-users?
Make sure your workforce partners with project management for delivering (internal) customer projects related to IoT/M2M/B2B solution. 
Are any changes to your organizations access management program planned or currently being implemented?
Develop experience using organizational change management models for project change management. 
Do you do trend monitoring on client applications?
Guarantee your design is responsible for effectively communicating modeling concepts and progress tracking with IT specializations, project teams, business and IT leaders. 
How many accounts need privileges over the asset to complete each task and for how long?
Be certain that your process is involved in complete project life cycle activities on development and maintenance projects. 
What security testing occurs for changes to systems?
Ensure your group ensures effective change management occurs throughout the course of the project. 
Is there an engaged, cross functional IAM team representing all the key technologies and business owners?
Represent IAM organization on large scale technology projects implemented outside IAM, regulatory reviews and internal and external audits. 
What is the IAM vendors commitment to developing and adopting emerging standards?
Develop experience developing implementation strategies, and detailed implementation plans for a large and complex information technology project. 
What will you be focusing on over the next years?
Guarantee your workforce provides project leadership for network design and installation projects using standard technologies.
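Review bot: the header of this file has a dangling `Retrieved from on January 31, 2022` (the source is missing after `from`), and the three ISO 27001 references mix two link styles, the wikilink `[[ISO 27001 C 9.2 Internal audit]]` beside two relative markdown links; use one style so all three resolve the same way. In the body, the theme labels (`IDENTITY:`, `ACCESS:`, `CLOUD:`, ...) are plain lines under a `##` heading whereas the insider-threat file in the same commit writes them as `### DEVELOP:`, so the same structure renders differently across the folder. If the text is not meant to stay verbatim, several copy errors should also go: `(IDS/IPS) IDS/IPS` is duplicated, `Cloud Access System Brokers (CASB)` should be Security Brokers, `identify and access management` should be identity, and the PaaS firewall-rules question under NETWORK repeats the one under CLOUD word for word.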

View file

@ -0,0 +1,114 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/effective-business-continuity-planning-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: January 14, 2022
Retrieved from on January 19, 2022
Relevant ISO 27001 clauses/controls:
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
- [ISO 27001 A 17 Information security aspects of business continuity management](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2017%20Information%20security%20aspects%20of%20business%20continuity%20management.md)
Related:
- X
1. Does your organization have a plan or framework for Business Continuity Management or disaster recovery management?
2. Do you have a disaster recovery plan (DRP) and Business Continuity Plan (BCP) for all systems and business processes supporting customer data?
3. Do you have an established Business Continuity Management framework in place, including a defined Business Continuity Plan, business impact analysis, business recovery plan and disaster recovery plan?
4. In the event of COVID 19 related disruption, does the supplier have documented plans for business unit continuity and/or information technology disaster recovery (IT DR)?
5. Has your organization customized its business continuity and disaster recovery plans or is a generic plan in place?
6. Does your organization have a documented information technology business continuity and disaster recovery program for your business?
7. Do you have a Disaster Recovery Plan / Business Continuity Plan in place to address the current or similar distress situations?
8. Do you have a disaster recovery or (DR) or Business Continuity Plan (BCP) that includes a process for reliable back up and recovery of all data?
9. Are you consistently getting data off site, and do you have both business continuity and disaster recovery plans in the event they should be required?
10. Does your organization ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks?
11. Do you need your business continuity and disaster recovery plan to be relevant for your hybrid IT environment, while meeting business needs in a timely and cost effective manner?
12. Does your organization have a Disaster Recovery and Business Continuity Plan, which is both current and which has been tested?
13. Do you have a mission assurance plan that addresses business continuity and operational and disaster recovery and is this plan regularly tested and found effective?
14. Has your organization communicated a plan to address business continuity or disaster recovery in the cloud?
15. Are your recovery procedures as they should be and does this form part of your Business Continuity Plan and/or Disaster Recovery Plan?
16. How did you build your Business Continuity Plan across several business units with different goals, and IT has to support them all?
17. Are there service level agreements, Business Continuity Plans or disaster recovery plans that contractors need to follow?
18. Does your business have your Business Continuity Plan in place to support the continued operation of your business in adverse conditions as: cyclone, fire, loss of telecommunications?
19. Does your organizations Business Continuity Management Plan include the contact details of a restoration organization with proven skill in electronic equipment protection and data recovery?
20. How do you ensure that auditing Business Continuity Plans is worthwhile, and whether they address the real continuity and disaster recovery risks that your organization faces?
21. Have service level agreements (SLAs) been established for critical service providers that your organization does business with to ensure they also have a tested Business Continuity Plan?
22. Does your organization have a written Business Continuity Plan and COOP to guide restoration of facilities and services following an emergency event?
23. Does your organization have an appropriate process in place to ensure that it receives all updates to any of your organizations Business Continuity Plans in a timely manner?
24. What business continuity and data recovery plans are in place to ensure that service can be maintained in the case of a disaster or an emergency?
25. Does your organization have the technology, resources, and a plan in place to meet today's business continuity requirements?
26. Does your business continuity and IT disaster recovery plan include steps required to resume operations driven by the botbased digital workforce?
27. Is a crisis management policy defined and implemented?
28. To what extent do your business continuity and disaster recovery plans account for Internet availability, and have you tested them?
29. Do you have a written Incident Recovery or Business Continuity Plan in force for network security incidents and network outages?
30. Does your BCP include the business continuity of the application infrastructure to protect the applications and the associated risks?
31. Has the IT disaster recovery plan been integrated with other applicable plans (e.g., business continuity or resumption plan, occupant evacuation plan, etc.)?
32. Does your organization's Business Continuity Plan require each department or function to maintain written business continuity and/or disaster recovery plans?
33. Has your organization addressed cyber terrorism in your Business Continuity Management Program and related Business Continuity Plans, Disaster Recovery Plans, and/or Crisis Management Plans?
34. Does business continuity and disaster recovery readiness have support of top management in your organization?
35. Is the system contingency plan coordinated with related plans, such as the disaster recovery plan, the Business Continuity Plan, and the incident response plan?
36. Do you thoroughly review a copy of the vendors business continuity and disaster recovery plan that covers the availability and restoration of both your data and the vendors services that you use?
37. The goal of Business Continuity Planning is to ensure resiliency; what happens if your recovery comes to a grinding halt because a critical vendor does not have a tested recovery plan?
38. Are tests or exercises conducted with organization groups responsible for associated plans (for example, contingency plans, disaster recovery plans, and Business Continuity Plans)?
39. Do you have a mission assurance plan in place that addresses business continuity and operational and disaster recovery?
40. Do your cloud service providers have the compliance certifications, data protections, and Business Continuity Plans required for how you are using them?
41. Does your organization have a comprehensive Business Continuity Plan to protect its staff, data, and property?
42. What changes, if anything, in business continuity / disaster recovery processes or plans if the system is unavailable or data has been lost or corrupted?
43. Does your organization's Business Continuity Plan (BCP)/Disaster Recovery Plan (DRP) include plans to recover from a major malware incident?
44. Do you know if your material or equipment suppliers have their own emergency plan to ensure the business continuity if affected by an emergency?
45. Does your organization exercise the business continuity and disaster recovery plans at least once per year?
46. How do the critical service provider's business continuity and disaster recovery plans address cyber attacks?
47. Does your organization periodically review its disaster management and Business Continuity Plans and implement improvement measures if necessary?
48. Are IT recovery and continuity plans aligned and consistent with Business Continuity Plans, have they been tested and are they consistent with business security, impact and risk?
49. Does your country have a law or policy in place that requires industries to have business risk management and continuity planning in place?
50. Has your organization developed emergency management plans to be able to ensure employee safety and business continuity in the event of a crisis or economic downturn?
51. Do you have a process where you could work together with vendors on Business Continuity Planning and disaster recovery, including testing to provide assurance?
52. Do external contractors/suppliers have robust Business Continuity Management Plans in place to ensure the continuity of service?
53. Has specific responsibility been assigned for the execution of business continuity and disaster recovery plans (either within or outside of the information security function)?
54. How does your organization formally test the effectiveness of its Business Continuity Plan on a periodic basis, at least once a year, and maintain evidence of that review?
55. Does your organization's Business Continuity Plan (BCP) have a pandemic preparedness and response plan component?
56. Who is responsible for the backup and recovery plan?
57. Does the business continuity and/or disaster recovery plan address customer notification when incidents occur?
58. Does your organization have resilience, emergency, business continuity and escalation plans which have been formulated and tested with the appropriately trained staff?
59. How can a disaster recovery system maximize business continuity and approach zero service interruption and zero data loss?
60. Does the outsourcer have Business Continuity Plans in place in the event of a natural or man-made disaster or public health emergency?
61. In which stage of the Business Continuity Planning lifecycle does your organization identify critical business processes and assign recovery priorities?
62. Do you have defined leadership, management and governance over your Business Continuity Plan (BCP)/DR/crisis management program?
63. Are business continuity (BC) and disaster recovery (DR) plans in place to address remote working at scale and allow for potential infrastructure failures?
64. What proportion of departments have a documented Business Continuity Plan that has been reviewed within the last 18 months?
65. What is the amount that is budgeted for the comprehensive Business Continuity and Disaster Recovery plan services?
66. Are response plans (incident response and business continuity) and recovery plans (incident recovery and disaster recovery) executed as part of the service continuity plan?
67. The final approval of the disaster recovery plan (DRP) and Business Continuity Plan (BCP) rests with which group?
68. How do you ensure to link Business Continuity Planning with existing risk management in your organization?
69. Are policy, process and procedures defining business continuity and disaster recovery in place to minimize the impact of a realized risk event and properly communicated to tenants?
70. Does the service provider formally test its business continuity and disaster recovery plans on a regular basis?
71. Do you or your organization ask key suppliers whether they have business continuity arrangements in place?
72. In the event of political fallout, do you have Business Continuity Plans in place across IT that could trigger the transfer of data, IT services and staff resources back to your or another country?
73. When developing your business continuity plan (BCP), which tools are used to gain an understanding of your organization's business processes?
74. Does your organization know the disaster management and business continuity status of suppliers that supply its essential materials and parts?
75. Can existing data backup and disaster recovery systems meet the needs of your organization's Business Continuity Plan?
76. How are the business continuity and disaster recovery plans of the critical service provider regularly assessed against your organization's expectations?
77. Do any departmental Business Continuity Plans (BCP) and/or Disaster Recovery (DR) plans exist, and when were they last updated?
78. Have the business continuity / disaster recovery plans and procedures been tested to validate effectiveness?
79. Who has responsibility for activating the Business Continuity Plan for your organization, and who is that person's backup?
80. As fast as your organization is moving, how are business continuity and crisis management plans keeping pace?
81. Does internal audit or an independent third party provide regular assurance on the effectiveness of your organizations Business Continuity Plan and incident management process?
82. Is your organization a member of any professional body, as the Business Continuity Institute, Disaster Recovery Institute International or Emergency Planning Society?
83. To what extent has the head of your organization nominated key personnel and identified them in documented Business Continuity Plans / Major Incident Plans (BCP / MIP) or similar?
84. Do those responsible for BCPs have the right knowledge, skills and access to assess and plan continuity from a holistic and strategic business perspective?
85. How satisfied are you with how your crisis management and Business Continuity Plans have dealt with the pandemic?
86. Have business continuity / disaster recovery plans and/or procedures been initialized and disseminated to relevant stakeholders?
87. Does your organization implement and maintain processes for updating, reviewing and testing incident response and Business Continuity Plans that address cyber threats involving extortion?
88. How does your Business Continuity Management plan interact with other management plans and where lies division of responsibility?
89. What training do you provide in support of your cybersecurity Incident Response Plan, Business Continuity Plan, Emergency Operations Plan Cyber Incident Plan, or other related plans?
90. As your business operations become more streamlined with automation and intelligence, how do you leverage them to plan for, manage through and come out of a business continuity event?
91. How do you decide if an incident can be dealt with as a day to day management issue or does the Business Continuity Plan need to be invoked?
92. How well do your organization's leaders oversee development of the Business Continuity Plan and ensure it is tested in accordance with your organization's risk profile and appetite?
93. How do you keep Business Continuity and Disaster Recovery plans current and updated?
94. What percentage of the service staff are contractors?
95. What is the process to review and monitor the Business Continuity Plan and recovery resources of your subcontractor(s)?
96. How does your organization review key vendor planning for business continuity compliance with industry best practices?
97. Does your supplier's Business Unit Continuity Plan or IT DR Plan identify critical business processes and their recovery priority?
98. Does your organization's Business Continuity Plan include long term remote working and remote management of essential operations?
99. Does your organization use sufficient exercise and test methods to evaluate the effectiveness of the BCP and to validate the continuity and resilience of business functions?
100. Have measurable business continuity (BC) objectives been established, documented and communicated throughout your organization with a plan to achieve them?
Source: [LinkedIn](https://www.linkedin.com/pulse/does-your-organization-have-plan-framework-business-disaster-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: February 22, 2022
Retrieved on February 22, 2022
Relevant ISO 27001 clauses/controls:
- [ISO 27001 A 16.1 Management of information security incidents and improvements](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2016.1%20Management%20of%20information%20security%20incidents%20and%20improvements.md)
- [ISO 27001 2013 C 9.2 Internal audit](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%202013%20C%209.2%20Internal%20audit.md)
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
Related:
- [BCP_Bedrijfscontinuïteitsplanning](../../Information%20Security/BCP_Bedrijfscontinuïteitsplanning.md)
# Does your organization have a plan or framework for business continuity management or disaster recovery management?
1. Does your organization have a plan or framework for business continuity management or disaster recovery management?
2. Does the cloud service provider have a disaster recovery plan in place to recover the applications and data that are running in the facility?
3. Has your organization customized its business continuity and disaster recovery plans or is a generic plan in place?
4. Does your organization ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks?
5. What are your disaster recovery and business continuity plans now that you have a cloud infrastructure?
6. Can existing data backup and disaster recovery systems meet the needs of your organization's business continuity plan?
7. Does your organization have an up to date disaster recovery plan that sets out how it would deal with a major IT problem?
8. Is the system contingency plan coordinated with related plans, such as the disaster recovery plan, the business continuity plan, and the incident response plan?
9. Does your organization's business continuity plan require each department or function to maintain written business continuity and/or disaster recovery plans?
10. What is the plan for disaster recovery and business continuity in case of an incident impacting your organization's assets and/or data?
11. How do the critical service provider's business continuity and disaster recovery plans address cyber attacks?
12. Do you have any challenges with your current disaster recovery solutions or business continuity plans?
13. Does the business have appropriate emergency, business continuity and disaster recovery strategies in place?
14. Will business processes need to continue during disaster recovery or will anyone need to see the data files during the recovery?
15. Does your organization exercise the business continuity and disaster recovery plans at least once per year?
16. Does your organization have a disaster recovery plan or strategy for desktop computing or client computing?
17. Are disaster recovery and business continuity programs based upon a business impact analysis of your organization?
18. Does the service provider have disaster recovery plans and/or technology in place to ensure system availability?
19. Does the business continuity and/or disaster recovery plan address customer notification when incidents occur?
20. What is your disaster recovery and business continuity plan and how often is it tested around cloud?
21. Does the vendor have data backup and disaster recovery plans, and are the plans consistent with industry standards?
22. How much value would the use of KPIs add to your business continuity and disaster recovery programs?
23. Has a comprehensive backup and disaster recovery plan been created, and have key employees been trained on it?
24. Can people fill the gap to mitigate risk during technology failures and how should your organization view people as part of disaster recovery and business continuance process?
25. How long should it take to run through the disaster recovery procedure and recover data, how much data can your organization afford to lose, and what is acceptable to the business?
26. Has management reviewed the adequacy of recovery team coverage for the disaster recovery and business continuation plan and the frequency of reviews?
27. Does a disaster recovery plan exist for your organization, and does it consider interruption to, or failure of, critical IT systems?
28. Have the business continuity / disaster recovery plans and procedures been tested to validate effectiveness?
29. How frequently does your organization carry out full scenario testing of its disaster recovery plan involving relevant people, processes and technologies?
30. Has management reviewed the adequacy of recovery team coverage for the Disaster Recovery and Business Continuation plan and the frequency of corresponding reviews?
31. Have business continuity / disaster recovery plans and/or procedures been initialized and disseminated to relevant stakeholders?
32. Are business continuity and disaster recovery plans established by the vendor for your organization?
33. Does your organization have the negotiating leverage necessary to require its consent to any changes in the vendor's disaster recovery plan?
34. Are your business continuity and disaster recovery programs subject to regular audits to ensure compliance with industry leading practice?
35. Does your organization have an incident response and disaster recovery capability, with suitably trained staff?
36. What actions start the master disaster recovery plan (DRP), business recovery plan (BRP), and emergency recovery plan (ERP)?
37. How do you get started with business continuity disaster recovery planning in your area?
38. What is business continuity planning, and how it is different from disaster recovery and backup planning?
39. Does the architecture of the solution include disaster recovery and business continuity capabilities?
40. Are critical systems typically delivered in a way that meets business continuity and IT disaster recovery requirements?
41. How long does your business operate without access to crucial files in case of a disaster recovery effort?
42. How do you make a disaster recovery plan, and when a disaster occurs, will you be prepared?
43. How do you ensure your cloud workloads have a reliable recovery option in the event of a disaster or unplanned downtime incident?
44. Which component of your organization's disaster recovery plan covers a site being rendered unusable during a disaster and requiring a nearly transparent transfer of operations?
45. What is the maximum allowable distance from the Primary production data site for your organization to a Disaster Recovery Data site?
46. How do you handle business continuity and disaster recovery in your business?
47. Should businesses leave disaster recovery and business continuity to IT departments, or is it better to bring in a specialist?
48. Are you backing up your data appropriately for purposes of disaster recovery and business continuity?
## Organized by Key Themes:
- Security
- Management
- Operations
- Continuity
- Risk
- Data
- Disaster
- System
- Maintain
- Technology
### Security
Are audit trails available that identify databases that are filling up, and are reports available on a daily basis?
Work cross functionally with leadership and (internal) client teams to define and implement business impact assessments, coordinate and lead business continuity and disaster recovery tabletops and exercises, identify, and prioritize remediation, and track completion, partner with (internal) client team and functional leads to implement and maintain disaster recovery plans and metrics to ensure the security and integrity of (internal) client technology and data, and identify program improvements. 
Which is defined as the maximum acceptable time period prior to a failure or disaster during which changes to data may be lost as a result of recovery?
Be confident that your company executes various other reviews of IT management policies and procedures, such as change management, business continuity planning, disaster recovery and information security, to ensure that controls surrounding these processes are adequate. 
Does the recovery plan reflect your financial goals (for example, the return on investment you want to achieve)?
Make sure your workforce develops strategies and provides support for initiatives to continuously improve enterprise data security and invest in the development and regular testing of the enterprise business continuity and disaster recovery plans. 
Do you research why some organizations that seem well prepared fail when disaster occurs while others survive?
Be certain that your company liaises with the business continuity management team to validate security practices for both disaster recovery planning (DRP) and business continuity management (BCM) testing and operations when a failover occurs. 
What occurs if web collaborative software or web development solutions fail or its related data are lost?
Certify your design coordinates with Information Security, or delegate(s), in the development and monitoring of security practices, including physical safeguards, data integrity, business continuity and disaster recovery procedures. 
Does the board have a continuity/disaster recovery/contingency plan in place in case an unexpected risk occurs?
Liaise with the business continuity management team to validate security practices for both disaster recovery planning (DRP) and business continuity management (BCM) testing and operations when a failover occurs. 
Does your cloud provider meet regulatory requirements and the Recovery Time Objectives (RTOs) your business needs?
Initiate information systems security documentation, such as system security plans, risk assessments, disaster recovery plans, IT business continuity plans, and checklists to meet appropriate system and regulatory compliance. 
Is the system developed and documented for the ongoing evaluation process being applied completely and consistently?
Develop an overall risk management strategy with key business and IT stakeholders, including enterprise integration of risk management into operational, regulatory/statutory, financial, technical, and security processes, and creation of disaster recovery and business continuity program. 
How do you communicate and deploy your strategic objectives, action plans and performance measures?
Participate in the development and implementation of disaster recovery and business continuity plans, to ensure that appropriate information technology security measures are addressed. 
How do you balance the disaster recovery risk and investment equation?
Liaise so that your company partners with the Sys VP Information Security regarding information security and IT risk management, including disaster recovery and business continuity management. 
### Management
Does your organization have an established change control process in place to keep the continuity / recovery plan current with process, organizational and technology changes?
Perform various other reviews of IT management policies and procedures such as change management, business continuity planning disaster recovery and information security to ensure that controls surrounding these processes are adequate. 
Which disaster recovery test includes shutting down operations at the primary site and shifting them to the recovery site according to the disaster recovery plan?
Make sure your workforce is involved in Business Continuity Management processes and best practices, which includes information technology infrastructure concepts, emergency planning concepts and disaster recovery concepts. 
Is the contractor to design, operate, and maintain a management information system to contain all the information and data for the projects?
Collaborate and consult with Chief Information Security Officer (CISO), Chief Information Officer (CIO) and firm management to ensure that robust security, disaster recovery and business continuity plans are in place and functional across all locations. 
What building uses need to be re-established quickly in order to facilitate organization-wide recovery?
Evaluate and implement systems to enhance data security and facilitate risk management, disaster recovery and business continuity planning. 
Does current staff have subject matter expertise necessary to undertake recovery activities, develop new programs, and organize complex long term projects?
Make sure your operation develops and oversees effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary business processes have to be outside the corporate perimeter. 
Is there a way to copy the initial full backup to an external drive and bring it onsite to your location?
Work with organization Business Continuity management to ensure that the Disaster Recovery (crisis management) and Business Continuity Plans drive disaster recovery (DR) strategy procedures. 
How do you reduce your maintenance costs and achieve better data TCO?
Secure that your staff develops and leads enterprise-wide IT disaster recovery strategies for restoring critical business systems; provides recommendations and solutions on how to mitigate the exposure to potential risk and develops risk management tactics and plans to prevent business disruptions; estimates budget and planning costs associated with the implementation of the strategy. 
How is disaster logistics aligned with disaster planning, response, and recovery functions in your organization?
Make headway so that your staff develops and oversees effective disaster recovery policies and standards to align with the business continuity management (BCM) program goals. 
What will happen to your business if you have to go for a prolonged period without your critical applications?
Develop and oversee effective disaster recovery plans to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary business processes have to be outside the corporate perimeter. 
Is there a way to copy the initial full backup to an external drive and bring it onsite to your location?
Oversee DBA staffs work with Business Continuity/Disaster Recovery management to ensure that the disaster recovery (crisis management) and business continuity plans drive disaster recovery (DR) strategy and procedures. 
### Operations
How do you prepare and mitigate risks and possible disasters?
Ensure your staff defines and implements business continuity protocols, disaster recovery strategy plans, and IT processes and procedures to minimize disruption to business operations in the event of emergency situations or data loss, assess points of failure in the infrastructure, and develops plans and implements actions to mitigate risks. 
How are hazard risks considered throughout recovery, with risk reduction and resiliency measures integrated into recovery actions, investments, and decisions?
Confirm that your organization oversees and establishes cybersecurity mitigation measures, disaster recovery and business continuity operations policies and processes for headquarters and overseas. 
What, if any, exceptions exist for disaster recovery, evaluation, installation, test/development, and migration activities?
Develop experience working with business continuity planning and disaster recovery operations. 
How will your community be able to ensure community stakeholders participate in shaping the community wide recovery, providing input to key decisions and plans?
Lead business continuity exercises for business operations and participate in broader disaster recovery exercises. 
Who verifies critical information is actually recorded on the backup media and ensures the data is usable?
Certify your staff manages daily operations and support of technology, matures operational processes and capabilities, manages operational staff, addresses (internal) customer support issues, ensures the stability and performance of the technology platforms, ensures recovery of the technical environment, ensures disaster recovery and communications in response to disasters. 
Is there a process for releasing a new asset into the operating environment and updating the inventory of information assets?
Warrant that your operation is assisting in updating disaster recovery plans and testing continuity of operations. 
Does the vendor have services other than disaster recovery, and if so, what is the ratio of the business?
Make sure your organization is involved in comprehensive disaster recovery architecture and operations, including storage area network and redundant, highly available server and network architectures. 
What is the most efficient way to invest new financial resources made available in response to the natural disaster?
Perform data backups and invest in disaster recovery operations. 
Do supervisors and managers have the discretion to flexibly provide support for employees based on needs?
Develop, own and manage ongoing operations compliance items, including backups, vulnerability tests, penetration tests, disaster recovery exercises, among others. 
Does your organization have an incident response and disaster recovery capability, with suitably trained staff?
Develop the disaster recovery plan for IT Operations and ensures it is communicated, rehearsed and measured. 
### Continuity
Can disaster recovery, continuity of operations, and monitoring be met through a cloud hosting solution?
Be confident that your group manages technological security including monitoring access to network and data and ensuring compliance with organizational IT security policy, maintaining Disaster Recovery Plan that aligns with Business Continuity Plan and monitoring security administration for the organization. 
Does your organization need the support of all its employees to successfully implement a disaster recovery plan?
Confirm that your strategy collaborates across the organization to design and implement business continuity and disaster recovery strategy and plans to ensure the availability, security, and integrity of organization data, databases, information systems, and technology. 
Does license accommodate your disaster recovery plan and ability to use third parties to host or maintain the software?
Ensure your design establishes policies, standards, practices, and security measures to ensure effective and consistent information processing operations and to safeguard information resources, including a Business Continuity Plan and a Disaster Recovery Plan. 
What will be your organizations goal and objectives for assisting local government in planning and managing recovery?
Establish that your organization serves as liaison to the Information Technology and Services Disaster Recovery Program and is responsible for assisting with integration of the Business Continuity and Disaster Recovery Programs. 
Is there a way to copy the initial full backup to an external drive and bring it onsite to your location?
Collaborate with Business Continuity team to ensure that the disaster recovery and business continuity plans drive disaster recovery (DR) strategy and procedures. 
Are your business continuity and disaster recovery programs subject to regular audits to ensure compliance with industry leading practice?
Be confident that your personnel supports the business line managers via the Operations Resilience Lead and Business Recovery Coordinator network to ensure your organization is meeting both (internal) client and regulatory requirements related to Business Continuity and Disaster Recovery. 
Does the hosting package include firewalls, vulnerability scanning, file integrity monitoring, daily log review, and backup/disaster recovery?
Ensure IT data security, risk management, disaster recovery and business continuity planning processes are in place and receive regular review for currency and adequacy. 
How does the critical service providers business continuity and disaster recovery plans address cyber attacks?
Confirm that your design participates in business continuity and disaster recovery plan creation and maintenance as well as technology maintenance activities to prepare for upgrades to recovery plan and technology resources. 
Have you performed your organizational needs assessment to determine the recovery time objective (RTO) and recovery point objective (RPO) for your information systems?
Develop and perform security audits, configuration backup procedures, and other recovery processes in accordance with your organizations disaster recovery and business continuity strategies. 
Are business objectives and strategy clearly defined to help determine which activities are critical for managing the prosperity and continuity risk strategy?
Oversee that your workforce works with third party providers to properly link IT Disaster Recovery service targets to organization Business Continuity Plans and defined priorities and recovery requirements. 
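Two of the questions above, who verifies that critical information is actually recorded on the backup media and is usable, and whether RTO/RPO have been determined for your information systems, come down to one check that can be automated. The following Python script is an added example and is not code from the article: it reads a backup manifest (the manifest format, the `BackupEntry` fields and the sample snapshots are hypothetical and constructed for this example), recomputes each copy's SHA-256 against the digest the backup job recorded, and then measures the data-loss window back to the newest copy that actually verifies. The point it makes is that the RPO must be measured against the newest *usable* backup, not the newest file on disk: in the sample data the most recent snapshot is silently corrupted, so the organization is outside its 4-hour RPO even though a backup ran an hour ago.

```python
"""Verify backup integrity and measure the data-loss window against an RPO target."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class BackupEntry:
    """One record of a hypothetical backup manifest (format assumed for this example)."""
    taken_at: datetime   # when the snapshot was taken (UTC)
    payload: bytes       # the archived bytes; a real job would store a path or object key
    sha256: str          # digest the backup job recorded when it wrote the copy


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_restorable(entry: BackupEntry) -> bool:
    """A copy counts as usable only if the bytes on the media still match the recorded digest."""
    return sha256_hex(entry.payload) == entry.sha256


def restore(entry: BackupEntry) -> bytes:
    """Restore drill: refuse to hand back data that fails verification."""
    if not is_restorable(entry):
        raise ValueError(f"backup taken at {entry.taken_at.isoformat()} fails digest check")
    return entry.payload


def latest_restorable(manifest: List[BackupEntry]) -> Optional[BackupEntry]:
    """Newest entry that passes verification, or None if nothing on the media is usable."""
    good = [e for e in manifest if is_restorable(e)]
    return max(good, key=lambda e: e.taken_at) if good else None


def data_loss_window(manifest: List[BackupEntry], now: datetime) -> Optional[timedelta]:
    """History that would be lost if a disaster struck at `now`: the gap back to the newest
    *verified* backup, not to the newest file that happens to exist."""
    last = latest_restorable(manifest)
    return None if last is None else now - last.taken_at


def meets_rpo(manifest: List[BackupEntry], now: datetime, rpo: timedelta) -> bool:
    window = data_loss_window(manifest, now)
    return window is not None and window <= rpo


# Constructed sample data (not from the article): three six-hourly snapshots of a small file.
T0 = datetime(2022, 2, 21, 22, 0, tzinfo=timezone.utc)
_snap1 = b"customers.csv v1\n"
_snap2 = b"customers.csv v2\n"
_snap3 = b"customers.csv v3\n"

SAMPLE_MANIFEST = [
    BackupEntry(T0, _snap1, sha256_hex(_snap1)),
    BackupEntry(T0 + timedelta(hours=6), _snap2, sha256_hex(_snap2)),
    # Newest copy: the bytes were damaged after the digest was recorded (simulated media fault),
    # so a check that only looks at timestamps would wrongly report the RPO as met.
    BackupEntry(T0 + timedelta(hours=12), _snap3[:-2] + b"X\n", sha256_hex(_snap3)),
]

NOW = T0 + timedelta(hours=13)   # the moment of the (hypothetical) disaster
RPO = timedelta(hours=4)         # assumed RPO for this system


if __name__ == "__main__":
    last = latest_restorable(SAMPLE_MANIFEST)
    print("newest usable backup:", last.taken_at.isoformat() if last else None)
    print("data-loss window:", data_loss_window(SAMPLE_MANIFEST, NOW))
    print("RPO met:", meets_rpo(SAMPLE_MANIFEST, NOW, RPO))
```

In a real program the manifest would be produced by the backup job and the digests verified on the recovery media itself (off-site or immutable storage), since a digest stored next to the copy protects against bit rot but not against an attacker who can rewrite both. The RTO half of the question is answered the same way: time the `restore` path end to end in a scheduled drill and compare it to the target, rather than inferring it from the plan document.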
### Risk
What constitutes a disaster for purposes of triggering the disaster recovery services provided by the vendor?
Make headway so that your strategy is responsible for performance of risk analysis and development of processes and procedures designed to constitute the basis of the organization's disaster recovery and business continuity program. 
Does your organization have a process in place to encourage and support the engagement and inclusion of all people impacted by a disaster?
Warrant that your operation is responsible for performance of risk analysis and development of processes and procedures to support your organizations disaster recovery and business continuity program. 
What is your organizations approximate/estimated annual budget for contingency related program expenses?
Develop disaster recovery and business continuity plans for critical processes and systems core to the organizations business operations in the event of a disruption with the goal of minimizing risk to your organization and its stakeholders. 
Does your organization ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks?
Assure your personnel oversees information security, disaster recovery and business continuity planning, risk assessment, penetration and vulnerability testing, incident management and problem resolution. 
Did you identify and plan for a Recovery Site, where can staff relocate in case your facility is shut down or destroyed/damaged?
Check that your organization is utilizing Fusion RM Enterprise software, develop contingency disaster recovery and emergency management plans to mitigate risk and to deal with organizational emergencies including recovery decision making and communications, continuity of critical departmental processes, or temporary shut-down of non-critical departments to ensure continuity of operation and governance. 
Which considerations should be taken into account while selecting risk indicators that ensures greater buy in and ownership?
Make sure the Manager, Risk and BC, ensures that current business continuity and disaster recovery goals of your organization are met while planning for additional resilience in the future. 
Do all employees responsible for the execution of the BCP/DRP receive ongoing training in Disaster Recovery and Emergency Management?
Establish IT Business Continuity Plan (BCP) and Disaster Recovery (DR) testing methodologies and lead regular IT DR and BCP exercises in partnership with the Risk Management function. 
### Data
Will your organization be responsible for providing necessary hardware redundancies for its desired level of disaster recovery?
Warrant that your organization coordinates Disaster Recovery, Business Continuity and Incident Response planning to ensure effective protection and recovery of information services, organization data and business operations. 
Does it support change when VMs are moved to other storage locations or when you want to do a migration?
Secure that your group architects, installs, and maintains data backup and disaster recovery technical processes in support of overall business continuity strategy. 
Do you have a unified data management operation that supports efficient governance, compliance and discovery on demand?
Assure your staff supports the development of business continuity and disaster recovery (BC/DR) strategies by working closely with department leaders and providing data center insight and expertise. 
Is there an official procedure for administering an exception to the application of information security?
Interface so that your organization is involved in data protection, business continuity and disaster recovery options, configuration and execution. 
Who is responsible for overall operational execution emergency preparedness and communications plans during a critical event?
Make headway so that your team is responsible for Business Continuity and Disaster Recovery data centers and network/system designs. 
How have the associated technologies and strategies around disaster recovery evolved over the last few years?
Verify that your group develops and implements business continuity and disaster recovery protocols to minimize disruption to business operations in the event of emergency situations or data loss. 
Who is responsible for communicating with your staff, customers, investors and the press about the changing situation?
Be sure your staff is responsible for Business Continuity and Disaster Recovery data centers and network/system designs. 
Is the person responsible for implementing information security given the appropriate allocation of resources to manage and ensure compliance with the information security program?
Be sure your process is responsible for Business Continuity and Disaster Recovery data centers and network/system designs. 
Has your organizations staff, responsible for disaster recovery continuity plans, been trained in the procedures to be followed in case of an incident or disaster?
Certify your group is responsible for Business Continuity and Disaster Recovery data centers and network/system designs. 
Have key personnel responsible for executing the contingency/disaster recovery plan been identified?
Safeguard that your company is responsible for Business Continuity and Disaster Recovery data centers and network/system designs. 
### Disaster
How do you plan or increase preparedness when were still recovering from disaster?
Be certain that your design designs and performs server and security audits, system backup procedures, and other recovery processes in accordance with your organizations disaster recovery and business continuity strategies. 
How do you control the increased access administrators have working in a virtualized model?
Confirm that your group participates in Disaster Recovery helping direct the development and execution of an Authority wide disaster recovery and business continuity plans. 
Does the solution provide for business continuity, resilience and disaster recovery implementation scenarios failover, replication, load balancing, etc?
Participation in applicable Disaster Recovery Business Continuity solutions and exercises. 
How do you coordinate operations once a disaster occurs?
Coordinate with relevant business units, as Information Technology, to ensure the Disaster Recovery (DR) plans are developed and maintained. 
How do you use data/information analysis to provide effective support for decisionmaking?
Support ongoing disaster recovery and business continuity efforts. 
Do you need website development services, or just someone to do the network connections to the new website?
Work with the IT technical staff to ensure that disaster recovery and resilience solutions are adequate, in place, maintained, and tested in the context of the regular operational life cycle. 
How do you complete the move without experiencing unacceptable downtime and while maintaining your data protection and disaster recovery profile?
Develop experience designing and maintaining high availability systems or infrastructure including building and maintaining disaster recovery environments. 
Is there a specific reporting system that you will be required to use to report outcomes, accomplishments, and expenditures?
Certify your organization works with (internal) client and IT teams to coordinate, monitor, track and report on disaster recovery testing. 
There is an individual or team responsibility to routinely ensure the alternate processing facility has the necessary hardware, supplies, and documentation to resume processing?
Develop integrated disaster recovery plans in conjunction with third party providers of virtualization, cloud computing, managed hosting, and disaster recovery outsourcing with alternate site vendors for seamless recovery and resilience. 
Do you have any challenges with your current disaster recovery solutions or business continuity plans?
Assure your staff develops, maintains and tests the IT Disaster Recovery Plan. 
### System
How do you translate organizational performance review findings into priorities for continuous improvement?
Design and perform server and security audits, system backup procedures, and other recovery processes in accordance with your organizations disaster recovery and business continuity strategies. 
As hybrid IT adoption leads to more infrastructure sprawl, where does the use of multiple backup and recovery solutions create problems?
Make sure your organization leads the IT team in disaster recovery preparation and response, system redundancy, and business continuity planning and testing. 
What types of technologies and devices exist to increase the level of redundancy and are technologies sufficient to mitigate disruption in day to day business operations?
Make sure your operation is developing and managing the overall disaster recovery plan and capacity of IT systems and infrastructure; ensure the continual functioning of mission-critical operations and mitigate the risk of negatively impacting the stability of the business environment. 
What is your disaster recovery and business continuity plan and how often is it tested around cloud?
Create, maintain, and verify system backups and regularly test for disaster recovery and business continuity readiness. 
What code is called via the overhead paging system to announce the disaster and trigger implementation of the institutions emergency management plan?
Check that your group prepares and works with the different stakeholders to implement business continuity, system wide disaster recovery and incident response plans. 
How would you design and operate one of the largest web sites in the world with the goal of world class availability and awesome resiliency?
Evaluate plans and procedures for system resiliency, disaster recovery and business continuity. 
What identifiable and proven measures are in place for disaster recovery, business continuity, and data restoration?
Define appropriate levels of system availability based on critical system functions and ensure that system requirements identify appropriate disaster recovery and continuity of operations requirements to include any appropriate fail-over/alternate site requirements, backup requirements, and material supportability requirements for system recover/restoration. 
What is your policy for coordinating customer disaster recovery testing with your own internal disaster recovery testing?
Warrant that your process recommends, develops and enforces policies and procedures for maintaining the security and integrity of the system and ensures the system meets availability and disaster recovery requirements. 
How are cyber incident scenarios incorporated in your financial organizations business continuity and disaster recovery plans?
Certify your strategy is responsible for preparing disaster recovery planning ensuring that each system the team develops/supports has a clearly documented and tested disaster recovery plan. 
How do you back up and restore web protection software?
Interface so that your process is involved in capturing requirements, documenting detailed system designs and related system test cases, executing system tests, documenting implementation plans, operations guides, and disaster recovery content. 
### Maintain
How do you build a disaster recovery plan for voice/data infrastructure assets?
Develop and maintain documentation for Business Continuity and Disaster Recovery Design and participate in Disaster Recovery exercises for Contact Center communications systems Manage documentation on all methods and processes to prevent technical issues or services outages. 
Which is a type of software that could be used by office planners in the design of an office layout?
Interface so that your group creates and maintains the enterprises Business Continuity Plan and Disaster Recovery Plan. 
How do you maintain requirements between production and recovery?
Develop and maintain disaster recovery and business continuity strategies. 
How do you make changes while maintaining your organizations secure posture?
Maintain application disaster recovery and business continuity plans. 
What applications directly generate revenue, maintain safety or are otherwise critical to business continuity?
Invest in maintenance of data integrity with backup, archive, and recovery processes and helps implement and maintain procedures for disaster recovery. 
Has your reconstructed financial records given you the necessary information and evidence to be able to complete returns?
Oversee DBA staff to ensure that disaster recovery solutions are adequate, in place, maintained, and tested in the context of the regular operational life cycle. 
How do you complete the move without experiencing unacceptable downtime and while maintaining your data protection and disaster recovery profile?
Develop experience maintaining backup and replication, including disaster recovery design and testing. 
How do you plan your next steps for your organization wide cloud strategy?
Create and maintain a data disaster recovery plan. 
Which person in your organization has the ultimate responsibility for managing the disaster recovery plan?
Confirm that your group develops, maintains and tests the IT Disaster Recovery Plan. 
### Technology
Are your organization leaders principally and officially responsible for the implementation of the information security program, including the establishment of related policies?
Verify that your operation is responsible for backup and disaster recovery capability for User Experience technology products to ensure business continuity and consistency with other business recovery plans. 
Does your organizations business continuity and/or disaster recovery plan (BCP/DRP) address the timely recovery of its it functions in the event of a disaster?
Secure that your organization is developing and implementing your organization information technology business continuity plan, including disaster recovery and emergency access to electronic health records. 
Should primary care providers and primary health networks be better integrated in natural disaster preparedness, response and recovery?
Integrate the business continuity plans with the disaster recovery efforts of information technology (IT) function. 
Does the plan require the savings association to participate in service bureau disaster recovery tests?
Manage Information Technology disaster recovery program and participate in Business Continuity Planning. 
How do departmental (e.g. payroll, financials, employee and medical) disaster recovery plans (DRP) correlate with the overall enterprise recovery plan?
Be sure your process oversees disaster recovery and business continuity as it relates to technology. 
How do you backup your data and what is your disaster recovery plan?
Check that your operation oversees disaster recovery and business continuity as it relates to technology. 
Does the business continuity and/or disaster recovery plan address customer notification when incidents occur?
Ensure your company oversees disaster recovery and business continuity as it relates to technology. 
Which data and reports are produced and verified during tests of the business continuity or disaster recovery plans?
Guarantee your workforce manages the activities of IT Disaster Recovery which includes planning, coordinating, ensures availability of staff and hardware to complete the annual IT D/R test and VoIP phone system D/R test; reviews D/R test results and ensures resolution of issues; maintains Information Technology Disaster Recovery Plan; creates D/R Test reports. 
How do you retrieve backups in the event of a disaster?
Invest in disaster recovery and business continuity as it relates to technology. 
Who is responsible for maintaining daily backup routines changing tapes or disks, monitoring logs etc?
Assign, change and delete user accounts, install/configure and support system/network security tools and technology, perform regular security monitoring, daily backups, creation and maintenance of archival files (tapes, disks) and testing of disaster recovery recovery/business continuity tools and processes.
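Review bot: The Data section carries five near-verbatim duplicates that differ only in the leading verb ("Make headway so that your team is responsible for Business Continuity and Disaster Recovery data centers and network/system designs.", "Be sure your staff is responsible for Business Continuity and Disaster Recovery data centers and network/system designs.", "Be sure your process is responsible for Business Continuity and Disaster Recovery data centers and network/system designs." plus two more), and the last line of the file reads "disaster recovery recovery/business continuity" with a doubled word; dedupe the repeated entries and drop the extra "recovery" before merging. Two smaller points in the same file: the question "How do you complete the move without experiencing unacceptable downtime and while maintaining your data protection and disaster recovery profile?" appears under both Disaster and Maintain, and "Participation in applicable Disaster Recovery Business Continuity solutions and exercises." is a fragment among otherwise imperative items and should be rephrased to match its neighbours.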

View file

@ -0,0 +1,573 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/cloud-security-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: January 31, 2022
Retrieved from on January 31, 2022
Relevant ISO 27001 clauses/controls:
All of them just to link this note somewhere:
- [ISO 27001 A 14 System acquisition, development and maintenance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2014%20System%20acquisition,%20development%20and%20maintenance.md)
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
Related:
- [Vendor security MoC](../..//Vendor%20security%20MoC.md)
- [ISO 27k family](../../../../iso27DIY-gis/reference/Examples/ISO%2027k%20family.md): ISO 27017, ISO 27018
## Organized By Key Themes: Security, Management, Risk, Cloud, Data, Software, Development, Technology, Network and Project:
### SECURITY:
**How do your organizations risks and controls align with the prospective vendors?**
Create a visionary architecture roadmap and organizational strategy to align cloud and security teams with engineering, product management and other business teams. 
**What are the policies and practices of the service provider for dealing with malicious tenants?**
Serve as point of contact to enterprise IT teams working through all phases of the System development life cycle to support the integration of information security requirements and best practices. 
**Are your encryption keys maintained by the cloud consumer or a trusted key management provider?**
Design and implement network intrusion detection (IDS), data loss prevention (DLP), cloud access security broker (CASB), and other relevant solutions to strengthen Information Security posture. 
**What do you recommend for users?**
Make recommendations to strengthen the security posture of your computing environment as well as recommend process and technology improvements to ensure timely response to future Data Leakage security incidents. 
**Does the solution support multiple instances of the same cloud app inside a organization?**
Lead engagement with IT stakeholders, business management, and other strategic partners to support the design, development, and deployment of enterprise Information Security solutions that span multiple technologies and disciplines. 
**How can organizations design and implement cloud security framework and architecture?**
Design, deploy and operate the Security-as-a-Service and work with product engineering, IT infrastructure, and business application development organizations to implement adequate security controls under guidance of corporate security policies and standards. 
**Are your employees bringing their own devices to work?**
Engage with other Product Management leaders across the Enterprise business to identify and bring innovative integrations that bring better security outcomes for your (internal) customers. 
**How is continuous monitoring conducted?**
Guarantee your group is working knowledge and good involvement developing/designing/operating data protection technologies to include: Data Loss Prevention, Cloud Access Security Broker, Data Access Governance, Encryption/Tokenization/Obfuscation/Masking, Rights Management, Database Security, Email Security, Endpoint Security, UEBA, Logging and Monitoring. 
**Are policies and procedures established for data labeling and handling in order to ensure the security of data and objects that contain data?**
Secure that your operation is working on a medium sized, closely knit team of experienced security professionals that are responsible for handling all aspects of information security, risk and compliance. 
**Do you have a process ensuring that the use of generic accounts is kept to a bare minimum?**
Provide structured and consistent support to IT project teams by ensuring all enterprise information security requirements and associated risks are addressed. 
### MANAGEMENT:
**What specific concerns do other organizations have when it comes to securing containers?**
Partner with business stakeholders to mitigate information risk management concerns. 
**What application tracks a process from start to finish?**
Lead a product management team and rationalize and collate requirements across multiple engineering tracks, through collaboration with other PM Directors. 
**What type of information is involved?**
Be certain that your strategy is involved in customer identity and access management platforms as Auth0, Okta, Ping, or similar. 
**Do the developers changes align to the system level requirements and architecture?**
Partner with the Product Management (PM) team in defining, testing, and documenting the solution which may require integration with other products and components, both from your organization and from your ecosystem partners. 
**How do you create a cloud roadmap that supports a seamless transition from your current IT?**
Support the executive management level for projects related to data management concepts. 
**What are the implications of rapid business changes on your technology infrastructure?**
Guarantee your process is involved in change management processes and functions. 
**What is the process that will be followed to resolve unplanned incidents?**
Follow risk management and compliance procedures. 
**Is the security design aligned with the business delivery model and AWS cloud architecture?**
Align IT risk management with enterprise wide risk management. 
**Which threats do you assess are most relevant to your organization and why?**
Assure your process expands its knowledge in privileged access management solutions, with hands on involvement in design, installation, and configuration. 
**What solutions will deliver the culture you need?**
Assure your team helps deliver presentations to (internal) clients and management teams. 
### RISK:
**Who is involved in the FedRAMP process?**
Oversee that your team is involved in risk quantification. 
**Have you decided what identity management approaches are acceptable and desirable?**
Secure that your team is accountable for ensuring residual risk is captured and owners are identified and accept the risks. 
**What notification timeframes are built into your incident reporting process?**
Liaison so that your team is reporting status and Risk Level. 
**Does your cloud security vulnerability countermeasures and network hardening tool enable a cloud best practice for its business continuity and growth in general?**
Document recommendations, root cause analysis efforts, risk assessments and manage remediation efforts where downstream work with priority. 
**What approach should be used to monitor and remediate cloud security threats?**
Identify renewal risk and collaborate with internal teams to remediate and ensure a successful renewal. 
**Do you understand your cloud security and compliance needs and gaps?**
Lead the compliance team with identifying, analyzing, and documenting risks and understand the importance of this process. 
**Do you have a continuous view of your cloud compliance posture to reduce the threat of a breach?**
Ensure your operation identifies opportunities to reduce risk and documents remediation options regarding acceptance or mitigation of risk scenarios. 
**How do departments wield the power of the cloud, expanding reach while guarding core assets?**
Research and design ways to achieve risk reduction objectives in creative ways, including expanding your current tool stack where appropriate. 
**What actions may be necessary to address highlighted risks and challenges?**
Be confident that your design is accountable for ensuring that key risks and issues are identified, addressed and resolved in a manner that satisfies the business. 
### CLOUD:
**How can the risk involved in online payment be reduced by internet governance?**
Make sure your organization is involved in software development, cloud architecture, vulnerability management, and risk management disciplines. 
**Is there any quantitative approach for cloud security?**
Ensure you partner with your (internal) customers to provide a custom solution-oriented approach through your advisory and technical capabilities in three main practice areas: Cloud native, Cloud Security and Cognitive Business Automation. 
**How does the system identify the users?**
Understand cloud security for access identify management to security groups. 
**Are the policies, standards and guidelines in a line with the industry standards?**
Advise and influence business partners from a cloud risk and control perspective on new processes products, initiatives and strategies; guide the business unit(s) through the various governance approvals and controls reviews related to new initiatives. 
**Does the service meet industry standard cloud security principles as the Cloud Security Alliance, NIST or UK Government Cloud Security Principles and SOC 2?**
Lead and influence teams on cloud risk and product related initiatives to meet corporate, divisional and business line objectives. 
**What strategies do you advise on mitigating risks in the cloud?**
Advise customer on cloud models, technology and risk management strategy. 
**Is the security team involved in cloud decisions?**
Safeguard that your strategy is involved in cloud security concepts. 
**How to demonstrate the users identities continually when performing delicate activities?**
Perform cloud security risk assessments and remediation recommendations. 
**What types of systems do you currently have in place to collect, analyze and correlate large quantities of security and event data?**
Analyze SaaS productivity tool workflows and design cloud access security broker (CASB) controls. 
### DATA:
**What policies exist to reduce the number of elevated/privileged access accounts?**
Make certain that your organization has involvement in designing and implementing technology and process solutions to reduce the potential risk of data compromise. 
**Do you offer training to your employees and staff on how to minimize insider security risks?**
Guarantee your team Designs/implements data strategy and data security methods. 
**What specific facilities and system components were included in the validation?**
Make sure the data could involve PII and could also include sensitive business information as pricing, financials, product plans, HR documents, design documents, and other IP. 
**Do you collect capacity and use data for all relevant components of your cloud service offering?**
Collect data for customer audits and security due diligence requests. 
**Does using a cloud provider give your organization an environmental advantage?**
Ensure you own the development and support of the underlying infrastructure allowing your applications to rapidly grow and evolve, enabling fast and reliable data pipelines, and ensuring the insights you provide to your (internal) customers are always available. 
**How does the provider monitor the applications?**
Invest in the analysis of data to help provide creative solutions on business issues. 
**Can the provider give reports for monitoring user access?**
Certify your organization is using log management tools, packet captures reports, data visualization, and pattern analysis. 
**Does the cloud services contract include appropriate retention and destruction commitments from the vendor?**
Guarantee your process is responsible for protecting information systems and data from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruct. 
**What are the main inhibitors of using Cloud-based Security Solutions?**
Develop experience implementing and using data management tools. 
### SOFTWARE:
**Who is responsible for developing information security governance?**
Develop experience implementing software security testing tools. 
**How do you control the increased access administrators have working in a virtualized model?**
Drive software process improvements that enable progressively increased team efficiency. 
**Is multi factor authentication supported for provider services?**
Develop experience executing software programs in support of a major compliance effort. 
**What determines the size of a group of servers sharing the same network range?**
Make sure your staff determines systems software design requirements. 
**What inhibitors has your organization encountered in adopting or fully utilizing your cloud security vendors technology?**
Provide technical support for both hardware and software issues your users encounter. 
**How can security keep up with DevOps that is already configuring and deploying on AWS?**
Lead an agile team using DevOps software. 
**How do you enable debugging without destroying the problem?**
Work with embedded testers to debug software issues and ensure robust software quality. 
### DEVELOPMENT:
**What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first?**
Lead the development of new cloud security processes and procedures. 
**What is driving investments in third party cloud native application security controls?**
Invest in the development and maintenance of security compliance validations. 
**Are detail and summary records available for the audit period?**
Coach business leaders in the development of resistance management plans. 
**What is the track record of the cloud provider in implementing effective security practices?**
Invest in the development of security remediation efforts and track them to completion. 
**What happens when you upgrade network speeds, which does occur from time to time?**
Work with development team and QA to ensure requirements traceability and completeness. 
**Can the specific system components used by a client at a particular time be identified?**
Be confident that your process mentors development team members. 
**Are usage audits performed automatically or reactively?**
Certify your process has hands on involvement in front end development. 
**Can cost drivers override security?**
Help drive business development activities. 
**How do you meet the rapidly changing business demands for new applications and capabilities?**
Invest in tailoring the development process to meet the project needs. 
### TECHNOLOGY:
**What does a modern cloud enabled SOC look like for hybrid architectures?**
Ensure your information technology team operates as your business partner proposing ideas and innovative solutions that enable new organizational capabilities. 
**How does your organization understand and resolve its most urgent cloud security issues?**
Understand complex business and information technology management processes. 
**Do you have password policies for enterprise issued mobile devices and/or BYOD mobile devices?**
Make sure your team is leading considering business needs, gathering requirements, and recommending solutions that have to be technology and/or services focused. 
**What does successful implementation of security essentials look like?**
Develop experience consulting with business and technology stakeholders to build and implement secure solutions. 
**How do you control access to different cloud solutions?**
Oversee that your process understands client business functions and technology needs. 
**What do most CISOs think about cloud security policy?**
Ensure your success requires continuous collaboration with several other groups across the organization, including the Chief Technology Office, Chief Risk and Compliance Office/CISO, Corporate Technology, Engineering, Legal. 
**What is your organizations experience delivering other cloud security projects?**
Ensure you manage a unique culture, enabling your team members to be on the cutting edge of technology while delivering high quality solutions. 
**How much of your IT security budget is devoted to preventing, detecting and mitigating insider threats?**
Define, implement and support process and technology improvements related to preventing unauthorized disclosure, modification, removal or destruction of information. 
**What groups are directly involved in creating cloud security policies?**
Be certain that your team is involved in skills, application(s) and functions of the technology area. 
**How does your organization currently ensure compliance with record keeping requirements?**
Be confident that your team is involved in technology transformations. 
### NETWORK:
**What approach should be used to monitor and remediate cloud security threats?**
Lead across your organization to ensure a process is in place, adopted and performed to remediate all infrastructure, network and application vulnerabilities. 
**Do you need any additional security for the integrations in a hybrid environment?**
Invest in implementation and secure design of secure applications, software integrations, identity providers, and networks. 
**Does the firewall enable automated configuration of security policies?**
Provide third level support in troubleshooting of network performance issues. 
**How is the CSP security team involved in security upkeep?**
Make sure your group is involved in network protocols and deep packet inspection. 
**Does your organization have the appropriate controls to detect and prevent an insider attack?**
Collaborate with IT teams to remediate any potential hardware or network issues that prevent detection capability.
**How has the cloud saved you time, effort, and resources through enhanced security?**
Apply creative approaches and innovative thinking to the design of new and enhanced network architectures. 
### PROJECT:
**What about investigation Support?**
Provide cloud security guidance and support to project teams. 
**Who is accountable for what and is your data protected even if you change providers?**
Facilitate change management activities between the project team and IT service groups. 
**Which cloud security issue is most under researched?**
Support project research and implementation for your corporate security program. 
**What integrations and configurations do your security solutions support?**
Make sure your workforce provides technical support to project team members. 
**Has integration and interfaces with existing systems been fully considered?**
Make sure the project has just completed the process design phase. 
**How do you meet the need for business agility whilst ensuring security and compliance?**
Oversee that your personnel coordinate team activities to meet project milestones.
**Who is responsible for delivering your organization's cybersecurity?**
Invest in the planning and delivering of Business Intelligence implementation projects.

View file

@ -0,0 +1,739 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/do-you-have-effective-configuration-management-process-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: February 21, 2022
Retrieved on April 14, 2022
Relevant ISO 27001 clauses/controls:
- [a-8.9-Configuration-management](../../Standards/ISO27x/OST/27002/EN/a-8.9-Configuration-management.md)
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
# Configuration Management: Ask This;
1. How does software configuration management facilitate the changes that occur during various stages of a system development life cycle in your organization?
2. What Enterprise Content Management processes and supporting software tools does your organization use?
3. To what degree have information system configuration management policies and procedures been defined and implemented across your organization?
4. Does your organization have a documented effective configuration management and change management process defined?
5. Do you have an effective configuration management process in place for system software?
6. Are change control/ configuration management procedures followed for all software and hardware modifications of systems that process and store sensitive information?
7. Does your organization have formalized processes for IT support services, problem management, change management and configuration management?
8. For major system acquisitions and major projects, does the project office include a configuration management plan as a component of the project management plan?
9. Is a configuration management process in place that controls access to all software code and hardware components throughout the system lifecycle?
10. How much visibility does a client have into your internal processes, including Software Quality Assurance (SQA) activities, configuration management and testing?
11. Which software configuration management system (SCM) does your organization currently use?
12. Does your Incident and Change management integrate with a Configuration Management System (and CMDBs) to support and maintain the relationship of Release Records to associated CI Records?
13. How does your organization integrate hardware configuration management into your software compliance environments?
14. Are configuration management software tools used to control and track change activity throughout the software process?
15. Does your SDLC process have a tool that integrates with a Configuration Management System (and CMDBs) to gather, validate and graphically illustrate required information for release builds and deployment activities?
16. Does your organization have a formal, documented process for configuration management of your products?
17. Does the knowledge management tool and its data repositories form part of, or link to the configuration management system?
18. Are system developers required to perform configuration management, including change control and weakness management during system design, development, and implementation?
19. Are system developers/integrators required to implement and document a configuration management process that tracks security flaws?
20. Does the system developer create and implement configuration management plans that control changes to system during development?
21. How does your current endpoint security or configuration management software vendor support Network Access Control?
22. What configuration management system for change control of production programs is in use?
23. With regards to the Configuration Items (CIs) referred to within the Configuration Management Database (CMDB), who has financial control over which items?
24. Does the configuration management process track the number of changes to the software baseline(s)?
25. Which service desk software is currently used by your organization, and how is it integrated with the deployment of configuration management?
26. Do your suppliers have a configuration management process which controls and releases engineering specifications, part numbers, BOMs and other product documentation?
27. Is there a closed loop identification and resolution system for hardware and software configuration management problems?
28. How does software change and configuration management keep pace with your organization's application and infrastructure portfolios?
29. To what degree does the configuration management process integrate with the change management process and its associated tools?
30. Does the configuration management system require two authenticated users to process a change?
31. Do your suppliers have an established, documented and maintained configuration management process appropriate to each product type?
32. To what extent does the configuration management process encompass changes to key interfaces and their standards?
33. Which activities does service asset and configuration management ensure are performed on configuration items (CIs)?
34. How important is the Software Configuration Management system for your Agile environment?
35. Is there a configuration management library system as a repository for the software baselines?
36. Which configuration management system processes keep track of the changes so that the latest acceptable configuration specifications are readily available?
37. What technologies are in place to automate and keep up with the latest patches, system vulnerabilities, configuration management and compliance monitoring?
38. Are project personnel trained to perform the software configuration management activities for which they are responsible?
39. Do you have an IT Service Management team or a Configuration Management Database (CMDB) manager?
40. Is the configuration management process integrated with each project plan and an integral part of the culture?
41. What information does Configuration Management provide to the IT management of your organization?
42. Do contractors employ a validated configuration management process to manage changes on your organizations projects?
43. Do teams have sufficient development infrastructure and tools to follow state of the art configuration management and testing practices?
44. Does your organization have configuration management solutions that increase productivity through intelligent automation?
45. Is application code managed in a secure configuration management system with access controls?
46. Does the configuration management process integrate with incident, problem and change management processes?
47. Are your version control and configuration management policies and procedures the same throughout your entire organization and for all your products?
48. Are all versions of all parts of your systems managed by a configuration management system?
## Organized by Key Themes: MANAGEMENT, SOFTWARE, SYSTEMS, NETWORK, SECURITY, DEVELOPMENT, DESIGN, CHANGE, DATA, PROJECT:
### MANAGEMENT:
Have test requirements for acceptance and integration testing and configuration management been developed?
Make headway so that your company is employing modern-day software and hardware solutions to ensure system reliability, redundancy, sustainability, security compliance, and (internal) customer satisfaction, utilizing system engineering methods and standards such as traceability, system verification, system validation, baseline descriptions, configuration management and change control to develop a first-time-quality system that is operable and maintainable.
Do you have a comprehensive data management plan that defines goals and policies for the collection, structure, and management of data assets?
Ensure that your company defines and allocates Configuration and Data Management requirements for product hardware, software and engineering design data systems throughout the product lifecycle.
Are changes to the scope of functionality and/or work that may have an impact on the direction of the system appropriately managed?
Check that your design reviews cover released engineering change data and change-documenting activities to ensure adherence to configuration management procedures and policies.
Does your SDLC process have a tool that integrates with a Configuration Management System (and CMDBs) to gather, validate and graphically illustrate required information for release builds and deployment activities?
Secure that your staff maintains the Software Configuration Management System including collection or distribution of code documentation, problem report and change request processing, software build documents, and delivery of software products to operational environments. 
How do you reuse assets to assist in reengineering?
Ensure you have system engineering involvement including large project requirements management, project management, cost effort estimation, build versus buy analysis, asset management reuse, configuration management, subcontractor management and complex solution design architecture. 
Do you have a plan/process for dealing with variances between cost performance and the baseline?
Safeguard that your operation ensures Service Asset and Configuration Management (SACM) processes and Configuration Management Database (CMDB) effectiveness, facilitates change management process and tool design, and drives the identification of Critical Success Factors and KPIs to measure ITSM improvement. 
Has a managed and controlled process database been established for process metrics data across all projects?
Make sure your design establishes service asset and configuration management processes and tools to input CIs, maintains CMDB to established quality standards, implements automation and discovery tools to ensure CI/CMDB quality. 
What are the rules defining how that components access control list should be configured?
Support configuration management of version control systems for code management, test plan and pipeline development from Jira, user acceptance testing, review and prioritization of defect backlog for allocation to releases and sprints, requirements elicitation and validation sessions, development and refinement of requirements, release planning activities and schedule from a requirements perspective, and sprint planning and execution from a requirements perspective. 
Have all mechanisms that can lead to temporary or permanent changes to facility configuration been identified?
Guarantee your process conducts change control and device configuration management activities on all IAM technologies, including inspection or reviews of peers' changes, as well as implementation of changes and support of changes related to the IAM Platform.
Does the deployment use the incident management system for reporting issues and problems?
Establish that your team oversees Claims Operations and Configuration Information Management and works collaboratively with Corporate business owners to ensure the health plan processes for claims and encounters align with regulatory requirements for each applicable line of business.
### SOFTWARE:
Does the automated system create and maintain a system record of rejected guarantee requests?
Invest in development, execution and oversight of software and hardware asset and configuration management processes aligned with ITIL best practices required to support the needs of the organization and ensure process compliance by responsible teams to maintain data quality. 
Are standard reports documenting configuration management activities and the contents of the baselines developed and made available to affected groups and individuals?
Ensure that your team's products include software plans (Software Development Plan, Configuration Management Plan, Verification and Validation Plan); requirements specifications; design documents; source code; test plans, procedures, cases, and reports; and physical configuration audits and functional configuration audits.
How do you do maintenance on released versions without interfering with your current development work?
Collaborate with cross-functional teams to design, build, implement, and maintain deployment automation for various applications from code check-in to production, and provide Software Configuration Management support with branching and merging strategies, version control systems, integration management, build/release management and requirement management.
Is the testing done with the team, independent of the development organization, verifying expected results?
Be confident that your workforce is setting up and managing the operation of project development and test environments as well as the software configuration management processes for the entire application development lifecycle. 
Has the use of commercially available products and other products in every system development process been reviewed from a technical perspective with involvement by experts?
Certify your team is involved in modern software development processes, including software configuration management tools, defect tracking tools, peer review, and agile development life cycles. 
Which lifecycle stage ensures that the impact of service outages is minimized on a day to day basis?
Make sure your staff ensures compliance with Configuration Management Standards, Software development Standards and Procedures and the Software Development Life Cycle Process. 
Which instructional support features should be included in a simulator or embedded training application?
Be confident that your design provides Configuration Management (CM) support for the (internal) customer's software baseline control efforts.
What are the provider's procedures for configuration management, patch installation and change management for all servers and PCs involved in delivery of contracted services?
Ensure your team is involved in software configuration management and streaming strategies for large parallel development teams. 
Is there a defined and documented process for collecting, recording, processing, maintaining, and reporting configuration data necessary for the program?
Maintain best practices of software configuration management by working in Docker containers using Git version control and maintaining frequent communication with team members.
### SYSTEMS:
What processes and standards do you follow for incident management, problem management, change management, and configuration management?
Oversee that your process develops, implements, and maintains a series of IT processes to ensure the integrity and availability of information resources by overseeing the development and implementation of configuration management and systems quality assurance. 
Is the allocation of responsibilities for configuration management and monitoring of performance defined?
Ensure that your process covers operating system life-cycle management and configuration management, for example Print Management, Account Management, System Imaging, Hardware Modernization, and Performance Monitoring.
Is there a process in place to ensure that the project plan is updated as changes occur?
Be sure your process provides configuration management support in accordance with compliance and policies and procedures, using configuration management systems to record, track, monitor, and update component configurations and configuration items and changes and account for assets. 
How do you identify effective change management processes?
Recommend and implement process and tool improvements to improve the efficiency and effectiveness of your organization's change management and configuration management processes and systems.
What strategies and best practices promote agile and effective configuration management?
Make headway so that your workforce is involved in closed loop corrective action systems, nonconforming material control system and configuration management practices. 
Does your Incident and Change management integrate with a Configuration Management System (and CMDBs) to support and maintain the relationship of Release Records to associated CI Records?
Oversee that your process helps implement and support a new configuration management system for a simplified orchestration workflow focused on applications, while phasing out legacy configuration management systems. 
How should companies evaluate existing and emerging technology to maximize server returns?
Secure that your group maintains professional and technical knowledge by tracking emerging trends in systems engineering, configuration management and enterprise technology. 
Does formal monitoring of security logs take place to identify and address potential intrusions or inappropriate use of data assets?
Oversee and participate in design, implementation, administration and support of platform systems, including Windows, Linux, AIX, Active Directory, Exchange, Group Policy, identity and access management products, monitoring products, configuration management products and applications. 
Is there a procedure for maintaining traceability between requirements, design, code, and tests as requirements are added or modified?
Make sure your workforce follows processes for maintaining infrastructure configuration management across enterprise IT systems. 
Does the automated system provide an automated interface with the core financial system to record the outlay of subsidy from the program account?
Secure that your strategy is supporting systems in the maintenance phase including configuration management and optimizing existing code. 
### NETWORK:
Does your support center participate in most IT processes and has that participation been formally defined?
Assure your organization is involved in assessment and implementation of policy-driven change and configuration management to support Network Virtualization, Network Function Virtualization (NFV) and Software Defined Networking (SDN) adoption.
What are your reasons for implementation of the selected models, approaches, or standards?
Assure your workforce is maintaining configuration management in the implementation of software upgrades, network services, equipment and devices. 
Is the test and analysis data available and are the variances to the test results identified and updated?
Make sure your strategy conducts advanced and state-of-the-art assignments such as network design optimization, technical trade studies, specification of equipment configurations, technology assessment, technology insertion planning, capacity planning, and configuration management. 
What technologies are in place to automate and keep up with the latest patches, system vulnerabilities, configuration management and compliance monitoring?
Assure your workforce is responsible for infrastructure components and configurations, including servers, directory services, configuration management, monitoring, and networking configuration. 
How do you consolidate your monitoring tools into a single management system?
Work with network architect to recommend and implement improvements to overall performance and reliability, including installing, upgrading/patching, monitoring, problem resolution, automation, and configuration management. 
Do you track every configuration change made to routers and switches in your network and who made them?
Make headway so that your team has knowledge of and involvement in using and installing networking equipment such as switches, routers and firewalls.
Will contractor innovation and technology insertion be incentivized through delegation of increased responsibilities such as configuration management?
Be sure your team is responsible for troubleshooting network and platform issues from a server side perspective. 
Have you considered project management activities such as planning, meetings, and managing people?
Interact frequently with network and transport services providers to resolve network anomalies and performance issues, as well as to determine future products to meet the (internal) customer's strategic initiatives for services.
How do you fix the program in the best possible way?
Provide expertise, support and direction on corporate network issues including Active Directory, DNS, DHCP, virus prevention, backup issues, email concerns and general network permission structure.
Are the documented processes available and effectively disseminated to all organization personnel?
Evaluate network designs to determine if requirements are met efficiently and effectively. 
### SECURITY:
Does the automated system provide an automated interface with the core financial system to initiate and record disbursements for interest supplement payments?
Ensure that your operation is involved in monitoring and managing cloud security operations, including identity and access control, secure configuration management, network security, enforcement policy scripting, workload security, data security, logging, public key infrastructure (PKI) management, and data encryption for data-at-rest and data-in-transit.
Have organizations consisting of customers, development teams, and partners been established and held?
Maintain system baselines and configuration management items, including security event monitoring policies in a manner determined and agreed to by the (internal) customer TM, ensuring that changes are made using the established approval process. 
Does the configuration manager have a complete record of all the changes made and the current configuration of the test environment?
Develop experience working in cybersecurity engagements in one or more domains, including Cloud, Workforce Management, Risk Management, Industrial Control Systems, Asset Management, Configuration Management, Data Loss Prevention, Supply Chain Management, and Change Management.
How do you keep track of all versions, dependencies among components, approval records, etc. etc. etc.?
Be confident that your design develops core documents such as System Security Plan, Contingency Plan, Incident Response Plan, Standard Operating Procedures, Plan of Actions and Milestones, Remediation Plans, Configuration Management Plan, etc. 
Is configuration management provided for test databases, data files, and external programs?
Provide assistance and guidance in drafting and reviewing Configuration Management Plans, System Security Plans, Incident Response Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations, Information Assurance Vulnerability Management Plans, Network Diagrams/Topology, Physical Security Plans, Personnel Security Policy and Training Plans. 
Is there a procedure for delivering the product to the configuration management organization?
Certify your design is involved in incident handling response, endpoint security capabilities, security monitoring capabilities, Secure Configuration Management (SCM), Assured Compliance Assessment Solution, Continuous Monitoring and Risk Scoring. 
Have the unresolved problem reports and change requests been reviewed for trend information?
Lead the development and maintenance of security documentation such as the System Security Plan, Privacy Impact Assessment, Configuration Management Plan, Contingency Plan, Contingency Plan Test Report, POA&M, annual FISMA assessment, and incident reports.
Does the system have any intrusion detection or real time monitoring software installed?
Make sure the security architecture work includes all areas of Information Security such as IAM Authentication/access management, threat management, incident response, forensics, logging, monitoring, application security, data protection, vulnerability management, and configuration management in relation to multiple Cloud Service Providers. 
How do you track what changes were made to the application?
Make sure the ISSO is responsible for configuration management (CM) of information system security software, hardware, and firmware, manages changes to the system, and assesses the security impact of those changes.
How can one avoid the common approach to design records of capturing any and all data that may be considered relevant?
Make sure the SDLC security engineering requirements consist of, but are not limited to, activities related to threat modeling, risk identification, security/controls requirements, design, development, integration, testing, deployment, operations and maintenance (O&M), vulnerability management, remediation, configuration management (CM) and risk management for both traditional and agile environments.
### DEVELOPMENT:
Is the configuration management plan clear about who needs to approve changes to any baseline?
Confirm that your design is working with cloud providers, development operations tools, configuration management, and cloud system architecture (load-balancing, auto-scaling, security groups, secrets management and key management). 
Who on your staff understands the entry and exit criteria for each task the contractor has defined?
Safeguard that your process understands the software development process and is experienced in IT project management methodologies (Agile, Waterfall, hybrid) and IT solution delivery processes, procedures, and toolsets (DevOps, configuration management).
How are configuration baselines and configuration checks integrated into the policies, configuration management process, and software management process?
Make sure the DevSecOps Configuration Manager leads and supports day-to-day configuration management operations for program related configuration items to include documentation, reports, system configurations, and software development/deployed baselines. 
Does the automated system provide an automated interface with the core financial system to record the collection?
Provide software process management and configuration management throughout the software development life cycle. 
To what degree does the configuration management process integrate with the change management process and its associated tools?
Enforce organization policies in the areas of development methodology, architecture, security, change and configuration management and compliance. 
How do you automate the steps involved without implementing so many additional tools that the solution becomes part of the problem?
Ensure that your team is involved in configuration management and/or quality assurance in automotive product development.
Has the service been built and tested to ensure that it meets the capacity requirements?
Develop experience working with application development tools and practices, such as version control, defect tracking, build management, test management and other activities related to configuration management. 
Are errors and mistakes documented and used to modify upcoming changes or the overall process?
Make improvements to the methodologies used for configuration management and software development that help find better ways of working within configuration management.
Is the configuration control board active and responsible in evaluating and approving changes?
Be certain that your personnel are responsible for software configuration management (SCM) of developmental and operational systems.
Which role would you MOST expect to be involved in the management of Underpinning Contracts?
Warrant that your personnel are involved in agile development, configuration management and continuous integration processes and methodologies.
### DESIGN:
How do you determine the requirements and justification for configuration management when all the benefits come from improvements to the other processes?
Ensure your company ensures compliance with quality and regulatory requirements by applying design control processes such as risk management, configuration management, requirements management and verification testing.
Are there procedures for ensuring that developmental prototypes are developed in accordance with standard software development practices?
Guarantee your process is designing technical architecture and developing cost-effective solutions using various configuration management tools to make infrastructure compliant with the company's cloud policies, along with ensuring high availability.
How do you keep track of all corresponding versions, dependencies among components, approval records, etc. etc. etc., and still assure quality?
Contribute towards creation of software design history file, risk management documentation, issue tracking, configuration management, etc. 
Can the service be deployed in a manner that meets organizational security standards and requirements?
Design and implement short and long term strategic plans to meet current and future requirements around engineering and operations of Infrastructure Configuration Management (currently with Puppet and Ansible). 
Do the service designers understand the standards and tools used for releasing and deploying services?
Assure your team is designing and developing automation solutions for deploying and managing microservices and web applications on cloud resources with configuration management and Continuous Delivery.
What are the strategies, processes and best practices that enable effective software configuration management?
Ensure the integration of safety, reliability, operability, constructability, and configuration management practices into final products/designs/processes. 
Does your support center participate in most IT processes and has that participation been formally defined?
Provide guidance on, and participate in software development activities including design and code reviews, requirements analysis and tracing, defect tracking and configuration management. 
Does your organization ensure that invoices are generated promptly and that efficient mechanisms are in place to collect and record payments and to provide support for loan servicing?
Provide support related to all aspects of software analysis, design, development, documentation, and configuration management. 
Are changes requested by the business side of your organization able to be accommodated?
Make sure your strategy approaches code design and implementation with a security lens and actively looks for vulnerabilities both in the code and when providing code reviews. 
What is your current comfort level with automated approval versus software centric automation?
Make sure your strategy documents include detailed specifications, implementation guides, architecture diagrams or design documents. 
### CHANGE:
How do you trace changes on a machine back to the decision process that caused it?
Make sure your workforce is involved in Risk Process, Engineering Requirements documentation, Request For Change Documentation, Configuration Management Programs. 
How do you put all of your changes in a configuration management system?
Define, implement, and improve operational models; including 24x7 Operations and On-Call, Event Management, Incident Management, Problem/Escalation Management, Configuration Management and Change Management Processes. 
How do you effectively gain control of the configuration changes to know what is really happening to your contact center systems?
Analyze and coordinate proposed changes of product design and quality system processes to determine effect on overall product and system, coordinating with change owners, providing feedback. 
How do you do maintenance on released versions without interfering with your current development work?
Make headway so that your strategy is responsible for leading the enterprise change control business process and the release technician group. 
Which supporting design techniques do you adopt to enable configuration management practices?
Check that your design has involvement leading Change through process re engineering and valuation/implementation of best practices and leading technologies. 
Are manufacturing, inspection, manufacturing planning, and procurement notified of an initial release or an approved change?
Establish that your staff supports the change process so that only approved and validated changes are released to manufacturing. 
What types of changes to the information system or operating environment should be documented?
Identify and champion organizational and process changes that support automated cloud provisioning; invest in the creation and maintenance of standard cloud computing policies, operating procedures, and overall documentation. 
Does the automated system apply collections received from the debt collection center according to organization application rules?
Warrant that your process communicates changes, enhancements, and modifications of business requirements verbally and through written documentation to project managers, sponsors, and other stakeholders so that issues and solutions are understood as well as potential ramifications. 
Are updates completed in accordance with configuration management policy and procedures?
Make sure your company is responsible for gathering all business requirements and managing (internal) client changes in order to successfully launch a new (internal) client asset or update an existing (internal) client asset. 
### DATA:
Which is a testing related aspect of configuration management most likely to have broken down?
Establish that your team is involved in Test Planning, Test Estimation, Test Strategy, Work Load Design, Test Cases Design, Test Environment Setup, Test Data Setup, Defect Management and Configuration Management. 
What activities should the information system owner conduct when a system is decommissioned?
Develop experience developing and implementing tools to conduct requirements management and traceability, configuration management, risk management, and data management. 
Do you need a built in survivability solution that ensures communications continue during outages?
Certify your team is responsible for developing processes and providing configuration management protocol for technical data products. 
Have the various types of reports, the content, and frequency of reporting been defined?
Ensure proper configuration management and change controls are implemented to preserve the integrity of the data and the quality of the reporting packages provided to the end user. 
Are there particular difficulties in the area of configuration management and change control?
Operationalize the product data structure, configuration management, and change management of the product. 
How can utilities evaluate vendor solutions for applicability to respective deployments?
Utilize, alter, and/or create staffing models to evaluate manpower requirements across multiple areas under Wilton Configuration Management and Master Data groups. 
Which specifies access privileges to a collection of resources by using the URL mapping?
Work with Development, Configuration Management and other teams to classify the risk level of all applications using PHI, PII or other confidential data. 
How do you improve security of images being deployed?
Oversee the Technology Asset Management function, including the Configuration Management Database, and logical and physical asset management and tracking. 
Does formal monitoring of security logs take place to identify and address potential intrusions or inappropriate use of data assets?
Verify that your strategy is involved in Data Ops concepts and tools around workflow orchestration, monitoring, version control, CI/CD and configuration management. 
Does your organization achieve a dramatically more effective return on its development and operational assets by implementing common change governance and administrative processes?
Guarantee your workforce is involved in Linux and Windows infrastructures, database SQL and NoSQL, CI/CD tools, Configuration Management, development languages like Go, JavaScript, PHP, Python, Perl, Ruby. 
### PROJECT:
Do all network infrastructure devices require PKI based authentication/credentials for login?
Certify your organization manages changes to the requirements as they evolve during the project by using the Configuration Management procedure Maintains bidirectional traceability among the requirements and the work products. 
Has the difference between the plan and the actual situation been analyzed at the right timing when the most accurate estimation can be obtained?
Manage project plan, risk plan, QA plan, requirements management process and configuration management process for project with priority. 
Has a configuration management plan been prepared for each project according to a documented procedure?
Create and manage project plan components including project schedule, risk management plan, requirements management plan, configuration management plan, staffing plan, and others with priority. 
Does the automated system provide data to support corrective action plans as penalties and/or sanctions?
Be sure your operation develops configuration management documentation based on enterprise and project requirements. 
How do you find the reporting functionalities of the software?
Adhere to project development processes including documentation, defect tracking, software configuration management, and status reporting. 
Are system developers/integrators required to implement and document a configuration management process that tracks security flaws?
Confirm that your process works closely experienced in Project Planning, Project Assessment and Control, Decision Management, Risk Management, Configuration Management, Information Management, and Measurement. 
Do drawings comply with Customer requirements for drawing format, reproduction, storage and delivery?
Comply with Asset Management, Configuration Management, Project Governance and Project Controls Policies and procedures. 
Which configuration management system processes keeps track of the changes so that the latest acceptable configuration specifications are readily available?
Develop experience directly implementing and maintaining project change/configuration management policies, plans, and procedures. 
Which function supports a customer who would like to have a predefined work plan for repetitive maintenance work?
Support CM Boards and Project Teams through activities and deliverables such as project status reports, design documents, design validation, migration planning, service delivery guidance, and implementation support documents. 
Do you create configuration management reports from the configuration management system?
Will work closely with (internal) clients and members of the Information Assurance Team to both create detailed specification documents with clear project deliverables and timelines, and to ensure timely completion of deliverables.
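Review bot: several of the statement lines in this file carry artifacts from the scraped job-posting text that should be cleaned before the note is relied on: `Utilize, alter, and/or create staffing models to evaluate manpower requirements across multiple areas under Wilton Configuration Management and Master Data groups.` names a specific company's internal group, `...by using the Configuration Management procedure Maintains bidirectional traceability among the requirements and the work products.` is two sentences run together, and the last line `Will work closely with (internal) clients...` is a subject-less fragment. Suggest dropping the organization-specific name, splitting the run-on at `procedure.`, and rephrasing the final line in the same imperative form as the other statements.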


@ -0,0 +1,24 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/cyber-operations-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: January 25, 2022
Retrieved from on January 26, 2022
The following Key Themes are identified for cyber security operations:
- security
- cyber
- systems
- operations
- data
- network
- intelligence
The rest of the article is a haphazard collection of 'shoulds'.
Not very interesting.
Relevant ISO 27001 clauses/controls:
- [ISO 27001 C 5.3 Organizational roles, responsibilities and authorities](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20C%205.3%20Organizational%20roles,%20responsibilities%20and%20authorities.md)
- [ISO 27001 A 6.1 Internal organization](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%206.1%20Internal%20organization.md)
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
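Review bot: link style is inconsistent within this file: `- [[ISO 27001 C 9.2 Internal audit]]` is a wiki-link while the other three entries are relative markdown links into `../../Standards/ISO27x/legacy/ISO%2027001%202013/...`, so the 9.2 entry will not resolve in renderers without wiki-link support. Also `Retrieved from on January 26, 2022` is missing the source after `from`. Suggest converting the 9.2 entry to the same markdown link form and either supplying the retrieval source or reducing the line to `Retrieved on January 26, 2022`.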


@ -0,0 +1,743 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/does-your-organization-have-cyber-threat-intelligence-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: March 1, 2022
Retrieved from on March 3, 2022
Relevant ISO 27001:2013 clauses/controls:
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
- [ISO 27001 A 16 Information security incident management](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2016%20Information%20security%20incident%20management.md)
- [ISO 27001 A 12.4 Logging and monitoring](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.4%20Logging%20and%20monitoring.md)
- [[ISO 27001 A 13.1.1 Network controls]]
Relevant ISO 27002:2022 clauses/controls:
- [a-5.7-Threat-intelligence](../../Standards/ISO27x/OST/27002/EN/a-5.7-Threat-intelligence.md)
Related:
- [Threat Intelligence](../..//Threat%20Intelligence.md)
## Cyber Threat Intelligence: Ask This;
### TLDR: Ask This;
1. Does your organization have a Cyber Threat Intelligence program and attack monitoring/alert process ?
2. How does your organization share Cyber Threat Intelligence reputation data?
3. What tools does your organization use to receive Cyber Threat Intelligence from other companies?
4. How will you share ratings and Cyber Threat Intelligence information with stakeholders?
5. How is your system used to accurately model your organizations Cyber Threat Intelligence maturity level?
6. What security measures does your organization employ to keep your threat intelligence secure?
7. What Cyber Threat Intelligence sources do you rely on to get information about the issues facing your organization?
8. Who is responsible for implementing a threat intelligence program that integrates across your security technologies, teams, and executive cyber risk decisions?
9. How do you share information Cyber Threat Intelligence between public and private sectors?
10. How does the Cyber Threat Intelligence provider measure performance?
11. Do you utilize a security command center platform to update and manage your firewall and related Cyber Threat Intelligence services?
12. How is Cyber Threat Intelligence incorporated into your security processes?
13. How does your organization evaluate the impact of threat intelligence sharing platforms?
14. How is collaboration of users on managing Cyber Threat Intelligence data supported?
15. Does your organization have a role in verifying the quality of threat intelligence sent or received?
16. Do you have metrics to evaluate the quality of the threat intelligence provider and the information received?
17. Does your organization consolidate threat intelligence data from multiple solutions?
18. How do you aggregate Cyber Threat Intelligence with internal data?
19. What contextual intelligence does the vendor provide to enrich threat and indicator data?
20. Does your organization receive regular intelligence from the Chief Information Officer/Head of Security on who may be targeting your organization, methods and motivations?
21. What data sources corroborate threat intelligence to ensure accuracy?
22. Is the threat intelligence updated when new information is learned or knowledge changes?
23. Does your organization have a formal threat hunting program with assigned staff?
24. How does your organization integrate relevant and actionable intelligence into security operations?
25. What vulnerabilities are being researched by cyber threat actors?
26. What personnel controls does your organization have in place when conducting security clearances, background checks?
27. Does your organization have cyber insurance and which incidents are covered?
28. How does your organization allocate staff for your information security function?
29. Do you store knowledge of assets affected and exploits used along with the relevant threat intelligence indicators involved?
30. What kind(s) of data does your security organization collect and analyze?
31. Who has the authority to release cyber defence related information to external partners?
32. Do you correlate internal activity with relevant threat intelligence beyond your perimeter to more quickly identify advanced attacks?
33. What is the value of your organizations information and information flows to potential threat actors?
34. How does your organization determine what pieces of intelligence are relevant to them?
35. How serious does your organization consider the current threats to control system cybersecurity to be?
36. Does the threat intelligence incorporate vulnerability analysis?
37. What exposure does your organizations senior management have into your cybersecurity practices?
38. What percentage of threat intelligence alarms on a weekly basis are false positive?
39. How does the enterprise define the threat environment, in terms of mission and business operations?
40. Does the threat intelligence cover all of the critical digital forensics domains?
41. Does your organization have the human bandwidth available on staff to build the desired capability?
42. Do your email security solutions integrate with your other security tools to seamlessly work across threat vectors and protect against blended attacks?
43. Who within your organization needs what information, and in what formats, to help drive more effective cyber risk management investments?
44. Does your organization have a risk assessment for its information assets?
45. What external digital threat management tasks do you outsource to managed security service providers?
46. How does your response plan match up with your threat intelligence?
47. Which non regulatory approaches do you use to share information on cyber incidents?
48. What is the process to gather and analyze threat and vulnerability information from multiple sources?
## Organized by Key Themes: SECURITY, CYBER, SEARCH, THREAT, DATA, MANAGEMENT, NETWORK, INTELLIGENCE, DEVELOPMENT, INCIDENT:
### SECURITY:
How do you extend your internal security controls to your vendors and help reduce your organizations risk?
Combine cyber threat intelligence with vulnerabilities to simulate relevant threats, evaluate (internal) client incident response (IR) capabilities, help security operations teams prepare for worst-case scenarios. 
How do you collect timely, relevant, and actionable cyber intelligence data?
Lead a team of cyber professionals responsible for infusing collaboration, security meta data and threat intelligence into operational workflows laterally across all technical service functions. 
How will advances in technology (e.g., artificial intelligence, Internet of Things, etc.) or other factors affect the cybersecurity workforce needed in the future?
Interface so that your strategy is involved in security technologies such as automated penetration testing tools, Security Information and Event Management (SIEM), IDS/IPS, Data Loss Prevention (DLP), Proxy, Web Application Firewall (WAF), Endpoint Detection and Response (EDR), Anti-Virus, Sandboxing, network- and host-based firewalls, Threat Intelligence, etc. 
How are you involved in your organizations Cyber Threat Intelligence activities or process?
Manage and grow a best-in-class cyber threat hunt team to compliment the ethical hacking program to aid in proactively identify security risks in systems/applications/networks using cyber threat intelligence to think like an adversary. 
Did the team establishing them understand whether the metrics were achievable?
Oversee that your staff manage all enterprise cyber, data protection, and insider threat programs, including establishing incident response, 24x7 security operations center, and security engineering, architecture and intelligence teams. 
Did your organization include bottom up input in establishing metrics?
Guarantee your personnel is involved in Cybersecurity programs, specifically Enterprise Security Architecture to include reference security architecture creation, security program assessment, security operations, incident response, forensic analysis, threat intelligence, identity and access management, data protection, penetration testing, Web application security testing, vulnerability and risk management. 
What incentives are needed to support proactive measures to strengthen cybersecurity?
Oversee enterprise functions such as the Security Operations Center, technical security design and project management, threat and intelligence analysis and management, and executive support and protection. 
What is the system support needed to make surrogate use seamless and minimally intrusive for a user?
Develop and maintain requirements and standards for capabilities that support security operations, threat detection, intelligence and incident response functions. 
How will you know if an attacker got any kind of unauthenticated access to the system?
Make headway so that your workforce conducts research regarding the security of critical infrastructures, particularly using advanced AI based cyber threat intelligence systems for attack mitigation in industrial environments. 
When conducting a security risk assessment, what does your security risk assessment include?
Lead a team of you and Offshore information security professionals to conduct security assessments, incident response/forensics, security architecture to include cloud, threat intelligence and third party security capabilities. 
### CYBER:
What sources does the team use to determine when a compromise has occurred?
Lead the teams to provide cyber threat intelligence expertise to support the major incident response activities that can occur through insight on threat actors and tradecraft. 
Which best reflects the maturity of your SOC in addressing emerging threats?
Liaison so that your design is providing intelligence support, expert knowledge and insight into compliance, cyber hunt, incident response, risk and vulnerability assessment, and emerging cyber threat requirements. 
Do the threat actors pose an indirect risk, as attacks on the enterprise supply chain?
Perform cyber threat analysis and reporting on information from both internal and external sources and appropriately apply gathered cyber threat intelligence to defending the enterprise network. 
Which standards or frameworks is your CTI information adhering to?
Analyze cyber threat data and synthesize the analysis with cyber threats impacting your organization; identify, escalate, and fill intelligence gaps. 
What roles, responsibilities, and business processes are assumed to be present?
Conduct multi intelligence, all source analysis and cyber threat intelligence on past, present, and future cyber threats to network systems. 
Why is it so difficult for the system to identify whether the anomaly has to be classified as good or bad?
Confirm that your operation is building, leading, mentoring, and supporting teams of incident responders and cyber threat intelligence analysts who specialize in the prevention, detection, response, and recovery of cyber incidents. 
How can attack attribution play a role in deterring cyber attacks?
Make sure your process is involved in Cyber Threat Intelligence principles to include indicators of compromise (IOC) types, indicator pivoting and indicator attribution strength. 
How do you keep and grow your cybersecurity staff?
Ensure you leverage the latest technologies including an array of deployment and management tools as well as several cyber threat intelligence networks to keep your systems running smoothly around the clock. 
Should large companies sever business ties with mid size and small vendors and suppliers in favor of others that in reality may be no more cyber secure?
Confirm that your company performs research and analysis of APT infrastructure and malicious binaries, external cyber threat intelligence reporting and production. 
Does your threat hunting system currently generate automated alerts and perform pattern matching?
Integrate Cyber Threat Intelligence to inform (internal) customer on newly discovered threats and vulnerabilities associated with the technologies used in the enterprise for the purpose of developing hunt analytics. 
### RESEARCH:
What is threat intelligence, and how does it differ from antivirus research, and security research?
Make headway so that your staff is involved in cyber threat intelligence, security research, security operations, and/or incident response. 
What are the known, unpatched, vulnerable hardware on your organizations production networks for which exploits are publicly available?
Liaison so that your strategy is performing threat intelligence research into current trends, vulnerabilities, and exploits. 
What technical problems did the research team encounter by trying to share CTI information?
Research and propose strategic research directions for threat intelligence based on signals from the threat landscape. 
Do you have an incident response plan to react to an attack and mitigate exposure?
Research emerging threat actors and threat scenarios and aligned testing approaches to detect and mitigate those threats. 
How useful have the research results proven as measured by implementation to improve the security of your computing and networking environments?
Establish that your strategy research and design integration solutions by documenting individual modules and/or components to account for the function, responsibility, and execution per business requirements. 
How long does it take to detect the intrusion after the attackers first gain access?
Ensure your organization researches topics and interview stakeholders to understand communication product requirements; analyzes business problems and helps prescribe communication solutions. 
What preventive action do you take and who are the rising stars in cybersecurity?
Make sure your strategy is showing Respect Research issues and incidents with internal teams, business partners and (internal) customers in a collaborative manner that includes professional, honest and transparent communication. 
What vulnerabilities are being researched by cyber threat actors?
Research and train in all aspects of a secure software development lifecycle, from requirements to design to implementation. 
What is threat intelligence, and how does it differ from antivirus research, and security research?
Make sure there is business development capabilities needed to build and grow a new research practice area. 
How useful have the research results proven as measured by implementation to improve the security of your computing and networking environments?
Assure your process is involved in virtual currency transactions, research, and analysis. 
### THREAT:
Do you have systems in place to identify new security vulnerabilities in your technology?
Collaborate with other Threat Analysis team members to identify and design new areas for intelligence collection and storage. 
What are the ideal outcomes of intelligence support to the stakeholder?
Provide threat intelligence support to vulnerability management and incident response teams. 
Who provides support to cyber threats and groups who wish to attack or exploit your organization?
Support incident response and threat hunting activities to include providing intelligence context, analysis support, industry expertise, and recommendations around remediation and countermeasures. 
What are the key functions to support cyber information sharing and analysis?
Assure your strategy support SOC operations, malware analysis and network/endpoint threat hunting teams with actionable intelligence products. 
How do you reduce turnover of your highly skilled security and IT professionals and maintain an engaging and innovative culture?
Make sure the Manager, Threat Management works closely with Red team members to plan, coordinate, execute, and report on sophisticated ethical hacking exercises to identify cyber vulnerabilities and reduce the risk posture of enterprise systems. 
How do you get to the point where organizations offer information rather than just consume it?
Hunt for and identify threat actor groups and their techniques, tools and processes utilizing threat intelligence, analysis of anomalous log data and results of collaborative team sessions to detect and eradicate threat actors on the network. 
How can attack attribution play a role in deterring cyber attacks?
Produce and deliver TTP focused intelligence to support defensive activities including threat hunting, Incident Response, attribution workflows and Red Team engagement. 
What venues for cyber defender actions are represented or assumed?
Conduct analysis and research on the latest advanced cyber threats to provide actionable threat intelligence, including adversary indicators of compromise (IOCs), technique, tactics, and procedures (TTPs), behaviors, and trends to help defend the (internal) client agency and larger public and private sectors. 
Have your control system cyber assets and/or control system network ever been infected with malware or purposely breached by internal or external parties?
Participate in hunt missions using threat intelligence tools, analysis of anomalous log data and results of brainstorming sessions to detect and eradicate threat actors on networks. 
What is your process for ensuring that risks identified through your detective controls are remediated?
Check that your strategy contributes to Incident Response activities by providing contextual Threat Intelligence Package related to IOC(s) identified. 
### DATA:
What are the main human rights concerns when dealing with cybersecurity?
Ensure you have applied knowledge across all critical elements and common data types used in threat intelligence analysis, including malware used in targeted adversary campaigns; host and log forensics including methods of data collection and analytic techniques; and network forensics including common protocols and how those are used in adversary operations. 
Which classification techniques are appropriate for authorship analysis?
Secure that your staff is identifying, triaging, and remediating threats based on threat intelligence and active analysis of log data. 
How have employers been involved in your program in the past year?
Be sure your organization is involved in issues around data security and consumer privacy compliance issues. 
Does the information you receive enable your organization to prioritize threats?
Use APIs to create integrations to enable data enrichment and incorporation of threat intelligence sources. 
Are you using existing data effectively to drive your security decisions?
Use business intelligence tools to create reporting and maintain metrics using collected data. 
How do you conceptualize cyber crime?
Analyze information requirements to develop reporting systems including the systems specifications, data gathering and analytical techniques, and systems evaluation methodology. 
What are the front companies or Internet properties supporting any cyber threat?
Warrant that your process is involved in vulnerability scanning tools to include those supporting operation system, web application, database assessments. 
How is an information exchange structured to ensure that it delivers the greatest value?
Work with stakeholders and Product Managers to understand data model and business requirements and translate those requirements into solutions and acceptance criteria that deliver business value. 
What emerging risks in the financial lines space are you most concerned by?
Make sure the team leverages a variety of unconnected data sources to identify fraudulent activity related to emerging trends, fraudster tactics, and anomalous activity. 
### MANAGEMENT:
How can the asset management industry improve its approach to tackling cyber threats?
Integrate internal and external threat intelligence data in SOC functions and tools to improve the efficacy of vulnerability and threat management. 
What knowledge and skills are currently needed in the cybersecurity workforce?
Interface so that your team is involved in incident handling, vulnerability management, hacking tools, intelligence gathering or kill chain methodology. 
How well trained is staff concerning potential attack vectors an active adversary may use?
Make headway so that your personnel is understanding common cybersecurity concepts as vulnerability management, risk management, cybersecurity frameworks (NIST, COBIT), attack vectors, threat intelligence. 
How can security be positioned as an enabler of the established goals of control systems operators?
Make headway so that your team provides overall management support for the contract to ensure all projects are synchronized toward established goals and objectives. 
Who is responsible in your organization to assist in preparing for and responding to a data breach?
Make sure your organization develops and executes continuous process improvement for vulnerability management and risk reduction. 
Do you develop learning methods for learning from adversarial data?
Confer with management staff and other organization personnel to determine program requirements and availability of resources and develop criteria and standards for program evaluation. 
How effectively is your organization communicating metrics, incentives and expectations?
Provide direction and support of operational tools and processes for identifying and communicating vulnerable items for Vulnerability Management Infrastructure (VMI). 
Who at your organization is responsibility for assessing and mitigating breach-related risks?
Proactively support program management of multiple projects and facilitate your organization needs in depth working groups to identify credible threats, relevant vulnerabilities, and assess operational impacts. 
Is your organization committed to developing and maintaining an information security-aware culture?
Be confident that your group is maintaining effective regional cyber crisis management processes and activities. 
Does the alert apply to your organizations information technology assets?
Lead Department management in planning and organizing resources needed to deliver the departments objectives Review and monitor all aspects of shift operations and coordinate closely with counterparts to ensure smooth operations and reliability of the plant functions Ensure all actions are taken for the safe shut-down/start-up of the plant in line with standard operating procedures. 
### NETWORK:
Is there someone in your organization that might understand the risks involved better than you?
Be sure your workforce is involved in host and/or network log analysis as applied to incident response threat hunting. 
Do you store knowledge of assets affected and exploits used along with the relevant threat intelligence indicators involved?
Check that your company is involved in threat hunting on a large, enterprise network both as an individual and leading hunting exercises with other team members. 
Are you required to provide specific consumer protection services as identity theft insurance and/or credit monitoring?
Analyze host and network forensic artifacts and identify patterns and behaviors related to threat actors. 
Who is most responsible for deciding what threat intelligence sources are used?
Be confident that your operation is responsible for securing all information and information systems assets of your organization network infrastructure. 
What types of reports, outputs, data and deliverables should systems and analysts be expected to produce?
Make headway so that your organization monitor several tools and report network incidents and threats in real time. 
Do you determine what kind of data has been compromised/stolen/ made unavailable?
Interface with Dev/QA/OPS teams to identify root cause analysis and re instrument triggers to prevent future network degradation and outages. 
Are roles and responsibilities for information sharing set at your organization?
Guarantee your group is involved in application support, server support, network support or similar skill set. 
Are system owners willing to adjust logging policies to meet SOC needs?
Make sure your strategy analyze network data for trends and anomalies to compare and adjust machine learning models. 
Does your organization check compliance requirements in IT systems?
Develop experience working with monitoring devices, network and host intrusion detection systems, web applications, AV, WAF, Proxy and operating system logs. 
What type of management tools are you using to aggregate, analyze and/or present CTI information?
Guarantee your company is involved in developing and using testing methodology for cloud based and networked systems. 
### INTELLIGENCE:
Do you have a Data Protection Officer that reports at board level?
Develop experience conducting intelligence and network threat analysis to produce statistical reports and analytical products. 
Is asset management integrated into other security and business processes?
Have a strong understanding how enterprise endpoint and network components operationalize Threat Intelligence and adversary detection. 
Is performance data from other equipment leveraged in determining equipment optimization?
Perform threat hunting for suspicious activity based on anomalous activity and indicators of compromise from various intelligence sources and toolsets. 
How do you extend your capabilities?
Incorporate threat intelligence into countermeasures to detect and prevent intrusions and malware infections. 
What would you do if any of the parties involved were the subject of a cyber-attack?
Safeguard that your design is involved in managing and mentoring Business Intelligence development teams. 
Which options help to reduce undesirable consequences of cyber activities?
Establish that your process is providing intelligence analysis in order to identify threats, quantify vulnerabilities, and reduce risk to the client. 
How is your business/organization involved with cybersecurity?
Be certain that your group is involved in program and project management, specifically in the Business Intelligence area. 
Does the intelligence product meet the needs of its intended purpose?
Develop internal relationships with stakeholders to better understand the business needs for varying departments, subs, and affiliates to ensure intelligence collection and reporting meet their requirements to make informed business decisions. 
Who within your organization needs what information, and in what formats, to help drive more effective cyber risk management investments?
Develop experience using intelligence to drive vulnerability management, testing, incident response, investigations, and other digital operations. 
### DEVELOPMENT:
What are the top use cases for your Cyber Threat Intelligence data?
Oversee that your team applies leading edge principles, theories, and concepts while also contributing to the development of new and innovative threat intelligence workflows. 
What are the most serious cyber risks to critical infrastructure?
Make sure the process automation team is responsible for the resolution of automation problems, implementation of process control, data collection techniques, and troubleshooting in compliance with System Development Life Cycle (SDLC), GMP, safety, and environmental regulations. 
Are all the infected systems related to a specific type of user or department?
Be confident that your strategy works with various departments to identify workflow and system integration requirements as they relate to IT system development and deployment. 
How many people work at your organization, either as employees, contractors or consultants?
Be sure your design directs development of program safety measures and implementation of standard workplace safety practices, to mitigate injuries and foster a healthy work environment for staff. 
How is collaboration of users on managing cyber-threat intelligence data supported?
Lead development and monitoring of service level agreement compliance for production support ticket system. 
How is collaboration of users on managing Cyber Threat Intelligence data supported?
Support business case development related to implementation of future HR Service Delivery Model. 
Who are the threats who are interested in buying confidential organizational data?
Certify your group fosters the development of an information sharing culture through direct leadership, expert training and continuous collaboration. 
How well do the metrics drive achievement of organizational objectives?
Support the development and communication of (internal) customer improvement strategies dependent on new services/features to drive financial results. 
Does the tool allow for the creation of customized intelligence reports for management or sharing with other stakeholders?
Manage the development of cybersecurity standards and capabilities. 
### INCIDENT:
How are you involved in your organizations Cyber Threat Intelligence activities or process?
Guarantee your personnel is involved in Endpoint Detection and Response (EDR) tools with a focus in incident investigation and/or threat hunting. 
What reports are provided to your board on cyber events and trends?
Perform trend analysis and develops metrics and reports on intelligence and incidents for management. 
What do you do when off the shelf tools and exploits fall short?
Ensure your design is involved in red/purple teaming, penetration testing, exploitation, incident response (hunt), or blue teaming. 
Is the equipment uniquely identifiable and addressable locally within a network?
Coordinate and work closely with internal and external stakeholders to understand business objectives and advise on mitigation strategies during the incident response work. 
Is the CEO highly technical and thus likes reading full on reverse engineering reports?
Establish that your company is involved in writing clear and concise technical documents, specifically event analysis and incident handling documentation/creating formal incident reports. 
What tools and resources does the team use in handling an incident?
Develop experience conducting your organization needs in depth investigations, digital forensics, and/or incident response handling. 
How is collaboration of users on managing Cyber Threat Intelligence data supported?
Invest in optimizing and auditing content development in support of incident detection and investigation capabilities. 
How will advances in technology (e.g., artificial intelligence, Internet of Things, etc.) or other factors affect the cybersecurity workforce needed in the future?
Provide custom metrics reports including incident category types, tools used, number of indicators, time opened at each step, trending statistics, service availability, system utilization, etc. 
Are your appsec practices prepared to scale with your development practices?
Develop experience conducting incident response activities and seeing incidents through to successful remediation. 
Does your posted privacy policy align with your actual data management practices?
Guarantee your operation performs scoping activities during incident response for incidents escalated from the vertical specific analyst teams.
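Review bot: the second line under each question in this "Organized by Key Themes" section is boilerplate that does not answer the question above it, so the file reads as a mismatched Q/A list rather than a question bank; compare the alert-applicability question followed by "Ensure all actions are taken for the safe shut-down/start-up of the plant in line with standard operating procedures", or the headcount question followed by a workplace-safety paragraph. Either drop the auto-generated second lines and keep the questions only, or state at the top of the section that the paired lines are unrelated filler from the source. The same question, "How is collaboration of users on managing Cyber Threat Intelligence data supported?", also appears three times (twice under DEVELOPMENT, once under INCIDENT) and should be deduplicated, and the theme headings here use `### ` where the other notes in this commit use `## `, so pick one level.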


@ -0,0 +1,117 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/cybersecurity-audit-checklist-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: January 3, 2022
Retrieved from on January 10, 2022
Relevant ISO 27001 clauses/controls:
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A.18.2 Information security reviews](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.18.2%20Information%20security%20reviews.md)
Related:
- [Checklist for auditing GRC](Checklist%20for%20auditing%20GRC.md)
- [Checklist for auditing the ISMS process](Checklist%20for%20auditing%20the%20ISMS%20process.md)
- [External audits](app://obsidian.md/External%20audits)
- [ISO 27001 audit process](app://obsidian.md/ISO%2027001%20audit%20process)
*Basically, what follows is a list of questions that (probably) covers most of the ISO 27001. Can be used as example questions.*
1. Where cloud services are already being used, does your organization have processes for checking performance against agreed security practices?
2. Does the vendor have designated cybersecurity personnel, as a Chief Information Security Officer, and does the vendor require its staff to undergo cybersecurity and data privacy training?
3. What types of cybersecurity policies, plans, and/or protocols does your organization have in place for the control system network to detect, respond to, and/or recover from a cyber incident?
4. How often should your organization conduct tests and what factors should go into determining the frequency of tests?
5. What network safeguards does your organization have in place to continue the delivery of key services during an attack?
6. How much impact would a real time security measurement service have on your confidence of security in moving services and data to a public cloud?
7. What physical security measures, processes, and monitoring capabilities does your organization have in place to prevent unauthorized access to its data centers and infrastructure?
8. Does your organization have or will soon have specialized staff regarding data privacy and and/or cybersecurity issues to complement existing expertise?
9. Does your organization have current information to understand cyber risks and whether its data use could be criticized?
10. What sort of program does your organization have in place to monitor the level and robustness of the administrative privileges that it gives to its employees and executives?
11. How does your organization view the security of public cloud environments to host and deliver its business applications and data assets?
12. What processes and controls does the vendor have in place to ensure that engineers only use the right software for each customer?
13. Do you have any personal or confidential data on your system that a hacker would want and could gain unauthorized access to?
14. How does your organization maximize data security when various employees store and access data on the cloud server?
15. Does the cloud provider have enterprise performance management cloud services that can quickly bring your organization into compliance with your financial processes?
16. Do you use or does someone in your organization use machine learning technologies / techniques with alternative data sets as text, social media, specialist limited access datasets or images?
17. Does your organization have the capacity and capability to analyze security data made available by the cloud provider?
18. Is the cloud provider solvent and reputable, and does it have a credible performance record, especially regarding security and privacy compliance issues?
19. Does your organization have a cyber risk management program and what is being done to ensure it is evolving to keep up with evolving threats?
20. Do you have physical and logical security controls around information systems and databases to avoid unauthorized access and detect/prevent potential data leakage?
21. Does your organization have the right people/ resources to effectively lead cybersecurity and data privacy strategic planning and implementation?
22. Does your organization have confidentiality agreements with any third party service providers with access to your organizations information technology systems?
23. Does your organization have a policy that requires the use of security safeguards as a condition to using certain cloud computing applications?
24. Do you have a comprehensive incident response plan in place to use in the event of a security incident or data breach?
25. Does your organization have backup and recovery capabilities to restore information, if necessary, after a security breach or loss of data due to a ransomware attack?
26. Does your organization have policies and procedures that define criteria for the protection of customer PII data stored?
27. What impact does the diversity of regulations have on the ease of adoption of cybersecurity practices or the ability of industry members to collaborate on cybersecurity issues?
28. Do you have an engaging and effective information security awareness program in place across your organization designed to influence and drive new cyber resilient behaviors?
29. How does the use of cloud applications and/or IT infrastructure services affect your organizations security posture?
30. Does your organization have a comprehensive data management plan that defines goals and policies for the collection, structure, and management of data assets?
31. How does your organization ensure that network operations meet the data regulations and compliance requirements?
32. Does your organization have confidentiality agreements with third party service providers that have access to your information technology systems?
33. Does your organization have any corporate policies, compliance regulations, or legal requirements concerning storing data in the cloud?
34. Do you have assurances that your staff, suppliers, cloud providers, contractors, overseas subsidiaries and partners can be trusted to safely access your critical information and data assets?
35. Is your data being adequately protected by your employees, business partners and third-party vendors who have access to it?
36. Does your organization have a budget for achieving convergence with cybersecurity, functional safety and data privacy?
37. Does the system have auditing capabilities as archived reporting and activity logs to help your organization reduce compliance risk?
38. How frequently does your organization report to executive management on the implementation and effectiveness of your organizations cybersecurity program?
39. Does your organization have a long term plan concerning its cybersecurity strategy, including plans to mitigate any IT system gaps resulting from merger/acquisition activity?
40. How does your organization address the possibility that email or traditional communication channels will be unavailable during a cyber incident?
41. Does your organization have procedures on how to decide if cloud applications using sensitive or confidential information should be allowed?
42. Will cloud based technologies provide broad enough tools to address the full scope of GDPR, or will you have to switch to other capabilities over time?
43. Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process organization data?
44. Does your organization have a governance and risk assessment program for the key areas of your cybersecurity program?
45. Should your organization have a formal chief risk officer and a risk management function to manage the day to day risk management processes?
46. Do you have the staff to support your application interface, IoT hardware, software, data analytics, data comms/aggregation and cybersecurity needs?
47. How does the cloud service provider handle resource democratization and dynamism to best predict proper levels of system availability and performance through normal business fluctuations?
48. Does your organization have coordinated and measurable information security and cybersecurity awareness programs?
49. What types of knowledge or skills does your organization need or value as it builds its cybersecurity workforce?
50. Are employees who have offices or do business in multiple jurisdictions subject to different standards or requirements with respect to cybersecurity, data privacy or business continuity?
51. Does the board/executive management team have a comprehensive understanding of information security to fully evaluate cyber risks and preventive measures?
52. Did your organization have a cybersecurity incident that resulted in a significant disruption to your organizations IT and business processes?
53. Does your business have technologies, processes, and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access?
54. Does your organization have its own business continuity arrangements in place to deal with disruptions caused by cybersecurity incidents?
55. Do you have a unified data management operation that supports efficient governance, compliance and discovery on demand?
56. What type of internal training does your organization provide regarding information security, and are policies and procedures enforced?
57. Does your organization have a testing program to validate the effectiveness of your organizations incident detection processes and controls?
58. Does your organization have an improvement plan in place to ensure exposures are within your agreed-upon risk appetite?
59. Does your cloud security service provider offer other security services beyond DDoS, or does it only mitigate DDoS attacks?
60. Does your organization have appropriately skilled staff or ready access to resources to contain and mitigate cybersecurity incidents?
61. Does your organization have an over arching cybersecurity policy or equivalent which has been signed off by the board, if so, how often is it reviewed by the board?
62. How does your organization ensure safe sharing of confidential or sensitive information with cloud computing vendors?
63. Does your organization have a map with critical physical supply, distribution and service hubs/ nodes and interrelated flows to help you visualize the IT supply chain?
64. Where does your organization permit cloud computing resources to be deployed without vetting or evaluation for security risks?
65. Is your organization planning to approach network security in the cloud in the same manner as it does with its on premise security operations?
66. Does your organization have an independent testing program that includes comprehensive penetration testing of its perimeter network and application security controls?
67. When does a cyber threat become real and tangible enough for your organization to stop being reactionary and dedicate sufficient resources and talent to get ahead of it?
68. Do you know what is in your network that may be end of support or have issues that may compromise the security of your network?
69. Do you have a good sense of progress in terms of best practices and the operations metrics of how securely your organization is using cloud services?
70. How does your organization determine that all appropriate security requirements are met before deploying cloud computing resources?
71. How does the overall security posture for your organizations cloud services compare to your on premises security?
72. What sort of cybersecurity expertise does your organization need and what type of expertise do you already have?
73. Can your cloud defenses provide continuous security assessment policy checks, so organization cloud data storage always requires access credentials or MFA?
74. Do you have the talents and capabilities to feedback data and insights to improve machine learning and decision making?
75. Does your organization have written procedures to ensure that backups of information are conducted, maintained, and tested periodically?
76. Do you have a defined incident response team that has high level participation from all pertinent business functions and has clearly defined roles for response team members?
77. How does your organization ensure that it has a sufficiently robust understanding of future technological developments and scenarios to inform its strategic planning?
78. How does management monitor whether there has been unauthorized access to digital/electronic assets and assess the impact on financial reporting?
79. What do you believe would help make your organizations cybersecurity and data privacy program stronger/more secure?
80. Does the board have regular briefings on the evolving Cybersecurity threat environment and how the Cybersecurity risk management program is adapting?
81. Can the security products correlate user actions and data analysis across multiple cloud services to identify high risk incidents and behavior?
82. Does the accountable officer have sufficient authority to drive your organization and IT culture that builds suitable controls into the business and IT processes?
83. What proprietary and industry standard machine learning algorithms and data science techniques does the technology vendor incorporate?
84. What security measures does the service provider use to protect data, and is there a means to audit the effectiveness of measures?
85. Which challenges has your organization experienced with regard to monitoring the security of applications, workloads, and data residing on cloud infrastructure?
86. Do you have documented policies and procedures demonstrating adherence to data retention periods as per legal, statutory or regulatory compliance requirements?
87. Does your organization have a process for establishing and maintaining security for the system built and operated in the cloud?
88. How does your risk framework align to your business model, customer base, product offerings and jurisdictional footprint?
89. How does your organization ensure effective governance and compliance whilst managing the risks of cloud computing?
90. Who does the most senior person in your organization responsible for information security/cybersecurity report to?
91. How does your internal audit department add value by helping your organization avoid the pitfalls associated with cloud adoption?
92. How does obtaining visibility into network traffic within public cloud environments compare with traffic visibility within your physical data center?
93. Do you believe your internal resources have appropriate skills and knowledge to manage and use cybersecurity technology efficiently?
94. Does your organization have established incident response and event management procedures to quickly detect security events?
95. How is your organization exposed to cyber incidents in the supply chain, and how have suppliers own cybersecurity measures been assessed?
96. What principles have been developed for determining whether the response to a particular cybersecurity incident will involve which authorities?
97. Does your IT team have the necessary skills to oversee the implementation, the security of your approach, and the load balancing between your organizations on premise and cloud presence?
98. Do you have the support systems in place to assist staff working from home, including technology support and appropriate cybersecurity?
99. Does your organization have cybersecurity guidelines that cover production/product risks and the extended enterprise in addition to traditional IT Security?
100. Does your organization have written policies, procedures, or training programs in place pertaining to safeguarding client information?
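Review bot: the provenance line "Retrieved from on January 10, 2022" is missing the retrieval URL (the "from" has no object), so the note cannot be traced back to the page that was actually captured; add the URL or drop "from". The "Relevant ISO 27001 clauses/controls" and "Related" lists also mix three link styles: a `[[ISO 27001 C 9.2 Internal audit]]` wikilink, relative markdown links such as the A.18.2 entry, and two `app://obsidian.md/...` URIs for "External audits" and "ISO 27001 audit process" that resolve only inside an open Obsidian vault. Convert the wikilink and the two `app://` entries to relative markdown links so the note stays navigable when exported. Minor: questions 22 and 32 are the same question (confidentiality agreements with third-party service providers that have access to your IT systems) and one can go.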


@ -0,0 +1,754 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/dlp-technologies-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: March 22, 2022
Retrieved from on March 23, 2022
Relevant ISO 27001:2013 clauses/controls:
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
Relevant ISO 27002:2022 clauses/controls:
- [a-5.7-Threat-intelligence](../../Standards/ISO27x/OST/27002/EN/a-5.7-Threat-intelligence.md)
## DLP Technologies: Ask This;
1. Which tactics does your organization use to ensure that employees comply with your data protection/data loss prevention policies?
2. Which data loss prevention strategies are used to ensure that unauthorized users cannot access information stored in specified fields?
3. Do you have redundant power sources to reduce the risk of data loss in case of interruption of power?
4. Which data loss prevention policies for which services do you need to implement to ensure compliance with industry regulations moving forward?
5. Does your organization have policies in place preventing employees from copying client data to mobile devices, external media, or forwarding it to third party email?
6. Does your organization have effective measures in place to protect against various methods of data loss?
7. When configuring data loss prevention agents, what does the file recovery area location setting determine?
8. Have you implemented a DLP solution to protect data from leakage by users working remotely on high risk processes?
9. Do you have more than one tech savvy person who can manage data recovery from physical media under the extreme pressure of a data loss emergency?
10. Is your cybersecurity team monitoring DLP alerts and investigating the potential loss of sensitive data leaving the network boundary?
11. How does compliance affect your decision to buy or consider a comprehensive data loss prevention product?
12. Have you implemented a cloud DLP solution to protect data from leakage, based on your data classification schema?
13. Does your solution provide DLP support for unstructured data stored in non file formats?
14. Do you have an intrusion detection system to give visibility to potential data security breaches?
15. When inspecting data using DLP policies, is information as user name or file name where the violation occurred stored in your solution?
16. What is the main difference between data loss prevention and other security technologies?
17. How do you prevent sensitive data from leaving your network when employees have access to webmail?
18. Does the DLP solution your organization uses have the ability to integrate with enterprise active directory servers to determine users and build user, role, and business unit policies?
19. Does the DLP solution combine identity and content awareness to protect your sensitive data based on who is accessing it?
20. Can your cloud defenses apply DLP policies to cloud services and app data at rest and in motion?
21. Have you set up data loss prevention policies and/or set applicable restrictions on external file sharing?
22. Do you enforce DLP policies in real time as data is uploaded or shared without impacting end user experience?
23. Is host based data loss prevention in use to limit what content can be transferred to authorized removable media devices?
24. Which aspect of cloud computing serves as the biggest challenge to using DLP to protect data at rest?
25. What are your organizations plans to adopt data security and information risk management technologies?
26. Are data loss prevention tools in place to monitor for inappropriate data sets entering or leaving the network?
27. Which interface provides single sign on access for the purpose of administering Data Loss Prevention servers, managing policies, and remediating incidents?
28. Do you have capability to logically segment and recover data for a specific customer in the case of a failure or data loss?
29. What detection methods do you have to determine if the data has been breached by an outside source?
30. How do you leverage previous resource investments and extend existing on premise data loss prevention policies to the cloud?
31. Which data loss prevention service is responsible for controlling the detection servers?
32. Is it permissible to collect IP addresses, behavioral data, log data, DLP and endpoint data, tracking data, data analytics for security purposes?
33. Do you have stringent policies and procedures in place to reduce exposure of data to unauthorized people?
34. Where is a DLP solution generally installed when utilized for monitoring data in transit?
35. How have you learned about the success or status of your organizations data protection efforts?
36. Will there be any impact on your transactional information or data loss as a result of the change?
37. What is the maximum amount of data loss that can be tolerated after a disruption has occurred?
38. How do you prevent copy/ paste, disable printing and enforce other data loss policies across files?
39. What is your organization doing to take advantage of automation to improve data & information integrity?
40. Which is a way to implement a technical control to mitigate data loss in case of a mobile device theft?
41. Do you have policies in place that regulate or expressly forbid storing PII or confidential data on personal laptops, removable media and/or smartphones?
42. Does the platform provide customer instance isolation, encryption, and data loss prevention?
43. How has the use of cloud resources affected data protection risks within your organization?
44. Do you know any organization that has successfully identified and secured all sensitive data sitting idle on its network?
45. How do you prevent data loss from causing business disruption?
46. Does the DLP solution your organization uses have the ability to integrate with digital rights management client & server?
47. What about data loss that occurs on the users end accidental deletion due to user error or sync malfunctions or malicious deletion from hackers or disgruntled employees?
48. Which controls can be implemented together to prevent data loss in the event of theft of a mobile device storing sensitive information?
**Organized by Key Themes: SECURITY, DATA, MANAGEMENT, RISK, CLOUD, DEVELOPMENT, PROJECT, TECHNOLOGY, SYSTEMS, NETWORK:**
## SECURITY:
Which configuration changes should the administrator make under the advanced server settings to include all cases?
Be sure your group is involved in cloud network security technology (including intrusion monitoring, threat detection and prevention systems, firewalls, and DDoS prevention solutions), data protection technology (including encryption, key management, data loss prevention, and hardware security modules), and/or identity management systems (including directories, access servers, authorization services, and identity provisioning and governance systems).
Does your organization have perimeter scanning/monitoring agreements with managed network services providers?
Develop experience managing security information and event management (SIEM) systems, threat intelligence platforms, security automation and orchestration solutions, intrusion detection and prevention systems (IDS/IPS), file integrity monitoring (FIM), data loss prevention (DLP) and other network and system monitoring tools. 
What impact might it have on the success and trajectory of a reform coalition when your organization initiates coalition activity?
Ensure your strategy covers security technologies such as automated penetration testing tools, Security Information and Event Management (SIEM), IDS/IPS, Data Loss Prevention (DLP), proxies, Web Application Firewalls (WAF), Endpoint Detection and Response (EDR), anti-virus, sandboxing, network- and host-based firewalls, threat intelligence, etc.
Does the DLP solution your organization uses have a quarantine that includes the ability to collect reports into cases?
Optimize threat detection products commonly deployed in corporate and cloud environments, including web proxies, Data Loss Prevention (DLP), Security Information and Event Management (SIEM), advanced email protection, Endpoint Detection and Response (EDR), antivirus, Intrusion Detection/Prevention Systems (IDS/IPS), and other standard industry security technologies.
How do you determine if a system collects PII?
Ensure your personnel use a variety of technologies in their designs, including security information and event management (SIEM), data loss prevention (DLP), intrusion prevention systems (IPS), endpoint detection and response (EDR), cloud access security broker (CASB) and other tools.
Is the IT system or its information used to support any activity which may raise privacy concerns?
Lead application security solutions, data loss prevention solutions, insider threat solutions, enterprise vulnerability management and support business development (merger, acquisition, divestiture) security and IT solutions. 
Is there someone close by to whom the community or public officials can turn for action?
Be certain that your team is involved in intrusion prevention systems (IPS), vulnerability scanning/management, system hardening, security standards, data loss prevention (DLP) solutions, and endpoint detection and response (EDR). 
What compliance monitoring regime is envisaged and what are the implications of noncompliance?
Confirm that your operation is involved in IT security, providing technical support/system administration for large corporate enterprise security tools such as file integrity monitoring software, web application firewalls, cloud access security brokers, file encryption, database activity monitoring, email security, data loss prevention, bot management, fraud detection and host-based next-gen anti-malware/intrusion detection/advanced persistent threat software.
Lead Service Delivery Team in delivering a wide array of cyber security solutions, including vulnerability/penetration testing, web application security, security information and event management (SIEM), file integrity monitoring, data loss prevention, and identity and access management. 
Does your solution allow multiple scans to occur simultaneously on the same scanning server?
Be sure your team is involved in developing your organization's in-depth security architecture standards, frameworks and design patterns across all layers of the cloud, including the server, application, network, and data layers.
## DATA:
Is available control/risk reporting data of sufficient quality to facilitate a full review?
Meet with the business and marketing stakeholders to understand their needs, and work with the team to provide timely and quality solutions. Mentor team members in development, requirements gathering, and software methodologies and process. Construct and deliver long-term plans and estimates. Analyze application data and provide metrics and analysis to management. Present technology and project presentations to upper management for discussion and approvals. Manage multiple initiatives simultaneously. Identify product and project risks, communicate them to the team, and create mitigation plans. Drive continuous improvements leveraging Agile methodologies. Facilitate team communication, team-building exercises, and morale.
Does the agent perform detection locally, avoiding the need to transmit data over the network?
Perform triage of alerts from on-premises and cloud-based security information and event management systems, intrusion detection systems, antivirus, cloud-based services, Windows servers, network infrastructure, data loss prevention systems, user behavior analytics systems and user-submitted security inquiries.
How do you get users and business units involved in the data clean up process?
Ensure your organization is involved in common security controls such as data loss prevention (DLP), multi-factor authentication (MFA), intrusion detection, encryption and mobile application management (MAM).
Develop experience working with SIEM systems, Endpoint Detection and Response (EDR) solutions, threat intelligence platforms, security automation and orchestration solutions, intrusion detection and prevention systems (IDS/IPS), Data Loss Prevention and other network and security monitoring tools. 
How do you protect the data on lost devices and meet regulatory compliance?
Develop experience managing security technologies like Endpoint Detection and Response (EDR), CASB (Cloud Access Security Broker), Mobile Device Management (MDM), and Data Loss Prevention (DLP). 
Do you conduct external audits regularly as prescribed by industry best practices and guidance?
Monitor, detect, and enforce endpoint compliance and security posture including data retention policies and data loss prevention controls in accordance with industry best practices. 
How do you enable the inspection of outbound content for DLP?
Make sure your staff is responsible for the design, deployment, and configuration of endpoint security solutions that enable data security. 
Ensure your operation is involved in cyber technologies such as Data Loss Prevention (DLP), malware detection, User Behavior Analysis (UBA), and Endpoint Detection and Response (EDR) tools.
Have you noticed difference in quality assurance test methods between different parties?
Continue to leverage and enhance User Activity Monitoring (UAM), Data Loss Prevention (DLP), and SIEM technology solutions to address risk as it relates to all aspects of Insider Threat risk. 
Does your organization provide connectivity information per location so that the vendors can determine what type of solution can be supported per location?
Support email security, data loss prevention and other security focused applications. 
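The questions above about where a DLP solution sits for data in transit and how outbound content gets inspected both come down to a content-inspection step on the egress path (mail gateway, web proxy, CASB). As an added example that is not part of the original article, the following Python shows the core of such a check: payment card numbers (PANs) are pattern-matched and then validated with the Luhn checksum, so a 16-digit order reference that fails the checksum is not flagged, US SSNs are matched with the standard area/group/serial exclusions, matched values are masked before they go into the alert, and a block/quarantine/allow decision is made per message. The sample messages, the `decide` policy and the severity ordering are constructed assumptions for the demonstration, not a real product's rules.

```python
import re
from dataclasses import dataclass

# Constructed sample outbound messages for the demo; none of these are real records.
# 4111 1111 1111 1111 is the well-known Visa test number (passes Luhn);
# 4111-1111-1111-1112 is one digit off (fails Luhn) and must not be flagged.
SAMPLE_MESSAGES = {
    "msg-1": "Customer card for the refund: 4111 1111 1111 1111, exp 12/27.",
    "msg-2": "Order ref 4111-1111-1111-1112 was shipped yesterday.",
    "msg-3": "HR: new hire SSN is 123-45-6789, please set up payroll.",
    "msg-4": "Lunch at noon? Bring the Q3 deck.",
}

# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN in AAA-GG-SSSS form, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    kind: str     # "PAN" or "SSN"
    masked: str   # value as it should appear in the DLP alert
    offset: int   # position in the message, for the analyst


def inspect(text: str) -> list[Finding]:
    """Content inspection: regex candidates, then checksum validation for PANs."""
    findings: list[Finding] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("PAN", mask(digits), m.start()))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("SSN", mask(m.group().replace("-", "")), m.start()))
    return findings


def decide(findings: list[Finding]) -> str:
    """Assumed policy for the demo: any PAN blocks, an SSN alone quarantines, else allow."""
    kinds = {f.kind for f in findings}
    if "PAN" in kinds:
        return "block"
    if "SSN" in kinds:
        return "quarantine"
    return "allow"


def scan_all(messages: dict[str, str]) -> dict[str, str]:
    """Run inspection over a batch of outbound messages and return the verdict per message id."""
    return {mid: decide(inspect(body)) for mid, body in messages.items()}


if __name__ == "__main__":
    for mid, body in SAMPLE_MESSAGES.items():
        found = inspect(body)
        print(mid, decide(found), [(f.kind, f.masked) for f in found])
```

Two design points matter in practice. The Luhn step is what keeps false positives down: order numbers, tracking IDs and phone numbers are the same length as card numbers and a regex alone would flag them. Masking before alerting matters because a DLP quarantine or SIEM alert that stores the full value has just created a second copy of the sensitive data, in a system that is usually less protected than the source.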
## MANAGEMENT:
Is your cybersecurity team monitoring DLP alerts and investigating the potential loss of sensitive data leaving the network boundary?
Verify that your design monitors various information security systems, including those for asset inventory, data loss prevention, endpoint protection, security incident and event management, and vulnerability management.
Ensure your group improves data protection, data loss prevention (DLP), and identity and access management technologies and procedures for on-premise and cloud services.
Did you alert the prominent individual that personally identifiable information had been compromised?
Ensure your group is responsible for your organization's network provisioning, circuit design, inventory management, and number procurement activities. Make sure your organization is responsible for the department's standards and procedures and for the design and management of all transport tools and systems supporting the company's transport service delivery.
Invest in reviewing system security monitoring and analysis tools, Identity and Access Management platforms, IT GRC platforms, and DLP systems.
Is there a good vision for how the materials will be accessed by and delivered to researchers?
Proactively assess areas of potential risk or vulnerability and deliver recommendations to the Security and Risk Management Team. 
Are you doing adequate due diligence before contracting with third-party providers, particularly with regard to involving audit departments prior to contractual commitments?
Work closely with other IT team members and end users to provide solutions based on business requirements during all phases of the development and life cycle management process. 
Which jurisdiction will the employees affected by any shared or merged services report to?
Ensure your company performs data discovery, data classification, insider threat management and Data Loss Prevention (DLP) tasks.
Can each user in the workflow be assigned to remediation of a certain set of incidents?
Migrate on-premises workloads to the cloud (AWS/Azure). Monitor applications and infrastructure and identify opportunities to improve performance. Work with developers and quality analysts to drive issues to resolution during application instability. Identify weaknesses and drive improvements. Maintain and implement change management control procedures and processes for production, UAT and releases.
Who is responsible internally for the protection and security of that critical information?
Confirm that your personnel are responsible for data loss prevention focused on compliance, data management rights, and data visibility.
Make sure your strategy is involved in risk analysis and the implementation of vulnerability management programs and related tools and systems. 
## RISK:
What is the minimum number of DLP policies and rules you must create to meet the requirements?
Identify and define data loss prevention classifications and work with business to classify all artifacts into specific categories, based on security and risk solutions that meet business needs. 
Which is an advantage of using group policy to redirect users' local folders to networked drives with regard to data loss prevention?
Be confident that your team leads strategic infrastructure and security planning to achieve business goals, prioritizing keep-the-lights-on efforts alongside newer enterprise system implementations and coordinating the evaluation, deployment and management of current and future infrastructure and security technologies using a risk-based assessment methodology.
How does your organization identify relevant best practices regarding cybersecurity for its business model?
Operationalize the establishment and maintenance of internal control processes and practices that help ensure the enterprise security risk management program remains current and aligns with industry standards and practices, including SOC 1, SOC 2, and ISO 2700x.
How do you build the database architecture in order to meet the requirements?
Ensure your company works independently or as a member of cross-functional teams on initiatives to meet enterprise security and information risk management goals and objectives.
Will the deployment be applied to all of the traffic of data in use, or in motion, or at rest?
Develop experience working with Data Loss Prevention (DLP), insider threat detection and response, Cloud Access Security Brokers (CASB), SIEM solutions, and User Behavior Analytics (UBA) to address risk as it relates to insider threat, sensitive data exfiltration, identity and access management, and/or fraud.
How do you manage outages and downtime?
Ensure the Security Risk Management Analyst supports the day-to-day execution of governance, risk management, and information assurance processes and initiatives, with a focus on supporting formal audit and compliance activities.
How long does it typically take your organization to mitigate and stop an insider attack?
Collaborate with Security, Engineering and Data teams to incorporate strong security controls, apply security best practices in your development life cycle, and mitigate risks and security vulnerabilities.
Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
Create requirements for evolving Data Loss Prevention: DLP risks, DLP technical controls, DLP technologies, and security best practices, in conjunction with security architecture.
Which individual in your organization should complete the self assessment for the specified contract?
Make sure the Information Security Cyber Assessment Team's objective is to ensure that your organization can effectively assess cyber threats and risks against your organization.
Be confident that your operation works closely with the Vendor Management Office and supports the implementation and administration of a vendor security risk management program, including assisting in performing vendor audits and assessments and monitoring related corrective action plans.
## CLOUD:
Are security components identified during each phase of the software development lifecycle?
Ensure your strategy includes implementing security controls, including access control, privileged access management, data security, network security, data loss prevention, cloud security, vulnerability management, configuration management, privacy, and audits.
Are there any administrative, regulatory, or bureaucratic barriers at your organization that inhibit your ability to secure your organization's networks and web applications?
Be sure your staff designs a converged DLP strategy addressing on-prem and cloud web access governance and data loss prevention use cases, providing granular access control while still enabling the business to collaborate externally and increasing employee engagement with social media.
How do you receive support for your implementation efforts or on behalf of your customer?
Be responsible for assessing tools and technology that support access, crypto, data loss prevention, and cloud solutions. 
Where in the application development lifecycle does your organization build in security features?
Develop experience leading in high-stress environments and with existing data protection infrastructure, including cloud DLP.
How can non sensitive information be communicated to outsiders without creating covert channels?
Ensure you are creating an innovative, highly skilled, results oriented technology team with a deep commitment to building and implementing advanced network and cloud architectures. 
How the security gap is filled using the DLP technology compared to previous techniques?
Ensure your workforce is involved in developing server/(internal) client architecture using hybrid cloud environments.
How do you protect data without impeding employee productivity or overloading your IT staff?
Ensure your staff is involved in developing cloud-native applications in AWS/Azure.
Do you feel ready to apply a variety of advocacy tools to develop your advocacy strategy?
Develop experience working with large, complex information systems and managing Cloud Operations at scale.
Ensure your group is involved in native cloud DLP (GCP/AWS/Azure) or encryption solutions.
Certify your organization is involved in Agile and cloud technologies, including Continuous Integration/Deployment (CI/CD).
## DEVELOPMENT:
How do you assure data isolation in a multi tenant environment?
Make sure your strategy analyzes business impact and exposure based on emerging security threats, vulnerabilities, and risks and contributes to the development and maintenance of information security architecture. 
Do you conduct network layer vulnerability scans regularly as prescribed by industry best practices?
Certify your group supports the development of coding standards and adheres to best practices and security guidelines. 
Does the DLP solution your organization uses provide the ability to delegate role based user administration by scope?
Operationalize the development of use cases to automate and orchestrate security or business tasks.
Are there any sectors or industries which you think are leading the way in how to approach the issue of latent errors?
Verify that your personnel assist the IT Leadership Team and project leaders/managers in the development of feasibility analyses, task/environment studies, requirements definitions, system conceptualization and cost-benefit studies, and develop the general design of a system in accordance with specifications.
How do you leverage previous resource investments and extend existing on-premises data loss prevention policies to the cloud?
Ensure your workforce contributes to the development of Early Warning security policy and procedures.
Ensure your staff partners with the project management team to plan and coordinate project development activities across multiple teams.
Make sure your team is involved in leading teams in the design and development of full stack solutions. 
Are data loss prevention tools in place to monitor for inappropriate data sets entering or leaving the network?
Manage the Scrum process and work closely with business analysts and the development team to plan product releases and resolve issues.
What are the primary features you would want in a DLP product, regardless of your current deployment plans?
Develop the detailed Project Management Plan for the enhancement, business process re-engineering or development effort.
Lead security engineers with development of workflow automations, analytics, and visualizations. 
## PROJECT:
Can your system provide custom report filtering across different variables and attributes?
Make sure the Information Security Analyst participates in projects and works with business units to provide requirements on implementation of controls. 
How do you manage application security?
Conduct or support vendor security and risk assessments, providing recommendations to mitigate risks, and manage the resulting corrective action plans and projects.
Is there a written safety plan, or behavioural contract in place which you are aware of?
Facilitate and participate in the delivery process for project deliverables including Project Plan, Business and Functional Requirements, Analysis and Design, QA, End User Testing, and Product Management deliverables. 
Does the DLP solution your organization uses have a quarantine that includes the ability to redact and/or highlight sensitive information?
Secure full brand cohesiveness on- and off-board. Effectively communicate research findings, conceptual ideas, detailed design, and design rationale both verbally and visually. Participate as a contributor to an interdisciplinary team that includes other designers, project management, business and brand strategists, and hardware and software developers.
How is SOX compliance achieved if in-scope systems are deployed in the cloud provider environment?
Ensure your group is responsible for tracking project milestones, anticipating risks and issues, proactively mitigating risk and making recommendations to business and IT leadership to achieve successful outcomes.
Does your solution target specific cloud folders for DLP scanning, and/or exclude folders from scanning?
Interface with cross functional teams to progress security projects and initiatives. 
How do you reduce the risk of data loss?
Confirm that your design defines project requirements, quality standards and timelines; determines and evaluates risks that may affect the project; defines specific activities to be performed to produce project deliverables; evaluates deliverables and ensures the project is ready to move on to its next phase; addresses any problems found in testing/piloting; ensures scheduled time frames are met; provides regular progress reports; determines and allocates resources and participates in budget planning; determines and evaluates testing and/or pilot programs and/or the project; oversees the implementation schedule; manages and processes.
Ensure your workforce leads a diverse IT project team comprising engineers with expertise in different subject-matter areas, architects, cloud strategists, and project managers, from initiation to production implementation, tracking project details to ensure expected results are achieved.
Which network monitor configuration changes should be implemented to reduce the number of packets that are discarded?
Ensure your team is accountable for managing the project's scope and for gaining agreement and approval of scope changes with (internal) customer representatives and affected stakeholders.
Certify your process is involved in technical project management discipline and techniques. 
## TECHNOLOGY:
Check that your staff is involved in technology solutions and tools used in data management and analytics. 
How do you determine that the security controls implemented are still enforced?
Review (internal) customer information with the technology team and implement technical initiatives for highly complex projects impacting multiple lines of business or across the enterprise. 
How do you know if the online data protection suite is working?
Ensure your design advises project teams and proposes solutions for complex and/or technical information governance and/or information technology issues.
Ensure your team collaborates with internal and external teams to deliver technology solutions for business needs.
Ensure your company partners with Business System Technology Architects to support strategic development and execution.
Does your architecture support remote sites and network users distributed across many different locations?
Be sure your organization is involved in distributed cloud systems technology (AWS required).
How do you drive innovation while mitigating risk, ensuring continuous compliance & maintaining security?
Collaborate with technology and process engineering teams to design best in class (internal) customer experiences while mitigating privacy risks. 
What is the expected server load in terms of generated flows from information exchanges?
Proactively manages changes in the industry, information technology governance and external risk compliance landscape. 
Did the plan consider opportunities for development within the context of the green infrastructure network?
Aid in the development and execution of Technology Finance and organization wide strategic initiatives, via specialized project work and/or project. 
How do you reconstruct the chain of custody for the data and how it was protected in the time frame, if the auditor wants that?
Lead or participate in managing and supporting the delivery of technology products and services of high profile business unit (internal) clients and operationalize large scale solutions planning related to Technology Business Services. 
## SYSTEMS:
Develop experience monitoring Content Filtering services to ensure availability and integration with other technical controls, services and components, such as firewalls, Data Loss Prevention, Advanced Persistent Threat Systems, email platform, incident response and/or Internet Services. 
How do you understand DLP provision in the contract?
Understand Data Protection Options including Data Loss Prevention and Encryption strategy for systems and applications. 
When a compliance issue hits, do you quickly and accurately gather the requested information?
Ensure your process provides technical guidance and support to other systems analysts, and analyzes business cases in terms of the business environment, technical infrastructure, system capacity and business response time expectations when proposing solutions.
How do you protect business data in your own data center or in the cloud with no downtime, outages or data loss?
Be sure your organization performs the duties necessary to establish practices and system configurations that ensure the safety of information systems assets and protect information systems from intentional or inadvertent access or destruction.
Which command will you use to display all the disk groups that are currently imported on the system?
Be sure your team is familiar with Windows file system and registry functions or *NIX operating systems and command-line tools.
Work with Business Systems Analysts or work directly with users to gather information regarding requirements and specifications for the application.
Ensure your design sets procedures and guidelines to ensure that all information systems are functional, secure, and safeguarded throughout your organization.
Does the DLP solution your organization uses provide the ability to prevent the forwarding of secure email?
Ensure your staff responds to outages with prompt and efficient resolution and communicates issues via the proper support channels, and gathers requirements and functional specifications from support teams in order to build monitors and dashboards that provide insight into the health and performance of systems.
Be certain that your organization is involved in cloud environments (AWS required) and Linux containers and orchestration systems (Kubernetes required).
How quickly can the cloud provider restore data from a back up if it suffered a data loss?
Secure that your group interacts with vendor staff in the implementation of new systems and modifications to existing business applications. 
## NETWORK:
Do you allow tenants to opt out of having the data/metadata accessed via inspection technologies?
Be confident that your design covers networking, topology and infrastructure, specifically with IPv6 security requirements.
Is your backup data center backed up regularly and ready to assume primary function at any time?
Be sure your staff researches and recommends network and data communications hardware and software. 
How do you empower your business units to protect data?
Oversee that your team develops and reviews system and network performance results, systems standards, strategies, and workflows. 
How are you identifying and responding to sophisticated attacks targeting your users email?
Check that your group defines solutions that balance network requirements and standards with business needs. 
Are there ways to identify how exposed organizations are before utilizing a DLP program?
Certify your operation is involved in endpoint and network focused forensics, incident response, and threat hunting utilizing both Deep Packet Inspection and NetFlow solutions. 
How do you check that the backup system works every time?
Ensure your strategy covers configuring firewalls, access control lists (ACLs), network IDS/IPS, host IDS/IPS, DLP, etc.
Ensure your design covers local area network and wide area network administration.
Ensure your team is responsible for enabling (internal) customers through networking focused design practices. 
Is pgw looking for the vendor to implement social change and/or develop policy and procedures?
Develop experience crafting/building large scale data centers and IP/MPLS backbone networks. 
How do you prevent sensitive data from leaving your network when employees have access to webmail?
Establish that your team is troubleshooting system level problems in a multi vendor, multi protocol network environment.

Source: [LinkedIn](https://www.linkedin.com/pulse/data-governance-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: March 16, 2022
Retrieved from on March 16, 2022
Relevant ISO 27001 clauses/controls:
## Data Governance: Ask This:
1. Does your organization have a documented information or data governance program that is used across the enterprise?
2. Does your organization have data governance guidelines in place to ensure ongoing data integrity?
3. Does your organization have an established data governance body with well defined roles and responsibilities to support data governance activities?
4. Are data quality risks considered as a priority to your organization and have you cascaded risks to your data governance operational frameworks to reflect priorities?
5. Does your chief privacy officer have the skill sets and authority to coordinate privacy and data governance efforts across your organization and impact client experience?
6. Does your organization have a data governance program in place that meets the demands of the GDPR?
7. Are the data definitions, option sets, and business rules for the new data element consistent with the requirements previously established with organization staff and data governance groups?
8. What formal or informal data governance processes do you have in place to ensure that spatial and business data are available across your organization?
9. Do you have data governance processes in place for preventing poor quality data from entering the system for all of your sources?
10. Which data governance tasks has your organization deployed for the protection of information assets in the file sharing and collaboration environment?
11. Do you have a plan in place to ensure adoption of data governance and new ways of working across your organization?
12. How do you organize a platform of data and information that makes organization wide governance possible?
13. Do you have full leadership commitment to programs that ensure data governance including security and appropriate, legal, and ethical uses of data?
14. What awareness is there of data governance enabling capabilities that have been purchased or developed?
15. How does information management maturity play a role in data governance and governance activities as a whole?
16. Is data governance and quality a small part of the job for many people across your organization who are the closest to the data and understand it in the context of the business?
17. How do data management professionals meet challenges and take full inventory of an enterprise data environment to deliver on data governance initiatives and maximize information utilization?
18. Are data management and quality control being executed according to the information governance framework?
19. How do you ensure that data rules meet corporate governance and security standards to protect against the risk of IP theft?
20. What benefits did your organization achieve as a result of implementing data governance and MDM?
21. Has a data governance and management process been created that supports value based care use case development?
22. What inherent risks exist for your organization considering using a particular chain with regard to data governance and compliance?
23. How does the platform support granular security and data governance when data is queried in bi tools?
24. Does your organization dedicate a full time individual to oversee data governance and data management?
25. How clear is the companies data governance initiatives and who in your organization is involved?
26. Which data management practices can best support your organizations data governance policies?
27. What data governance policies will need to be in place for classifying data; defining its relevance; and storing, analyzing, and accessing it?
28. Are you part of a regulated industry or are there professional data standards that will make compliance and data governance your highest priority?
29. Does the description of the data governance system provide sufficient background to the requirements for achieving an enabling environment?
30. How do you ensure data governance and security at each stage of the data management including ingestion, storage, preparation and ongoing analysis?
31. How do you make privacy and data governance a competitive business advantage?
32. How easy to understand is your organizations data governance strategy in support of the data warehouse?
33. How does the board consider and agree on data governance priorities and policies for your organization?
34. How will data governance ensure that ethical concerns are considered, heard, and addressed throughout each project?
35. How do data governance and control factor into your organizations cloud decision making process?
36. How can information governance capabilities transform your readiness, providing a framework for personal data management?
37. What governance structure is in place to define data requirements for accuracy, timeliness, and completeness?
38. Do your analytic tools enable the seamless integration of data governance polices, while allowing for sensitive personal information to be anonymized and protected?
39. Are you defining and automating master data governance in relation to your business processes?
40. Does the repository have appropriate expertise to address technical data and metadata quality and ensure that sufficient information is available for end users to make quality related evaluations?
41. Do data governance policies and processes make visibility simpler, easier, and more accessible throughout the enterprise?
42. What data governance policies need to be in place for classifying, storing, analyzing, and accessing data?
43. Is your IT strategy aligned to the business strategy and governed by an IT/data governance steering committee?
44. How do you design tomorrows data governance to maximize business agility?
45. Does an implementation plan need to include the selection and implementation of a data governance group?
46. How do you define policies that support specific data governance needs at your organization?
47. How do you improve the data quality and data governance processes?
48. Does your data governance plan include policies that can help you safely harness new innovations and data sources?
## Organized by Key Themes: DATA, MANAGEMENT, ARCHITECTURE, PROCESS, SECURITY, LEAD, TEST, SYSTEM, LEARNING, GOVERNANCE:
### DATA:
Have data quality best practices been defined and adopted as official organizational data policies?
Safeguard that your team partners with the data governance and quality operations teams to identify and define new business terms and key performance indications (KPI) relevant to the business group or functional area. 
Is the requested data for a project that supports the goals and mission of your organization and benefits your clients?
Partner with Data governance team to develop a framework for Data Quality Management which includes data quality thresholds and rules, data quality assessment, data quality issues resolution, data monitoring and control that supports business needs. 
How do you secure the future support and availability of technical competencies for your solution?
Secure that your organization partners with the enterprise data governance team to ensure solution adhere to the organizations data principles and guidelines Support in development of a comprehensive credit data warehouse/infrastructure. 
How are you monitoring your assets performance throughout its life cycle and mitigating associated risks?
Be certain that your group is involved in data governance and management processes and applications, including process mapping, metadata, data quality monitoring, and data lineage tool sets. 
Will management provide financial and organizational support for the program over the long term?
Make sure the Manager, Data Governance works multi functionally to support master data efforts across the enterprise by serving as an expert in master data management and related business processes. 
How effective are the supporting departments in anticipating potential issues or decision points?
Make headway so that your staff is responsible for supporting and assisting in establishing the vision and execution of the system data and analytics data governance strategy by researching and documenting data policies and standards, developing and populating metadata artifacts, maturing data quality initiatives, and supporting the activation of data stewardship. 
Why have platforms become the dominant mode of organization and imagination in the digital society?
Confirm that your process is responsible for developing strategies, governance, architectures, and technologies that support modern, cloud-based, foundational, data management and data analytic, and artificial intelligence and machine learning (AI/ML) capabilities and ensures a holistic, enterprise approach is taken that enables the FDIC and IT organization to become more agile, innovative, and responsive to business needs. 
How does the decoupling scenario for production orders in combination with a product cost collector work?
Make headway so that your workforce collaborates with partners across your organization in developing and maintaining the data governance and data quality structures ensuring a balance among business need, quality, risk, and cost. 
Does your roadmap plan allow for alternative approaches to instantiating the big data environment?
Partner with key stakeholders to develop, communicate, and own a unified strategy and business plan articulating the expected business outcomes and required inclusive of an execution roadmap (near and long term), enterprise data governance strategy, data security, advanced AI strategies and data integration. 
Do you monitor and quantify the types, volumes, and impacts on all information security incidents?
Collaborate on the development of a long term enterprise data governance implementation roadmap to ensure continued delivery of business value. 
### MANAGEMENT:
Do you know what are the data liability risks and what are the data accountability and ownership practices?
Liaison so that your organization is involved in data management and data governance practices and processes at scale. 
Who are the people, advisors and stakeholders involved in the value proposition and its maintenance?
Secure that your staff is involved in data governance and Metadata management tools. 
Is it developing and maintaining constructive relationships with customers, vendors and others?
Establish that your process is developing and implementing a data governance model for digital data management. 
What is the benefit of getting involved for each of the intended organizations or individuals?
Make headway so that your group is involved in Data Management and Data Governance. 
How do you control, manage, and source big data and big data infrastructure services?
Lead data management and analysis to produce procurement and supply chain key performance indicators. 
How do you confirm that data has been sourced according to best practices?
Warrant that your staff is understanding and promoting data governance, data reuse and good data management practices. 
Are your research and development activities focused on meeting emerging client requirements?
Develop experience maturing and managing a Configuration Management Data Base (CMDB). 
What is the path forward to improve month end financial consolidation and management reporting?
Ensure strong data management skills to develop appropriate analytics and reporting. 
What are the stakeholders different motivations for being involved in or opposing the project?
Make headway so that your process is involved in leading strategy development and Project management with priority. 
How do you know if changes to your policies, procedures or protocols have improved patient outcomes?
Produce expected results locally in line with Corporate standards through improved processes, visibility to performance, data governance, and exception management. 
### ARCHITECTURE:
Has a data governance and management process been created that supports value based care use case development?
Make sure the data architect should support identifying and capturing the different data security classification and related access controls and ensure that architecture supports compliance with (internal) customer and regulatory data governance and protection policies like GDPR. 
What benefits did your organization achieve as a result of implementing data governance and MDM?
Be sure your staff is creating alignment to achieve process driven end to end business architecture. 
How will you manage the data, access and regulatory requirements associated with the automation program?
Manage integration of solution(s) into enterprise technical architecture and business environment. 
How to deal with governance challenges related to procurement, contracting, supervision, transparency, corruption, where several actors are involved?
Make headway so that your design is involved in architecture practice and methodologies. 
What technical architectural strategies do you use over time to maximize scalability, availability and throughput while reducing and / or minimizing infrastructure costs?
Utilize cost/benefit models with mapping architecture to business KPIs. 
How do you use data in your work?
Assure your process follows architecture standards. 
Are meetings effectively focusing key decision makers on problem solving, and are formats efficient?
Assure your staff is creating connectivity architecture using MuleSoft API. 
How do you maintain data governance?
Establish and maintain architecture standards, processes and constraints across your organization. 
Should the em have more granularity and refinement of business rules that your organization currently requires?
Work with Principal Development Consultants to refine development and architecture skills. 
Is your IT strategy aligned to the business strategy and governed by an IT/data governance steering committee?
Ensure you are able to converse work with architecture/technical teams to steer direction/solutions. 
### PROCESS:
How clear is the companies data governance initiatives and who in your organization is involved?
Be confident that your staff is involved in data governance processes for data development. 
Is there a single point of contact or a workflow for ensuring data accuracy and completeness?
Develop experience ensuring data quality and implementing data governance processes. 
What capacity do the people available to support the assessment have in terms of time and technical skills?
Safeguard that your team conducts process analysis and performance reporting in support of internal (internal) client needs. 
What methodological approach should be used for analysing and designing data governance systems?
Ensure your staff is involved in documenting processes, developing training materials deliver approach and business case. 
Are tools only acquired after requirements have been analyzed, or are major purchases sometimes made to use up year end money?
Oversee that your staff has end to end business process thinking. 
How do you support the effective deployment of innovative data based technologies in infrastructure?
Support definition and utilization of IT governance processes and policies. 
How do you evaluate if clinical handover processes are effective or improving?
Evaluate business gaps and process requirements for users/functions. 
How do you protect personal data from inappropriate access by privileged user credentials as system administrators?
Make sure your process contributes your organization or process perspective during design reviews. 
Is the cloud providers privacy policy consistent with your organizations business requirements?
Guarantee your staff is responsible for partnering with key stakeholders and driving process compliance. 
How do you find the right vision and roadmap to use information to a competitive advantage and support enterprise goals?
Secure that your workforce develops processes to support system wide initiatives and key operational areas. 
### SECURITY:
How do you enable appropriate access to data for your employees and partners, yet protect against threats?
Partner with technology, security, privacy, and business teams on the enterprise strategy for data governance. 
Do you need to appoint a dedicated lead to coordinate and drive your smart organization initiatives?
Plan to create synergies and drive the data governance program with business, security and technical teams. 
Which data management practices can best support your organizations data governance policies?
Invest in the execution of the Information Security Program, Data Governance practices, and Privacy assurance. 
How developed is the toolset that supports data governance activities and how consistently is that toolset utilized?
Support Security Team in investigations. 
Are users made aware of the responsibilities for maintaining a safe and secure working environment?
Ensure your workforce upgrades system by implementing and maintaining security controls. 
Do you have sustainable processes and technology to ensure proper data governance, including line of business data access, data privacy, security and compliance?
Verify that your process determines security violations and inefficiencies by conducting periodic audits. 
How do you decide how leadership roles are filled?
Oversee and lead the implementation of all security solutions. 
How do you find the right vision and roadmap to use information to a competitive advantage and support enterprise goals?
Coordinate and support cybersecurity assessments by external firms. 
What type, frequency, content will reports to data users, sponsors and partner organizations take?
Report any breaches in information security or policies. 
How do you keep track as the data comes in?
Identify security issues and track to closure. 
### LEAD:
Have there been points at which your frequency or type of contributions changed significantly?
Lead and advocates for the building and maintaining data governance, including governance bodies, taxonomy, data quality, and measurement, risk assessment, leading change, and stewardship networks, across the enterprise. 
How do you collect data on a regular basis?
Check that your team partners with business leaders on workforce planning and organizational design efforts. 
What tools and technologies does your organization use to enable data governance and management?
Make headway so that your workforce has leadership in executing plans successfully that enable business capabilities or business priorities. 
What etl tools are in use to manage the transfer of data from sources to the data storage layer?
Be certain that your group works with business leads to define and manage operational readiness. 
How do you securely share information and communicate effectively to move your mission forward?
Develop experience working effectively with business teams and leaders. 
How do you monitor the workflow?
Develop experience leading re organization and uniting teams to work collaboratively. 
How does large scale social production coordinate individual behavior to produce public goods?
Ensure strong leadership skills with involvement managing people in complex business environment. 
How do you find the requirements?
Make sure there is involvement in building productive working relationships with functional and/or business leaders. 
How are your organizations cyber risks communicated to the board, by whom, and with what frequency?
Collaborate with leadership across various disciplines, provide guidance, direction, or recommendations to address a wide range of business needs with an emphasis on optimized, timely and successful delivery. 
Does your employer provide you with the opportunity to work flexibly to any significant level?
Lead and provide technical guidance and mentorship to other team members. 
### TEST:
How does your organization believe the implementation of large IT projects should be evaluated?
Test and monitor data governance controls and procedures to evaluate the ongoing effectiveness of the privacy program. 
Do you have well defined data governance including dedicated roles with tested resources, policies, procedures and monitoring?
Execute test plans to ensure quality delivery using test code and unit tests. 
Are data governance groups involved with determining the processes for collecting the new data?
Ensure your company is involved in implementing Unit Testing. 
How do you decide what data your governance program should address?
Check that your design is preparing and maintaining diagrams, test plans and user guides. 
How do you optimize your IT operating model to deliver the required business capabilities?
Liaison so that your process verifies that all requirements are testable and generates testing objectives. 
Does the description of the data governance system provide sufficient background to the requirements for achieving an enabling environment?
Work with the QA team so they can provide regression testing of the solution. 
Do you understand your data landscape, your most important data initiatives and how to overcome challenges and meet objectives?
Respond promptly to requests from Validation/Test team for documentation or bug fixes. 
Are there any standardised data quality reports or expressions that can be associated with data either directly in database, or as part of metadata?
Guarantee your strategy writes programs, appropriate test artifacts, ad hoc queries, and reports. 
Can a penetration test of the service be performed to ensure that it has been securely deployed?
Make headway so that your company executes test scripts/cases and monitors testing results. 
How do you interpret data for other stakeholders?
Ensure your workforce works with the Analysts to interpret testing needs as requirements are being developed. 
### SYSTEM:
How do you optimize the performance of your building systems?
Ensure your company is involved in data governance, data architecture, data flow and system architecture to optimize the same. 
Who is responsible for addressing biennial review findings and tracking improvement activities?
Review business and technical requirements against system capabilities. 
How do you ensure that data rules meet corporate governance and security standards to protect against the risk of IP theft?
Make sure your design ensures that system and related processes meet all applicable compliance requirements. 
Does the solution track, audit, and report on the changes that impact file systems without native auditing enabled?
Safeguard that your organization maintains technical system documentation, including documentation of technical changes to the system. 
How do you further reinforce a data driven culture via ongoing releases for key capabilities?
Check that your team is conducting UAT (User Acceptance Testing) for various system releases. 
Is the data system/process supporting easy discoverability of the data to all relevant parties/stakeholders?
Certify your operation develops and maintains documentation supporting system and board configurations. 
What are cities doing to build more transparency, accountability and trust in the smart organization agenda?
Certify your company improve the work system and current ways of doing things. 
How do you identify structured data collections?
Proactively works with stakeholders to identify future system opportunities and enhancements. 
Do you have anti malware programs installed on all systems which support your cloud service offerings?
Be sure your workforce determines system access rights and secure information. 
Should there be limits on certain customer data types, collection approaches and uses by businesses?
Be sure your group understands and assesses issues by utilizing a systemic thinking approach. 
### LEARNING:
How do you develop, test and deploy analytical models promising to generate business value?
Develop experience working with Learning and Development data problems. 
How do you inform staff about information/Data Management decisions?
Liaison so that your company is learning organization and governance design. 
How do you determine and measure the outcomes and benefits from improved data governance?
Be confident that your organization is learning Point of Contact (POC) for a line of business supported by GO. 
Which methods allow a customer to assign plan costs more accurately to the different activity types per cost center?
Certify your strategy develops and implements curricula and learning paths for management and employee development. 
Have you determined which applications should move into the big data infrastructure platform?
Safeguard that your team is learning Strategy Operations Manager. 
How do you find the right vision and roadmap to use information to a competitive advantage and support enterprise goals?
Oversee that your design is learning transformation strategy and roadmap development. 
How do you justify the cost of implementing a mobile solution in your organization?
Establish that your team is learning Curation Strategy and Execution. 
How do you monitor data movement and comply with appropriate governance regulations?
Be sure your team is facilitating learning and development through individual and team coaching. 
What is the greatest challenge you have encountered/expect to encounter when trying to govern big data?
Establish that your operation administers the electronic Learning Management and Training Management request system. 
How do customer relationship management systems help organizations achieve customer intimacy?
Create a learning organization to help staff achieve the highest potential. 
### GOVERNANCE:
Will source data be available day one of the project to be modeled and prepped from conversion?
Interface so that your design develops business case and ROI for implementing information governance enterprise wide. 
How do the strategic factors of implementing cloud align with a product master data strategy?
Safeguard that your team works across business units and IT to align governance and business strategies. 
How do you integrate with data governance programs?
Confirm that your operation is involved in organizing governance and building relationships with key executives across your organization. 
How to develop an effective approach to manage, identify and understand integration requirements towards other corporate systems when adopting new SaaS application?
Manage best in class quality and simplification methodology and governance of process management. 
Do you have internal and external risk management programs for ongoing oversight and monitoring?
Check that your personnel is defining governance metrics and monitoring process for analytics. 
How do you find the right vision and roadmap to use information to a competitive advantage and support enterprise goals?
Verify that your company is organizing a governance structure responsible for platform strategic roadmap planning. 
Are there champions from other departments who will use the technology to help drive the change?
Engage with the industry to learn about standard methodologies, gain insightful competitive and regulatory intelligence to help in building excellence in your governance and quality initiatives. 
Do you currently maintain data governance processes for data integration, reporting, analysis, and/or planning?
Operationalize the AI/ML governance strategy as it pertains to overall governance activities and tools. 
How do you engage disparate technologies to locate data and protect it across different environments, while providing appropriate levels of security?
Collaborate cross functionally to develop and implement governance policies, balancing centralized control and standardization with decentralized speed and flexibility. 
What are the critical success factors that enable self service business intelligence success?
Serve as the technical lead to enable the governance tools across the enterprise.
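Review bot: the `Relevant ISO 27001 clauses/controls:` heading near the top of this file has no entries under it, and the `Retrieved from on March 16, 2022` line names no source; either list the clauses this note is meant to support (the next literature note in this commit uses `- [...]` links under the same heading) or drop the empty heading, and reword the retrieval line to `Retrieved on March 16, 2022` since the Source line above already carries the URL. Without a clause mapping the note is only a verbatim copy of a third-party question list, so a one-line statement of which audit or governance control it informs would make it useful to whoever opens it from the Standards folder.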

View file

@ -0,0 +1,714 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/how-iot-applications-deployed-multi-cloud-using-devops-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: March 3, 2022
Retrieved from on March 3, 2022
Relevant ISO 27001 clauses/controls:
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
- [ISO 27001 A.14.2 Security in development and support processes](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.14.2%20Security%20in%20development%20and%20support%20processes.md)
Related:
- [OT Security](../../Information%20Security/OT%20Security.md)
- [DevSecOps and ISO 27k](../../Various/Business%20processes/DevSecOps%20and%20ISO%2027k.md)
## DevOps IoT: Ask This;
1. How are IoT applications deployed to the multi cloud using the DevOps approach in your organization?
2. Where does DevOps introduce more security threats, or does it have a more risk reducing impact?
3. What managed services does your IoT vendor offer?
4. How does DevOps influence Information System development performance in your organization?
5. Does your service provider have a strong vision for services across the IoT value chain?
6. How much security and data privacy does your system require?
7. How do your testing tools evolve to meet the QA needs for applications built on AI and IoT technologies?
8. Do you frequently check your detailed billing, does your app need all the allocated CPUs and RAM, or will it run on less?
9. How does your test data management fit in with DevOps?
10. To what extent have your developers embraced continuous delivery practices and the DevOps culture to increase the effectiveness of the software development and release process?
11. How does the IoT fit into a your digitalization strategy?
12. Does your IoT platform support data sharing and cross tenancy?
13. Does your IoT platform support open APIs and consistent data structures/models?
14. Are your IoT devices capable of being patched and upgraded?
15. For the primary application or service you work on, how often does your organization deploy code to production or release it to end users?
16. Are edge data centers as a solution solution to IoT and advanced analytics needed?
17. Have you developed a strategy for helping your business unit leaders use cloud services without creating security or compliance risks?
18. How do your IoT devices use AI to enhance security?
19. How do you manage releases so that each release has an acceptable level of risk?
20. What assets do you already have and want to exploit in developing your IoT system?
21. Which standards are used for the design, build and support of your IoT devices?
22. Do your IoT initiatives have c level sponsors beyond the CIO?
23. What level of business threat does your organization face?
24. Does the logical model provide enough components for IoT apps deployment?
25. Does the pipeline provide enough components to enable IoT app deployment on multi cloud?
26. Do you need a DevOps team to manage cloud deployments?
27. Where does your strategy for automation in testing get affected in the case of testing software in a regulated environment?
28. What does IoT do to your brand, your products, your customers, and the way you do business?
29. What IoT deployments have transformed your industry?
30. How much business value does your monitoring solution deliver?
31. How are you protecting the DevOps tool chain and processes, which are being given elevated access privileges that can be easily exploited?
32. What does the Line of Business want from IT?
33. Is sensitive and confidential data being used?
34. How does a customer get help at the right technical level?
35. How does the Internet of Things change the role of your testers?
36. Which tools are being used to monitor the applications deployment?
37. What tools are you using to improve security in your software delivery pipeline?
38. Do your IoT devices expose network based remote management functions as snmp or ssh?
39. Which vendor is primarily in the lead to coordinate your IoT Solution development?
40. How do you create the data or the environments today to test use cases?
41. Where does business analytics contribute to business value?
42. Do you have enough raw data with sufficient detail?
43. Given the stronger data privacy laws, how do your QA practices evolve?
44. How long does it take until a system or user is notified to take corrective actions?
45. What data do you want to collect and how do you want to use this data?
46. Where does the work get done?
47. Does your pipeline provide enough components to support multi cloud deployment?
48. How well encrypted will the data be kept and transmitted?
## Organized by Key Themes: ARCHITECTURE, DESIGN, MANAGEMENT, PRODUCT, PROJECT, SECURITY, SYSTEMS, APPLICATIONS, FUTURE, DEVELOP:
### ARCHITECTURE:
What data drives good decisions?
Be close to each team architecture and code to provide adequate cross system solutions to drive your business goals. 
What actually constitutes the setup of an IIoT project?
Make sure the team typically conducts IoT discovery consulting with (internal) customers to lay out the (internal) customer use cases and create overall solution architecture and at the same time, identify what constitutes a POC (Proof of Concept). 
How do your testing tools evolve to meet the QA needs for applications built on AI and IoT technologies?
Evaluate package solutions and participate in selection of solutions to meet business needs and architecture standards. 
Is requirements engineering research delivering what it promised?
Secure that your operation communicates system architecture to technical and business audiences. 
What are the expected roles of manufacturers of IoT devices associated with updates and patches?
Be sure your process is involved in service oriented architecture (SOA) and external integrations. 
How many unique users were involved with the authorization process?
Verify that your group is involved in Microservice Architecture pattern implementations. 
How many unique users were involved with the authorization process?
Confirm that your organization is involved in large scale application modernization including Kubernetes/container architectures and deployment. 
How do you go about delivering complete solutions for your customers?
Interface so that your organization is involved in defining, documenting, and delivering Application Architecture. 
Does the pipeline provide enough components to support DevOps?
Act as a trusted advisor partnering with the (internal) customer on its strategy positioning and end to end architecture on multiple domains. 
### DESIGN:
How do customers get in touch with you for support in the first place?
Make sure your workforce performs Business Process Reengineering (BPR) including assessment of existing business processes (As-Is Assessment), determination of future state (To-Be Assessment and Requirements), BPR gap analysis and assessment, and the general and detailed system design activities needed to support the business systems. 
Is there a clear purpose for the EA defined?
Drive your engineering team to utilize teamwork and collaboration skills with product managers, project managers, key stakeholders, architects and UX designers to define requirements, solutions and risk mitigation plans for project delivery. 
Can the prospects view application delivery logs on the cloud?
Certify your workforce is involved in gathering detailed business requirements, interpreting (internal) customer business needs, and translating needs into technical design requirements with priority. 
Where will you see trends concretely?
Ensure your team monitors architecture and design creation process and reviews the project artifacts. 
How satisfied are customers with the solution and the vendor?
Work with key stakeholders, develop product specifications and design criteria, ensure all (internal) customer requirements are satisfied. 
What criteria should a successful solution for data streaming meet?
Partner with internal application stakeholders, solutions architects, network service managers and market IT leads to define requirements, develop strategy and design network infrastructure and services to meet the needs of the business. 
What is the role and responsibility?
Certify your workforce is developing enterprise level applications and custom design integration solutions (SOA) including major enhancements and interfaces, functions, and features. 
### MANAGEMENT:
How do you audit the data sovereignty at any time?
Encourage collaboration between teams and System and Solution Architects/Engineering. Work with Product and Solution Management, Product Owners, and other stakeholders to help ensure strategy and execution alignment. Improve the flow of value through value streams by improving and assessing the practices. Assist with managing risks and dependencies and addressing critical bottlenecks.
Are stakeholders notified if procedures or instructions change?
Make sure the (internal) customer office manages internal business functions, solution architecture services, security compliance and monitoring capabilities, application-level services, infrastructure capabilities and change management synchronization. 
Which factors might offset the cost of offline access in the hybrid application?
Secure that your workforce collaborates with product management and (internal) customer delivery teams to ensure product requirements are clear on what (internal) customers expect and what the delivery teams should set as the right expectations with the (internal) customers. 
What aspect of securing IoT concerns you the most?
Assure your design keeps the management team apprised of work progress and is proactive in communicating any concerns or opportunities for better project delivery.
Why should organizations implement changes early?
Warrant that your organization is involved in using IT Service Management process and tools for managing incidents, service requests, and configuration changes. 
How to track cloud cost changes?
Follow and use IT Service Management process and tools to manage various components of service delivery including incidents, service requests, IT work orders, and configuration changes. 
Can reduced trust relationships be exploited?
Apply project management standards ensuring obstacles and risks are identified, tracked and escalated and communicates to team members and PM/Manager/Supervisor promptly. 
Where do you start applying DevOps practices in brownfield environments?
Ensure you are able to clearly communicate progress reports, identify critical issues, track them and drive them to resolution. Be able to apply relevant project management methodologies and tools, including Scrum/Agile, to ensure efficiency and quality expectations are met.
How do you perform a network connectivity test?
Assure your personnel have DFSS knowledge and involvement, or statistical test design and analysis knowledge, or critical parameter management knowledge.
### PRODUCT:
Does the project understand its growth?
Interface with business-oriented leaders from enterprise (internal) customers to communicate product and solution value, understand business pain, and ensure that technical solutions address the (internal) customer business problems. 
Does a change break the running software?
Help manage day-to-day operations of multiple work streams for the involvement team. Help understand business needs and bridge the gap between the involvement, product, and dev teams. Ensure alignment across disciplines and run sync and retro meetings.
Is there a communication/reporting strategy of the EA model defined?
Find ways of improving services, systems and code and work with the team to define future product features. 
How many stages can you ideally have in an automated delivery pipeline?
Guide and coach the scrum team on how to use agile practices and principles to deliver quality products and business value. 
What data transmit and receive profiles do you require to support your devices?
Make headway so that your organization acts independently or as member of a highly skilled technical team responsible for resolving production support service level impacting issues. 
Where and how to start with IoT in your organization?
Review and develop technical product strategy with the CTO and leadership team and define key strategic priorities, objectives, goals, action plans, and measures. 
How do you go about delivering complete solutions for your customers?
Work with project managers, on shore/off shore delivery team to deliver product in an Agile, DevOps environment. 
Which network resources can be load balanced?
Work with multiple departments across the business to ensure DevOps processes and technologies are integrated into the entire product lifecycle. 
Does the conceptual model provide enough components for Cloud?
Warrant that your organization is assisting with the plan/strategy to ensure the team is on track for key deliverables, milestones and content is aligned to product scope/goals. 
What face of cloud computing helps to guard against downtime and determines costs?
Confirm that your company communicates the feature or product strategy effectively to key stakeholders and team members. 
### PROJECT:
How many unique users were involved with the authorization process?
Collaborate with Solution and Enterprise Architects, Business Analysts, DBAs and others to understand business requirements. Provide suggestions and guidance to different MI/BI projects, based on best practices, optimal solutions, and project standards. Lead complex discussions and engagements that may involve multiple project teams from the client.
How do improvements improve quality and time to market?
Make sure your staff collaborates with business partners, IS team members, and vendors to support projects and accomplish goals. 
How do you create a serverless function in the cloud?
Oversee that your process is collaborating on and delivering strategy and transformation projects including leading small teams and workstreams, identifying roadblocks, and integrating feedback from (internal) clients and team members. 
How many unique users were involved with the authorization process?
Safeguard that your company is involved in project and solution estimation and team structure definition. 
How are you governing user access to your overall development environment and ensuring a least privileged posture?
Equip the delivery team to use the methodologies and tools you have determined are best for the project while coaching your team members to develop new skills. 
Do you identify as part of a visible or invisible minority in your organization?
Collaborate with the external stakeholders project teams to gather functional and non functional requirements and identify the business requirements. 
Does your IoT platform support open APIs and consistent data structures/models?
Work with regional leadership team members to support (internal) client project requirements across all services. 
How do you recognize an incident?
Gather detailed user requirements, analyze and develop functional and technical specifications, evaluate and develop project cost and benefit estimates, coordinate implementation, create test plans and test scripts, and conduct system and user testing for implementation of application. 
How do your testing tools evolve to meet the QA needs for applications built on AI and IoT technologies?
Make sure the developer understands the business and functional requirements of the projects and develops code to meet those requirements.
### SECURITY:
How do customers rate the relationship between the price and perceived value of the solution?
Engage with functional teams as both advisor and contributing team member to enable building security into complex systems across the entire product lifecycle (from concept through deployment and use), including conducting security reviews and coordinating penetration testing. 
Is implementing the IoT solution financially viable?
Collaborate with business leaders, engineering teams, security teams to gather requirements and translate them into standards with timelines to implement. 
Which is the most important client to back up in the cloud?
Create innovative solutions using concepts such as infrastructure as code, deployment orchestration, and automation that align with security best practices while empowering engineering teams.
Which scalability techniques are you using for stores?
Certify your design tests security solutions using industry standard analysis criteria. 
Are your servers/workstations patched for all critical patches?
Guarantee your operation assigns and monitors work of technical personnel, implements quality control and reviews system functionality to ensure delivery predictability, efficiency, security and maintainability. 
How is the compliance of the development process assessed?
Work with relevant product managers, product architects, and business managers to champion and help deliver and assess security related initiatives. 
Do you need to think about the diversity of who is using your product?
Liaison so that your process provides product security engineering recommendations and resolves integration and testing issues. 
How to ensure that each implementation still behaves as specified?
Establish that your process analyzes new IT solutions and IT-related vendor service offerings, identifies potential security threats, develops approaches that can be used to mitigate identified risks, and works with IT to implement recommendations. 
How many unique users were involved with the authorization process?
Make headway so that your workforce is involved in windows system administration and windows security policies. 
### SYSTEMS:
How do your testing tools evolve to meet the QA needs for applications built on AI and IoT technologies?
Be confident that your team projects typically include problem definition, evaluation of requirements, and implementation of systems to meet business and user requirements. 
What do you find most frustrating or challenging about automating the network?
Certify your team functions as the primary liaison between end users and technical teams. Analyze requests for new or enhanced systems by reviewing documentation and consulting with end users and technical personnel to assess user needs and to determine the feasibility of automating solutions to user problems.
What is the attitude towards sharing vulnerability information within the software ecosystem?
Oversee that your process is involved in microservice-based IoT architecture components including RESTful APIs, gateways, messaging systems and containerization technologies such as Docker.
What characterizes networking in large scale distributed projects?
Liaison so that your team is involved in distributed systems, complex user interfaces or other challenging engineering problems. 
How many unique users were involved with the authorization process?
Establish that your team is involved in Building Automation systems and the BACnet Protocol. 
How many unique users were involved with the authorization process?
Make headway so that your team is involved in RDBMS systems (Specifically PostgreSQL and MySQL). 
What should be the overall strategy for the asset to optimize business objectives?
Create and implement successful and innovative solutions based on (internal) clients business requirements that integrate, run, manage, and optimize (internal) clients key business systems. 
How are quality requirements distributed in a requirements specification?
Safeguard that your team is involved in highly available distributed systems at scale. 
Does each model view follow a clear layout?
Incorporate monitoring of systems and applications to prevent system disruptions and ensure that required Service Level Objectives (SLOs) and Service Level Agreements (SLAs) are met.
Which cloud concept is related to pooling and sharing of resources?
Make sure your personnel supports business process improvements or systems analysis for missions, systems, and fiscal requirements. 
### APPLICATIONS:
How much business value does your monitoring solution deliver?
Interact and work with application and business team members to provide the optimal environment for applications to deliver business functionality. 
Are there success stories supporting the methodology?
Make headway so that your design is working with key business users in testing, training and supporting business applications.
How many stages can you ideally have in an automated delivery pipeline?
Be sure your organization is involved in automated testing of web applications in an agile and continuous delivery environment. 
How can the application features be deployed to the multi cloud using DevOps?
Safeguard that your staff is involved in container based applications and DevOps practices using Kubernetes and Docker. 
How many unique users were involved with the authorization process?
Make headway so that your organization is involved in modern C applications (CI/CD, instrumentation). 
How do you better control costs in software development and sustainment?
Participate in a team oriented environment to develop complex web based applications. 
What are the benefits of using DevOps practices in IM?
Certify your staff is responsible for automation of different applications using Agile methodology. 
What about the development of test cases?
Invest in the creation and maintenance of your organization's requirements and test cases for applications.
Is requirements engineering research delivering what it promised?
Analyze and improve efficiency, scalability and stability of applications while delivering impactful business value. 
Which module is used to run a node application on a web browser?
Develop experience working on applications that leverage Service Oriented Architecture (SOA). 
### FUTURE:
Can the device request confirmation?
Secure that your workforce is involved in defining both business and functional level requirements, user stories/use cases, present state and future state process flows. 
How many unique users were involved with the authorization process?
Make sure the Business Consultant is involved in the strategic planning of an engagement or in helping the (internal) client make decisions about the future IT direction.
Do you intentionally deviate from defined policies?
Assess current state, identify (internal) customer requirements, and define the future state and/or business solution. 
What are the most popular types of processors, operating systems, programming languages, and tools?
Liaison so that your group is assessing business capability maturity and defining future state business operating models. 
Are the EA model elements clearly named?
Plan the work and participate in the Scrum process so you can have good work planned for each sprint and out into the future.
How have service providers taken feedback and incorporated that feedback into offerings?
Warrant that your staff is writing and disseminating after action reports capturing key events, actions taken, and future mitigation plans. 
What is the value of achieving the vision?
Enable solutions that realize iterative value while directionally achieving future state vision. 
Are the goals of the EA model view clearly defined?
Lead and define the architectural definition of your organization's future EHR strategic solution.
How do you support the quality requirements engineering across the portfolio lifecycle?
Ensure you adhere to your brand promise to make the complex simple, the future predictable. 
### DEVELOP:
How do you improve SDO and organizational performance?
Safeguard that your staff works with the team to develop test plans (user story acceptance criteria), accepts each story and potentially features and participates in team demos and retrospectives to validate quality, provide feedback to team and improve team processes. 
Are monitoring and observability the same thing?
Be confident that your operation is involved in DevOps concepts: developing monitoring architecture and implementing monitoring agents and system status dashboards.
How many stages can you ideally have in an automated delivery pipeline?
Oversee that your organization is working with testers and the DevOps team to define and develop innovative end to end automated testing and deployment solutions. 
How do you use AI to achieve a competitive advantage?
Be sure your staff is involved in pricing and packaging: develop strategies for compelling pricing and plan tiers that make sense to (internal) customers and achieve business goals.
How many unique users were involved with the authorization process?
Develop positive relationships with the business and other functions involved in downstream technical solutions and processes. 
Does the visualization provide guidance through visual clues that prompt action?
Verify that your workforce develops effective, defect free source code that meets business requirements and standards. 
What assets do you already have and want to exploit in developing your IoT system?
Develop your organization architecture strategy based on a situational awareness of various business scenarios and motivations. 
How do the levels of controller imbalance influence system performance?
Verify that your process is involved in enterprise account based marketing and developing and executing marketing plans for complex accounts. 
Are there success stories supporting the methodology?
Develop close networks with key (internal) customers, CIOs and CTOs, developing outcome-based solutions and supporting business results.
How do you make your SIM more secure so that it cannot be misused in another device?
Secure that your strategy develops application architecture and blueprints aimed at reflecting enterprise business logic.


@ -0,0 +1,114 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/auditing-governance-risk-compliance-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: January 7, 2022
Retrieved from on January 10, 2022
Relevant ISO 27001 clauses/controls:
- [[MyVault/👩🏼‍⚖️ Standards and Regulations/ISO 27001 2013/ISO 27001 C 9 Performance evaluation]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
Related:
[External audits](../../Sparks/External%20audits.md)
[ISO 27001 audit process](../../Standards/ISO27x/ISO%2027001%20audit%20process.md)
1. Can you assess the impact any pending regulatory change will have on your business including governance, compliance and risk management frameworks?
2. If effective, pan-organization risk management goes beyond compliance and IT risk, what steps should your organization take to ensure early and ongoing GRC success?
3. If your organization chooses a vendor for GRC automation, is your organization more at risk when its compliance data resides in a public or private cloud setting?
4. What are the key principles of Enterprise Risk Management and how does this link to Corporate Governance compliance requirements?
5. Is your organization's approach to governance, risk management and compliance integrated, holistic and organization-wide across all components of strategy, processes, people and technology?
6. What added value can external GRC frameworks bring to your organization's risk management program?
7. Is risk management (culture, process and structures) in your organization connected to corporate strategy, and is it driven from the board and not seen as a compliance exercise?
8. If a substantial portion of the reporting process is handed over to machines, will management judgment be forced to take a back seat in matters of risk management, compliance and overall governance?
9. Have you reached a point where some directors and boards and some governance, compliance and risk management practices have become a hindrance rather than a help?
10. How do you ensure that IT GRC works?
11. Is cybersecurity addressed in your organization's enterprise risk management strategy or your organization's GRC program?
12. What key advantage does a Governance Risk and Compliance framework offer when compared to retaining separate and independent risk control functions?
13. With sophistication / complexities defining GRC programs, is your organization equipped to deal with governance, risk and compliance on its own?
14. A discipline that deserves attention in the GRC domain is the choice of the communication medium. Does the risk report always have to be an Excel matrix or a force ranked hierarchical list?
15. How do you persuade your organization that there is value in bringing in a GRC system when you are talking to business owners who simply see it as a regulatory or compliance requirement?
16. How does compliance with a particular external governance requirement impact organizational risk and value delivery?
17. With what industry standards do your providers comply in terms of its security governance, risk and compliance systems and policies?
18. Since developing an Enterprise Risk Management program, which benefits has your organization realized from the ERM program?
19. Will millennials knuckle down and follow organizational GRC (governance, risk management and compliance) rules that control how and what business-related material is transmitted via text?
20. How have your organization's risk management objectives and activities changed as a result of market turmoil?
21. Are your compliance and risk management governance programs robust enough for this era of heightened regulatory scrutiny?
22. Do your organization's management information systems capture and provide reliable, timely and relevant information sufficient to support effective enterprise risk management?
23. What is your organization's level of integration of processes and technology for governance, risk management and compliance?
24. How can your organization keep data costs contained while still meeting Governance, Risk and Compliance (GRC) objectives such as the 2018 European GDPR regulation?
25. How does your organization ensure that it only conducts business with entities that are not listed on some type of high risk or sanctioned party list?
26. What are your top 10 risks?
27. What do you do to strengthen your data security to enable governance, risk management, retention, Cybersecurity and compliance with privacy regulations?
28. What provisions does your monitoring plan provide regarding partner compliance with any risk mitigation measures established in agreements?
29. Has management adopted an appropriate and cost effective array of risk responses at the activity level of your organization to reduce inherent risks to levels in line with established risk tolerances?
30. Are issues, risks, exceptions/acceptances, and top risks monitored in an issue management system; IT governance, risk, and compliance (IT GRC) tool; and/or risk register?
31. Does your organization have an overall risk framework that addresses the risks your organization is exposed to, how it views those risks, and how it manages them?
32. Is it clear that a review covers all material controls including financial, operational and compliance controls, and risk management systems?
33. Are you confident that there are no gaps in risk coverage and that they have visibility into how issues roll up and impact the strategic mission or business risks?
34. What roles are held within your organization by the primary buyers of Governance, Risk and Compliance (GRC) solutions?
35. Do you need security services that include tracking Governance, Risk Management, and Compliance (GRE/GRC) with controls?
36. Have you added value and reduced risk to your engineering processes through the policies, procedures, and standards adopted in compliance with external governance requirements?
37. How can compliance and IT managers ensure GRC automation processes integrate smoothly with existing organization processes?
38. How do you assess the adequacy of maintenance project management standards, methodologies, and practices? Does your organization have adequate maintenance standards and controls?
39. How can operational risk management principles be leveraged to improve corporate governance, compliance and reputation management?
40. Is the effective management of risk a value add / organizational advantage to your organization?
41. How will this really pay off in the end?
42. How do you improve the audit management process in your organization by documenting artifacts, organizing work papers, and creating audit reports?
43. Has management taken a portfolio view to assure that the selected risk responses have reduced the entity's overall residual risk to a level within the identified risk appetite for the organisation?
44. Do you develop a higher degree of productivity, risk reduction, and compliance through the implementation of changes to your governance solution?
45. What are the highest impact actions that will overtly demonstrate a strong and significant governance, risk and compliance culture?
46. What should be the level of collaboration between your vendors and the BPM organizations risk and compliance function?
47. How confident are you that your governing authority (board or other oversight committees) get adequate information about risk and compliance to use in determining success in achieving objectives?
48. Do you have an effective integrated software solution for managing and reporting compliance, ethics, governance and risk issues?
49. How can your organization address the growing gap between needs and current capabilities when it comes to managing risk and implementing a compliance framework?
50. How concerned is your organization about the level of security or IT risk in adopting technologies or technology initiatives?
51. What percentage of the Data Governance, GRC or Access Control management budget will be allocated for controlling access to unstructured information?
52. Are IT governance, IT risk management and IT compliance managed by a central body within your organization?
53. What are the implications of integrating governance, risk and compliance in Business Intelligence systems on corporate performance management?
54. If data risks are detected, can this risk be managed in an automated way to assure data for compliance and governance?
55. Will your GRC investment enhance functionality and deliver business value?
56. How do you assess the security and integrity of system and application software? Does your organization have adequate quality assurance and testing programs?
57. In what ways is your organization adversely impacted by redundant or inconsistent processes for governance, assurance and/or management of performance, risk and compliance?
58. Is your organization's risk appetite consistent with the risk management philosophy and aligned with business strategy?
59. How well are your organization's policies and objectives on risk and compliance understood throughout your organization?
60. Is any GRC tool required to automate compliance reporting and audit management?
61. What change has there been to the cost of your governance, risk and compliance efforts over the past two years, and what change do you expect over the next two years?
62. What can risk and compliance professionals do to help bridge the gap and inspire everyone in the business to own risk?
63. How do your organization's risk professionals build trust with your peers and other leaders across the business to help them know you are protecting your organization and supporting them in their role?
64. How do you communicate about risk management so that people in your organization are all concerned about the same thing?
65. How are risk management and the design and operation of control activities monitored by those charged with governance?
66. What is the degree of convergence between governance, risk and compliance across entities in your organization?
67. Do you enhance risk management effectiveness using other nontraditional risk data points, for example, with data from external data and information providers?
68. Would you have a single centralized tool, for all your organizations to use?
69. Are more mature results for IT GRC related to better business results, better data protection, and regulatory compliance results?
70. How seriously do you think the challenges of governance, risk and compliance are taken at board level in your organization?
71. Has your organization completed a comprehensive risk assessment that considers regulatory, market, reputational, operational, and technology exposure?
72. If data governance, GRC or access control management is specifically earmarked in the budget, what approximate percentage of the total security budget does it represent?
73. Does a vendor providing the software have sufficient experience, financial stability, and support infrastructure to ensure the success of the software?
74. How do you enable collaboration on GRC across business functions, and instill an effective risk assessment and mitigation discipline?
75. How do you assess the quality of any open source code system documentation? Does your organization have appropriate system design and coding standards?
76. How do you ensure it actually provides the next generation of business process and ROI that would justify the significant risk and costs?
77. Which cross border data transfer governance components maximize in control cloud benefits and reduce the risk of regulatory non compliance?
78. How does your organization effectively account for internal and external network connectivity, and boundaries and functions of security domains in its risk assessment?
79. How does your organization decide whether the benefits of implementing a second generation GRC solution outweigh the cost?
80. Which smart grid focus areas are considered to be top priorities at your organization from a regulatory compliance and governance perspective?
81. If your organization uses enterprise Governance, Risk, and Compliance (eGRC) tools, what benefits or returns has your organization realized?
82. Can GRC be approached systematically, or does it need to be approached at a people and process level first, and automated later when the technology is available to support it?
83. How do other organizations choose the right tools for complex organizational tasks like environmental management or risk management?
84. How are other organizations evaluating the business case for GRC technology enablement to safeguard assets, prevent fraud, enable GRC processes and comply with increasingly complex regulations?
85. Is there a need for greater governance and dialogue within your organization to ensure that compliance with complex issues is achieved?
86. Does the generally high level of confidence that the risk identification process will identify emerging risks suggest that your organization is over confident in processes?
87. How do you rate how well your organization manages all areas of organizational risk exposure (strategic, financial, operational, compliance, reputational, etc.)?
88. Does your organization have appropriate project documentation standards?
89. Should Governance, Risk Management, and Compliance be tackled as one problem, or does your organization have scope creep?
90. What is the relative significance of reputational risk and peer competition in driving compliance with a corporate reporting requirement?
91. What do you consider to be the most significant barriers to greater convergence of governance, risk and compliance at your organization?
92. Does your organization have adequate development standards and controls?
93. How does an integrated approach improve your day to day operations?
94. What benefits or returns has your organization realized from its Governance, Risk, and Compliance tools?
95. Is there a uniform framework to align the various risk specializations regarding governance, risk, and compliance assessments so you can reduce the cost burden on the business?
96. Where does GRC currently fit into the broader concept of your organizations program of self-defense and how do you see it developing going forward?
97. How do you assess your organizations enterprise-wide data storage methodologies. Has your organization appropriately planned its data storage process?
98. What security features, and what kind of HR policies, are you putting in place within your organization to get technology to take off from a GRC perspective?
99. Are your board and senior management knowledgeable about the content and operation of your compliance program and do they oversee and monitor its implementation and effectiveness?
100. Does your organization have a code of conduct, and how does it enforce compliance?
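Review bot: Items 75 and 97 in this file end their first clause with a period where a question mark belongs ("...open source code system documentation. Does your organization..." and "...data storage methodologies. Has your organization..."), and item 65 has a stray space before its question mark ("governance ?"). The possessive "organizations" is also missing its apostrophe in items 63, 96 and 97 ("your organizations risk professionals", "your organizations program of self-defense", "your organizations enterprise-wide data storage"); since these are transcribed from the linked LinkedIn post, consider either fixing them with a note that punctuation was corrected or marking them [sic] so the repository copy is not mistaken for a verbatim quote.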

View file

@ -0,0 +1,757 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/iso-27001-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: March 22, 2022
Retrieved from on March 23, 2022
Relevant ISO 27001:2013 clauses/controls:
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
## ISO 27001: Ask This;
### TLDR: Ask This;
1. How do you increase information security management automation in the context of the ISO 27001 process model?
2. Does organization has an access control policy that shall be established, documented and reviewed based on business and information security requirement?
3. How does your organization place confidence in the actual information security controls of business partners?
4. Do you have agreement with the suppliers about information security requirement for mitigating the risk associated with suppliers access to your organizations assets?
5. What are the minimum protocols of your organization for information security management standards?
6. Has your organization ever asked business partners to implement information security measures?
7. Are information security policies that provide management direction defined and regularly reviewed?
8. Is the security of information and data exchanged within your organization and with any external entity maintained?
9. Does your organization implement security countermeasures required for information system operation?
10. Do you modify your information security controls in response to changes in risk acceptance criteria?
11. Is management able to determine whether security activities delegated to people or implemented by information security are performing as expected?
12. Does top management review the information security management system at planned intervals?
13. Do you modify your information security controls in response to changes in business processes?
14. Do you modify your information security controls in response to changes in business requirements?
15. Is the information security risk assessment process sufficient to identify risks associated with loss of confidentiality, integrity and availability for information within the scope of the ISMS?
16. Has the information security risk treatment plan been implemented and documented information retained?
17. Have you defined and applied an information security risk treatment process to select risk treatment options, determine controls, formulated a treatment plan and including risk owners?
18. Is the information security management system integrated in an existing management system?
19. Are information security risk assessments carried out at planned intervals or when significant changes occur, and is documented information retained?
20. Has information about the information security risk assessment process been documented and is available?
21. Has an information security risk assessment process been established to include risk acceptance criteria?
22. Have you determined internal and external issues that are relevant to your organization as relevant to information security management?
23. Has your organization implemented appropriate measures to protect audit and logging facilities and log data against security attacks?
24. Have you considered external and internal issues, the requirements of interested parties and determined the information security risks and opportunities that need to be addressed?
25. Do you modify your information security controls in response to changes in your levels of risk?
26. Do you modify your information security controls in response to changes in contractual obligations?
27. Do you modify your information security controls in response to changes in legal requirements?
28. Do you modify your information security controls in response to changes in regulatory requirements?
29. Do you retain documented information of the results of the information security risk assessments?
30. Have you defined and applied an information security risk assessment process that establishes risk criteria, identifies risks, analyses risks, evaluates risks?
31. Is there policy for information security that has been reviewed in a planned time interval?
32. Have you planned, implemented and controlled the processes needed to meet all information security system requirements?
33. How can needs be addressed through proper information security management practices?
34. Is there a consistent and effective approach applied to the management of information security events?
35. Has the information security risk assessment process been developed to be repeatable?
36. Does your organization have a policy that distinguishes the need for security professionals?
37. Who is responsible for implementing the continuous monitoring process for individual information systems or common security controls?
38. Does the information system developer create a security test and evaluation plan, implement the plan, and document the results?
39. Are information security events and weaknesses associated with information systems communicated in a manner to allow timely corrective action to be taken?
40. Are information system developers required to implement and document security functional and assurance requirements?
41. What information security risks exist in the environment in which your business operates?
42. Does your organization have the level of security control, you really need or expect?
43. Have you implemented an audit programme, ensured results are reported to management and retained documented information as evidence of the audit program and audit results?
44. Does your organization have a procedure describing how to implement and enforce security policy?
45. Do you ensure your providers adhere to your information security and privacy policies?
46. Has a process for identifying, assessing, and treating information security risks been established?
47. Is the security of organizations information and information processing facilities maintained when corresponding are accessed, processed, communicated to or managed by external parties?
48. Do you provide antimalware training specific to mobile devices as part of your information security awareness training?
## Organized by Key Themes: SECURITY, RISK, MANAGEMENT, DEVELOPMENT, DATA, COMPLIANCE, SYSTEMS, INFORMATION, QUALITY, INDUSTRY:
### SECURITY:
Did the requirements permit updating security requirements as new threats/vulnerabilities are identified and as new technologies are implemented?
Work with the Information Security Risk and Compliance team to support the development and updating of your (internal) clients security policies and standards and ensure the ongoing compliance with both regulatory obligations and internally developed policies and standards that are in alignment with industry standards. 
What attitude changes are needed to cause smes to take a strategic approach to information security?
Make sure the cybersecurity risk management services support the CSO Information Security and Cyber Protection Program by providing a structured approach to integrating risk management and information security into the System Development Lifecycle (SDLC) of IT systems and services. 
Is there a formal process for monitoring, reviewing and regularly updating the programme?
Secure that your organization is responsible for proposing, implementing, and maintaining systems which support information security and compliance measures, including network/server infrastructure, monitoring platforms, collaboration tools, and identity management systems. 
Do the isms objectives compatible with the strategic direction of your organization?
Certify your workforce is supporting the development, documentation and maintenance of policies, procedures, and standards across the organization ranging from Information Security and Data Protection to Quality Management and Environmental. 
What information security risks exist in the environment in which your business operates?
Make sure the information security risk and compliance is responsible for supporting and maintaining the information security program to ensure that information assets and associated information systems are adequately protected in the digital ecosystem in which the client operates. 
Do you follow operational standards or frameworks for managing Information Security/cybersecurity?
Establish that your operation works collaboratively with all team members to collect Quality Management System (QMS) and Information Security Management System (ISMS) input, update existing process, procedures, work instruction and guidance documentation. 
Have security measures been implemented upon receipt or sending of the information or data?
Ensure your operation is responsible for proposing, implementing, and maintaining systems which support information security and data compliance measures. 
Does the pandemic tech solution comply with the values, standard and policies of the project owner?
Warrant that your organization is involved in common Information Security Compliance standards and frameworks as, ISO 27001/2, PCI, SOC 1/2/3, and NIST etc. 
Does your organization have perimeter scanning/monitoring agreements with managed network services providers?
Make sure the security architecture work includes all areas of Information Security such as IAM Authentication/access management, threat management, incident response, forensics, logging, monitoring, application security, data protection, vulnerability management, and configuration management in relation to multiple Cloud Service Providers. 
Have you implemented segregation of duties for tasks that may have security implications?
Oversee that your design plans, implements, and maintains the IT security risk management program capabilities and collaborates with Compliance ERM. 
### RISK:
Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
Support the design of independent technology risk oversight program which defines the engagement and integration with various risk management programs, including Process Risk Self Assessments, Business Continuity Management, New Product Approval, Mergers and Acquisitions etc. 
Do you generate decisions and actions to improve the effectiveness of your organizations ISMS?
Secure that your strategy conducts in-depth inquiry and data analysis to understand complex cyber and technology operations, assess risk based on industry risk profile, and develops project scope for complex and cross-functional process areas, leveraging business knowledge and expertise. 
Does the research plan set out the affiliation of each person involved in the research?
Check that your organization is involved in data governance, vulnerability, DLP, and risk management systems. 
What standards, guidelines, best practices, and tools is your organization using to understand, measure, and manage risk at the management, operational, and technical levels?
Clearly understand the on premises and cloud technology and operational risk to the Information Technology Services organization as well as related laws, regulations, and industry standards, specifically as related to internal and cloud technology solutions. 
Is there any information about possible additional ISMS processes in the other standards?
Be confident that your team follows written legal risk and compliance policies and procedures for business activities. 
Are all program changes and effective dates recorded in a manner which preserves an accurate chronological record of the system?
Warrant that your team is ensuring that relevant information risk and governance policies and objectives are maintained in line with your organizations risk appetite and with changes to organization, legislative, regulatory, group and operational requirements. 
Is key management in place to support your organizations use of cryptographic techniques?
Support GRC solutions as Risk Management, Enterprise Management, Business Continuity Management, Audit Management, Compliance Management, Incident Management, and Vendor Risk Management. 
Does the property topography provide security or reduce the means of attack or access?
Ensure your process oversees and conducts risk assessments and regular audits on information assets, both IT and non-IT, analyze findings, and develops and proposes solutions to mitigate risks; develops, implements, and monitors controls to reduce unacceptable risks. 
Do you have capability to recover data for a specific customer in the case of a failure or data loss?
Confirm that your workforce is participating in vendor management and review processes to ensure key vendors do not expose your organization to unnecessary risk. 
Do you provide antimalware training specific to mobile devices as part of your information security awareness training?
Be part of incident management and risk mitigation processes of your organization to do root cause analysis, report generation and provide mitigation solutions. 
### MANAGEMENT:
Has the information security risk assessment process been developed to be repeatable?
Assure your strategy works closely with all departments to understand their critical operations, analyze business continuity requirements, help them assess key technology and compliance risks and ensure the consistent application of policies and standards across all technology projects, systems, and services including, privacy, risk management, compliance, business continuity management and incident response. 
What measures are included in the standards for the logistics of industrial projects?
Interface so that your staff analyzes trends and changes in threat and compliance environment with respect to organizational risk; advises organization management and develops and executes plans for compliance and mitigation of risk; performs risk and compliance self-assessments, and engages and coordinates third-party risk and compliance assessments. 
Have past employees/ terminated employees been removed from having access to the property?
Be certain that your staff solutions define and deliver innovative compliance and risk management approaches to (internal) customers that help the customer understand how to move sensitive workloads onto the cloud faster. 
How integrated are environmental, quality and other standardized management systems?
Ensure your process maintains network configuration and security integrity through CI management and documented procedures. 
Have qualified staff been assigned to perform external dependency management activities as planned?
Warrant that your organization is understanding or previous involvement working with risk management and compliance frameworks as NIST, ISO 27001, PCI, GDPR, etc. 
Does your organization have the level of security control, you really need or expect?
Make sure your operation develops and oversees effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary business processes have to be outside the corporate perimeter. 
Did your organization require additional resources to implement and run the Toolbox?
Certify your process remains current on PCI DSS industry requirements and shares relevant information with management and applicable business units. 
Are os and antivirus patches also considered under change management/ patch management?
Safeguard that your personnel is documenting Application Access and Change Management procedures to ensure all systems and processes are documented in accordance with internal controls compliance regulations. 
Does your organizations incident management plan and processes include systems in the AWS environment?
Utilize GRC tools to manage list of external authoritative sources, information technology controls, corporate policies and procedures, vendor management system, and risk management workflows. 
Do you modify your information security controls in response to changes in contractual obligations?
Confirm that your organization is involved in Management of Change systems, as process and product validations. 
### DEVELOPMENT:
How do you satisfy yourself that audit quality is always the number one priority?
Be confident that your organization is involved in information system design, including application programming on large scale DBMS and the development of complex software to satisfy design objectives. 
Where nonconformities are identified, has your organization put in place appropriate processes for managing nonconformities and the related corrective actions?
Lend expertise to the product design, development, and engineering teams to ensure development specifications, quality standards and testing requirements are appropriately documented. 
How do you organizations system?
Manage the development and implementation process of a specific organization product involving departmental or cross functional teams focused on the delivery of new or existing products. 
Are rules defining how your organization information is protected at teleworking sites?
Ensure staff development is an ongoing focus of this operation including having team members work with each other to ensure the distribution of skill sets. 
Does the software provider or the user group manage the agenda and contents of the meetings?
Ensure the software development process and the final delivered product adhere to established standards and meet requirements and (internal) customers expectations. 
Has a process for identifying, assessing, and treating information security risks been established?
Ensure your strategy is participating in development of organization cyber scorecards to identify business strengths, weaknesses, and opportunities. 
Which contains references to expected Business Continuity Planning practices that other organizations must implement?
Collaborate with engineering leaders and teams across your organization to advance development of cloud enabled software, CI/CD, and related modern software engineering practices. 
Is there a standard set of tools and/or methods in use to identify vulnerabilities in assets?
Safeguard that your group participates in business planning, new service development, partnership development and other tactical processes and procedures to identify service enhancements. 
Does your organization have a methodology in place for the proper allocation of business resources to invest in, create and maintain IT standards?
Make sure the Cloud Architect is responsible for partnering with key stakeholders, IT and project teams for the overall development and design of robust, scalable, optimized cloud- based platforms and solutions. 
Does management decide on the criteria for accepting risks and the acceptable levels of risks?
Development of your (internal) customers by meeting the needs, including security services and products. 
### DATA:
Who does your organization, its staff and/or customers complain to if there is a privacy breach?
Warrant that your organization coordinates Disaster Recovery, Business Continuity and Incident Response planning to ensure effective protection and recovery of information services, organization data and business operations. 
How do you ensure that generated reports protect privacy?
Work closely with the development and data team members to implement the data model changes and provide validation support on the outgoing data reports. 
How do you obtain assurance over large volumes of sales transactions across the year?
Make sure the CISO directs the management of data; identifies and minimizes data and cyber risks; and proposes and implement solutions, oversees crisis management, third party arrangements and agreements, and compliance efforts relative to applicable data privacy and confidentiality laws and regulations. 
Is it possible for all relevant publicly available information to be analyzed and used for trading purposes in the stock markets?
Assure your personnel is conducting surveys, focus groups, and other accepted techniques for data collection in support of organization studies that specifically assess and analyze current organization states and management systems. 
How do you acquire leadership buy in and guarantee the necessary support for your ISMS objectives?
Make sure the billing analyst (project contract analyst) is responsible for data analysis of an internal portfolio of projects and the aggregation of metrics for ediscovery services; generating invoicing bill points, reports, and customer deliverables in support of the legal technologies sales, project management, and operations teams. 
What are your suggestions to make information security benefits more visible in your organization?
Drive the strategy to let every function in your organization leverage data in making key business decisions. 
Is there management oversight of the performance of the change management activities?
Warrant that your strategy is involved in data governance and retention (Retention policies/tags, data governance reports and dashboards, information holds, managing inactive mailboxes). 
Are users made aware of the responsibilities for maintaining a safe and secure working environment?
Work with Legal and Data Privacy teams to secure and properly process organization data. 
Is the process of documenting and reporting corrective actions formal and traceable?
Be certain that your process is involved in data design and modeling, ETL processing, Enterprise/Web Reporting, Query analysis and development. 
How do you acquire leadership buy in and guarantee the necessary support for your ISMS objectives?
Make sure the delivery of automated performance metrics and reporting that support data driven decision making and IV and V for quality, delivery, and testing organization wide. 
### COMPLIANCE:
How are the skills of personnel involved in conducting assessment activities established?
Establish that your organization is involved in full Governance, Risk Management and Compliance Lifecycle. 
Are there evidence of management commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS?
Safeguard that your operation monitors and enforces appropriate and consistent application of the IT General Control Framework - plans, organizes, and executes control monitoring and testing in a manner that meets reporting deadlines, performs impact assessments when weaknesses are identified, and provides training to various IT and business teams on proper application of IT controls to improve your organizations overall compliance posture. 
Are all the records protected according to identified regulatory, contractual and other requirements?
Interface with the Risk, Certification, and Accreditation team, and Compliance teams to ensure necessary changes reflected in policies to address the risks identified for critical information assets. 
Have you planned, implemented and controlled the processes needed to meet all information security system requirements?
Work with software development teams to build safe and secure public safety and communications SaaS products which modernize and scale in the cloud to meet local, state, overarching, and international compliance standards. 
Is there an effective internal process that ensures that identities are managed lifecycle?
Make headway so that your process ensures accurate identification, communication, and mitigation of risks, processes, and internal control gaps with potential adverse operational, financial, strategic and compliance risk implications. 
Are physical security practices formally governed, documented, maintained, and enforced?
Make sure the cfe regulatory compliance team facilitates adherence to internal and external cfe regulatory requirements and standards through control automation, control monitoring and embedding requirements into modern engineering practices. 
What are the risk management method phases supported by each analyzed software tool?
Identify, research, and evaluate new compliance requirements impacting the audit and assurance practice and analyze impact to your organizations (internal) clients and organization processes, policies and procedures. 
Are the controls, as defined in Annex A, adequate to protect us in the online sphere?
Secure that your group is involved in compliance requirements and industry standards like PCI, HIPAA, ISO 27001, NIST, CSF, ITIL, COBIT, Sarbanes Oxley and SANS 20. 
Have actions to control, correct and deal with the consequences of nonconformities been identified?
Make sure the GRC team is your organization enabler and is responsible for maintaining and executing a regulatory compliance roadmap. 
Are services prioritized based on analysis of the potential impact if the services are disrupted?
Act as an internal consultant on business and technology projects to ensure appropriate compliance considerations are prioritized and integrated. 
### SYSTEMS:
Is higher level management aware of issues related to the performance of change management?
Make sure your workforce oversees implementation of IT Security Policies as they relate to database systems security. 
How do you improve your auditing performance?
Establish that your staff supports introduction of new tools, systems and technologies to improve business process efficiency. 
What measures are included in the standards for the logistics of industrial projects?
Validate systems with specific emphasis on network operations and cyber tactics, techniques, and procedures focused on the threat to information networks; assess performance using evaluation criteria and technical performance measures. 
Has your organization determined the knowledge necessary for the already stated performing ISMS roles?
Make sure your team audits internally all systems and areas for compliance to AS9100 specifications. 
How is sox compliance achieved if in scope systems are deployed in the cloud provider environment?
Be confident that your process expands its knowledge in integrating diverse, sophisticated software systems and tools, and implementing operational workflows, processes and procedures to deploy capabilities across large, complex organizations. 
Do you have antimalware programs that support or connect to your cloud service offerings installed on all of your systems?
Devise and establish IT policies and systems to support the implementation of the overall organization strategies. 
Which automated work steps will occur during the processing of individual transactions?
Make sure your workforce leads and coordinates activities of other lower level information systems architects. 
Are resources available to establish policies and procedures to support the selected controls?
Be sure your organization is involved in infrastructure deployment, systems administration, support, and maintenance. 
Are information processing facilities implemented with redundancy to meet availability requirements?
Work with Stakeholders to understand requirements and iteratively design and develop applications and systems to meet the needs. 
What is the single most important benefit that ISO 27001 implementation has brought or will bring to your organization?
Make certain that your process is managing multiple disciplines (external and internal) to bring Industrial Control Systems from the design stage to production. 
### INFORMATION:
Do you generate decisions and actions to respond to changes in your organizations levels of risk?
Interface so that your organization researches, assembles, and/or evaluates information or data regarding industry practices or applicable regulatory changes affecting information system policies or programs; recommends changes in development, maintenance, and system. 
Does your organization support account lockout policies on the customers hosted site?
Oversee that your group delivers reliable and effective Information Technology services to organization (internal) clients in support of critical mission needs. 
Are change control procedures in place for application software and is source code protected?
Make sure the team determines through monitoring, control testing and business consultation that your organizations information resources are secure from unauthorized access, protected from inappropriate alteration, physically secure, and available to users in a timely fashion. 
Which properties of information should be maintained in the context of information security?
Ensure your operation works with the standards team to include robust and updated information on privacy in the CSF framework and helps to develop and maintain privacy certification.
Do you aim for complying with ISO/IEC 27001, the international standard for information security management?
Ensure products and systems comply with requirements and organization information and cybersecurity standards through formal verification methods. 
Are resilience and recovery controls updated to reflect new, changed and retired systems?
Ensure the list of suppliers for the Flutter group is updated with accurate information including business relationship owners and the risk category. 
How do you maintain control over it?
Certify your staff works with organization administration, legal counsel, and other related parties to represent the organization's information privacy interests with external parties, including organizational bodies and other key stakeholders.
How do you get comfort over the long term viability of the cloud service and the cloud provider?
Safeguard that your group identifies, designs, builds, and maintains metrics systems that provide high quality information to leadership, the Board of Directors, and regulatory departments. 
Are the corrective actions appropriate to the effects of the nonconformities encountered?
Be confident that your design performs or oversees information privacy risk assessment/analysis, mitigation and remediation. 
Has an access control policy been defined and reviewed, and is user access to the network controlled in line with the policy?
Ensure you are able to use the systems in accordance with organization policy to properly document service information in accordance with organization and manufacturer guidelines. 
### QUALITY:
How does your organization manage changes to IT systems involved in revenue generating activities?
Make headway so that your strategy is involved in the development of a quality manual and/or quality management system. 
Do you have a process for tracking and tracing your product while in development and manufacturing?
Make headway so that your organization manages and directs quality area functions ensuring product compliance from all aspects of manufacturing. 
Are aspects of information security considered in the different processes of your organization?
Warrant that your organization ensures employee performance adheres to the Quality Management System processes. 
How are you ensuring the integration of the ISMS requirements into your organization's business processes?
Be certain that your strategy is leading and managing a team of Quality Engineers in ensuring product and process compliance. 
Do your service deliverables outline which services can be done remotely and which cannot?
Ensure you use a variety of technologies and approaches to deliver quality product and services to organization departments and technology companies. 
Does the policy relating to ethics, bribery and corruption cover only your organization?
Oversee that your team complies with all appropriate legal and regulatory requirements when reporting to the requesting organization, while relating all facts accurately to a high quality standard.
Are there policies and agreements to maintain the security of information transferred within or outside of your organization?
Ensure the quality management system procedures and processes are implemented and maintained. 
Are management review improvement decisions and change requirements promptly implemented?
Manage and improve the quality business process for (internal) customer requirements. 
Does your organization have an identity management strategy that supports the adoption of cloud services?
Verify that your operation provides strategic quality direction in support of new business initiatives. 
Who is responsible for implementing the continuous monitoring process for individual information systems or common security controls?
Be confident that your workforce leads site standardization initiatives and will be responsible for compliance with the quality system. 
### INDUSTRY:
Has your organization implemented appropriate measures to protect audit and logging facilities and log data against security attacks?
Guarantee your operation monitors technological advancements to ensure that solutions are continuously improved, supported, and aligned with industry and organization standards as well as emerging business requirements. 
How do you get involved in the development of security standards?
Oversee that your team is involved in the IoT and durable goods industries.
Do you have confidence in the resilience of the systems and processes that manage payroll data?
Be certain that your group is involved in industry and networks of relationships across businesses of varying sizes. 
How might you be able to learn whether, and how, a group experiences systemic oppression?
Warrant that your process has existing relationships with key industry press, including crypto and mainstream publications.
How do corresponding practices relate to existing international standards and practices?
Develop and enforce IT policies based on industry standards and best practices to further secure computing resources. 
How do you keep up with developments to the ISO 27000 series standards?
Ensure you bring the necessary involvement to streamline and automate deployment pipelines, while driving the adoption of industry best practices to keep your infrastructure secure, scalable, and efficient. 
Are source code audits performed by someone other than the person or team that wrote the code?
Make headway so that your design is redefining an age-old industry.
Has the policy been published and communicated to all employees and relevant external parties?
Be certain that your staff participates in industry wide conferences. 
Is higher level management aware of issues related to the performance of service continuity?
Secure that your workforce continues executive education to remain abreast of the changing financial industry. 
Has a program to ensure the ISMS achieves its outcomes, requirements and objectives been developed and implemented?
Keep track of new regulations, industry best practices, and implement continuous improvement.

@ -0,0 +1,696 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/security-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: February 7, 2022
Retrieved from on February 10, 2022
Relevant ISO 27001 clauses/controls:
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
- [ISO 27001 A.18.2 Information security reviews](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.18.2%20Information%20security%20reviews.md)
# IT Security: Ask This;
1. Does your management team have access to compliance reporting that illustrates your organization's IT security preparedness?
2. How in control are you of the number of versions of CIs that are in use, and what is the impact that has on your ability to enforce IT security and protect your information assets?
3. Does your organization have a log management or security information and event management (SIEM) system?
4. How does your organization ensure the effective use of security controls and authentication tools to protect privacy for those systems that promote or permit public access?
5. Do your organization's IT modernization efforts result in an increase or decrease in the IT security challenges your organization faces?
6. Does your organization have a Chief Information Security Officer (CISO or equivalent title)?
7. Does your organization have approved information security policies, procedures, and controls?
8. As your organization has increased your investment in public infrastructure cloud (IaaS), how have IT security factors changed?
9. Does your organization have a formal security operations center or team that actively manages security incidents and events as they are generated?
10. Does your organization have appropriate IT Security policies governing user access that are effectively implemented?
11. Which tech trends will have the biggest impact on the IT security of your organization in the next two years?
12. Which strategies ensure that your employees can identify a threat to information security assets, and how is it ensured that employees will react to such situations?
13. Does your organization have a policy that requires HR to immediately notify either IT Security or access administration of terminations and transfers?
14. How does your organization's IT security compare to an established framework, and have gaps been identified?
15. Are the outsourced service providers required to have the same security level as your organization requires of itself?
16. What percentage of the primary Cloud Computing service's IT budget does your organization (plan to) invest in that service's IT security?
17. Does your organization have a written incident response plan for localized IT Security incidents?
18. Are employees in your organization made aware of data security and sensitive information handling requirements?
19. Does your organization have an effective program for monitoring its IT Security governance controls and associated regulatory risks?
20. Does your organization have a dedicated IT security budget for incident investigation and forensics (Endpoint Detection and Response)?
21. Does your organization have an IT Security policy that addresses the use, creation, and processing of employee and customer information?
22. Do you have the IT security expertise on hand to assess IT security reports and properly manage any security incidents, and are responsibilities within your organization clearly assigned?
23. Does your organization have an IT security awareness program, which informs all users of the established IT security policies?
24. When auditing your organization for compliance, what role do IT Security policies and an IT Security policy framework play in the compliance audit?
25. Does your organization have a dedicated threat hunting team within its IT Security function?
26. Does your organization have enough security budget to defend itself against current threats?
27. Do you have a cybersecurity/critical infrastructure protection (CIP) initiative distinct from the core IT security function, and what threats does it encompass?
28. As your organization embraces emerging technologies and information changes, does this expose your organization to new IT security risks?
29. Do you have the capability to continuously monitor and report on the compliance of your infrastructure against your information security baselines?
30. How does your organization determine the most appropriate method and resources to implement security audit in its development lifecycle?
31. Do you have a recruitment process in place that considers high level IT security access risks against each position description?
32. Does your organization have the in house expertise necessary for achieving a strong IT security posture?
33. What drivers or pressures in your organization have the most influence on security decisions and direction?
34. Does your organization have a dedicated internal IT Security auditing, monitoring and analytics group?
35. Does the IT security leader (CISO) within your organization have final authority over security related spending?
36. Does your organization request security audit reports from its information service providers?
37. Will you notify customers about information security incidents that have or are suspected to have impacted customer data?
38. Which IT security functions does your organization outsource to a managed security service provider (MSSP)?
39. Which challenges did the COVID-19 pandemic create for your organization's security operations team, and how do you manage them?
40. How does your organization make the case for more IT security spending?
41. Does your organization presently deploy, or plan to deploy, AI based security technologies?
42. At what point in a project lifecycle does the business engage your IT Security or Identity and Access Management teams?
43. How does your organization gain assurance in the operation of the security features of commercial off the shelf (COTS) products?
44. Does your organization share information on information security attacks with third parties?
45. Which strategies does your organization practice to overcome the shortage of qualified IT security talent?
46. Does your organization have formally documented procedures for the management of security incident responses?
47. Do you have a process to review security audit logs in a timely, consistent manner and act upon any threats identified by reviews?
48. Are IT security and confidential usage policies in place covering use of all information communication technology devices within your organization?
## Organized by Key Themes: SECURITY, RISK, MANAGEMENT, TECHNOLOGY, DATA, SYSTEMS, COMPLIANCE, CLOUD, DEVELOPMENT, AUDIT:
### SECURITY:
How do you see the roles of IT Security, governance and compliance changing in the long term?
Make sure your organization reviews incoming projects for Information Security requirements, determines the scope of Information Security services needed to address project demands, performs quality control on Information Security threat and vendor risk management products, and mentors team members. 
How do you track changes to software versions on your servers?
Guarantee your design executes on various other reviews of IT management policies and procedures, such as change management, business continuity planning/disaster recovery and information security, to ensure that controls surrounding these processes are adequate.
What are the primary goals, objectives, and mission functions that the investment will support?
Make sure the IT Security Compliance specialization works with the Information Security Compliance team and your organization to support the security risk management program. 
Do cybersecurity professionals believe that other organizations are vulnerable to cyber attacks?
Interface so that your personnel provides technical expertise and support to (internal) clients, IT management and staff in cybersecurity threat risk assessments, development, testing and the implementation and operation of appropriate information security plans, procedures, and control techniques designed to prevent, minimize or quickly recover from cyber-attacks or other serious events. 
Do you regularly assess your current IT Security posture and align your security strategy with business goals balancing expense with potential cost of breach?
Make sure the IT Security Architecture and Engineering team develops and guides technology risk management in collaboration with teams across your organization to enable responsive, secure and cost effective solutions. 
Are site emergency and IT disaster recovery plans maintained, up to date and tested on a regular basis?
Lead and facilitate meetings with system owners, executive management, staff, and contract partners and technical personnel to provide IT security guidance, define system boundaries, and establish and maintain information security standards and procedures in compliance with information security and risk management policies, standards, and guidelines. 
Are there any audit logs, reports or alerts produced if there are any suspicious activities?
Be confident that your process assists with monitoring and auditing of information systems activities and systems to confirm information security policy, compliance, and provide management with security policy compliance assessments and system monitoring reports. 
Which strategies ensure that your employees can identify a threat to information security assets, and how is it ensured that employees will react to such situations?
Make headway so that your group advises on the conduct of internal reviews of IT security management information programs to identify needs, business process requirements and organizational infrastructure, including staffing and financial commitments.
Have prevailing conditions changed that result in the need to change the procedure regarding IT Security?
Develop recommendations to create or modify IT systems and various business supporting technology to solve complex, non-standard, unprecedented, and unusual problems considering IT system and business capacity and limitations related to various IT systems, IT general and application controls, and IT security and privacy consideration over IT applications, operating systems, databases, and IT infrastructures in virtual or physical client-server and mainframe IT environments including standard and wireless networks for various IT processes such as software development, IT system operations and change management, logical and physical access management, and IT issue identification and incident management. 
Are there mechanisms for immediate dissemination and implementation of access right changes?
Make sure your company develops IT security programs and recommends necessary changes to the information security team to ensure your organization's systems are fully compliant with all applicable regulatory requirements and privacy laws.
### RISK:
Is there a particular solution that you feel will change the traditional solutions in your portfolio?
Assure that your company's project goals can be focused on people, process, or tools concerning IT Service Management (ITIL), HR Information Systems, (internal) customer Service Management, IT Security Operations, IT Governance Risk and Compliance, Facilities, Project and Portfolio Management, IT Financial Management, Organizational Change Management, and/or IT Operations Management oriented topics.
Is the service provider planning any major strategic/mission changes or anticipating any budget/financial viability issues during the period of performance?
Perform IT security reviews, technical risk assessments, and analysis to ensure compliance with IT security policies and standards. 
How much of your IT Security budget is devoted to preventing, detecting and mitigating insider threats?
Establish and continuously assess a Technology Risk Profile for Information and IT Security through regular status reporting of risk treatment especially on progress and success of risk mitigating initiatives. 
How are you involved in your organization's selection and/or management of government contractors that provide IT Security services and/or technologies?
Warrant that your operation leads the assessment of IT or business solutions against IT security requirements, calling out gaps, risks, and corrective actions for both application and infrastructure solutions.
Is confidential information deleted from data media or IT systems prior to maintenance and repair work?
Ensure you also provide consulting services focused on the IT side of the business and work closely with your IT Security and Risk Assurance teams. 
How does your organization determine how identified risks are mitigated in product offering design?
Develop, monitor, track and report against IT Security metrics and KPIs that help the Leadership understand threats, vulnerabilities and risks associated with protecting information across the enterprise and plans to mitigate those risks. 
How significant are challenges your organization faces in managing a multicloud environment?
Make sure your operation exhibits best practice risk management skills through effective IT security controls and improvement of risk management processes. 
Does interfacing the new product with the existing infrastructure introduce new vulnerabilities?
Verify that your team is evaluating Information and IT Security risks arising from control inefficiencies or lack thereof. 
How does your organization's IT security compare to an established framework, and have gaps been identified?
Perform recurring internal IT Security audits and risk assessments in accordance with policies and procedures related to HIPAA and PCI DSS.
### MANAGEMENT:
Is IT security risk assessment a regular agenda item at IT management meetings, and does management follow through with improvement initiatives?
Make sure your design serves as an IT Cybersecurity specialization on matters of inter-agency cybersecurity strategy, program, and project management that involves applying IT security processes to the short- and long-term planning, design and implementation of cybersecurity solutions to meet the organizational strategic and business requirements.
Have staff members with knowledge of IT Security been consulted and included in the evaluation team?
Have a background or hands-on involvement in IT Security and Networking, Cloud environments (AWS), Fraud Prevention, HITRUST, SOC1 and SOC2 Compliance Implementation, Business Continuity, and Disaster Recovery assessments, and Risk Assessment and Management principles. 
Is cyber resilience awareness incorporated at all levels and operational elements across the enterprise?
Collaborate with stakeholders, including vendor managers and business partners in areas such as Procurement, Compliance, IT Security and Contracts Management to develop appropriate policies and procedures, tools and templates, and collateral materials to facilitate the management and execution of an effective third-party vendor oversight program. 
Who are most responsible for ensuring IT Security objectives are achieved within your organization?
Oversee that your strategy develops an appropriate governance structure and management processes for prioritizing and executing IT projects, overseeing IT security and ensuring business continuity. 
What level of security depth does its security operations staff possess, and for what support time frames?
Guarantee your staff provides support for IT security capabilities, products and services, incident management, communications, and training for advanced joint multi-organization cybersecurity strategies.
Did your organization's program official plan and budget for IT Security in all of the business cases?
Develop experience establishing and implementing Project Management, IT Service Management (ITSM) and IT security services. 
What is the best way to eliminate the fear factor when taking on something new like machine learning?
Make sure the contract supports multiple functional areas, including Desktop Virtualization, IT Service Management, Systems Engineering and IT Security Operations. 
How do you encourage workers to collaborate while minimizing risks of compromised information?
Collaborate with IT security team in security incident response planning, management, and remediation. 
What level of experience and expertise is needed to interpret the results provided by the tool?
Provide leadership and management of the IT Security Team, and 3rd parties providing IS Security services. 
### TECHNOLOGY:
Do the customer and user requirements include explicit changes to the operational environment?
Support efforts to turn leading edge concepts into the delivery of efficient, innovative, technology based solutions to include risk analysis and IT security compliance to address user business needs. 
Are training sessions conducted for all relevant personnel on backup, recovery, and contingency operating procedures?
Safeguard that your team is assessing IT security policies, procedures, and controls of your (internal) clients business applications, networks, operating systems, and other components of the technology infrastructure. 
Do you agree that IT security vendors/managed security providers should be offering a guarantee on the competence of the products?
Guarantee your personnel oversees all technology and IT security operations and projects for your organization to ensure 24/7/365 availability and uptime. 
How do you drive risk management into the daily activities of your people?
Manage technology associated with the critical functions and mission of the organization and work with IT Security staff to resolve technical issues. 
How do you see the roles of IT Security, governance and compliance changing in the long term?
Invest in developing long-term strategies and capacity planning for meeting future technology needs and operationalize the design, development, and implementation of strategic IT security projects and initiatives. 
How may an outsider misuse the information to advantage and to the detriment of your organization and its stakeholders?
Liaison so that your process stays abreast of current developments in IT technology, cloud services, IT security breaches, auditing standard updates and other emerging issues which may impact the audit process. 
Why is it important to understand the difference between IT security and information security?
Work closely with the Technology leadership team to identify solutions to meet or exceed business requirements and to understand the impact of service interruptions on respective business areas. 
How does your organization make the case for more IT security spending?
Liaison so that your process sources and negotiates Information Technology (IT) hardware, software and service contracts with the goal of lowering costs of goods, ensuring quality and service by leveraging total organization spending. 
Are technical support services included, and if so, what is the vendor's commitment to timely response?
Interface so that your company assists CIO in the annual budgeting process for Information Technology to cost effectively provide needed information services and support. 
How do you leverage and integrate traditional infrastructure with public and private clouds to deliver the right performance at the right time and cost?
Make sure the function is strategically accountable for leveraging infrastructure technology solutions to enable the business to meet its goals, at an acceptable cost, and to deliver new systems at the right pace. 
### DATA:
What is the budget for acquisition and lifecycle support of intrusion detection hardware, software, and infrastructure, including staffing to monitor and respond to intrusions?
Liaison so that your process ensures infrastructure and support meets IT security and compliance requirements, establishing controls and processes in support of data security and regulatory requirements. 
Does your organization have a dedicated threat hunting team within its IT Security function?
Manage IT Security Program involving services to include cybersecurity operations, continuous monitoring, security information and event management, security architecture, security engineering, vulnerability scanning, endpoint security, security analytics, network access control, penetration testing, data forensics, security data ingestion and analysis, incident analysis, threat monitoring/hunt and security situational awareness. 
How does your organization determine how identified risks are mitigated in product offering design?
Make sure your workforce is working with IT Security and Data Governance to ensure that your organization's data analytics and integration products are effectively secured and that risks are mitigated.
Is there someone in your organization that might understand the risks involved better than you?
Check that your company is involved in IT Security management, access policy and management, authentication and SSO, authorization, audit, secure communications and network protection, data protection and privacy, and security administration. 
Which challenges did the COVID-19 pandemic create for your organization's security operations team, and how do you manage them?
Apply your data analysis and management skills to help cybersecurity managers solve an IT security challenge regarding the collection and analysis of important cybersecurity data.
How does the vendor handle software and hardware maintenance, end user support, and maintenance agreements?
Work closely with the legal and IT security teams to support data incident response efforts. 
Why do so many organizations still fail to adequately assess third party supplier IT Security risks and ensure the ongoing security and availability of business critical information?
Implement and/or assess enterprise IT security controls, including data classification/governance, cybersecurity incident response process, patch management, data security/retention, and access controls. 
Are contents of system logs protected from unauthorized access, modification, and/or deletion?
Ensure all IT activities conform to IT security standards and all data and systems are properly protected. 
Which strategies does your organization practice to overcome the shortage of qualified IT security talent?
Develop a data infrastructure that supports improvements to IT security and cybersecurity controls for major Departmental IT systems. 
### SYSTEMS:
How transparent is the security rules/user account database made to the systems administrator by the security administrative application?
Ensure proactive compliance of IT security systems, processes and controls with organization information security program, security policies and regulatory compliance guidelines. 
Is there an automated alerting/notification process that is initiated when defined security thresholds are exceeded?
Coordinate and work with network engineers, systems engineers, solution architects, IT Security and/or Implementation Managers (IMs) to ensure timely delivery of defined project deliverables.
How do you validate the integrity of the data being leveraged for evidence?
Respond to detected and reported problems and interface with vendor support service groups, network services, telecom, systems engineering, or IT security to ensure quick resolutions and appropriate notification during outages or periods of degraded performance. 
What do you believe to be the main causes for potential problems and harmful incidents related to IT?
Be certain that your personnel oversees implementation of IT Security Policies as they relate to database systems security. 
What industry standards or frameworks are being followed to ensure packaging is tamper evident?
Make sure your workforce is directing activities in response to cybersecurity incidents and vulnerabilities for IT security systems. 
Is your organization's security planning approach effective in managing security risks and achieving objectives?
Establish that your team provides application or infrastructure technical expertise, analysis and specifications for IT systems to meet business requirements in accordance with IT architecture policies and standards; translate requirements into technical specifications, create detailed solution design, coordinate construction, installation, configuration and testing of IT systems; and identifies, troubleshoots and resolves system technical issues. 
How do you ensure your staff are aware of IT Security threats?
Invest in the overall IT security by reviewing logs, monitoring, patching/updating, and scanning/reviewing existing systems and policies. 
How do you audit your validation processes?
Check that your design processes vulnerability and threat data from a variety of sources to provide actionable intelligence to internal consumers; implement countermeasures and maintain and enhance the defenses for your information systems and resources. 
Does the internal audit function get appropriate support from the CEO and senior management team?
Verify that your strategy is managing an organization's office automation efforts to integrate, maintain, and enhance the organization's information management and information technology programs to provide systems, tools, and analytical capabilities in support of the organization's mission and operations.
### COMPLIANCE:
Do you have up to date, good quality malware protection installed, active and updated on all devices that access your network?
Make sure the Director, IT Security Governance, Risk and Compliance is responsible for understanding enterprise IT risks and creating strategic plans to mitigate risk on a priority basis and risks that are not remediated immediately must understood and accepted by corporate executives when appropriate. 
Are you confident that your enterprises business processes and supporting IT systems are free of functional or security deficiencies?
Make sure the IT Compliance Administrator is responsible for supporting existing IT security and compliance initiatives throughout your organization. 
Has the IT security office conducted a vulnerability scan, security review, or penetration test of critical departmental applications?
Oversee the operations of the IT organization including corporate/enterprise systems, commercial systems, R and D systems, infrastructure, and IT security and compliance. 
Should you build or buy new solutions and do any solutions already exist within your organization?
Ensure compliance of application or platform per IT Security recommendations and protocols. 
Is there an IT planning process in place that ensures that the IT solutions being developed comply with IT Security policy?
Certify your group responds to and remedies IT security incidents and ensures IT security related compliance. 
How can managers, CISOs and technicians be sure that network meets all relevant security requirements?
Ensure your company is accountable for working with Business Process Owner (BPO), IT Security, IT Infrastructure, and compliance teams to ensure the Windows product meets all policy and regulatory requirements. 
Do you have the IT security expertise on hand to assess IT security reports and properly manage any security incidents, are responsibilities within your organization clearly assigned?
Recruit reviews the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on operations and reports and whether the organization is in compliance. 
Is there a summary of the most important applications and IT systems and protection requirements?
Partner with teams across Samsara to enhance governance, protect (internal) customer and employee privacy, and ensure compliance with internal policies and external obligations such as SOC II audits, regional privacy laws, and industry guidelines (such as NIST CIS). 
### CLOUD:
Are network security boundaries defined and enforced to group users, services and information that require different levels of protection?
Work with developers, IT infrastructure and operations teams, and IT security teams to ensure alignment to cloud platform governance and security standards. 
Are you aware of security training practices performed by your sub suppliers to the personnel?
Work with the IT Security Team, Solution Architects, and Cloud Operations Team with any security related issues that arise and maintain a log of operational activities performed. 
Did your organization program official plan and budget for IT Security and integrate security into all of the business cases?
Check that your strategy ensures that all cloud solutions follow security, compliance controls, and conformance to companys IT security standards. 
How do your customers keep up with attacks when there is a shortage of IT Security skills and rising costs to secure data?
Make sure the team is responsible of maintaining your Cloud solutions with top performance, availability and service level, and also ensure that it runs in a cost efficient way. 
Does your organization presently deploy, or plan to deploy, AI based security technologies?
Be a trusted Enterprise vendor, Oracle is in the early stages to provide highly cost effective, highly performance compute, storage, and PaaS Cloud solutions to its (internal) customer base. 
How essential is IT Security to supporting innovation with minimal impact on the goals of digital transformation?
Make sure your team works with architecting, designing, and supporting cloud infrastructure and its solutions. 
As your organization has increased your investment in public infrastructure cloud (IaaS), how have IT security factors changed?
Oversee that your organization is involved in IaaS cloud infrastructure, Kubernetes, containers, and service oriented architectures. 
Are there certain devices or hosts which are more prone to security issues, causing increased risk?
Develop experience building and/or operating new products and services using cloud service providers. 
Have you an automated alert system to inform key IT personnel of unwanted behavior or activity on the network?
Support enterprise partners implementing automated and cloud application platform solutions. 
How does your organization gain assurance in the operation of the security features of commercial off the shelf (COTS) products?
Develop experience deploying applications in cloud environments and developing containerized applications. 
### DEVELOPMENT:
Which personnel would be involved in the containment, eradication, and/or recovery processes?
Make sure your team is involved in IT Security and compliance, operations and network services, and application development. 
Does the contract spell out audit provisions and specific details regarding who is responsible for security defects?
Operationalize overall strategy development related to IT security as well as IT more broadly and the business. 
What information is generated by, consumed by, processed on, stored in, and retrieved by the system?
Make headway so that your process collaborates with IT and Finance regarding standards for application development, upgrades, maintenance and compliance, security and span of control design. 
What do you expect of your service providers, infrastructures and services, in terms of quality?
Ensure strong grounding in fundamentals of web application development identity, security etc. 
Does the assessment of a risk include a perspective on your organizations capability to recover from that risk should it materialize?
Perform/arrange for static, dynamic, and penetration tests for development projects; work with project teams to evaluate the risk exposure of the findings; drive the effective design, prioritization, and implementation of remediating controls in collaboration with development teams. 
Do metrics support investment in technologies that address your organizations security risks?
Partner with Business representatives, Application Portfolio and Application Development, Engineering, Operations and Support, IT Security, Digital partners, IT Planning, and the Project Management Office. 
Which organizational challenges between the networking and IT security teams in relation to network security have you experienced?
Be confident that your group is defining, implementing, documenting, and maintaining the framework for system architecture design, software design and development, IT security, and performance testing platforms. 
How do you quickly and cost effectively respond to legal matters requiring information under your management?
Ensure you will provide support to ensure that the program achieves an optimum mix of cost, schedule, performance and system-supportability throughout its life cycle (design, development, testing and evaluation, production and disposition). 
Are there any measures in place that are aimed at raising the security awareness of the workforce?
Make sure there is involvement and your organization needs in depth knowledge with software development methodologies, CI/CD, and DevSecOps. 
### AUDIT:
When auditing your organization for compliance, what role does IT Security policies and an IT Security policy framework play in the compliance audit?
Serve as primary liaison between auditing bodies, IT Security Management, compliance and Business Stakeholders. 
How do you assess the effectiveness of your internal audit function?
Plan, lead, execute, and report on medium to complex IT general and application control audits, IT security and governance reviews, and drive control/process optimization to assess existence, effectiveness, and efficiency of the IT control environment. 
How does the vendor handle software and hardware maintenance, end user support, and maintenance agreements?
Certify your operation works in close partnership with internal peers and external service providers to recommend technologies or systems improvements that support organizational goals and ensure data center performance and operation is reliable and compliant with the respective Service Level Agreements, audit requirements and local regulations. 
How do you leverage and integrate traditional infrastructure with public and private clouds to deliver the right performance at the right time and cost?
Orchestrate the IT Audit Manager in planning audit projects by developing risk-based scopes, methodologies, and audit programs; prepares, researches and designs evaluations of programs, systems, controls, policies, procedures and other functions using audit and analytical techniques; executes complex information technology tests of controls associated with applications, system operations, and supporting infrastructure; and analyzes supporting evidence, draws logical conclusions and develops appropriate findings and recommendations. 
Are training sessions conducted for all relevant personnel on backup, recovery, and contingency operating procedures?
Check that your workforce refocus responsibilities which need to be in place include planning, executing, and reporting on internal control and internal audit engagements that develop, assess, or help improve the design and operating effectiveness of IT risk management and internal control activities. 
How do you go about finding the right partners who share your view of IT as your organization enabler?
Build audit and Assess internal organization systems as well as business partner/service provider information system. 
How do you conduct ongoing monitoring of the risk posture?
Orchestrate risk assessments over the underlying Technology applications of the WM/IM business area, conduct audit planning, test Technology general controls over distributed and mainframe environments, conduct reporting, and conduct closure verification of issues. 
How do you encourage workers to collaborate while minimizing risks of compromised information?
Collaborate with Internal Audit and business process owners, and system owners in the testing of new software capabilities, programs and applications requirements.
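Review bot: several entries in this file are employer-specific job-posting fragments rather than generic checklist items and read oddly in a literature note, e.g. under COMPLIANCE "Partner with teams across Samsara to enhance governance ..." and under CLOUD "Be a trusted Enterprise vendor, Oracle is in the early stages to provide ..."; consider dropping or generalizing them. The same COMPLIANCE entry cites "SOC II audits" and "NIST CIS": the attestation standard is SOC 2, and NIST and CIS are separate framework publishers, so it should read "SOC 2" and "NIST, CIS".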
@ -0,0 +1,752 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/does-your-organization-have-cyber-incident-response-plan-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: February 14, 2022
Retrieved from on February 14, 2022
Relevant ISO 27001 clauses/controls:
- [ISO 27001 A 16.1 Management of information security incidents and improvements](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2016.1%20Management%20of%20information%20security%20incidents%20and%20improvements.md)
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
# Does your organization have a cyber incident response plan in place in the event of a data breach?
1. Does your organization have a cyber incident response plan in place in the event of a data breach?
2. Does the service provider have a formal incident response and management process and plans that clearly define how they detect and respond to information security incidents?
3. Does your organization have established Incident Response Training included as part of your organizations required Security Awareness Training (SAT)?
4. Does your organization have a security incident response team with clearly defined and documented roles and responsibilities?
5. Does your organization have an incident response plan for security breaches involving third parties?
6. Does your organization have a written incident response plan for localized IT Security incidents?
7. Have you implemented appropriate Cybersecurity governance, risk management, incident response and business continuity frameworks?
8. Do you have an incident response plan in place to minimize the cost and exposure of the data breach?
9. To what extent does your organization have an established incident response plan defining how to respond to the compromise of a networked device?
10. Does your organization have a formal, documented Computer Security Incident Response Plan, and when is the last time your CSIRP was updated?
11. Does your organization have an incident response plan to contain Cyber Incidents and applications and processes to ensure the alert and activation of the plan?
12. Does your organization test its incident response plan regularly and update it as needed based on Cyber Incidents that have occurred and Threat Intelligence?
13. Do you have security incident response procedures in place to manage occurrences of incidents as Denial of Service, website defacement, data breach and phishing?
14. Do you have a Security Incident Response Team (SIRT)?
15. Does the incident response plan provide clear steps to be taken to restore the security of any information systems compromised in a cybersecurity event?
16. Do you have a documented information security incident response plan that involves more than just IT staff?
17. If you have a cyber incident response plan, how often does your organization exercise the plan?
18. Does your organization formally measure security incident response time for management reporting or process improvement purposes?
19. Does the incident response team keep adequate documentation of security incidents and outcomes, which may include what weaknesses were exploited and how access to information was gained?
20. Does your organization have incident response and management plans in place to minimise the impact of an unauthorised disclosure?
21. Does your organization have an Incident Response team in place to detect, investigate, and contain ransomware attacks?
22. Does your organization have a formal incident response plan with provisions for insider threat attacks?
23. Which metrics are in place to evaluate the ROI on your security orchestration and incident response platform?
24. Does your organizations incident response plan have the in house expertise to respond effectively to a data breach?
25. How does your organization link cyber incident response and recovery with your organizations business?
26. Does your organization have an incident response plan in the event an AI solution damages your brand?
27. Do you have a documented Security Incident Response process covering physical security incidents?
28. Does your organization use SIEM during the incident response process and does your SIEM prioritize threat events?
29. Does your incident response team have high level participation from all pertinent business functions and does it have clearly defined roles for response team members?
30. If an incident response team must appear in court, can they obtain the information and evidence required when your organization needs it?
31. Do you have a governance structure and incident response structure in place in which accountabilities and responsibilities for ICS security are clearly stated and accepted by each of you?
32. What does your organization see as the greatest challenge in information sharing throughout the incident response lifecycle?
33. Now that you have moved to the cloud, how does the investigation or incident response process change?
34. How does your IT security department generate a computer security incident response plan (CSIRP)?
35. What training do you provide in support of your cybersecurity Incident Response Plan, Business Continuity Plan, Emergency Operations Plan Cyber Incident Plan, or other related plans?
36. Where does the CSIRT function reside in your organization?
37. Does your organization have meaningful operational metrics to measure the overall effectiveness of incident response activities?
38. Does your organization have an incident response calling tree that is provided to the Help Desk?
39. Do your vendors have a PSIRT/ Vendor CSIRT (Product Security Incident Response Team/Vendor Computer Security Incident Response Team), or equivalent?
40. Do you have a current Incident Response Plan defining steps to take and who is responsible if a breach or incident were to occur?
41. As part of testing the effectiveness and capability of your organizations incident response plan, does your organization perform simulated tests of a compromised device?
42. Does your organization train personnel in incident response roles and responsibilities with respect to the information system and provide refresher training?
43. How are you investigating the next generation endpoint security solutions and how they can save incident response time?
44. Does your organizations incident response team have clearly defined rules of engagement that enable them to act with autonomy in the event of a significant attack?
45. Do you have current information details about critical assets, key facilities, disaster recovery plans, incident response plans, and security configuration information?
46. Do you have an Incident Response Team and Plan that covers compromised privileged accounts and passwords?
47. Do you have automated incident response and event management workflows in place to mitigate successful intrusions before they propagate and have an impact?
48. Do your service providers provide its staff with appropriate training on incident response and management processes and plans to ensure that they respond to incidents in an effective and efficient manner?
## Organized by Key Themes: MANAGEMENT, SECURITY, DATA, DEVELOPMENT, PROCESS, SYSTEM, INCIDENT, CYBER, THREAT, PRODUCT:
### MANAGEMENT:
How do you perform security incident root cause analysis and incident response?
Oversee that your organization establishes architecture oversight and planning for information and network security technologies; leads development of an information security risk management program that includes business, regulatory, industry practices and technical environment considerations; establishes strategic vendor relationships for security products and services; develops enterprise-wide security incident response plans and strategies that includes integration with business, compliance, privacy, and legal constituents and requirements; provides advanced level engineering design functions; provides trouble resolution and serves as point of technical escalation on complex problems. 
Are information security managers adjusting the incident response plans to accommodate for apt attacks?
Establish and manage the Information Security and Risk Management Strategy, inclusive of the Incident Response Policy and Process in partnership with your IT Team. 
How do you safeguard sensitive or protected health information?
Oversee security areas as vulnerability management, identity and access management (IAM), endpoint detection and response (EDR), incident response, applications, and infrastructure security. 
Do you have a current Incident Response Plan defining steps to take and who is responsible if a breach or incident were to occur?
Ensure your IT Service Desk is not simply a helpdesk and is also responsible for Incident Response and Management as well as Information Security tasks. 
Does your organizations incident response plan include steps for recovering after a cyber attack?
Liaison so that your workforce maintains records of security monitoring and incident response activities, utilizing case management and ticketing system. 
Do you have a security operations center focused on detecting and responding to cyber threats?
Drive incident response and problem management exercises, bringing skills to effectively respond to critical production issues and security events in line with SRE incident response and problem management playbooks. 
Is your organization actively monitoring your network activity for signs of unauthorized activity?
Ensure your team is an extension and complement of your Risk Management and Incident Response Services and provides (internal) clients with long term monitoring and detection solutions. 
Does your organization participate in a program for sharing information with government and industry peers about data breaches and incident response?
Execute and improve threat management and cyber incident response processes SIEM response, blacklist management, Endpoint Detection and Response management, investigations, etc. 
How does the emergency/incident response crisis management structure change if key incident managers/ recovery leads are unavailable?
Verify that your team leads your organizations third party risk management program, vulnerability management and mitigation, incident response planning, and ongoing risk assessments. 
How does your organization note a reduction in margins and follow through by re building margin to boundary conditions in new ways?
Be certain that your group works with Incident Management and Threat management to follow incident response procedures to ensure proper detection, mitigation controls. 
### SECURITY:
How do you conduct ongoing monitoring of the risk posture?
Ensure your team is responsible for security incident response management, vulnerability management, sensitive data verification, cyber threat analysis, security information and event management (SIEM) and monitoring, and digital forensics. 
What role, if any, should authorities play in supporting your organizations cyber incident response and recovery activities?
Make sure the Information Security Incident Response team is responsible for managing the detection and reporting of information security and insider threat incidents, supporting all organization Business Units. 
What data sources might contain information regarding the identity of the vulnerability scanning host?
Devise develop cyber security modules based on network concepts, techniques, tools and procedures relevant to securing an organizations infrastructure, vulnerability scanning and management, risk assessments and remediation, threat intelligence, incident response and other cybersecurity topics. 
Does your organizational structure support key functional integration to ensure threat mitigation and rapid crisis response?
Confirm that your team is integrating information security incident response plans with higher level organization planning, including crisis management and business continuity. 
How do you determine that an incident has been handled and requires no further action?
Provide support to the Security Operations Center during incident response and threat hunting activities that includes cyber threat analysis support, research, recommending relevant remediation and mitigation. 
Which representatives of incident response team takes forensic backups of the systems that are the focus of the incident?
Be sure your design is responsible for the implementation and management of incident response plan and reporting requirements by the GRC team to address security incidents and events, and takes action on policy violations or complaints. 
Do you provide off site and remote stakeholders with sufficient training and communication to mitigate cyber risk?
Provide assistance and guidance in drafting and reviewing Configuration Management Plans, System Security Plans, Incident Response Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations, Information Assurance Vulnerability Management Plans, Network Diagrams/Topology, Physical Security Plans, Personnel Security Policy and Training Plans. 
What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
Modify involvement in host-based and network-based security tools, analyzing alerts, and initiating the incident response process, working with operations team and management to analyze and categorize level of threat, take appropriate and timely actions to mitigate threat and associated vulnerabilities. 
Does your organization employ automated mechanisms to more thoroughly and effectively test the incident response capability?
Make sure the GIS Incident Response team is responsible for tracking, executing and/or ensuring all actions required for responding to any network security threat (direct or indirect) against your organization is conducted timely and effectively. 
Is your threat model significantly different enough from the standard vertical the enterprise is in?
Manage information security incident response activities, risk assessment and risk management activities, and vulnerability assessment and vulnerability management activities spanning multiple business units. 
### DATA:
How does your organization plan to maintain operations in the case of a large scale cyber attack?
Participate and coordinate Cyber Security Incident Response Team (CSIRT) with evidence gathering processing, cybersecurity incident investigation, attack malware remediation, forensic analysis, threat mitigation, vulnerability detection, and data leakage prevention. 
Is your main financial planning system and its supporting infrastructure vulnerable to manipulation?
Make headway so that your team is advising on potential liability and other legal aspects related to data privacy and data security incidents and supporting your organizations privacy and cybersecurity incident response programs, including supporting the investigation of potential incidents, identifying applicable legal obligations, and supporting incident response efforts. 
How do you effectively manage your log monitoring and anomaly detection capabilities?
Provide consulting services to review and improve cyber threat intelligence, vulnerability management, security monitoring, data loss prevention (DLP), forensics, and incident response capabilities. 
Does the incident response process include steps to identify root/cause and prevent reoccurrence?
Partner with Security Investigation, SOC, Threat Intelligence and Incident Response teams for ongoing situational awareness, intelligence and data signals to use as input to fraud investigation. 
What individual, office, or department coordinates and delivers your organizations messaging?
Check that your team coordinates Disaster Recovery, Business Continuity and Incident Response planning to ensure effective protection and recovery of information services, organization data and business operations. 
Who or what organizations have the policy lead in terms of roles, responsibilities and departments scope?
Develop and mature ICS Security Operations Center (SOC), identify anomalous behavior, perform data analysis, and lead incident response activities. 
How many active devices within the provided networks will be included in the network assessment?
Implement and/or assess enterprise IT security controls, including data classification/governance, cybersecurity incident response process, patch management, data security/retention, and access controls. 
What is the impact if the entire system had to be reloaded using disaster recovery backup procedures?
Interface so that your process is involved in cybersecurity operations processes and tools and working with cybersecurity datasets to inform incident response and/or hunt operations using cyber threat intelligence. 
Does the incident response plan establish a local incident response team; identifying key roles?
Support your organizations incident response program, including investigating potential incidents, identifying applicable legal obligations, and managing your organizations notification of and response communications to confirmed data security incidents. 
Does your organization have meaningful operational metrics to measure the overall effectiveness of incident response activities?
Make sure the analysis of application and service stack misconfigurations with priority by Incident Response team leadership in the process of determining sensitive data leakage. 
### DEVELOPMENT:
Is your incident response strategy and supporting practices aligned with your business strategy?
Operationalize the development, improvement and operational management of Security Operations, Monitoring and Incident Response practices, processes and solutions. 
Which is most important for an is auditor to confirm when reviewing the effectiveness of an incident response program?
Develop experience scoping and delivering consultative professional service engagements including development, review and tabletop exercises of Incident Response Plans, Disaster Recovery Plans and Business Continuity Plans. 
Who is responsible for activating or has authority to activate the cyber incident response personnel and under what circumstances?
Liaison so that your process provides insight and influence in determining the strategic direction for the development and deployment of threat detection capabilities and/or incident response plans. 
Does it outline requirements for regular testing and reviews/improvements to incident response capabilities?
Consult with development and architecture teams on Secure Development methodologies and best practices, including incident response and architecture, PCI certification and other audit and review processes. 
How do you go about establishing early the importance of governance?
Provide leadership for critical environments/data center portfolio transitions, technical due diligence, incident response, root cause analysis, personnel development and establishing technical training programs related to IT infrastructure and services. 
What are the legal responsibilities of your organizations likely to be involved in an incident response?
Certify your workforce is involved in GCP and/or container technology; building infrastructure, development, or incident response. 
Who is the most senior accountable officer for setting and monitoring your organizations cyber and information security strategy?
Lead by example, demonstrating best practices for Agile Development, unit testing, CI/CD, performance testing, capacity planning, documentation, monitoring, alerting, and incident response. 
Does your organization have an identity management strategy that supports the adoption of cloud services?
Check that your operation is coordinating research and development projects with the engineering team in support of future mission development. 
Is a security incident response plan formally documented and disseminated to the appropriate responsible parties?
Check that your workforce is responsible for leading the development and growth of organization wide process improvement efforts. 
Are responses to declared incidents developed and implemented according to predefined procedures?
Be sure your process collects and analyzes business requirements and transfers the same knowledge to the development team(s). 
### PROCESS:
What training do you provide in support of your cybersecurity Incident Response Plan, Business Continuity Plan, Emergency Operations Plan, Cyber Incident Plan, or other related plans?
Establish that your group executes the appropriate security controls in response to incident response processes when incidents relate to or impact RPA solutions.
Does your organization regularly incorporate requirements relating to cybersecurity risk into its contracts with vendors/clients?
Make sure the Emerging Threats team is responsible for the monitoring, alerting and incident response process for all risk metrics and workflows, and acts as the single point of contact for risk escalations.
Do you have measures in place to shrink the attack window and block access to network assets post-intrusion?
Develop experience building out workflows and processes for severe user-safety incident response and investigations, including physical and online harms.
How do you make certain that your organization is prepared for cyber risk from a people perspective?
Establish that your team processes incoming calls regarding delivery incidents and communicates vital information to key stakeholders for incident response.
Will you be given visibility into the analysis and detection rules, to see exactly how investigations and triage will be performed?
Ensure the process is operating as designed, information and data analysis is performed on a timely basis, and key actions are completed.
Do your vendors have a PSIRT/Vendor CSIRT (Product Security Incident Response Team / Vendor Computer Security Incident Response Team), or equivalent?
Review processes (routers, FMEA, operation standards, process control sheets and all other control documentation) to ensure design requirements have been met.
What percentage of services in your data center would benefit from elastic storage capacity?
Ensure that your team leads and participates in formal continuous improvement using problem-solving techniques such as Lean, Kaizen and process control.
Who should determine how much effort should be put into attempting to recover the encrypted data?
Devise solutions to complex problems, including fabrication of parts and system modifications that provide additional functionality, and analyze existing systems to determine process capability.
Have procedures for managing IT-related security and privacy incidents been defined and documented?
Lead the effort to develop RFPs by engaging project team members in the process, in order to present well-defined requirements to potential vendors for proposed solutions.
How far into the investigation is the vendor, and which incident response organizations are supporting the efforts?
Work with cross-functional teams to establish, review and monitor standards, as well as the systems and processes that support business performance.
### SYSTEM:
What role will the CSP play in performing incident response, including attack analysis, containment, data preservation, remediation, and service continuity?
Flaws discovered during any sanctioned security assessment, continuous monitoring, incident response activity, or information system error handling event are also addressed expeditiously.
Do you have an incident response plan in place to minimize the cost and exposure of a data breach?
Ensure that your team provides effective system observability and rapid incident response to minimize (internal) customer impact and downtime.
How do covered entities currently evaluate their incident response and cyber resilience capabilities?
Make sure your group supports incident response and forensics, participates in the incident response team as a priority, and preserves forensic system images.
How do you know that an incident should be reported?
Manage reported system, application and device vulnerabilities effectively through remediation and maintenance, in adherence with incident response policies.
Does the service provider have a formal incident response and management process, and plans that clearly define how they detect and respond to information security incidents?
Establish and assess system baselines and serve as technical lead for Cyber Vulnerability Assessments (CVA), recovery/incident response plans, and any other security or reliability reviews, exercises, etc.
Does it include an anti-ransomware engine that monitors changes to files on user drives and identifies ransomware behavior as illegitimate file encryption?
Ensure a strong background in system and network auditing, cyber incident response, intrusion detection/prevention, and vulnerability assessment.
Is there an online incident response status portal that outlines planned and unplanned outages?
Ensure that your organization is willing and able to provide after-hours, customer-facing escalation support, including for system outages and incident response.
How do you track who has access to sensitive information?
Ensure you analyze issues, perform troubleshooting and incident response, work with system and network engineers to resolve them, and track problems through to resolution.
How frequently are your employees, contractors, and partners trained on your cybersecurity policies and expectations?
Develop system and process recovery plans to support resilience and reliability goals, and ensure users are trained on the appropriate response protocols.
How do you resource incident response?
Oversee that your organization is involved in risk management and project management for security system installations and integrations.
### INCIDENT:
What measures does your organization use to determine the effectiveness of the incident response process?
Invest in threat hunting in (internal) client networks through proactive analysis of log, network and system data, including system image analysis, to identify threats during active incident response and to ensure mitigation measures are effective.
How do you find an owner or responsible parties for systems under your protection?
Ensure that your group leads the deployment of threat detection capabilities and/or incident response plans, including after-hours support and coordination among responsible teams.
Do you have an incident response plan in place in the event of a critical vulnerability disclosure?
Be confident that your strategy meets your organization's need for in-depth analysis in support of complex incident response operations and provides enhancements and recommendations.
How do you get involved with working groups?
Ensure that your workforce is involved in integrating threat hunting and cyber threat intelligence into the incident response process.
Is the system contingency plan coordinated with related plans, such as the disaster recovery plan, the business continuity plan, and the incident response plan?
Make sure the lead provides leadership in process improvement and automation of incident response activities and coordinates efforts among multiple business units during response.
Do you have automated incident response and event management workflows in place to mitigate successful intrusions before they propagate and have an impact?
Make sure the Cyber Incident Response Team (CIRT) is responsible for conducting investigations, responding to network intrusions, and providing electronic discovery services.
What does your organization consider support services, and how would those services be requested, scoped, priced, and delivered?
Collaborate with your Risk Management team to identify and consider privacy, compliance, regulatory, and legal issues in incident response cases.
How difficult/costly will it be to enhance monitoring of access points in the supplier networks?
Lead the SOC team in the maintenance and ongoing improvement of all SOC processes and procedures, including the Incident Response Plan, IR playbooks, communications plans, SOC monitoring, threat hunting, and SOC metrics.
Is there appropriate support for creating, sustaining and maturing a cyber disruption response plan?
Make sure the SOC team lead is involved in performing incident response engagements, developing SOC policies, and supporting a culture of continuous improvement.
How do you minimize the impact to your organization from an incident?
Ensure that your personnel develop cross-functional partnerships to support better asset context and business process understanding in the incident response process, while supporting playbooks that minimize impact.
### CYBER:
When an incident occurs, are you confident in your organization's ability to minimize its impact?
Lead the teams providing cyber threat intelligence expertise in support of major incident response activities, through insight into threat actors and tradecraft.
Does your progressive discipline policy adequately address your need for threat investigations involving poor performers and network stakeholders demonstrating suspicious or disruptive behavior?
Collaborate with your cyber intelligence team and partners to share threat intelligence and response methods, strengthen your defenses, and invest in the development and improvement of incident response processes.
Do your performance management and compensation strategies provide adequate support for your cybersecurity mission?
Conduct purple team exercises with the Cyber Operations and Incident Response teams, including the maintenance and support of the cyber range.
Do you have an incident response plan that includes documenting lessons learned and next steps?
Make sure your group conducts post-mortem reviews of incidents to support continuous improvement of the Incident Response Plan and related cyber incident runbooks.
Does the center have an accident/incident response plan and periodic disaster response exercises to test the plan?
Notify designated cyber team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan.
Have you contacted your general counsel and external advisors to avoid mistakes, mitigate risk and establish a privileged environment?
Manage and perform incident response and recovery, cyber threat hunting, malware analysis and reverse engineering, and develop protocols to eliminate and/or mitigate vulnerabilities.
How far into the investigation is the vendor, and which incident response organizations are supporting the efforts?
Lead a team of cyber professionals responsible for enterprise-wide cyber incident response functions supporting both everyday defensive and offensive countermeasures.
How do you keep up to ensure that operational delivery systems meet the needs of your clients?
Run an integrated cyber fusion organization spanning the disciplines of cyber threat intelligence, detection platforms, proactive monitoring, incident response and red teaming.
Is someone responsible for documenting and retaining the results of emergency plan practice runs?
Be confident that your operation is responsible for malware investigations, forensic analysis and investigation, and cyber incident response in both on-premise and cloud environments.
Is your incident response strategy and supporting practices aligned with your business strategy?
Provide cyber threat summaries, including all incident response activities directly affecting CND or supporting activities.
### THREAT:
How do you ensure that your organization's culture and processes create the right environment for growth through innovation?
Provide a strategic point of view for threat monitoring and incident response operations that can be impacted by new technologies (cloud, mobility, virtualization) and business drivers (M&A, new business models).
How many low-level personnel are involved with public relations, media attention, or other incident response management?
Be certain that your workforce is involved in threat modeling, threat hunting and intelligence, incident response tabletop exercises, and process automation.
Does your query system support simple statistics like computing an average or standard deviation?
Support incident response and threat hunting activities, including providing intelligence context, analysis support, industry expertise, and recommendations around remediation and countermeasures.
Which personnel would be involved in the containment, eradication, and/or recovery processes?
Assure your operation is involved in threat modeling, threat hunting and intelligence, incident response tabletop exercises, and process automation.
Does a formal information security incident response and escalation procedure exist that is reviewed, maintained and documented?
Ensure you coordinate with other security engineers to provide actionable intelligence to other security engineering teams, including Incident Response, Threat Hunting, and Red Team adversarial simulations.
Has a security official who is responsible for the required policies and procedures been identified?
Make sure your operation contributes to incident response activities by providing a contextual threat intelligence package for the IOC(s) identified.
How do you possibly manage all your log data from all your systems?
Make sure the Incident Response Consultant is focused on working with (internal) customers on cyber threat hunting and cyber incident response efforts.
Does your organization have established and documented terms and conditions for the use of personally owned devices?
Own your threat detection and incident response program, including investigation procedures, response and recovery playbooks, and automation.
How is the data combined with other data to enable a decision, and do you automate that decision?
Design the requirements, select the technology, and build the processes that enable log management, threat detection, incident response and recovery, automation and orchestration, and threat hunting.
Can your email, web, and other public services stay operational while under a denial of service attack?
Review threat intelligence, incident response reports, and malicious behavior noted by the SOC, and develop detection approaches to counter the observed attacker techniques.
### PRODUCT:
How do you use next-generation technology to build your threat intelligence and incident response capabilities?
Warrant that your company works with the product development teams to continuously conduct risk assessments to understand the threats, define mitigations, monitor field deployments, and plan for incident response related to existing and new use cases of your product offerings.
Are automated mechanisms used to increase the availability of incident response information and support?
Manage bid and proposal efforts across each integrated product team to identify material costs, risks and opportunities in the supply base, and plan to support execution of the bid.
How does your organization ensure data practices comply with customer privacy notices/policies?
Warrant that your strategy manages the employees who evaluate and ensure that products, services and processes comply with (internal) customer contract requirements, engineering requirements, organization procedures and organization regulations.
Does your organization identify any mandatory cybersecurity standards that apply to your systems?
Ensure that your strategy analyzes business processes across all product lines to identify areas of improvement, including leading organizational efficiency efforts.
How can it best prepare for the inevitable need to perform digital forensic, incident response, or breach investigations?
Work hands-on with the product team to prioritize, plan, and deliver the product, and ensure the backlog is populated with enough prioritized user stories that are ready to be estimated for the next two iterations.
Does the incident response plan provide clear roles, responsibilities and levels of decision-making authority?
Ensure that your organization participates in assuring high reliability and proper performance per product requirements.
Do the incident management tools allow the escalation and transfer of incidents among groups?
Make sure your group serves as a key interface to engineering and advanced R&D teams to facilitate transfer to production and DFM activities.
Does your security team lack a robust process for documenting and updating security incident response procedures?
Ensure your design team is experienced in working closely with both large and small teams and in rapid delivery from prototype to finished product.
What would improve intrusion detection, incident triage, incident response or post-incident forensics in your organization?
Develop and deploy practical process standardization to realize efficiencies and to measure and improve site productivity levels.
How do you identify, investigate and manage privacy incidents?
Ensure that your personnel provide estimates to the Product Manager on delivery timing based on feedback from engineering teams.

Source: [LinkedIn](https://www.linkedin.com/pulse/network-security-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: February 10, 2022
Retrieved from on February 10, 2022
Relevant ISO 27001 clauses/controls:
- [ISO 27001 A.13.1 Network security management](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.13.1%20Network%20security%20management.md)
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
- [ISO 27001 A.18.2 Information security reviews](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.18.2%20Information%20security%20reviews.md)
# Network Security: Ask This
1. Is your organization logging any network events that would allow you to determine if a data security breach may have occurred?
2. Do you have insight in regular updates that shows all the latest security patches and the status of every machine on your network so you know your systems have been secured and updated?
3. Where business partners and/or third parties need access to information systems, is the network segregated using perimeter security mechanisms such as firewalls?
4. To what extent has your organization implemented security controls to prevent data exfiltration and enhance network defenses?
5. Is a base network stack satisfactory (for a system locked in a secure area for example), or does a full featured network stack with a complete security portfolio make more sense?
6. Do your staff members have appropriate awareness, knowledge and skills to maintain the security of the network and information systems that support your delivery of essential services?
7. What wireless network security controls do you have in place to secure your network from hackers sitting in your parking lot and capturing your data?
8. Does your organization have a process to verify security policy compliance of all network connected devices?
9. Which technology and business factors does your organization use to structure network based security strategies?
10. Do your security systems detect insider misuse, misconfigured devices and unauthorized attempts to access internal network resources in real time?
11. When user access requirements increase because of business needs, what change management process is in place to modify the access controls?
12. BYOD environments pose capacity planning and security challenges; how does your organization track network access by non-organization-issued devices?
13. Does your organization employ a Network Access Control (NAC) solution to enforce security policies for remote users?
14. Does your organization have a process to deploy security updates to all network connected IT assets?
15. Where identified as necessary in your risk assessment, have you identified and segregated critical business systems and applied appropriate network security controls to them?
16. How do you know if the security controls implemented in your network have been configured correctly to protect your information?
17. Do you have a written Incident Recovery Plan for security incidents and network outages in force to avoid business interruption due to systems failure?
18. Does your organization perform (or have an experienced third party consultancy perform) external penetration tests at least quarterly and internal network security audits at least annually?
19. Does your organization have an independent testing program that includes comprehensive penetration testing of its perimeter network and application security controls?
20. Does your organization still need the sophisticated inspection capabilities of a standalone IPS?
21. How do you manage cooperation among networks to cope with natural faults and attacks where each network has its own policies with attendant security and privacy needs?
22. Are your network security vendors moving their portfolios in a direction that will allow you to fully exploit a Secure Edge or SASE architecture?
23. How many different platforms do you have to use to oversee your entire network security as well as your core networking capabilities?
24. Is your organization planning to approach network security in the cloud in the same manner as it does with its on premise security operations?
25. How does your organization position network security solutions to accommodate change while not, or at least not noticeably, impacting network performance?
26. Do you have recovery procedures documented for production and non production environments in the event of a service disruption?
27. Based upon your organization's business application plans and IT initiatives, how important is it for your organization to automate its network security operations in the future?
28. As more network traffic is encrypted, how concerned is your organization that your existing security monitoring practices/technologies will miss malware hidden in encrypted files?
29. Do you have a written Incident Recovery or Business Continuity plan in force for network security incidents and network outages?
30. What are the motive, means, and opportunity of each human threat actor who might use network access to violate the security requirements of your organization's critical asset?
31. How could using the vendor's cloud infrastructure weaken your organization's existing network security posture?
32. What impediments do you encounter that prevent you from making greater use of network data for security detection and investigation?
33. If you are considering a large network service provider, system integrator or outsourcer for managed security services, whose staff will be monitoring or managing your security devices?
34. What is the difficulty in your organization of inserting malicious data into security related datasets in intrusion detection alerts, network packets and system logs?
35. How do you know if application and network security is sufficient to protect against data breaches?
36. Do the remote access security controls allow network devices to be isolated when there is a compromise?
37. Which organizational challenges between the networking and IT security teams in relation to network security do you have?
38. Have you automated network wide IPAM auditing processes with reports to show internal security standing and policy compliance?
39. What security credentials (e.g., for user access, network access or service access) are stored on each device?
40. Your organization changes, your network changes, and the threat landscape changes. How does your network security infrastructure adapt?
41. What have you done to validate that any network security controls are still effective with an increasingly remote workforce?
42. Which security operations management best practice is followed to enable appropriate network access for administrators?
43. What security priorities are most important for your organization to take as the number of staff in corporate locations/on the corporate network ramp back up?
44. How much time does the network security team spend on firewall audits, both in preparation and in the audit itself?
45. What policies are in place that address specific aspects of IAM as network security or physical access cards?
46. Does the integration of network flow capture with behavioral analysis and anomaly detection provide greater security intelligence in your organization?
47. What is the security posture of the systems (from file servers to databases, directory services and network devices) that support your most critical line of business?
48. Do your security policies address both internal and external access to the network for each technological device?

Source: [LinkedIn](https://www.linkedin.com/pulse/security-operations-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: February 12, 2022
Retrieved from on February 14, 2022
Relevant ISO 27001 clauses/controls:
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
Related:
- [Checklist for auditing Cyber Operations](Checklist%20for%20auditing%20Cyber%20Operations.md)
1. If you have a help request system, does your help request system work with your security operations center?
2. Does your organization have a formal security operations center or team that actively manages security incidents and events as they are generated?
3. Do you have a need to build out a security operations center (SOC) or will you have a virtual SOC?
4. Do you have the appropriate certification(s); for example, certified to security operations management system standards such as ISO 18788?
5. Do you have a dedicated threat hunting platform for your security analysts?
6. Does your system have a protocol to report threats or significant security concerns to appropriate law enforcement authorities?
7. How does your organization coordinate BCM and security operations response to a breach?
8. What level of security depth does your security operations staff possess, and for what support time frames?
9. Do you have a 24x365 security operations center monitoring all systems for potential security issues?
10. How long does it take your security operations team to investigate a threat?
11. How does your organization use intelligence to augment and improve your security and business operations?
12. If you are currently outsourcing security operations to a third party service provider, what benefits have you realized?
13. Based upon your organization's business application plans and IT initiatives, how important is it for your organization to automate its network security operations in the future?
14. How many SIEM/security analytics alerts does your security operations team investigate in a typical day?
15. What security measures does your organization employ to keep your threat intelligence secure?
16. Does your information security policy have the authority it needs to manage and ensure compliance with the information security policy?
17. Does each staff member within the security organization have an accurate job description?
18. How does the need for real time data impact the deployment of your security technology?
19. How do you know that your cybersecurity tools are effective?
20. Do your forensic and actionable intelligence networks integrate with your security information and event management (SIEM) and security operations center (SOC) infrastructure?
21. How has widespread remote work changed how your CISOs have approached the security strategy?
22. What security data is your security operations team gathering and why?
23. How does your organization integrate relevant and actionable intelligence into security operations?
24. How does your organization compare to industry peers based on benchmarking its security maturity curve?
25. How can your security operations workflows benefit from more integration of threat intelligence?
26. How does your organization use security operations products that feature machine learning (ML) and/or Artificial Intelligence (AI) technology?
27. Does your audit program take into account effectiveness of implementation of security operations?
28. What are the sources of external data that your Security Operations team can leverage to develop and maintain its context aware understanding?
29. How is the system integrated with existing security operations centers and infrastructure, such as security cameras, data connectivity, and display systems?
30. How do you actually know when an incident has occurred?
31. Have you developed an adequate public information and media relations plan as part of your event security operations plan?
32. What level of communication is taking place between your security operations team and the cybersecurity ecosystem of employees, senior executives, and third party vendors?
33. How is your organization managing the security operations center in avoiding threat fatigue?
34. Do you have a designated security team and response workflows for handling known threats?
35. How do you ensure that your security programs comply with all policies and requirements?
36. Does everyone with a need to know understand your organization's security plan?
37. Do you have real time visibility and full control of your security and operations?
38. How do you know if your security operations are aligned with your organization's risk?
39. Do project teams have review checklists based on common security related problems?
40. Do you have an integrated security ecosystem to detect zero day threats and advanced malware?
41. With security threats growing in both volume and sophistication how does your organization keep up without aggressively ramping up the security operations team?
42. Is deception technology in use as an effective cybersecurity solution to help your organization?
43. Are the Incident Response plans, logs and helpdesk ticketing system currently integrated with each other?
44. Does your organization have regular intelligence on who may be targeting your organization, the methods and the motivations?
45. How have you addressed the human factors in ensuring security controls are effective?
46. How does your organization automate and orchestrate security operations tasks?
47. How has the shift to remote working and multi cloud environments affected your Security Operations Center?
48. Do you have full visibility into your security devices' log reports?
## Organized by Key Themes: SECURITY, RISK, MANAGEMENT, DATA, OPERATIONS, DEVELOPMENT, INCIDENT, TECHNOLOGY, CLOUD, NETWORK:
### SECURITY:
What feedback mechanisms exist within your services to capture threat intelligence?
Administer and maintain security systems in the cybersecurity security operations center (CSOC) technology stack, including the security information and event management (SIEM) environment; Operational Technology (OT) and IT network intrusion detection systems (IDS); endpoint detection and response (EDR) tool; security orchestration, automation, and response (SOAR); cyber threat intelligence platform (TIP); and full packet capture (PCAP) servers across your service territory. 
How do you identify which assets are being compromised and what type of data is involved?
Warrant that your organization is involved in network security environment (Security Operations Center, Security Incident Response Team, or Cyber Security Incident Response) investigating targeted intrusions through complex network segments or Be certain that your company is involved in [OT Security](../../Information%20Security/OT%20Security.md) engineering and security concepts. 
Have external information aggregators been evaluated for value in API security operations?
Warrant that your design is involved in Security Event and Incident Management (SEIM), Security Operations Center (SOC), endpoint protection, log aggregators, zero trust, and network security processes and tools. 
What are the needs for knowledge based systems in the context of managing knowledge?
Provide support to the Security Operations Center during incident response and threat hunting activities that includes cyber threat analysis support, research, recommending relevant remediation and mitigation. 
What are the advantages offered by bug bounty programs over normal testing practices?
Check that your workforce is involved in including network operations or engineering or system administration on Unix, Linux, MAC(Message Authentication Code), or Windows; common security operations, intrusion detection systems, Security Incident Even Management systems, Penetration Testing, Web Application assessment, Secure Coding practices. 
Are development, test and operational facilities separated to reduce the risk of unauthorized access or changes to the operational system?
Interface so that your workforce is responsible for detection capabilities including log management/SIEM, continuous monitoring, network security monitoring, threat hunting, penetration testing, vulnerability scanning, web app scanning, data loss prevention, security operations center, and threat intelligence.
How can auditors create their own RPA routines to execute more controls efficiently?
Make sure the Cyber Security Operations (SecOps) Engineer operates, maintains, and streamlines the information security team's Incident Response Program (IRP), Security Incident and Event Management (SIEM), automation, and authentication tools.
How do security professionals view AI in terms of its maturity and fundamental capabilities?
Oversee that your staff assists with performing engineering support and system administration of specialized cybersecurity applications, systems and networks in a Cyber Security Operations Center (CSOC) environment to include installation, configuration, maintenance, patching, and back-up/restore. 
Do you investigate incidents and actively hunt for emerging threats in the cloud?
Develop experience working with information security teams such as fusion centers, security operations centers, vulnerability assessment, vulnerability threat management, security incident management, cyber hunt, and big data analysis. 
### RISK:
How has the frequency of malware incidents changed over the past year within your organization?
Check that your organization's project goals could be focused around people, process, or tools concerning IT Service Management (ITIL), HR Information Systems, (internal) customer Service Management, IT Security Operations, IT Governance Risk and Compliance, Facilities, Project and Portfolio Management, IT Financial Management, Organizational Change Management, and/or IT Operations Management oriented topics.
Are intelligence feeds integrated into your defense and response systems and, if so, how?
Safeguard that your operation is performing technical and competitive analysis of Risk, Controls, Third Party Management, Security Operations solutions, including integration with enterprise information security and information technology applications and data feeds. 
Is your organization gathering information on cybersecurity capabilities and incidents?
Contribute broadly to advance the capabilities of your Compliance Operations team through integration of governance risk and compliance systems with security operations systems to automate recurring compliance tests or audits. 
What are the sources of external data that your Security Operations team can leverage to develop and maintain its context aware understanding?
Certify your company directs strategy to assess and mitigate risk, manage incidents, maintain continuity of security operations and safeguard your organization. 
How would you grade your ability to communicate with upper level management, customers, and peers?
Make sure your workforce communicates to executive management on the effectiveness of Security Operations including policy violations, security risks, progress of all security related remedial actions, and metrics.
Do you have the appropriate certification(s); for example, certified to security operations management system standards as ISO 18788?
Partner with internal Security Operations and Engineering to ensure risks are well understood and proposed countermeasures are effective at mitigating risk. 
Who are most responsible for ensuring security objectives are achieved within your organization?
Make sure the CISO is directly responsible for Strategy, Security Operations, Cyber Risk and Cyber Intelligence, Data Loss and Fraud Prevention, Security Architecture, Identity and Access Management, Program Management, Investigations and Forensics, Disaster Response and Business Continuity, Regulatory and (internal) customer Compliance, Personnel, Budget, and Governance. 
Which personnel would be involved in the containment, eradication, and/or recovery processes?
Ensure the strong technical knowledge required is in place, including security operations, engineering and cybersecurity, endpoint protection, governance, risk and compliance, and identity management.
Are responses to declared incidents developed and implemented according to predefined procedures?
Develop experience working across Security Operations, Risk Oversight, and Audit; this is an asset.
Does your organization have a formal security operations center or team that actively manages security incidents and events as they are generated?
Interface so that your company is responsible for the advancement of the information risk strategy to foster an organizational environment that effectively manages information risk.
### MANAGEMENT:
Are there work streams that might be better handled through alternative sourcing or managed services?
Invest in establishing a mature and optimized Security Operations Center discipline to support managed security services focused on client-facing vulnerability and security information event management engagements. 
How do you identify which assets are being compromised and what type of data is involved?
Make sure your organization is involved in security technologies including Video Surveillance, Access Control, Incident Management Systems, and Security Operations Centers.
Is there password protection in place for employee access to all computers and electronic records?
Safeguard that your company is hiring, managing, and developing the operations management team including compute operations managers, engineering operations managers, logistics operations managers, and security operations managers. 
Do you have a security operations center focused on detecting and responding to cyber threats?
Guarantee your organization identifies, develops, and maintains the skills and capabilities of the public safety personnel and security officers at a best-practice level including implementing training programs regarding risk mitigation, security operations, threat assessment, investigations, use-of-force guidelines, and emergency management. 
How is the system integrated along with existing security operations centers and infrastructure, as security cameras, data connectivity, and display systems?
Ensure your process has consulting expertise in (internal) customer Experience/Service, ITSM, HR Service Delivery, Enterprise Service Management, Business Application Development, or Security Operations.
Is the risk reporting to the board balanced and does it reflect the present and potential future situation?
Make sure the contract supports multiple functional areas, including Desktop Virtualization, IT Service Management, Systems Engineering and IT Security Operations. 
How do you get the best work from your subordinates?
Drive strategic cloud operations and build Cloud Center of Excellence maturing management, operations, SLAs and KPIs for critical systems. 
Are appropriate implementation and performance measures identified, applied, and analyzed?
Be certain that your group collaborates with program management and facility administrators to establish goals and objectives and develop and implement guidelines, procedures, policies, rules, and regulations to enhance programs and services; uses data to direct decision-making processes; oversees and participates in the development and implementation of activities designed to ensure legislative and program performance measures are met. 
What are potential risks involved with implementing security cooperation activities?
Liaison so that your team provides guidance to and works collaboratively with compliance areas, Legal, IT, Planning and Project Execution Units, and the Enterprise Portfolio Management Office to identify and implement improvements in your organization's regulatory process.
What areas/processes of the business represent the most impact to revenue if the service is lost?
Represent the Incident Response team for Proactive Threat Management triage and engagement. 
### DATA:
What is your management system around data isolation that would lead to data privacy?
Develop and mature ICS Security Operations Center (SOC), identify anomalous behavior, perform data analysis, and lead incident response activities. 
What would it cost to have an outside organization to perform monitoring of target systems?
Ensure involvement (strongly preferred) in assessing or building end-to-end cybersecurity solutions, including data protection solutions, security incident and event monitoring platforms, threat and vulnerability programs, security operations centers, and other cybersecurity solutions.
How do you keep up with real time monitoring, threat detection and malicious code detection without being flooded by false positives?
Interface so that your operation oversees the enterprise level components of the programs and partners closely to integrate with the Security Operations team on operational components of Application Security testing and monitoring and Data Loss Prevention tuning and monitoring. 
What happens when the endpoint is no longer connected to your corporate network or Internet?
Work closely with security operations in the identification, escalation, and resolution of all data security related incidents. 
Which background describes your role before you became involved in security awareness?
Ensure your design is involved in security operations, data analytics, forensic analysis, fraud detection, cyber intelligence. 
What level of security depth does your security operations staff possess, and for what support time frames?
Consume both qualitative and quantitative data sources to produce threat monitoring tactics and monitoring strategies to support the needs of technology and business audiences. 
How do you support audit/compliance requirements?
Support major M&A transactions and complex strategic initiatives to ensure accountability for both data and privacy legal/regulatory compliance and strategic advising; this includes providing advice on the secure, confidential, and compliant exchange of data during negotiations and due diligence, performing due diligence activities and advising on data and privacy related risks and possible remediation, providing input for agreements and support during negotiations, and advising on and supporting post-close remediation and integration actions.
What processes are you using to detect vulnerabilities within your control system networks?
Liaison so that your process has involvement utilizing geographic information system and data visualization tools. 
What percentage of your organization's IT personnel support IT security operations?
Liaison so that your design designs and develops maintenance applications to support the data integration solutions. 
How has the severity of malware incidents changed over the past year within your organization?
Develop experience gathering and analyzing data to create metrics that support positive change and continuous improvement recommendations. 
### OPERATIONS:
How does your organization monitor its production database servers to detect suspicious activity?
Make sure the Security Operations Analyst is responsible for assisting with the full life cycle of security operations, including identifying and analyzing potential threats, supporting prevention and detection methodologies, assisting with incident response and monitoring functions, as well as continuously recommending improvements to security operations. 
How do you evaluate the effectiveness of your organization's cyber risk program?
Make sure the Tech Lead, IT Security Operations Engineer supports the Manager, Information Security Operations, IT departments, and Risk Management by researching technologies, remediating security vulnerabilities, oversight of system patching, and conducting security oversight functions. 
What are the licensing conditions that licensed cybersecurity service providers have to comply with?
Develop experience working with Security Operations and Engineering teams to provide input for regulatory and security audit items. 
How would you rate your vulnerability or risk posture against targeted threats and attacks?
Provide recommendations on analysis techniques and enhancements to security operations to identify and defend against attacks. 
Is the IT system or its information used to support any activity which may raise privacy concerns?
Make sure the VP of Managed Services is responsible for overall quality of implementations, security operations, ongoing support, and related services for your (internal) customers. 
What controls are in place already that may mitigate the risk of the vulnerability?
Be sure your strategy is responsible for monitoring intelligence sources including news and social media to identify risks, build social intelligence, and mitigate risks to Company operations through communication and advisories to impacted business units. 
What factors affect your organization's decision to support that level of investment?
Provide direct support of management functions including Human Relations, Business Development, Operations and Finance, corrective actions, and adherence to organization policy. 
What support, either administrative or technical assistance, did you receive in your previous positions?
Be proactive during operations or crisis response to provide intelligence to support operations as well as to ensure that operations tracking systems are up to date during a crisis or event. 
How do you evaluate and optimize your data collection capability?
Be confident that your team performs routine (journey level) managerial work administering the daily operations and activities of your organizations business function, division, or department. 
How does the overall protection system operate to accomplish its routine and emergency tasks?
Interface so that your organization coordinates, monitors, and evaluates program activities and operations; ensures compliance with laws, rules, regulations, policies, procedures, and standards; oversees the preparation of and review of forms and records; oversees the preparation of or prepares management and operational reports; oversees the preparation of or prepares serious and critical incident reports and debriefing reports; collaborates with program management and facility administrators in establishing goals and objectives and in the development of guidelines, procedures, policies, rules, and regulations; develops schedules, priorities, and standards for achieving goals; uses data to direct decision-making processes; and assists with the development and evaluation of budget requests. 
### DEVELOPMENT:
How do you determine the required reaction times for services?
Support the development of Security Operations Center orchestration to reduce incident detection to response times. 
Can most project teams access automated code analysis tools to find security problems?
Serve as Integrated Systems Development Security Operations (DEVSECOPS) IT specialization responsible for developing and conducting automated testing. 
Do you have a segmented manufacturing network that controls devices that power and run the manufacturing operations?
Oversee that your workforce is responsible for the strategy, development and deployment of the comprehensive physical security operations program for your owned and leased facilities including offices, warehouses and distribution and manufacturing facilities. 
Is your organization retaining security data for longer periods of time now than it did in the past?
Invest in the development and maintenance of various security operations services including vulnerability scanning, configuration assessments, and anomaly detection. 
Does your organization have a written policy or process for each web privacy practice?
Operationalize the development, improvement and operational management of Security Operations, Monitoring and Incident Response practices, processes and solutions. 
Is your organization able to allocate appropriate resources to support current risk management policy and practice?
Be certain that your team is owning business partner relationship with IT development support team and any vendor relationships. 
Will there be a commitment from organization leadership to continue with AI systems?
Make sure your team is using applications and equipment knowledge to lead front line business development activities. 
What best defines your level of involvement in your organization's IT Security operations?
Manage the strategy, development and ongoing implementation of a Partner Support team that incorporates varying contract and program requirements. 
How do you assess the security of individual products relative to the security of the system as a whole?
Develop experience evaluating software development risk using relevant factors to assess the business impact. 
Have you paid for an outside organization to assist with incident investigations?
Make sure your process works at an enterprise level and in cross functional teams to invest in the development of strategic and enterprise plans. 
### INCIDENT:
Is there a current security plan in place that addresses policies for access control and emergency response?
Perform data modeling and data prioritization exercises in order to manage and forecast storage capacity requirements and performance for solutions critical to the Security Operations Centers and Incident Response. 
Does each project team have access to secure development best practices and guidance?
Liaison so that your organization works with the Incident Response and Automation organizations to improve detection capabilities proactively, from best practices and from lessons learned from post mortems and feedback.
How do you optimally design, configure, and deploy a cloud environment to support your compute workloads with the most resilient, scalable, and cost efficient approaches?
Secure that your organization provides first contact and incident resolution to (internal) customers with H/W, S/W, and application problems, including both (internal) customer telephone support as well as electronically submitted requests.
How have you ensured a team understands how its work connects into the work of your organization?
Assure your team leads complex threat assessment and consults leadership on incident impact and risk exposure. 
How are you doing on the MFA front when it comes to securing critical cloud accounts?
Develop experience using open source tools and techniques to collect and analyze information pertaining to threat/risk assessments, personnel or incident investigations, and/or geopolitical developments. 
With security threats growing in both volume and sophistication, how does your organization keep up without aggressively ramping up the security operations team?
Participate in an on call rotation with the Incident Handling team to ensure (internal) customers are fully supported. 
What are the main benefits of using a threat hunting platform for security analysts?
Interface so that your workforce is dispatching and coordinating response to incidents that occur on organization premises, or events, using the appropriate communication methods. 
How do you assess the security of individual products relative to the security of the system as a whole?
Invest in or perform incident response technical activities to minimize impact to your organization. 
How can auditors create their own RPA routines to execute more controls efficiently?
Set up, conduct, and execute after action activities for cross functional area incident response activities. 
Can commercial industry participate to help develop requirements for commercial components?
Develop experience or evident knowledge in Incident response, log analysis and PCAP analysis. 
### TECHNOLOGY:
Is your organization aware of the potential vulnerabilities in its ICS/SCADA environment?
Check that your design oversees all technology and IT security operations and projects for your organization to ensure 24/7/365 availability and uptime. 
Do access control procedures and policies exist to support the access control policy?
Guarantee your workforce develops, communicates and champions an effective and scalable framework for technology issue submission with measurable Service Level Agreements (SLAs) and Key Performance Indicators (KPIs) to support business strategy aimed at improving (internal) customer technology support in the organization. 
What mitigation measures or redundancies exist to protect the asset or the function it serves?
Safeguard that your team is accountable for technology incident management, problem management, and change management, and serves as escalation contact for breached incidents and requests.
Does your organization have a formal security operations center or team that actively manages security incidents and events as they are generated?
Make sure your team identifies, evaluates, and manages third party vendors, technology or processes for integration with information technology systems. 
What best defines your organizational role or function with respect to its cybersecurity program?
Establish that your staff owns the Technology Helpdesk strategy and execution, and defines Key Performance Indicators for infrastructure teams' service delivery.
Is most of your development staff aware of future plans for the assurance program?
Combine business needs, vendor roadmaps and technology trends to develop Enterprise Analytics platform and product roadmaps and future state architecture diagrams. 
What are the key drivers for producing performance reporting within your organization?
Ensure completion of Integration Facility testing and deployment of information technology requirements. 
How does your organization use intelligence to augment and improve your security and business operations?
Be sure your company is leveraging, developing, and/or managing technology solutions to enable and improve (internal) client solutions. 
### CLOUD:
How do you determine the right level of investment?
Develop experience managing network Security Operations Center (SOC) operations as an engineer or operator, including firewalls, intrusion detection, encryption, monitoring, vulnerability scanning, and authentication solutions for traditional and Cloud-hosted IT systems.
Have you directly participated in a leadership role in a Crisis Management situation?
Lead the Security Operations Branch on incident response actions for security incidents affecting the multi cloud environment. 
Are there designated people and procedures in place for monitoring the early warnings of increasing threat levels and an escalation of security efforts in response?
Interface with cloud DevOps teams and security operations teams for maturing cloud security monitoring operations. 
How do you reduce the cost and risk of your solution?
Implement modern, cloud specific processes for cloud service portfolio management, new service intake, cloud operations, cloud monitoring, cloud issue management, cloud cost management, cloud financial operations, security operations, cloud service assembly and cloud service catalog. 
Is employee and management training support provided to address changing security needs and emerging threats and enhance skill levels?
Partner with division and department leaders and partners to help establish governance processes to enable automation and support Agile delivery and migration to Cloud. 
How do you ensure the ethical development of AI?
Develop experience implementing network segmentation, firewalls, and cloud computing architecture designs. 
How do you provide metrics, as information about threats that have been blocked?
Provide leadership for the cloud architecture strategy and resolution of architectural issues. 
How do you know if your security operations are aligned with your organization's risk?
Confirm that your staff is skilled in Python and implementing Infrastructure or Policy as Code (CloudFormation, Terraform, OPA). 
Can project teams access automated code analysis tools to find security problems?
Monitor multiple cloud and on prem environments through manual and/or automated tools and processes. 
### NETWORK:
What specific technical areas do you have that can support deployment of AI technologies?
Proactively monitor, maintain, manage and support network and security operations infrastructure throughout the enterprise. 
How do you determine the required reaction times for services?
Implement event driven bidirectional data exchange capabilities between network and security devices to control network access and improve response times to cybersecurity incidents. 
Do you have an approved policy, strategy, plan and budget for securing the product/service?
Perform reviews and assessments, and make recommendations with respect to network security model in accordance with approved compliance standards. 
Are the majority of the protection mechanisms and controls captured and mapped back to threats?
Work with Network Operations Center Field Ops (internal) customer Support to drive accountability and recommend process improvement where necessary. 
How do you optimally design, configure, and deploy a cloud environment to support your compute workloads with the most resilient, scalable, and cost efficient approaches?
Ensure you have involvement with networking, topology, and infrastructure, specifically with IPv6 security requirements.
How have you addressed the human factors in ensuring security controls are effective?
Integrate enterprise, regional, and local IT systems, ensuring current network operations are sustained or overseeing their recovery.
Do reporting activities include the performance of security measures, procedures or controls?
Maintain a database of site and circuit information which can be used for incident management, circuit inventory management and reporting on overall Wide Area Network bandwidth capacity. 
Are development, test and operational facilities separated to reduce the risk of unauthorized access or changes to the operational system?
Guarantee your organization develops, promotes, and maintains standards for enterprise network systems, project management, technical system configuration, systems integration, testing, and training, and oversees these processes for implementations, upgrades, and other system changes. 
How do you balance human insight and machine generated prediction to optimize CX?
Oversee enterprise network architectural analysis, to include Analysis of Alternatives (AoA), for feasibility, thoroughness, security, reliability and provide recommended action to the organization program management team. 
How are big data platforms used to support the collection/analysis of network and endpoint data?
Assure your company coordinates resources to meet (internal) customer expectation for a portfolio of projects, change requests, maintenance activities and support tickets related to enterprise network systems.


@ -0,0 +1,671 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/threat-intelligence-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: February 13, 2022
Retrieved from on February 14, 2022
Relevant ISO 27001 clauses/controls:
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
Related:
- [Checklist for auditing Threat Management](Checklist%20for%20auditing%20Threat%20Management.md)
# Threat Intelligence: Ask This
1. Does your organization have a cyber threat intelligence program and attack monitoring/alert process?
2. What threat intelligence information sharing protocols does your organization use to share and disseminate threat intelligence data?
3. How does your organization collect and share threat intelligence that may be useful in mitigating cyber threat risk?
4. What security measures does your organization employ to keep your threat intelligence secure?
5. How does your organization enrich the data collected with threat intelligence and GeoIP data to enhance the analysis process for higher fidelity and lower false positive alerts?
6. What tools does your organization use to receive Cyber Threat Intelligence from other companies?
7. How confident are you in the security of sending your organization's threat intelligence data to the cloud for analysis (i.e., log files)?
8. What value does threat intelligence bring to your organization's overall security strategy?
9. Who is responsible for implementing a threat intelligence program that integrates across your security technologies, teams, and executive cyber risk decisions?
10. What sources of cybersecurity threat intelligence does your organization receive?
11. By what percentage have security breaches been reduced because of using threat intelligence solutions?
12. Do you utilize a security command center platform to update and manage your firewall and related Cyber Threat Intelligence services?
13. What cyber threat intelligence sources do you rely on to get information about the issues facing your organization?
14. Does your organization have a role in verifying the quality of threat intelligence sent or received?
15. Does your threat intelligence inform and enhance security planning, vulnerability management, and incident response activities?
16. Do you have a robust, forward-leaning strategy to incorporate threat intelligence into your security approach?
17. How many cyber attacks that eluded traditional defenses have you been able to discover because of threat intelligence from internal and external sources?
18. How does threat intelligence support situation awareness in response to cyber attacks?
19. Many early threat intelligence services focused on general security data, identifying malware indicators and tracking malicious sites; how does that apply to your environment?
20. Do you have metrics to evaluate the quality of the threat intelligence provider and the information received?
21. Does your organization have dedicated threat intelligence analysts and researchers?
22. What effect on information security was due to the combination of threat intelligence and situation awareness?
23. How do you share cyber threat intelligence between public and private sectors?
24. Which indicators of compromise and threat intelligence does your organization respond to first?
25. If your organization consolidates threat intelligence from multiple solutions, does the process utilize an automated platform?
26. Are regular threat intelligence briefings provided to onsite Information Security staff?
27. Does your cybersecurity include network, mobile, data, app, and IoT security relying on worldwide network threat intelligence based on petabytes of data?
28. Does your threat intelligence platform integrate data from the platform into an endpoint security system?
29. If you employ a SIEM, does it have a native threat intelligence solution or offer an add on for one?
30. How do you assess your organization's ability to operationalize, or employ, threat intelligence within its cyber defenses?
31. How does your organization measure the quality of the threat intelligence it receives?
32. Does threat intelligence drive decision making within your organization's security operations center?
33. Does your organization integrate threat intelligence data with its SIEM and/or IDS/IPS?
34. How is collaboration of users on managing cyber threat intelligence data supported?
35. Are procedures in place to disseminate threat information and intelligence products to higher/subordinate activities and other organizations (during duty and non duty hours)?
36. Does your organization's threat intelligence influence your security awareness training decisions?
37. Is threat intelligence used to educate/brief your organization's board of directors about cyber risks?
38. Does your organization consolidate threat intelligence data from multiple solutions?
39. Does your organization test its incident response plan regularly and update it as needed based on Cyber Incidents that have occurred and Threat Intelligence?
40. Can investigatory teams seeking to establish operator identities and methods get access to more data from threat intelligence and incident response efforts conducted by specialist companies?
41. What threat intelligence activities and technologies are most important in your ability to plan preventive measures, detect threats, and resolve security incidents?
42. What is the single biggest deficiency of the threat intelligence upon which your organization currently relies?
43. Do you apply threat intelligence to customer security alerts as part of your process for vetting or determining if an alert should be escalated to security event status and action taken?
44. Is your organization using threat intelligence to enhance the security in real time or in post attack analysis?
45. How is your organization managing the integration of different threat intelligence data sources?
46. Is your security infrastructure integrated so that threat intelligence can be shared in real time across all security elements?
47. What threat intelligence feeds does the MSSP use that are relevant to your business, and can it tailor its threat intelligence to cover specific indicators you provide?
48. Does your organization have a dedicated threat hunting team within its IT Security function?
## Organized by Key Themes: SECURITY, DATA, MANAGEMENT, INTELLIGENCE, CYBER, THREAT, TECHNOLOGY, SYSTEMS, TOOLS:
### SECURITY:
How can existing information standards be used to support incentive based cyber trust?
Ensure your team is involved in these the following Information Security programs areas: Endpoint Protection, Risk Management, Threat Management, Incident Management and/or Security Engineering and Operations Support. 
Do you have bespoke software (for monitoring, collective, analysing, and sharing data)?
Be certain that your team executes and improves the core functions of incident response including: threat detection and prevention, incident response, systems and network security monitoring, forensics and vulnerability management at enterprise scale. 
Are all your Data Privacy policies updated on a regular basis and how do you check that some are effective?
Make headway so that your design collaborates with the Information Security organization, other Ascend technology teams and third party vendors to ensure threat intelligence is being shared and alerts, processes and technologies are updated accordingly. 
How difficult/costly will it be to enhance monitoring of access points in the supplier networks?
Develop experience working with a variety of security-related platforms and services, including: SIEM systems, Threat Intelligence platforms, Security Orchestration, Automation and Response (SOAR) solutions, and other network and system monitoring tools. 
Has threat changed significantly to require a re assessment/change to the modular design?
Be sure your process manages all aspects of security disciplines: Information security, software development, vulnerability assessments, threat analysis, incident response, threat modeling, security intelligence and forensic investigations. 
How can managed service providers, technology, and information security leaders within smb markets build a program that can quickly recapture costs and poor decisions?
Administer and maintain security systems in the cybersecurity security operations center (CSOC) technology stack, including the security information and event management (SIEM) environment; OT and IT network intrusion detection systems (IDS); endpoint detection and response (EDR) tool; security orchestration, automation, and response (SOAR); cyber threat intelligence platform (TIP); and full packet capture (PCAP) servers across your service territory. 
How will corresponding advances affect approaches to areas as cybersecurity and cryptography?
Be certain that your team analysis and response: collects and analyzes threat intelligence to prepare the rest of your security team against emerging threats and to optimally respond to security incidents. 
How frequently does your organization conduct full network active vulnerability scans?
Certify your organization advises on Cybersecurity defense and leverages solutions to deliver operational services, including network intrusion, detection and prevention, security events, data spillage, and incident response actions. 
How do you tackle the most complex business problems using data?
Assure your organization implements, and models security practices for enterprise and cloud environments using an intelligence and threat driven defense model. 
How do you focus on your people to develop organizational preparedness for an attack?
Develop experience integrating threat intelligence data into security operations teams. 
### DATA:
Are you required to provide specific consumer protection services as identify theft insurance and/or credit monitoring?
Develop experience working with SIEM systems, Endpoint Detection and Response (EDR) solutions, threat intelligence platforms, security automation and orchestration solutions, intrusion detection and prevention systems (IDS/IPS), Data Loss Prevention and other network and security monitoring tools. 
How would your capability change if the timeframe metrics were increased or decreased?
Be sure your team provides expertise and leadership to utilize threat intelligence and reporting capabilities to analyze data from multiple feeds to better detect and respond to cyber attacks and decrease risk to assets or data. 
How do you believe AI could improve your organizations cybersecurity?
Characterize and analyze threat intelligence data to identify potential cyber related information that could impact your organization. 
Is the role of your organizations personnel to keep track of all of the active threat actors, intentions and active attacks?
Identify and track targeted intrusion cyber threats, trends, and new developments by cyber threat actors through analysis of raw intelligence and data. 
What reporting mechanisms are there in place for staff to report any suspicious activity?
Operationalize Cyber Threat Intelligence data gathering, reporting, and analysis activities. 
How do you assess your organizations ability to operationalize threat intelligence?
Check that your team is authoring reports and generating complete, actionable, relevant, and timely threat intelligence from OSINT, organization, and vendor supplied information and data sources. 
How do you identify the devices on the Enterprise network?
Evaluate technical cyber intelligence and complex structured and unstructured data to identify malicious and foreign cyber threats targeting organization personnel, technologies, and networks. 
Does it practice good cyber hygiene, a set of steps and best practices it can take to prevent attacks?
Research repository: collaborate with corporate strategic development team to support the design, organization, development and safeguarding of an organizational knowledge management system for market and competitive intelligence data. 
How would you rate the value received from the integration of your organizations threat intelligence platform and SIEM?
Ensure you have applied knowledge across all critical elements and common data types used in threat intelligence analysis, including malware used in targeted adversary campaigns; host and log forensics including methods of data collection and analytic techniques; and network forensics including common protocols and how those are used in adversary operations. 
Do you correlate internal activity with relevant threat intelligence beyond your perimeter to more quickly identify advanced attacks?
Consolidate and conduct a comprehensive analysis of threat intelligence data obtained from classified, proprietary, and open-source resources to provide indications and warnings of impending attacks against unclassified and classified networks. 
### MANAGEMENT:
How will advances in technology (e.g., artificial intelligence, Internet of Things, etc.) or other factors affect the cybersecurity workforce needed in the future?
Create and manage cyber security strategy, programs and execution including threat management services such as vulnerability assessments, threat intelligence, analysis and response, security event monitoring and incident management, digital forensics etc. 
How do customers submit requirements and provide feedback to support more relevant intelligence?
Utilize and customize your threat management platform in order to provide a tailored intelligence involvement for your (internal) clients. 
How has the NIS Directive improved notification of cyber incidents in critical sectors and beyond?
Integrate internal and external threat intelligence data in SOC functions and tools to improve the efficacy of vulnerability and threat management. 
Which technique would you recommend to a multidisciplinary team that is missing a discipline?
Evaluate and recommend threat intelligence and vulnerability management options. 
Does your organization have cyber insurance that protects it from theft or misuse of electronic data, customer records, etc?
Safeguard that your design forensics Threat Intelligence Penetration Testing Vulnerability Management Purple Teaming etc. 
What tools does your organization use to receive Cyber Threat Intelligence from other companies?
Ensure you can also leverage the cloud to enhance security through simplified policy management and dynamic threat intelligence. 
What are other organizations doing to adapt the cybersecurity measures to the changing requirements?
Make sure there is involvement with Vulnerability Management and Threat Intelligence or Threat Modeling. 
How do you get started with the digital transformation as your organization leader?
Take the lead in form threat Intelligence, Incident Response and Vulnerability Management. 
Is there someone in your organization that might understand the risks involved better than you?
Verify that your operation is involved in threat intelligence and persistent threat identification/management. 
How do you meet the need for reporting that is accurate, timely, and helpful?
Provide recommendations, technical guidance, architecture, installation, configuration, and/or operation for solutions used across the entire lifecycle of vulnerability management including vulnerability identification, threat intelligence, assessment, patching and remediation, exception management, secure configuration management, and reporting as well as the integration of these various solutions and technologies. 
### INTELLIGENCE:
What should be considered from a market perspective when developing a long term business plan?
Make sure the Security Threat Intelligence Team is responsible for developing innovative detection capabilities for threats against identity. 
What types of reports, outputs, data and deliverables should systems and analysts be expected to produce?
Develop and operate a team which is able to produce higher value and more actionable security and threat intelligence than is otherwise available through market threat intelligence vendors. 
What is the quantity of threat intelligence that your organization currently receives daily in the form of threat indicators from your various feeds?
Safeguard that your design hunts for indicators of compromise using various toolsets, and provides initial analysis of security intelligence feeds relative to network traffic analysis, intrusion detection, offensive security, data science and predictive analytics. 
Are regular threat intelligence briefings provided to onsite Information Security staff?
Research includes developing techniques in analysis, visualization, testing, and representation of all aspects of network cybersecurity; applying new and emerging techniques to the open-source cyber intelligence domain; and maintaining a data and analysis infrastructure to provide unique insights into the evolution of techniques in malware design and network security. 
How do you get started with the digital transformation as your organization leader?
Lead agile team of software security researchers in the discovery, analysis, and capability integration for the cyber intelligence operations community. 
What percentage of the current years IT Security budget will go to activities relating to threat intelligence operations both internal and external combined?
Produce all-source cyber intelligence analysis using various industry and organization tools, available classified and unclassified data sets, and accepted methodologies for assessing network traffic; identify, investigate and analyze cyber events of intelligence significance; and collect data, analyze results, and prepare intelligence products relating to cyber mission objectives. 
What best practices enable organizations to respond to cyber incidents effectively?
Lead and perform investigations to respond to threat detection and intelligence requests utilizing threat hunting or intelligence analysis best practices. 
How do you perform root cause analysis?
Work with your Threat Intelligence feeds and solutions to identify threats, develop or recommend countermeasures, and perform advanced network and host analysis in the event of a compromise. 
Do you trust new digital opportunities & transform without compromising your critical assets?
Make headway so that your organization develops models for identifying incident-type activity, of malware or bad actors, using statistical/advanced analytic tools; shares indicators of compromise (IOC) models with trusted parties for validation and collaboration; synthesizes and places intelligence information into context; communicates the nature, impact and mitigations for applicable security vulnerabilities. 
Is there a way to give better tools to organization heads through policy than exist now?
Liaison so that your team partners with other Information Security teams to evaluate and advance capabilities in mutual teams and through intelligence initiatives drives enhanced security capabilities across your organization. 
### CYBER:
What is the system support needed to make surrogate use seamless and minimally intrusive for a user?
Develop experience performing focused research and analysis to write complete, accurate, relevant and timely cyber threat intelligence reports to support network defense. 
What is the claims investigation, if any, that you conduct following a cybersecurity incident?
Diagnose collaborate with your cyber intelligence team and partners to share threat intelligence and response methods to strengthen your defenses and invest in the development and improvement of incident response processes. 
Who has the authority to enter information into the system, and how will entries be audited?
Be sure your process has hands on involvement working with Incident Response and Cyber Threat Intelligence functions. 
How much of a concern should you have about protecting data from foreign adversaries?
Serve on a team of Cyber threat analysts responsible for the 24x7 analyses and response to Cyber threat activity to protect client information resources. 
Do you actively share [OT Security](../../Information%20Security/OT%20Security.md) threat related intelligence with your peers?
Maintain and drive the development of new reports of Cyber Threat Intelligence analysis to peers, management and (internal) customer teams for purposes of situational awareness and making threat intelligence actionable. 
Does ai represent a threat or an opportunity and what are the critical factors in its development?
Conduct multi intelligence, all source analysis and cyber threat intelligence on past, present, and future cyber threats to network systems. 
Did your organization sanitize the information that it provided to the external communities?
Make sure the Cyber Threat Intelligence Team Lead manages a team of Cyber Threat Intelligence Support professional who provide technical expertise in cyber adversary. 
How do you Determine the Risk of a Threat Actor?
Analyze cyber threat intelligence to identify threat actor Tactics, Tools, and Procedures (TTPs) and apply this knowledge to system design in order to determine the impact of successful TTP execution. 
Does your organization have a cyber threat intelligence program and attack monitoring/alert process?
Make sure the SOC consists of a variety of highly-skilled, technical staff performing Monitoring and Analysis, Cyber Incident Handling, Threat Intelligence and Hunting, non-compliance reporting, user activity monitoring, malware and forensic analysis, vulnerability assessments and penetration testing. 
### THREAT:
What are the Key Functions in your organization that support Cyber Information Sharing and Analysis?
Manage practical knowledge managing threat data and creating intelligence assessments in support of your incident response and threat hunting missions. 
How do you translate operational measurements into meaningful security metrics for the business?
Make headway so that your workforce is involved in understanding threats, the current threat landscape, and intelligence gathering with an analytical mindset in order to translate data into threat indicators faced by (internal) clients. 
How do you focus on your people to develop organizational preparedness for an attack?
Perform research and collection across the intelligence spectrum to support requests for information from internal teams and conduct trending and correlation across threat intelligence data to establish patterns, identify proactive mitigations, and develop countermeasures. 
Is your security infrastructure integrated so that threat intelligence can be shared in real time across all security elements?
Manage threat intelligence platforms and monitor feed sources for efficacy and work with security operations and engineering to integrate threat indicator sources with appropriate tools. 
Is it possible to secure your organization against both external and internal threats without causing undue friction?
Ensure you have intimate knowledge about information security threat intelligence and thrive on the details of threat analysis. 
What is the best approach to strengthening corporate governance of cybersecurity risk?
Ensure your strategy collects, assesses and analyzes intelligence reports from multiple sources and disciplines; reviews incident logs/records mining for intrusion patterns; manages documentation and tracking of relevant threats, threat actors TTPs. 
How does osint and dark web analysis compare with expensive, custom built intelligence feeds?
Interface so that your process ascertain and leverage trustworthy open and closed source cyber threat intelligence data feeds. 
Many early threat intelligence services focused on general security data, identifying malware indicators and tracking malicious sites, how does that apply to your environment?
Collaborate with other Threat Analysis team members to identify and design new areas for intelligence collection and storage. 
### TECHNOLOGY:
What are the different ways in which fidelity can be lowered for a broad range of applications?
Incorporate Threat Intelligence into the Information Security program, staying abreast of the latest information technology security trends and vulnerabilities. 
Do you utilize a security command center platform to update and manage your firewall and related Cyber Threat Intelligence services?
Utilize cutting edge cyber technology tools and threat intelligence in making secure design recommendations for ICS/OT and the admin network. 
How regularly do you review your threat model to determine what attack vectors are most likely?
Identify attack surface reduction opportunities via vulnerability data analysis, trends and asset metadata review as well as collaboration with threat intelligence and technology management. 
Does your organization have the appropriate controls to detect and prevent an insider attack?
Ensure your next-generation technology, which combines threat intelligence with machine learning, enables financial institutions and organizations to detect cryptocurrency fraud and financial crime with unprecedented scale. 
What effect on information security was due to the combination of threat intelligence and situation awareness?
Work with the Attack Surface Management team to conduct a penetration test scoping/kick off meetings with technology business stakeholders, document scope, and schedule testing window. 
What incentives are needed to support proactive measures to strengthen cybersecurity?
Ensure your team is involved in providing CI support to Technology Protection. 
How will the subject matter expertise developed by the program administrators be kept and shared over time?
Develop experience providing oversight of large, multi functional project teams, specifically in an information technology environment. 
Do you store knowledge of assets affected and exploits used along with the relevant threat intelligence indicators involved?
Make sure your organization is involved in all aspects of the RPA technology platform. 
How do you create personal incentives for disclosing cyber trust information?
Serve as a key resource for anomaly detection in protecting your Operational Technologies (OT)/ICS manufacturing assets, information assets and technology assets. 
Do you regard flexibility, scalability and security of the technological platform as important?
Evaluate automated and information technology systems and develop strategies to optimize and ensure the quality and stability of automation systems through future expansion, replacement, or upgrade. 
### SYSTEMS:
What impact, if any, have high profile cyberattacks had on IT security at your firm?
Make sure your staff carries out your organization needs in depth threat intelligence analysis to find the perpetrator, the type of attack, and the data or systems impacted. 
Do you demonstrate due diligence, ownership, and effective management of cyber risk?
Interface so that your team works with considerable independence, developing operating plans and related operational processes for own department and monitoring the flow of work between own department and others in alignment with broader business objectives, selecting and developing effective managers and work teams, and managing own organization through reliable systems and processes. 
How well trained is staff concerning potential attack vectors an active adversary may use?
Decrease leverages emerging threat intelligence to identify affected systems and scope of attack. 
Is the threat intelligence updated when new information is learned or knowledge changes?
Use threat intelligence as updated rules and Indicators of Compromise (IOCs) to pinpoint affected systems and the extent of an incident. 
Is the ceo highly technical and thus likes reading full on reverse engineering reports?
Document investigation and incident response actions taken in case management systems and prepare formal incident reports. 
How do you ensure that the board and senior management are regularly involved in managing Cybersecurity risks and resource allocation?
Certify your company is continuing development of professional knowledge and skills in Information Systems and Information Assurance. 
Do you have access to the latest, contextual intelligence available to rapidly adapt to the evolving threat landscape?
Ensure that ppl eu systems and data management protocols adhere to regulatory requirements. 
How serious does your organization consider the current threats to control system cybersecurity to be?
Install and organize information systems to guarantee organization functionality. 
What methods should be involved to identify vulnerabilities at the perimeter of critical networks?
Be certain that your workforce is involved in systems software development. 
Do you believe gathering and using threat intelligence is essential to a strong security posture?
Be sure your organization improving fundamentals and innovating engineering systems and process the team is using. 
### TOOLS:
How do you know when your organization is a cyber target?
Interface so that your staff is involved in methods, sources, tools, and subject matter pertaining to all source cyber threat intelligence collection and analysis. 
Do you carry out research and gather intelligence to become better informed about your core customers, to segment your markets and provide a more personalised service?
Become expert with third party threat intelligence tools with priority. 
What technology tools does your organization currently use to collect and analyze threat intelligence?
Ensure you focus on growing as a team to deliver the best support to your (internal) customers and use multiple resources for mentoring and learning new skills and tools. 
What value does threat intelligence bring to your organizations overall security strategy?
Ensure you support each other through success and failure, to bring the best tools to law enforcement, organization departments and corporate (internal) customers. 
How do you ensure that the board and senior management are regularly involved in managing Cybersecurity risks and resource allocation?
Ensure your operation is involved in forensic tools and investigations. 
Do you know the private sector entities in your jurisdiction that should be involved?
Confirm that your process is involved in wireless exploitation techniques and tools. 
What would you do if any of the parties involved were the subject of a cyber-attack?
Make headway so that your company is involved in container/orchestration tools. 
Have requirements for support from the intelligence collection management infrastructure been addressed?
Select and tailor approaches, methodologies and tools to support service offering or industry projects. 
What has the framework indicated in terms of the weaknesses in maintaining the accountability of intelligence departments?
Be confident that your strategy has involvement with analytical tools and processes. 
What is your process for ensuring that risks identified through your detective controls are remediated?
Work closely with tools engineering teams to prioritize and remediate vulnerabilities.
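Review bot: Several questions in the numbered list are repeated verbatim in the themed sections that follow it, and a number of the themed-section sentences are garbled job-posting text rather than questions; deduplicate and reword before keeping this file in the Literature folder. For example, "Are regular threat intelligence briefings provided to onsite Information Security staff?" appears as item 26 and again under INTELLIGENCE, while lines such as "Decrease leverages emerging threat intelligence to identify affected systems and scope of attack." and "Safeguard that your design forensics Threat Intelligence Penetration Testing Vulnerability Management Purple Teaming etc." do not parse as sentences. The themed-section lines also end with a trailing non-breaking space that should be stripped.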


@ -0,0 +1,119 @@
# Address Threat Management challenges, ensuring all the fragmented components of an organization are tied together
Relevant ISO 27001 clauses/controls:
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 C 6.1.2 Information security risk assessment](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20C%206.1.2%20Information%20security%20risk%20assessment.md)
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
- [ISO 27001 A.18.2 Information security reviews](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.18.2%20Information%20security%20reviews.md)
Related:
- [Assets, Vulnerabilities, Threats, Risks](../..//Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Retrieved from [LinkedIn](https://www.linkedin.com/pulse/address-threat-management-challenges-ensuring-all-tied-blokdyk) on January 9, 2022
1. Have you fully considered how cloud services and mobile working affects your risk and threat management models?
2. Does your organization have a Threat Management Team (TMT) to conduct threat evaluations?
3. Does your organization have a working, clearly defined security standards development process?
4. What are the top 3 future challenges your organization will need to address regarding overall IT security threat management in the next two years?
5. If your organization does not have forensic cyber threat analysis in-house, does local law enforcement have a resource?
6. Does your organization have a defined insider threat management program that involves cooperation among multi disciplinary areas of your organization as human resources, IT and legal?
7. Does your organization have integrated threat management and mitigation across client, server and edge?
8. Does your system have inventory control procedures for access badges, uniforms, and equipment?
9. Does your company have any routines about risk identification in conceptual design stages?
10. How do threat management services help you measure your overall security effectiveness?
11. By what percentage have security breaches been reduced because of using threat intelligence solutions?
12. Does your organization have a defined application development extranet security process?
13. Does your organization have procedures for investigation of all reported incident/ accidents?
14. Do you have good cyber threat management practices, including protective, detective and response capabilities?
15. What critical information does the cyber criminal already have on your organizations operations?
16. Do your service providers have structured protocols in place to assess and provide duty to warn and send notifications to your organization?
17. Do you need to show that your organization meets compliance obligations, and have procedures in place to control data access?
18. Does your organization have adequate and dynamic processes in place to identify existing and new risks faced?
19. Do you have the right gauges to measure the success of your cyber threat management program?
20. Does the person of concern have the means, knowledge, intent, motivation, and ability to carry out the threat?
21. Does the vendor have experience in producing high quality information security products?
22. Have all of your information partners been vetted to corporate security standards?
23. Does your organization have a standardized tool or system that should be used in all projects?
24. Which products/services have root access to IT networks, OT systems or sensitive platforms?
25. In a typical week, what percentage of your threat management time is spent with alert triage or reactive response to security threats versus engaging in proactive and innovative detection methods?
26. Does your organization provide employee training to raise information security awareness?
27. Do you support decision makers when they make risk decisions within the parameters you have previously set?
28. How are your organizations risk and threat management information used to guide in technical SIEM use case development?
29. Do the results of the security categorization process reflect the organizations risk management strategy?
30. Does your organization have the right balance of arrangements in place to deal with these risks?
31. Do your suppliers have procedures for secure maintenance and upgrades following deployment?
32. What benefits have you realized from outsourcing security to a third-party service provider?
33. Does your organization have dedicated privacy professionals whose primary responsibility is privacy?
34. What does it mean to your organization to have in place a risk-sensitive and risk-aware culture?
35. Does the persistent use of security technologies contribute to a reduced cost of cyber crime?
36. Does your organisation share information on information security attacks with third parties?
37. Is the exposure or uncertainty isolated or does it have multiple effects?
38. Does the supplier have the requisite experience, skills to ensure the supply chain delivers?
39. What administrative policies and procedures do you have in place for insider threat management?
40. Does your organization have a willingness to pursue security outcomes through disciplines other than security-specific solutions?
41. If you have an Intrusion Prevention System, is it tied into the rest of your security infrastructure for automatic response?
42. What percentage of external digital threat management tasks do you outsource to managed security service providers?
43. Does the security development process apply to all types of application development?
44. If HR tells information security that a person is going to leave and has turned in their resignation, can security look at what the person has been doing?
45. Does the firewall support your network security policy, or does it impose the vendors policy?
46. Just how capable does the enterprise want its risk management to be for each of its priority risks?
47. Does each program/project test, validate, and verify security in its software and system components?
48. Do you monitor and log privileged access (administrator level) to information security management systems?
49. Does your security infrastructure drain manpower and resources or does it make your staff more productive and nimble?
50. How much management of user-owned devices connecting to corporate resources does your organization want?
51. How does management develop a shared vision for the role of risk management in the organization?
52. Do you have visibility into where sensitive data resides and do you have the ability to quickly remediate issues as they arise?
53. Do any new features that may increase Cybersecurity risk also have an increased benefit?
54. Is the security console and control room adequate in size and does it provide room for expansion?
55. Where does lack of trained security experts in new and advanced threat management pose a caveat in your security fabric?
56. What impact will the mitigation approach have on the technical performance of your systems?
57. What is the function of security event data processed in real time for incident response and threat management?
58. Does your organization have the appropriate controls to detect and prevent an insider attack?
59. Do you have dynamic risk assessment processes to assess, manage and react to cyber threats?
60. What options do system and organizational managers have to reduce the risk present on the system?
61. Do your managers proactively support preventive security or is there a view that it will never happen to us?
62. Which departments take part as an ad hoc member of your interdisciplinary threat management team?
63. Have you identified your most critical assets and know where they are stored and transmitted?
64. Which users have access to sensitive and highly confidential data and the ability to download this data to devices?
65. What set of inputs, processes, and outputs does management use to provide oversight of an activity?
66. Who is responsible for managing security risk in your organisation and who do they report to?
67. Knowing what you know now about the COVID 19 pandemic, what is one thing you will do differently at your organization?
68. You have identified a number of uncertainties, how do you quantify them?
69. Do employees have round-the-clock security, or could someone gain access to the building after hours?
70. Does your organization have your business continuity plan that allows for continuity of operations?
71. Who are in your diverse workforce including remote / mobile users that need reliable access to applications?
72. Does the threat information tell you that you should focus on one Element more than another?
73. Do you have clear processes and procedures to obtain threat information in a timely manner?
74. Do members of the team have adequate knowledge of the organizations hardware and software?
75. Have your organizations personnel and partners been provided cybersecurity awareness training?
76. Do you have a capability to use system geographic location as an authentication factor?
77. What controls do you have to ensure that the integrity of your data is maintained?
78. Have minimum controls been identified for each system in accordance with NIST SP 800-53?
79. In circumstances where there is abundant supplement data, how much capacity would you have to deal with that data?
80. Which members of your organization are involved in the security system development life cycle?
81. Real time threat management goes beyond inspection of network logs and flow data alone. How is your organization improving network monitoring?
82. What actions are taken by project teams to help encourage risk management activities?
83. Does the SMS audit plan include the sampling of completed existing safety risk assessments?
84. How do you address threat management challenges, ensuring all the fragmented components of your organization are tied together?
85. What security procedures and practices are to be utilized in Operational Management?
86. Where are the firewalls physically located to ensure physical security and protection from disasters?
87. Does management involve the board when making decisions to accept or reject significant risks?
88. Have policies been developed for the procurement and use of evaluated products as appropriate?
89. What security advisory services are you outsourcing to a security service provider?
90. Where is your organization in terms of the maturity of your application security strategy?
91. Do your the service providers conduct criminal background checks on personnel they place in your workplace?
92. If you are not currently using a managed security service provider, what would drive you to do so?
93. Which devices have an expected end of support date for the software and how is this communicated?
94. Traditional hardware security, corporate firewalls, Unified Threat Management (UTM) and routers are good places to start to protect endpoints on the LAN, what else do you install in you organization?
95. What is the most critical barrier holding your organization back from implementing threat management more effectively?
96. Do you have the right products and technologies in place in each of your organizations functional network segments?
97. Do any of your suppliers or their suppliers manage or have access to your organizational data or systems?
98. Have new employees and users been given proper instructions for protecting data and systems?
99. Do you have the understanding required to make decisions potentially out of hours and under time pressure?
100. Does your cyber risk training focus on the technology, the organization and the individual?
Relevant ISO 27001 clauses/controls:
- [ISO 27001 C 8 Operation](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20C%208%20Operation.md)
- [ISO 27001 A 16 Information security incident management](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2016%20Information%20security%20incident%20management.md)
- [ISO 27001 A 17 Information security aspects of business continuity management](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2017%20Information%20security%20aspects%20of%20business%20continuity%20management.md)
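Review bot: Two transcription errors survive in the question list, question 91 ("Do your the service providers conduct criminal background checks") and question 94 ("what else do you install in you organization"); since this commit is a cleanup pass, either fix the doubled "your the" and "you" -> "your" here or, if the file is meant to quote the LinkedIn post verbatim, mark them with [sic] so nobody "fixes" them again. The same list also switches between "organisation" (questions 36 and 66) and "organization" everywhere else. Minor: the trailer "Relevant ISO 27001 clauses/controls:" omits the ":2013" edition suffix that the threat-modeling file below uses, although all three links point into the "ISO 27001 2013" legacy folder; one heading form across the folder would make these files greppable.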

View file

@ -0,0 +1,758 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/threat-modeling-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: March 11, 2022
Retrieved from on March 15, 2022
Relevant ISO 27001:2013 clauses/controls:
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
Relevant ISO 27002:2022 clauses/controls:
- [a-5.7-Threat-intelligence](../../Standards/ISO27x/OST/27002/EN/a-5.7-Threat-intelligence.md)
Related:
- [Threat Intelligence](../..//Threat%20Intelligence.md)
## Threat Modeling: Ask This;
### TLDR: Ask This;
1. What rules do you have that capture security objectives resulting from the process of threat modeling and are created with knowing what information in your design needs to be protected?
2. Do you develop cloud security standards, threat modeling methodologies, secure code practices, and processes in tandem with architects and system engineers?
3. How do you utilize threat modeling and quantitative risk analysis to formally specify and analyze the security of a self adaptive system under uncertainty at runtime?
4. When you audit your data using threat modeling, how much security is enough?
5. Do you incorporate threat modeling into the business requirements/design process of your SDLC?
6. Do you use threat modeling for new services, data and applications to find the ways business capability can be attacked?
7. What budget do you need or have to conduct a threat modeling process?
8. Is threat modeling integrated into your quality management systems?
9. How have threat models, use cases and security requirements been modified for your organization?
10. How does threat modeling keep security a step ahead of the risks?
11. Are your model components of cloud threat modeling different from non cloud threat modeling?
12. How do you use a threat model to drive security tests?
13. Is there an attack within the threat model that can violate the security goals?
14. How do you know if you are having a disruptive threat and have to innovate your business model?
15. Are there specific modeling languages and things that are being developed to make the threat modeling itself easier to do?
16. What are the components of your threat modeling and risk measurement approaches?
17. Do you currently use Threat Modeling to help build functional requirements?
18. What happens when a security requirement or a threat model changes?
19. During which phase of the software development lifecycle (SDLC) is threat modeling initiated?
20. How do you determine legitimate versus nefarious traffic?
21. Have you done architectural analysis, risk analysis and threat modeling on your software?
22. How does an external component change the threat model of the entire system?
23. What threat modeling process is used when designing software protections?
24. Do you bring attack trees into your threat modeling methodology?
25. What kinds of attacks and what kinds of attackers is a security measure meant to prevent against?
26. Which functionality need threat modeling and security design reviews?
27. Which of the threats listed in the threat model can be afforded by the attacker in consideration (based on the resources needed for the attack)?
28. Which risk response planning techniques do you use to shift the impact of a threat to a third party, together with the responses?
29. Is threat modeling being done to determine security requirements for each sprint ?
30. Are results from vulnerability tracking fed into the threat modeling process?
31. Do automatic threat modeling tools provide extra value to the security process?
32. Is the purpose of cloud threat modeling different?
33. When do you start threat modeling your application?
34. Which of the threats identified in your threat model apply to the code you are reviewing?
35. Is threat modeling part of R&Ds fabric?
36. How effective is Threat Modeling in reducing the redundancy of test cases?
37. Who do you think would want to tamper with it, and what resources do you think they want to bring to bear?
38. Is threat modeling too tough to produce actionable results?
39. What sort of skill sets or roles are assigned threat modeling tasks?
40. What are the classes of existing threat modeling methods?
41. Where do you use threat modeling for IoT?
42. How do you use a threat model at design time?
43. What is the process you use to conduct threat modeling, understand and measure cyber risk, and prioritize investments to mitigate?
44. Do your projects have a standard for threat modeling?
45. Do you have clear, effective policies that talk about insider threat or address it?
46. What will an attacker strive to accomplish?
47. How much time do you have to decide if a threat is credible or not?
48. How much time do you have to decide if a threat is possible or not?
## Organized by Key Themes: SECURITY, SYSTEMS, DESIGN, SOFTWARE, MANAGEMENT, SECURE, PRODUCT, THREAT, RISK, DEVELOPMENT:
### SECURITY:
Do you incorporate threat modeling into the business requirements/design process of your SDLC?
Lead architecture design reviews with development and product management to incorporate effective threat modeling and security standards and tools into product design and development. 
What have you learned from watching the operations?
Ensure your staff is involved in security activities throughout the software development lifecycle design reviews, threat modeling, fuzzing, code reviews, tooling, penetration testing. 
What types of attacks may be escaping your assessment tools?
Certify your personnel is involved in IaC (Infrastructure as Code) and performing threat modeling and design reviews to assess security implications and requirements for introduction of new technologies or products. 
Where does it fit in the system development lifecycle?
Develop experience working with IT Cyber Security Risk and Controls related to environments including Hosted (internal) customer Environments, Data Networking Design and Operations, Threat Modeling, Data Protection, Cloud Cyber Security Management, Vulnerability Management, Incident Management, Firewall and segmentation. 
What is the current size of the project, in terms of people involved?
Establish that your design is involved in architecture and security reviews, and threat modeling applications. 
Will performing the exploit permanently deplete the attackers resources?
Be sure your personnel is involved in security functions as understanding cloud architecture and performing design reviews, threat modeling, code and configuration reviews, and incident response. 
How do you get support to improve the breadth and depth of your security program?
Work closely with the S and C and Engineering teams to implement processes and execute on broader security risk reviews and threat modeling across the entire company (new products, acquisitions or service models, vendor integrations, etc. 
What is the current size of the project, in terms of people involved?
Certify your strategy is involved in threat modeling and security risk assessments. 
Which is the step that follows soon after identifying the threats in software threat modeling?
Make headway so that your design is involved in enforcing secure coding practices, threat modeling, identify and access management, and security incident responses and recovery. 
### SYSTEMS:
How should physical data be managed in workspaces?
Enhance threat modeling processes to produce convincing evidence self driving systems are reasonably free of security risk and that residual risks are managed. 
What is the current size of the project, in terms of people involved?
Assure your process is involved in risk assessments, threat modeling, vulnerability management programs, or software, systems and solutions development and delivery. 
How do you use a threat model to drive security tests?
Make sure the Signals and Systems Division engages in research related to advanced threat analysis, operational employment concepts, advanced EM spectrum management, test and evaluation, and knowledge management primarily through the application of modeling and simulation. 
Has the cloud service provider had comprehensive penetration testing performed?
Perform threat modeling and risk assessments for current and forward model vehicle systems. 
How does communication work within the development teams?
Plan and execute modeling and simulation systems development projects and design and develop simulation systems and modeling of simulation objects. 
Which high risk applications are developed and released without security testing?
Develop experience modeling and documenting software systems and business processes. 
How widely deployed is the vulnerable software or system?
Safeguard that your team applies deep expertise in causal modeling to develop large scale systems that are deployed across your organization. 
What is the current size of the project, in terms of people involved?
Ensure your design is involved in Linux based systems. 
What is the current size of the project, in terms of people involved?
Oversee that your team is involved in implementing radar, RF, and digital hardware concepts in physical systems. 
What threats are possible in the environment where the software will be operating?
Ensure your strategy is involved in Operating Systems and Networks. 
### DESIGN:
Does your organization have a process for monitoring and identifying new threats, vulnerabilities and changes in the environment?
Secure that your team is evaluating product design features and identifying security gaps via threat modeling. 
Do you identify and pinpoint evidence of attempted and blocked attacks down to the line of code?
Be confident that your personnel mentors developers and testers in security activities during the product lifecycle, such as secure design reviews/threat modeling, security code reviews, security test planning, and component security hardening, to identify potential security weaknesses. 
How do you effectively prioritize threat mitigation efforts?
Secure design methodologies and threat modeling. 
What is the current size of the project, in terms of people involved?
Safeguard that your organization is involved in API design and system architecture. 
Will the initial rollout include all secure development practices or a subset?
Implement best practices for Secure Design, Threat Modelling and heuristic/signature endpoint detection. 
How do you help development teams with remediation?
Develop experience integrating design workflows with agile product development teams. 
Are the pricing and licensing models different for deploying to virtual machines versus physical devices?
Secure that your strategy drives resolution of organizational effectiveness issues, including team and leadership development, organizational design, workforce analysis and planning, business process improvement and departmental restructuring. 
How do you integrate a providers identity meta system with your identity management processes?
Safeguard that your staff collaborates with leaders of business, design, research, development, and other partners to improve the visibility of Content Design and integrate content early in the product development process. 
How do you implement threat modeling?
Develop experience leading project teams to design and implement new solutions in areas of expertise. 
What are the components of your threat modeling and risk measurement approaches?
Follow a user experience design process from concept to execution; approach design from a users perspective, listening to users and balancing their needs alongside business goals and technical capabilities. 
### SOFTWARE:
What access privileges must an attacker have to be able to perform the attack?
Perform security threat modeling of your automotive software data distribution platform. 
What is the current size of the project, in terms of people involved?
Ensure your design is involved in Threat Modeling and Secure Software Design. 
What assets are most valuable, and what are values?
Consult software development teams in design and architecture of secure systems through Threat Modeling. 
Are there any risks that people should know about the setup process?
Make sure your strategy is involved in methodologies and tools, for threat analysis of complex systems, as threat modeling and software fuzzing. 
What is the current size of the project, in terms of people involved?
Be certain that your process is involved in statistical and data analysis and commercial data analysis software packages. 
What is used to specify who can access specific registry settings?
Safeguard that your personnel is developing lightweight SDLC processes to embed into Product Design and Software Engineering workflows. 
What is the maturity of the model used and how do you see it developing?
Guarantee your organization is involved in building software solutions (managing developing teams, writing code). 
Does the information resource use or process any other confidential or restricted data?
Warrant that your staff is involved in architecting and deploying secure software in defined and virtualized networks. 
How can organizations keep abreast of trends to identify and anticipate emerging threats and opportunities?
Make sure your group is involved in reverse engineering and software bug hunting. 
Does the firewall meet other security standards and best practices?
Develop system design and software best practices for engineering teams. 
### MANAGEMENT:
How is your business and revenue model supported by your API?
Engage with Product Management and Engineering Architects to proof out new product or offering concept from the security perspective; perform high-level threat modeling, support product compliance requirement analysis. 
How are threats and vulnerabilities included in the environment specification?
Develop experience executing project management skills including design review, threat modeling, and risk profiling while working across a large, complex, distributed, organization that is representative of a diverse IT community to include policy, regulations, and compliance requirements. 
What is the current size of the project, in terms of people involved?
Check that your personnel is involved in business continuity management, threat modeling and vulnerability management programs. 
Did the guidelines provide enough information to detect the flaw?
Provide expertise to engineering teams on SDL including threat modeling, secure design, secure development, secure testing, vulnerability assessments, and secure management for software and firmware development. 
How much time do you have to decide if a threat is possible or not?
Be certain that your group is involved in common SDLC tools: static and dynamic code analysis, open source management, threat modeling, etc. 
How will you determine if some threats or events require enhanced emphasis and investment or have already received sufficient focus?
Invest in threat and vulnerability management activities, including: triage of new vulnerabilities, root cause analysis, threat modeling and mitigation planning. 
Does the system track how many failed login attempts a user has experienced?
Establish that your team has involvement in designing and implementing secure mobile applications (Authentication, Encryption, Session Management, Least Privilege, Threat Modeling). 
Can an attacker assume the identity of a privileged user?
Establish and mature the enterprise threat management program to include threat aggregation, analysis, modeling, hunts, and insider. 
Does the firewall include software that can manage all of the firewall instances in the cloud?
Oversee that your team is involved in ethical hacking and vulnerability management reporting. 
What are the leading causes and risks in cybersecurity?
Lead business modeling and analysis efforts across all phases of the project management process. 
### SECURE:
What fraction of an attackers day is spent performing attacks?
Guarantee your design is involved in performing Threat Modeling and designing secure Architecture. 
What are the best practices adopted by agile software development teams?
Drive a secure SDLC program with the product and engineering teams, ensuring secure coding and threat modeling practices are adopted and taking place. 
Do you currently use Threat Modeling to help build functional requirements?
Ensure your operation is leading threat modeling and secure architecture reviews. 
What is the current size of the project, in terms of people involved?
Verify that your design is involved in code reviews and secure product design. 
Does the threat prevention service support behavioral analysis?
Create application threat models, perform secure code reviews, and ensure the use of secure coding practices, with the support of the Infosec team. 
What is the current size of the project, in terms of people involved?
Assure your strategy is involved in manual secure code assessments in a variety of common languages. 
Does your organization automatically disable dormant accounts after a set period of inactivity?
Make sure your staff is involved in designing and architecting secure cloud native web applications. 
What business process is being performed or supported?
Build and sustain secure design and architecture processes that support organizational goals and strategy. 
Are teams required to complete all of the secure development practices?
Make sure your workforce is involved in secure coding techniques and best practices. 
What will prevent the system from reaching mission requirements due to threats causing vulnerabilities?
Develop experience developing secure cloud resource deployment templates in Cloud Service Providers using infrastructure as code frameworks. 
### PRODUCT:
What technical security services do databases provide?
Make sure the team leads product threat modeling, measures and recommends BSIMM behaviors, and manages a highly visible security champions program. 
Does the user have to leave the normal flow of the application to perform the activity?
Partner with product teams to review new products and features, develop threat models and perform risk assessments. 
What kinds of architectures are able to mitigate risks to a reasonable level?
Liaison so that your operation is developing your overall threat model, and working to understand and mitigate risk across the spectrum your organization, the product, and the infrastructure. 
What needs to be done to assure delivery of the required services?
Coordinate, participate, and deliver threat modeling for products. 
Which functionality need threat modeling and security design reviews?
Interface so that your process supports technology architecture design review efforts for project and product teams. 
Is it threatening or is it transforming the traditional model?
Oversee that your design is involved in collecting, analyzing, and interpreting data from multiple sources, documenting the results and providing meaningful analytic products. 
Does your solution support risk modeling and prioritization?
Interface so that your company is involved in partnering with product and program management teams. 
What is the current size of the project, in terms of people involved?
Check that your process is involved in managing product vendors and associated budgets. 
How do you get support to improve the breadth and depth of your security program?
Participate in the corporate development process by evaluating potential acquisitions and then working on integrating companies, products and team members after an acquisition. 
When is more cost effective to build security in?
Collaborate across factory management teams, product, logistics, and FP and A functions to identify and record financial exposure related to slow moving or obsolete inventory, develop accounting flows for new business models, and create models as a basis for forward looking plans and forecasts (including ROI analysis for capital investments and validation of cost improvement projects). 
### THREAT:
What is the current size of the project, in terms of people involved?
Oversee that your team is involved in threat modeling or other risk identification techniques, and risk management. 
What is the current size of the project, in terms of people involved?
Make sure your organization is involved in threat modeling and asset risk analysis. 
What is the current size of the project, in terms of people involved?
Make sure your workforce is involved in threat modeling methodologies and risk frameworks. 
Are matters any better when there is no work for hire clause in the picture?
Make sure there is ability and involvement performing threat modeling data flow diagramming architecture risk analysis, identifying bugs and flaws and driving work items from such activities to resolution. 
Have you previously participated in the threat modeling process?
Participate in secure design considerations during threat modeling sessions, as well as participate in risk assessments. 
What is the current size of the project, in terms of people involved?
Confirm that your workforce is involved in threat modeling and risk identification. 
Does the app provide access to only necessary entities?
Secure that your design is involved in threat modeling for embedded and IoT systems. 
Is storage in the data store set to a known value after use?
Develop experience performing threat modeling and design reviews to identify new detection use cases. 
What is the current size of the project, in terms of people involved?
Confirm that your design is involved in application threat modeling and application architecture. 
How hard is it for users to deny performing an action?
Ensure your group is involved in performing threat modeling and designing secure mobile application architecture. 
### RISK:
What is the current size of the project, in terms of people involved?
Be sure your team is involved in the application of threat modeling or other risk identification techniques. 
What are the benefits of developing conceptual models?
Be sure your workforce is overseeing and developing a multi tenant risk based vulnerability and baseline management program and functional network threat modeling program. 
How do you allocate your budget for insider threat?
Liaison so that your organization assesses applications, design threat models, documents potential risk vectors, check for code vulnerabilities, recommends proportional controls and ensures risks are resolved expeditiously. 
Which portions of the project will require security design reviews before release?
Perform architectural risk analysis, threat modeling, secure design and source code review. 
What are the general security measures when using the internet?
Monitor the cyber landscape for emerging threats and the potential impact (risk ) to your organization using threat modeling analysis tools and resources. 
What are the most appropriate levels of granularity at which to perform threat modeling?
Learn threat modeling techniques and perform threat and risk assessments of your source code repository and cloud environments. 
What content does an effective security testing framework for database systems need to include?
Utilize corporate risk register to mature the threat modeling process for protecting your organizations high value assets. 
What decision processes drive the inclusion of threat actors?
Participate in and conduct application threat modeling exercises in order to identify and drive risk decisions, and influence technical designs and architectures. 
Who is responsible for implementing and maintaining security measures in the equipment?
Develop or support threat modeling (threat type, impact, risk rating, counter measures, residual risks, and gap analysis) for in scope products. 
What falls outside the scope of database security management?
Manage the methodologies for threat modeling and risk modeling. 
### DEVELOPMENT:
How have your modeling practices improved over the past year?
Ensure your workforce is integrating threat modeling practices into the product development life cycle. 
What facilities in the operating system can be used to implement security requirements?
Engage in the software development lifecycle (SDLC) to ensure secure designs and coding practices and integrate threat modeling, required tools, standards, and metrics into release processes as well as operating environments. 
How do you conduct a threat rating?
Lead and conduct threat modeling activities during Secure Development Lifecycle (SDL). 
What are leading causes and risks in cybersecurity?
Lead threat modeling, design reviews and code reviews in the context of the development lifecycle. 
Have the procedures and/or equipment prevented program/project problems?
Ensure you have involvement integrating threat modeling throughout the application development lifecycle. 
Have you previously participated in the threat modeling process?
Participate in architectural reviews, threat modeling of applications across development teams. 
What type of models did you use throughout the process?
Invest in formulating a threat modeling strategy; collaborate with development to influence and advance the same. 
Does the framework introduce any significant problems or complications?
Make sure your team works with business and development teams in recommending process or system design and enhancements. 
What is the current size of the project, in terms of people involved?
Make sure your design is involved in Agile software development methodologies. 
Are you familiar with secure software practices in your unit?
Secure development practices including threat modeling, architecture, design, vulnerability assessment.


@ -0,0 +1,756 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/what-information-do-your-vendors-have-regarding-how-secure-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: February 23, 2022
Retrieved on February 24, 2022
Relevant ISO 27001 clauses/controls:
- [ISO 27001 A 6.1.5 Information security in project management](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%206.1.5%20Information%20security%20in%20project%20management.md)
- [ISO 27001 A 15 Supplier relationships](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2015%20Supplier%20relationships.md)
- [ISO 27001 2013 C 9.2 Internal audit](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%202013%20C%209.2%20Internal%20audit.md)
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
Related:
- [Vendor security MoC](../..//Vendor%20security%20MoC.md)
## Vendor Management: Ask This;
1. Does your organization have a vendor management program designed to ensure the privacy and/or security practices of vendors will not threaten the integrity of your organization's privacy standards?
2. Does your organization have a risk management and due diligence process focused on vendor management?
3. Do you have a vendor management ecosystem in place together with effective sourcing governance?
4. What information do your vendors have regarding your organization and how secure is the data?
5. How do you ensure your organization understands and works to meet the objectives of your Vendor Management program, which involve onboarding, analyzing, and monitoring new vendors and current vendor relationships and the risks that could affect the business?
6. How do you manage the details of vendor management for those who have any degree of network access or who hold your data by design; are audits of those vendors required?
7. Does your organization have the vendor management capability, time, and controls necessary to manage the provider and provider quality?
8. Which vendors will have the most impact on your organization if they suffer an interruption, and how quickly will the impact materialize?
9. Does your organization have supplier management related KPIs and are they visible to senior management?
10. Do critical vendors have your business continuity plan, not just for your data but also for the larger business?
11. Do you have a vendor management program in place that includes contractual obligations and establishes management oversight activities for third parties with access to personal data?
12. Does your organization use vendor-managed inventory and collaborative planning, forecasting and replenishment?
13. Does your organization have a system in place to properly vet contractors and vendors before they are granted access?
14. Does your vendor management program include on-site audits by your organization's internal resources?
15. How does a lack of vendor management resources impact service delivery and create stakeholder dissatisfaction?
16. To what extent does your organization have an established incident response plan defining how to respond to the compromise of a networked device?
17. When a third party project needs rework, what impact does it have on your organization and/or its customers?
18. How do you move beyond transactional vendor management to true supplier partnerships that will achieve savings and drive innovation?
19. What are the laws and industry regulations that apply to your organization with which your vendor will be required to comply?
20. What is your organization willing to undertake in terms of risk, and what resources do you have to manage it?
21. In the event of a vendor outage or a compromise causing an outage, how quickly would your organization need to recover before facing significant financial losses?
22. How difficult is it to secure business unit support for your vendor management program requirements?
23. How does your organization measure, monitor and report on its vendor footprint?
24. Does your organization have a defined workflow process in place to escalate identified risks for remediation?
25. What technical disciplines does your organization's audit team have to properly audit your vendor's ability to build security into the code?
26. What policies does the vendor have to detect, prevent and mitigate incidences of identity theft?
27. Is there two way communication available between your organization and vendor staffing companies, and your organization and vendors themselves?
28. Does your organization have a formal negotiation and approval process for contract terms and conditions?
29. What policies does the vendor have to detect, prevent and mitigate incidents of identity theft?
30. Does your organization have a standard level of security requirements based on the types of services/goods provided by the vendor?
31. Does your organization have a clear view of all existing business unit IT spend and resources?
32. Has your organization created a dedicated team for vendor governance and performance management?
33. Are the right mechanisms in place with your current vendor management strategy to effectively manage cloud projects?
34. Are there individuals on your organization's staff who can perform the services if the risk of working with the third party proves greater than your organization would like?
35. Does your organization have plans in place in the event that labor rights concerns are identified in your supply chain?
36. What subcontract or affiliation arrangements does the vendor have that involve your information?
37. As part of your vendor management review, do you review Business Continuity Planning and/or testing?
38. Does your organization have an action plan in place to address recommendations made in audits?
39. Are there any existing tools your organization expects the vendor to use and for what purpose?
40. How do you handle change management within your organization when systems are upgraded, and resource training on the new systems and technology is significant?
41. Does your organization have procedures in place for sustainable sourcing (including transportation)?
42. When a crisis hits, how do you know that your vendors' resiliency matches your own?
43. How are you going to manage software that is developed (and/or managed) by a third party; are you augmenting vendor management to reduce risk?
44. Do you have a continuous improvement program for your contracting organization and sourcing teams?
45. Does the vendor have an ongoing development process against a model of practitioner competency?
46. Are the vendor contracts deliverables based, with specific service level agreements (SLAs) including penalties and liquidated damages?
47. Does your organization have a defined procurement strategy for its strategically important categories?
48. Are data retention and deletion standards included in vendor agreements or as part of a vendor management program?
## Organized by Key Themes: VENDOR, MANAGEMENT, SECURITY, DATA, RISK, TECHNOLOGY, PROJECT, PRODUCT, SYSTEMS, PROCESS:
### VENDOR:
Has your organization established formal governance and controls to protect the sensitive data?
Verify that your team is responsible for oversight and management of complex vendor relationships to ensure vendors are accountable to established performance metrics, contracts and joint business planning goals. 
How does a lack of vendor management resources impact service delivery and create stakeholder dissatisfaction?
Manage vendor risk appropriately and create and drive a best-in-class management strategy and program for the Technology organization and your organization.
Does your solution generate program performance reports that support service level agreements?
Support business owners in the due diligence phase of vendor management including development of vendor risk assessments, review of control reports, and contract administration. 
What stakeholder is now responsible for assessing the solution scope to determine the project scope?
Be certain that your strategy is responsible for developing, implementing, administering, training, maintaining and annually assessing all aspects of your organization-wide Contract and Vendor Management Program.
What performance metrics are currently in place with other customers that would be relevant to measure customer satisfaction?
Manage technology vendor management team, provide direction, coaching and performance management to ensure team development and attainment of goals. 
How do you implement best practices around processes, operations and vendor management?
Oversee that your team is responsible for supporting the ongoing development and implementation of vendor management tools, processes and best practices across your organization. 
Have you effectively integrated the latest tools and technologies into your critical workflow processes?
Make sure your strategy ensures that the subcontractors and vendors comply with all local licensing requirements and are approved by organization Vendor Management before the commencement of work. 
How do you measure the new processes are being managed effectively?
Develop, implement and execute a vendor management program scalable to support vendors managed by leaders in BOW business units. 
Do you have a vendor management program in place that includes contractual obligations and establishes management oversight activities for third parties with access to personal data?
Establish that your organization provides the vision, strategy and direction for Strategic vendor management which includes Technology Asset Management and Telecom Expense Management. 
Which departments or functional groups need to be involved in system design and who will use it?
Safeguard that your organization is involved in Procurement and/or Vendor Governance including implementation of vendor management policies and new processes. 
### MANAGEMENT:
How can local businesses better utilize IT outsourcing trends to enhance business performance?
Build and maintain working relationships with business partners as well as support staff to enhance process knowledge and compliance towards following vendor management meeting process performance KPIs. 
Does it provide reporting and metrics, and more specifically, does it provide the ability to measure exactly what your organization needs it to?
Guarantee your design leads the execution of various vendor management programs, such as quarterly business reviews, semi-annual organization Programs portfolio reviews, vendor scorecards, as well as other performance management activities and reporting with priority. 
How will the role of IT, its leadership and its ecosystem of vendors and providers, need to change?
Certify your group is involved in procurement, strategic sourcing and vendor management practices, including financial management, performance management, relationship management, contract management, and risk management in a cGMP manufacturing environment, with familiarity in quality change management systems.
Are software metrics formally captured, analyzed and used as a basis for other project estimates?
Ensure your personnel assist in managing the Vendor Management compliance process, including maintaining and storing updated contracts, communicating contract renewal dates to responsible business unit leaders beforehand, and tracking and analyzing vendor service level agreement performance.
How do you create a unique advantage and avoid leveling the playing field?
Be certain that your workforce is responsible for ensuring capacity planning and vendor management of the enterprise's data center facilities, server, networking, storage, end user computing, and backup infrastructure and support are delivered and leveraged in proactive planning to avoid business disruption.
Does your organization have a defined workflow process in place to escalate identified risks for remediation?
Check that your team is involved in vendor management systems (VMS) to support your organization workflow. 
Will the contractor be responsible to perform discovery sessions with various business line stakeholders to understand and create messaging and website content?
Ensure your organization is responsible for all Business Relationship Management activities, Vendor Management, Systems Strategy, Platform Integration, and Execution for your Planning systems. 
Have you ever had a staffing supplier refuse to participate in your vendor management program?
Make headway so that your organization represents the needs of the business and/or your organization and actively participate in contract negotiations and enterprise vendor management governance meetings. 
Is your organizations culture promoting employee behaviors that are consistent with priorities?
Interface so that your team is running the vendor management process to ensure your organization's data security.
How do you see the new supplier evaluation and selection process?
Safeguard that your design manages third party supplier relationships with companies that invest in delivering products to (internal) clients, to include leading and managing partner management staff, developing and maintaining relationships with supplier executives, negotiating supplier contracts, leading and managing vendor management controls, and optimizing business opportunities with third party supplier partners. 
### SECURITY:
How do you define third party risk?
Oversee the vendor management process, including assisting the legal team and other business partners to define security requirements for your organization's third party vendors and partners.
Are key, relevant vendor controls mitigating your organization's key risks validated during due diligence visits?
Invest in coordinating vendor assurance activities with Vendor Management as it relates to Information Security, Physical Security, Cybersecurity, and Business Continuity related controls and compliance efforts, to include visit coordination to all Tier 1 vendors and periodic site visits to Tier 2 vendors on a rotational basis. 
How do you ensure your organization understands and works to meet the objectives of your Vendor Management program, which involve onboarding, analyzing, and monitoring new vendors and current vendor relationships and the risks that could affect the business?
Interface so that your design is supporting Vendor Management activities to ensure 3rd party software and development meet security standards. 
How difficult is it to secure business unit support for your vendor management program requirements?
Work with vendor management and risk to ensure that information security requirements are included in contracts to manage third party risk. 
Which companies are most successful delivering against managed service and outsourcing agreements?
Partner with the Vendor Management group to execute an ongoing vendor monitoring program to ensure technology and security risks are managed on an ongoing basis. 
How does a leader get involved to ignite the shift from procuring on premises to SaaS or cloud for infrastructure?
Oversee that your strategy is involved in IT security risk assessments, vendor management and audits. 
When a third party project needs rework, what impact does it have on your organization and/or its customers?
Work with your organization's Legal and Fiscal Affairs Department to ensure that information security requirements are included in contracts by liaising with vendor management and procurement organizations.
Does the vendor have a stable and proven history of providing effective content marketing solutions?
Be confident that your operation is involved in developing and administering information security and vendor management programs. 
How should SOC reports be used as a part of initial due diligence and ongoing vendor management?
Ensure your team maintains records for vendor management program including security control reports and supplemental documentation. 
How well aligned is the overall distribution of risks you are undertaking with your risk appetite?
Partner with Contracts and Legal Teams on contract reviews, teaming agreements, and vendor management plans to align with data security, regulatory, and compliance requirements. 
### DATA:
Does your organization have a standard level of security requirements based on the types of services/goods provided by the vendor?
Liaison so that your operation coordinates with the Compliance and Legal teams to ensure that the requirements of the privacy program are implemented through the organization's vendor management program and ensures that the organization's contracts have appropriate data security and privacy terms.
How do you negotiate vendor contracts to incorporate new regulatory requirements when the vendor has no interest in renegotiating?
Advise on data privacy and information security legal requirements for your organization's vendor management program, including reviewing, drafting, and negotiating data privacy and security provisions in agreements with service providers and business partners.
Do you focus your onboarding efforts on identifying ways the vendors can increase strategic fit?
Guarantee your team works regularly with the Information Technology team regarding the development, implementation and monitoring of effective vendor management technology systems to drive maximum automation and increase data quality and integrity.
Which technology and business factors will enterprises use to structure network based security strategies?
Make sure your process aggregates data received from vendors and vendor managers to enter into the vendor management tracking system. 
Does the procurement function lead, or is it actively involved in, demand definition and management?
Verify that your process is involved in various relevant areas of compliance (GLBA, SOC II, information security models and risk assessments, IT audits, vendor management, data breach, and incident management). 
Do you have a vendor management program in place that includes contractual obligations and establishes management oversight activities for third parties with access to personal data?
Certify your team establishes and records all program metrics and data to ensure goals are being met. 
How do you maximize impact and drive adoption across your recruiting organization?
Ensure your proprietary data and tradecraft, combined with an audience first approach, enables you to drive better business outcomes on behalf of organization partners and (internal) clients. 
How do you identify, measure and track your process improvement initiatives?
Understand the important data and reports from your delegated network partners and work with your team to identify trends that could be used to improve such partnerships. 
How do you ensure your organization understands and works to meet the objectives of your Vendor Management program, which involve onboarding, analyzing, and monitoring new vendors and current vendor relationships and the risks that could affect the business?
Oversee that your team understands software development, data operations, and information security technology. 
Do organizations use risk matrices to identify everything that can potentially go wrong and what to do in the event of any of it occurring?
Provide Information Security awareness training across the organization creating a calculated approach to possible data breaches and security incidents by anticipating new threats and providing awareness to actively prevent incidents from occurring. 
### RISK:
Does the vendor have an ongoing development process against a model of practitioner competency?
Make headway so that your personnel has involvement as a vendor manager working directly with vendors to monitor and manage vendor performance and risk and/or working in a vendor management office setting to develop and oversee an enterprise governance and oversight program for third-party vendors. 
What processes were followed and how long did it take to bring the system back on line after a major system or facilities disaster?
Set procurement and vendor management standards by researching good business practices and techniques that facilitate sourcing and risk mitigation, collecting and disseminating this knowledge and defining a consistent set of processes and procedures for staff to follow. 
Have your vendors' past audits exposed any vulnerabilities, or has your vendor been breached in the past?
Confirm that your workforce is participating in vendor management and review processes to ensure key vendors do not expose your organization to unnecessary risk. 
Does your organization support any custom software or engage in any custom software development?
Assure your staff is involved in vendor management, including applicable contract execution, third party risk management activities, and support of third party execution activities. 
How do you send services to the cloud while ensuring that services remain compliant with regulations?
Establish strong, collaborative relationships with key internal and external stakeholders to strategically manage, optimize and implement vendor management program governance, policies, procedures and tools to achieve performance objectives while ensuring effective risk management of third parties. 
What efforts, if any, are underway to review or improve existing performance management systems?
Make sure your design manages third party vendor management programs by defining security controls based on tiers of vendors, performing risk assessments for new and existing vendors, and partnering with legal to review contracts for new and existing vendors. 
Does your solution generate program performance reports that support service level agreements?
Warrant that your company supports Third Party Risk Management Oversight, and collaboration with the Vendor Management Manager and business stakeholders.
What data control processes are in place in order to control the ability for users to enter or adjust prior period data within the costing and time reporting systems?
Ensure your team prepares reporting of Vendor Management key risk indicators (KRIs) to your organization's Enterprise Risk Management Committee and Board of Directors.
How do you incorporate sustainability into sourcing and procurement practices?
Develop third-party risk identification, assessment and monitoring plans and protocols to sustain transparency into third-party residual risks for the entire vendor management process from procurement to renewal/termination. 
Do you need help defining, developing, measuring, and maintaining strategic vendor relationships?
Make sure the SVP Enterprise Risk Management is responsible for directing, executing, and developing your organization's Enterprise Risk Management (ERM), Vendor Management and Model Risk Governance program.
### TECHNOLOGY:
How close was the level of vendor technical expertise to what was needed to support the service?
Support phases of Marketing Technology roadmap build and solution implementation including project plan development, impact analysis, cross team collaboration/delegation, software setup and configuration, reporting, training, system validation, go live, post implementation support, vendor management and (internal) client relationships. 
How is data captured into the existing timekeeping, leave balance, and performance management systems?
Verify that your process is responsible for preparing, evaluating, and selecting technology and solution partners including working with the sourcing and vendor management teams and commercial stakeholders to negotiate and manage contracts and SOWs. 
What stakeholder is now responsible for assessing the solution scope to determine the project scope?
Make sure the Technology Analyst for the consulting practice is responsible for working with team members, partners, and (internal) clients implementing Vendor Management Systems (VMS) technologies. 
What stakeholder is now responsible for assessing the solution scope to determine the project scope?
Be responsible for vendor management activities including service agreements, staff augmentation and technology contracts. 
Did/do you have a plan for implementing acquisition reform and innovative commercial contracting practices?
Establish that your organization leads technology resource planning, procurement, vendor management and capacity planning. 
How do you select and manage vendors for developing, implementing and managing your business applications?
Be confident that your group leads the technology vendor management and procurement function with a focus on maximizing cross-enterprise leverage and developing and managing strategic vendor relationships.
How do you ensure clinic staff follows proper issuance procedures?
Safeguard that your design follows Information Systems and Technology project management protocol. 
How do you manage the technical aspects of implementations and upgrades?
Manage and apply resources to execute the technology initiatives, including vendor management. 
Does your solution generate program performance reports that support service level agreements?
Oversee that your strategy develops and maintains a technology roadmap that supports business objectives. 
How does an international developer prepare a product to be easily adaptable for multiple locales?
Partner with business leaders to transform how your organization leverages data and technology. 
### PROJECT:
How do you handle changes in the economic environment?
Perform a broad range of project management duties including (internal) customer requirements definition, system analysis, development of a detailed project charter, project plan and approach, project communication, budget and forecast, change and risk management, vendor management and other project management duties with priority.
How do you help clients with successful structuring governance in outsourcing deals?
Make headway so that your strategy defines, leads and executes a successful vendor management capability across the various projects and programs.
Does supplier currently manufacture parts or provide service for the regulated medical device industry?
Provide project management and vendor management mentoring to (internal) client and other vendor staff with priority. 
Do employees understand what the roles and responsibilities are in managing an outsourced relationship?
Make headway so that your personnel has involvement with vendor management and integrating outsourced teams/consultants for large project implementations. 
What are the asset management and software licensing implications of BYOD, and how can the costs and risks be minimized?
Guarantee your group includes the planning and tracking of projects (both tactical and strategic), cost effectiveness, communication, risk analysis, quality assurance, team and vendor management, and implementation of highly visible, sensitive and multi-faceted projects.
Which contract, relationship and vendor management practices lower the total cost of ownership?
Be sure your group is responsible for project management of your product team with regards to cost, schedule and scope. 
How do you review purchase order information?
Develop project business cases, vendor contracts and purchase orders associated with projects/process activities. 
Has the director previously been involved in the industry in which your organization operates?
Liaison so that your company is involved in large, complex software projects including vendor management. 
Are the models implemented properly utilizing industry available interest rate and volatility data?
Check that your group is skilled in Vendor Management, Project Management, Enterprise Implementation, and Application Development. 
Is there an effective process for reliable reporting on risks and risk management performance?
Be experienced in Negotiation, Vendor Management, Risk Management, Project Financials, KPI and Reporting. 
### PRODUCT:
How do you successfully incorporate managerial judgment into plans suggested by the models?
Partner with the Product team to create an effective, two-way system for communicating product knowledge and (internal) customer feedback in an effort to incorporate (internal) customer experience feedback into the Product Development and Vendor Management Processes.
How are you going to manage software that is developed (and/or managed) by a third party; are you augmenting vendor management to reduce risk?
Develop experience managing product teams leveraging JIRA or similar application lifecycle management tool. 
When appropriate, is there an IRM function that oversees the risk activities of your organization?
Be certain that your organization oversees the performance of new programs, products, and services. 
How do you apply due diligence requirements to suppliers/vendors?
Be certain that your company is involved in innovation and bringing (internal) customer oriented products to market. 
Do you have real time, seamless, and multimodal communication and collaboration across your value network?
Implement and improve team wide practices to facilitate a productive and collaborative work environment. 
Does your organization establish, maintain, and effectively implement system and data backups?
Certify your team develops product concepts and specifications, and translates into focused scientific activities. 
Does your solution support tracking service duration by individual resources between engagements?
Negotiate new product pricing with vendors utilizing your legal department for support and guidance. 
How do you take advantage of the disruptive technology and business changes impacting the market for IT and business process services?
Ensure your staff brings key skills and knowledge in new product ideas/concepts and troubleshooting. 
Are direct data changes to the database prevented, and are strong passwords used in the operating system?
Secure that your company is designing, developing, and operating key system products and services. 
Has the directorate put in place a governance structure to monitor and track project management?
Establish that your staff manages analytical, environmental, micro, and product testing at all locations. 
### SYSTEMS:
How do you drive performance and value from your vendors?
Lead Vendor Management to ensure Third Parties hosting systems containing organization confidential data are appropriately vetted and recertified annually for SOC 2 Type 2 compliance. 
Did your organization receive training in acquisition reform and innovative commercial contracting practices?
Make sure your workforce manages integration management systems for security systems, availability, administration, operational processes, vendor management, and best practices across the enterprise. 
Are the outsourcing objectives aligned with the overall business strategy and the target operating model?
Design server and security-related solutions, including equipment, software, operating systems, and vendor management for the entire enterprise across all locations.
How are you going to manage software that is developed (and/or managed) by a third party; are you augmenting vendor management to reduce risk?
Certify your strategy is responsible for vendor management, partner governance, and oversight to deploy systems which are complete, designed and managed over life cycles. 
Does the senior leadership relevant to the change visibly and continually support the PSM change?
Provide expertise in both the business process and the systems that support that process. 
How do you get involved with other business units?
Make sure your operation is involved in professional engine control and data acquisition systems, hardware, and software tools. 
Does the need to report externally encourage managers to devote more attention to risk management?
Make headway so that your design manages data, systems, and programs for performance and learning management. 
How do you monitor, track, delegate or revoke access?
Establish that your staff is integrating requirements with current systems and business processes. 
Is there an adequate number of authorized vendors operating in the area to meet participant demand?
Confirm that your strategy sets up, install and repair hardware, software, or peripheral end user equipment, following design or installation specifications ensuring proper installation of cables, operating systems, and appropriate software. 
Is the vendor operating like a strategic partner working with you to transform your IT infrastructure?
Ensure your organization performs vulnerabilities remediation on Operating Systems and application environments. 
### PROCESS:
How do changes in procedures and support systems affect people and structures in your organization?
Develop and lead strategy for workflow automation, project management support, vendor management, and governance process around learning operations. 
Does the system allow for methods that provide ease of navigation through it for public users that is intuitive?
Safeguard that your group manages process design and documentation methodologies, and design and production of quality deliverables, process and use case modeling, business case development. 
How do you differentiate among failures due to poor implementation, failures due to process changes that were flawed or inappropriate, and failures due to poor contractor performance?
Make sure your organization develops and maintains documentation related to business process or system changes. 
Have any contracting positions been upgraded to reflect the more sophisticated skill levels required to implement acquisition reform and innovative commercial contracting practices?
Be certain that your team learns to participate in brainstorming sessions to develop process streamlining initiatives and improve business practices. 
How do advantages stack up against a production system that has been optimized for throughput?
Collaborate throughout your organization to ensure the purchasing process is streamlined, turn around times optimized, and level of service best in class. 
How do you differentiate between failures due to poor implementation, failures due to process changes that were flawed or inappropriate, and failures due to poor contractor performance?
Coordinate the implementation of system and process changes, quality controls and audit recommendations to ensure compliance with legislation, policies and procedures and continuous improvement. 
Can a practice work with more than one health IT vendor to meet the requirements of the model?
Partner with business/operations/product and program teams to consult, develop and implement KPIs, automated reporting/process solutions and data infrastructure improvements to meet business needs. 
Do you have a process in place to identify if unapproved changes are occurring to production data?
Be confident that your design facilitates the approval, prioritization and sourcing process for organization approved capital items. 
What industry standards or frameworks are being followed to ensure packaging is tamper evident?
Confirm that your strategy ensures standard policies, process, procedures are followed to ensure efficient and effective operation of delegated functions and compliance with regulations. 
How do you monitor and track anomalous product or service behavior?
Make headway so that your process benefits and impact on other business processes and/or system priorities.
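Review bot: near-duplicate entries and an incomplete sentence in the PROCESS block; the question "How do you differentiate among failures due to poor implementation ..." (fifth line of the block) is repeated almost verbatim five lines later as "How do you differentiate between failures ...", and the closing line "Make headway so that your process benefits and impact on other business processes and/or system priorities." has no main verb, so it reads as a fragment. Drop the repeated question and complete the last line. Also note that most of the imperative lines ("Implement and improve team wide practices ...", "Certify your team develops ...") carry a trailing space, which the repository's Markdown tooling will flag; strip trailing whitespace before merging.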

View file

@ -0,0 +1,112 @@
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Retrieved from [LinkedIn](https://www.linkedin.com/pulse/define-zero-trust-approach-cybersecurity-gerardus-blokdyk/) on January 8, 2022
Relevant ISO 27001 clauses/controls:
- [[ISO 27001 C 9.2 Internal audit]]
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
Related:
- [Zero Trust](../../Information%20Security/Zero%20Trust.md)
1. Does your organization have a hybrid cloud/colocation design, and does a Zero Trust software defined perimeter security option secure your organizations new expanded perimeter?
2. As more of your organization moves to a hybrid cloud model, how does the Zero Trust model and identity and access management technologies ensure that data is protected?
3. Can access rights be modified in near real time to reflect the current trust level of users and devices?
4. Do you have your business aligned Zero Trust strategy supported by an architecture and set of processes that enables users to seamlessly access both on premise and cloud applications?
5. What does your organization need to do to transform to a Zero Trust Remote Access platform for DevOps?
6. What security measurement practices and data does your organization use to assist product planning?
7. Were does the rise of cloud acceptance in your organization mean trust based perimeter centric security models are falling short?
8. CISOs need a way to communicate cyber risk to your organizations management team: does the current security posture align with common security standards?
9. When you look at your organization and you are evaluating the technical solution, do you see a moat there, or does there even need to be a technological moat?
10. Have you fully considered how cloud services and mobile working affects your risk and threat management models?
11. Are you creating a Zero Trust model, embedding security and streamlining compliance everywhere, including mobile, applications, and cloud platforms?
12. Which measures has your organization implemented or does it plan to implement within the next six to 12 months to help address concerns with data security?
13. Do you have IAM in place for not only internal and external data repositories for Big Data, cloud, and DevOps?
14. Do you have a program in place to assess the impacts of an attack by an aggrieved employee with access to your business and customer critcal data or your network?
15. Will you have an explicit trust model, where all participants are known and authenticated business models, or do you need something closer to the Zero Trust Bitcoin model?
16. What devices do you have and how are they communicating so you can easily implement better segmentation and Zero Trust policies?
17. What are your organizations biggest cybersecurity concerns, and what cyberdefenses does your organization have for protecting its assets?
18. Do you really trust the entire workforce to comply with security protocols now that they are not physically in the office?
19. To what extent do you and your organization plan to move Zero Trust access capabilities to SaaS?
20. How can having persistent data security controls help your organization to adhere to data protection responsibilities?
21. If your organizations devices are not seen as secure, if data is not protected or devices are hacked and used maliciously, how does your organization recover from scenarios and stay in business?
22. How does the solution or technology work in order to secure the humans that are using the network and business infrastructure?
23. How can departments create multi cloud security governance, centralization, and orchestration with human centric security policies to enable your Zero Trust environment?
24. How do applying a Zero Trust strategy through the implementation of Zero Trust principles mitigate each wave of potential attacks?
25. What is your level of confidence in the ability to provide Zero Trust with your current security technology?
26. How can Zero Trust improve your identity and access management practices when moving to a hybrid cloud model?
27. Are network access control and Zero Trust (software defined perimeter) solutions acceptable as either equivalent or mitigating controls for your organization?
28. Which identity access/Zero Trust controls will you prioritize for investment in your organization within the next 12 months?
29. Has COVID-19 and the remote working economy accelerated Zero Trust Security as a priority at your organization?
30. Approximately how many data and/or security incidents has your organization experienced over the past 12 months?
31. How does Zero Trust secure your cloud environment, especially in multi-cloud environments?
32. Does your organization use managed security services in its cybersecurity and privacy programs?
33. What is the role for MPC based authentication in the IoT security landscape for your organization?
34. How many different security technologies do you use to protect your endpoint, network and cloud environments?
35. How does your organization take up Zero Trust with a granular and phased approach, without having to redesign the entire internal IT and network security?
36. What are key drivers for your organization initiating/augmenting an identity access/Zero Trust management program?
37. Where does the corporate perimeter really end if personal devices are storing corporate data and accessing organization resources?
38. To what extent are PKI and digital certificates essential to your organizations Zero Trust security architecture?
39. What authentication mechanisms are required to provide a sufficient level of trust to allow an individual to access information?
40. Is it possible to augment your secure access architecture to achieve a Zero Trust model without the extreme of throwing out your existing investments?
41. Where does SaaS provision of business application introduce any new security considerations for your organization?
42. How far have your security practitioners come in their effort to bring better security controls to your cloud workloads?
43. How do your organizations security training programs need to change to reflect the new realities of cyber risk?
44. Do you employ a Zero Trust policy so that devices that connect to the network are not trusted by default?
45. As your organization consolidates, how does Zero Trust help reduce risk when integrating infrastructures?
46. How are your security leaders trying to change the privacy and data security message to one of opportunity and business enablement?
47. Which cloud delivered security service provides instant access to community based threat data?
48. Do you apply robust access security policies across all your users cloud and web destinations?
49. Do you have a clear mobile device and application strategy that provides your employees clear guidelines on using personal (and organization owned) devices?
50. Are you currently taking a piecemeal, reactive, tactical approach to security, or do you have an orderly, structured, strategic plan for achieving your security objectives?
51. Do users really understand Zero Trust technologies and where they fit?
52. Does the technology or solution provide useful analytics and data points and eliminate dark corners of systems and infrastructure?
53. Which types of security breaches or attacks pose the greatest threat to your organization on a daily or weekly basis?
54. Zero Trust is about trust no one, about individual nodes within your data center being able to be compromised, how do you keep it from spreading?
55. How concerned are you with the security of the applications and data in your public cloud environment?
56. What are your organizations plans to adopt network security and security operations technologies?
57. What will the future ubiquity of orchestration bring, how will less than Zero Trust evolve, and what do you learn from the past to help you prepare?
58. With traditional perimeter security lacking, how does your organization protect applications, data, and workforce from ever increasing, high profile cybersecurity threats?
59. What is the risk and is it worth the expense associated with the Zero Trust Network approach?
60. Do you look for traffic patterns that might represent an attack and dynamically re-configure the network to repel or at least counter a security threat in a mobile centric world?
61. What are the key business benefits your organization achieves through adopting network virtualization?
62. How does your organization maximize security and enable effective real time response without slowing down employees and disrupting the business?
63. How well are your organizations security experts understood, or do the IT and security teams speak a different language than the business people?
64. How does your an enterprise security team determine whether a given cyber insurance policy is a good deal?
65. What impact does the rapid growth of technological innovations have on happiness at your work?
66. How does your organization manage all of the different capabilities in concert in order to achieve a Zero Trust Architecture?
67. Do you establish granular policies that create a Zero Trust safe zone for how workloads behave, limiting privileges, access to resources, and behaviors?
68. Which tools are most important to integrate with an IAM solution to support Zero Trust security?
69. Do your users have the required level of accreditation to access your applications?
70. What were, or are, your organizations top concerns around implementing network virtualization or the barriers your organization had/has to overcome in adopting network virtualization?
71. What kinds of attacks is trust negotiation vulnerable to, and to what degree can they be mitigated?
72. Can security analysts ensure workers are using trusted applications on a secure mobile device?
73. Where does your cloud infrastructure complicate data protection by making visibility tougher to obtain?
74. Where should Zero Trust be in the network model?
75. Are representatives from the security team included in every business planning meeting that is being held?
76. How so you remain compliant and prevent security breaches with automated access rights recertification campaigns?
77. Is proper security being implemented across your organization, not just in the data center or the SOC?
78. Where are you making an investment in using data, and what part of your organizations mission does it drive?
79. Do you get the right key to the right place at the right time while also meeting your security and compliance requirements?
80. If someone is connecting from a mobile device, does your organization do anything to try to protect that mobile device?
81. How does senior business management prioritize cybersecurity against general business objectives?
82. Which security profile will provide the best protection against ICMP floods, based on individual combinations of a packets source and destination IP address?
83. Does a solution offer a single interface for performing security tasks, or will analysts be forced to divide the attention among multiple interfaces?
84. Does your enterprise currently trust on premise users more, less or the same as off premise users?
85. How does your organization rightsize security solutions to dynamically fit changing work from home requirements?
86. Are there any common business roadblocks that prevent security practices from being implemented?
87. In a hybrid cloud environment, how do your security leaders protect sensitive data, especially as it moves from on-premises to your service providers infrastructures?
88. What would happen to your organization if one of your privileged users had its identity compromised?
89. How has COVID-19 and the remote working economy accelerated Zero Trust as a priority at your organization?
90. How do you protect your Zero Trust control plane systems, and what happens if one is compromised?
91. How do you know if the CISOs security program has accounted for all the components to be effective?
92. What reasonable controls do you have in place to detect unusual and unusually high data movement?
93. How does your organization deal with identity and access management for a geographically dispersed workforce using a myriad different devices?
94. Do you have disparate processes for different privileged systems (for example, Windows versus UNIX/Linux or data center versus cloud)?
95. Do you have the visibility and monitoring capabilities you need to comply with internal and external regulations as your business is changing?
96. What top challenges is your organization facing when it comes to securing access to applications and resources?
97. Are the solutions in place based on the Zero Trust principles of authentication and authorization for all transactions?
98. Does the current security policy include how remote employees should handle bring your own device (BYOD)?
99. How do you effectively protect and segment your Building Management Systems, HVAC, physical security and other nontraditional IT systems from your systems infrastructure?
100. How has the focus on remote work accelerated the priority of Zero Trust projects at your organization?
101. Which PKI and certificate management capabilities are most important in your organization to a successful Zero Trust strategy?
102. What is the likelihood that vulnerabilities would be addressed by applying software defined perimeter/hybrid IT Secure access technology?
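Review bot: the file header is inconsistent with the sibling lists in this commit; it has no "Source:" or "Publication date:" line and folds the source URL into the "Retrieved from" line, while the other files carry all three. Align it with the others. Two link styles are mixed in the same block: the first ISO reference is an Obsidian `[[ISO 27001 C 9.2 Internal audit]]` wikilink while the second uses a relative Markdown path (`../../Standards/ISO27x/legacy/...`); the wikilink will not resolve outside Obsidian, so convert it to a relative path. Typos in the question text to fix before merge: item 7 "Were does" (Where), item 14 "critcal", item 64 "your an enterprise security team", item 76 "How so you remain compliant". Items 29, 89 and 100 are three phrasings of the same question (COVID-19 / remote work accelerating Zero Trust as a priority); keep one.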

View file

@ -0,0 +1,115 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/what-include-process-audit-checklists-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: January 4, 2022
Retrieved from on January 10, 2022
Relevant ISO 27001 clauses/controls:
- [ISO 27001 C 9 Performance evaluation](app://obsidian.md/ISO%2027001%20C%209%20Performance%20evaluation)
- [ISO 27001 A 18 Compliance > A 18 2 Information security reviews](app://obsidian.md/ISO%2027001%20A%2018%20Compliance#A%2018%202%20Information%20security%20reviews)
Related:
[Checklist for auditing GRC](Checklist%20for%20auditing%20GRC.md)
[External audits](app://obsidian.md/External%20audits)
[ISO 27001 audit process](app://obsidian.md/ISO%2027001%20audit%20process)
1. Does your audit organization have any specific internal procedures in place to deal with ethical dilemmas?
2. What can internal audit do to support your organizations cyber and IT risk management program and objectives?
3. Do you feel that your risk, compliance, and audit processes need to be improved in order to address critical risk management challenges?
4. How does your audit organization begin to take advantage of the new technologies and techniques?
5. How would management know if your organization level controls provide a strong control environment?
6. How can management and directors be assured that risk and risk process information is being effectively communicated?
7. How does your organization know that it has the right arrangement in place at the front end?
8. What percentage of time does the IT audit function spend on assurance, compliance and consulting activities?
9. Why do the reasons that brought about the change to a new business risk audit approach matter?
10. How does outsourcing of various functions change the risk environment and expose your organization to new risks?
11. Does a third party audit process audit promote cost savings within your organization?
12. What controls should management have in place to mitigate the risks associated with revenue transactions?
13. Should an internal audit function coordinate its efforts with your organizations Chief Risk Officer?
14. How does your organization track and monitor training requirements for all team members?
15. Does the audit trail need to support scheduled system maintenance and archival procedures?
16. Does your organization have content that is kept in different clouds, folders and other ways all over the place?
17. Does your organization have operational capabilities that are consistent with what it claims to be the scope of its business?
18. Do your facilities have a preventative maintenance program and are logs kept for ordered maintenance work or repairs, which are signed off when the work is completed?
19. Is your risk management process coordinated and consistent across the entire enterprise?
20. Is the frequency of process monitoring carried out as per control plan / work instruction?
21. What procedures do you carry out in order to ascertain whether the audit was effective?
22. What should the role of internal audit be in evaluating your organizations use of outsourced services?
23. Has your organization stabilized the work program to ensure the timely and systematic completion of projects?
24. How does your organization want employees, the general public, and key stakeholders to perceive it?
25. Is there a documented system for dealing with complaints/feedback from consumers and buyers and organization responses, including corrective actions?
26. Do you have a method or plan for ensuring customer requirements are determined and met?
27. How do you assess risk and gather audit evidence in a way that is valuable and transformative to traditional approaches?
28. What are the problems or complaints you have heard from your back office staff regarding the receipt & processing of customer orders?
29. Is there evidence that quality objectives and targets affected by this process are being achieved?
30. What IT processes/functions does your organization outsource/use a third party provider for?
31. Do you have strong controls in place to ensure contracts receive the right approvals?
32. Do you feel comfortable that the senior management and the auditors have an open dialogue?
33. What combination of audit types and what audit information is needed to meet an audit objective?
34. How important is it for an auditor to meet standards related to post audit activities?
35. Do process control and monitoring records indicate that the process were controlled within the specified process parameter?
36. Do you have mechanisms in place to validate the effectiveness of transaction monitoring detection scenarios?
37. Do all process audits contain procedures that evaluate application configuration settings for the applications that automate the processes?
38. Do you have mechanisms in place to monitor compliance with applicable record keeping regulations?
39. Is the level of experience required to undertake the agreed audit plan reflected in the cost?
40. Who conducts process audits to verify and certify that certain standards or regulatory requirements comply with the processes?
41. How does the program consider and implement security requirements throughout the development?
42. Which challenges have you experienced in gaining access to data within your organization?
43. Do your auditors have the right skills to effectively evaluate digitalization risks and controls?
44. Have process improvement opportunities been identified based on process performance data?
45. Are there defined work routines and patterns of interaction for your process personnel?
46. Should your organization enter, expand, contract or withdraw from any business segments?
47. Do you measure and monitor activity by key manufacturers and products your organization needs to focus on?
48. Does the supplier provide material with major impacts on product safety or customer satisfaction?
49. Is there a product coding system that can identify products and can the system track products back to the source?
50. Who in your organization has responsibility and accountability for managing the changes?
51. Has it been demonstrated that actions taken have no adverse effects on products or services?
52. What mechanisms are in place to complicate attacks your organization is concerned about?
53. What standard should be used for process audits and what competencies should an auditor have?
54. Are monitoring and verification information reviewed and considered at management level meetings?
55. Are layered audit results incorporated into the layered audit countermeasure process?
56. Have alternative risk management strategies been identified for all of the identified the top risk areas?
57. What is the process to disseminate updates and/or changes to all personnel?
58. Has your business impact assessment been conducted for the services moving to the cloud?
59. Are procedures documented and implemented to ensure contract terms can and will be met?
60. Do you have a designated safety officer that manages periodic safety inspections/audits and corrections?
61. Does your organization impose upon employees a continuing affirmative duty to disclose any misconduct?
62. Are desired auditing outcomes clearly defined, understood, and aligned with organization objectives?
63. Is your organization tracking its performance in assessing and collecting financial assurances?
64. What do you see as the appropriate trade off between audit effectiveness and audit efficiency?
65. Will the audit seek to assess the suitability and competence of individuals within the leadership team?
66. Have there been significant changes in the process recently or since the previous audit?
67. Which staffing vendors are providing services to your organization, and do you have an active contract?
68. Do reviewers have the enough time, space and expertise to conduct the systematic review?
69. Are there analytical methods used to demonstrate that process outputs meet requirements?
70. Is receiving inspection performed per documented procedures and detailed work instructions?
71. Does the team member know the quality standards of the job, key points & reasons for major steps?
72. Is a product safety policy documented and communicated to all levels of your organization?
73. Are there instances when change orders are approved after the initial work has been started or completed?
74. Who cares if you followed all your procedures if your customers are unhappy or your product is unsafe?
75. Is pricing accurate and does order routing and execution meet best execution requirements?
76. Are the operating models across your organization aligned in addressing resilience risks?
77. Has your organization developed an effective positioning and marketing mix for each target segment?
78. Has management implemented monitoring to detect strategic risks before a disaster hits?
79. Has your management team provided time, funding and resources to support the innovation program?
80. Has improvement of one process caused conflict in the achievement of other objectives?
81. Is your organizations work concentrated in areas of high risk, judgment and sensitivity?
82. What competencies and process advantages must the client possess to create targeted value?
83. Are regulatory inspection procedures documented and are inspection records available for review?
84. Does the board receive adequate information about the internal risk assessment process?
85. Are customers notified of low yield production lots or issues that affect product reliability?
86. What organizational structure do you need to put in place to support your analytics strategy?
87. Are there processes in place to ensure internal consistency between the source code components?
88. Is there a system in place for the proper handling, segregation, and storage of raw materials?
89. Is there an effective preventive maintenance program in place for all significant equipment?
90. Is the quality assurance department adequately staffed to perform product evaluations?
91. What are the key elements of a holistic maintenance and reliability management system?
92. What other teams / processes would be impacted by changes to the current process, and how?
93. Is material properly identified in the work area with suspect/non conforming material isolated?
94. Do possible external environment changes threaten achievement of your organizations strategy objectives?
95. Is the use of nonconforming material is documented under a formal waiver or concession system?
96. Is the reporting mechanism adequate to provide management with reliable and timely information?
97. Does the supplier understand and follow the quality control instructions for cleanliness?
98. Is there clear linkage of technology risks to IT processes/services and business services/processes?
99. What functional areas of the business are involved either directly or in a supporting function?
100. Should risk measures be formally incorporated into planning performance measurement and compensation?
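Review bot: the "Retrieved from on January 10, 2022" line is missing its source; either link LinkedIn there as the sibling files do or reduce it to "Retrieved on ...". The ISO and Related links use `app://obsidian.md/...` URLs, which only resolve inside the author's Obsidian vault; the other files in this commit use relative paths such as `../../Standards/ISO27x/legacy/...`, so these should be converted too. The three "Related:" entries also lack the "- " list marker the other headers use. Grammar to fix in the questions: item 11 "third party audit process audit", item 35 "the process were controlled", item 56 "all of the identified the top risk areas", item 68 "the enough time", item 95 "Is the use of nonconforming material is documented".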

View file

@ -0,0 +1,115 @@
Source: [LinkedIn](https://www.linkedin.com/pulse/assessing-security-product-vendors-ask-gerardus-blokdyk/)
Author: [Gerardus Blokdyk](https://www.linkedin.com/in/gerardblokdijk/)
Publication date: January 2, 2022
Retrieved from on January 10, 2022
Relevant ISO 27001 clauses/controls:
- [[ISO 27001 A 14.1.1 Information security requirements analysis and specification]]
- [ISO 27001 A 15 Supplier relationships](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2015%20Supplier%20relationships.md)
- [ISO 27001 2013 C 9.2 Internal audit](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%202013%20C%209.2%20Internal%20audit.md)
- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
Related:
- [Examples of vendor selection questionnaires](../../Information%20Security/Examples%20of%20vendor%20selection%20questionnaires.md)
# Assessing Security Product Vendors? Ask this:
1. When a faulty product is to be returned, what processes does the vendor have in place to ensure that no customer data exists on disks or storage before it is sent to one of return centers?
2. What security measurement practices and data does your organization use to assist product planning?
3. Does your organization have a software assurance program?
4. What release criteria does your organization have for its products with regard to security?
5. What processes does the vendor have in place to assess the conformity of the suppliers to any security clauses or agreements?
6. What capabilities does the practice have in terms of security knowledge and expertise?
7. What governance structure does the vendor have in place that demonstrates that cybersecurity is a core strategic and operational focus of the business?
8. How much will you have to clean your data for it to be used by your software?
9. What data does your organization use to prepare against a cyber attack?
10. Is there out of the box data integration or does the vendor need to create a program interface?
11. How does your organization predict how many problems there will be in a given time frame?
12. Did the vendor have to make any system and process changes to support GDPR?
13. Do you currently have a personal data security breach management policy and procedures?
14. Who will have access to your organizations data?
15. How does the data collected from your devices need to be governed?
16. Where and how does the data need to be stored?
17. How does the vendor trace all defects and ensure that the defect has been fixed in every product that might use that component?
18. Do you have a formal incident response and data breach notification plan and team?
19. How does the data get from the source to the end recipient?
20. How many staff have been trained on GDPR and data privacy?
21. How does your organization have data driven conversations with vendors?
22. Do you have a policy for dealing with data protection issues?
23. Does loss or misuse of the data have the potential to affect an individual?
24. Does your organization have contact information sorted and identified for each type of incident?
25. Does your organization have a documented information security strategy?
26. How does the supplier help the customer integrate products and services into existing infrastructure safely and securely?
27. How does the vendor ensure that sales only sells products and services that comply with local laws and regulations, including any export controls or trade sanctions?
28. Does your organization have a process in place to ensure the safe and proper use of internet and email?
29. Does your organization have a portion of its IT budget specifically allocated for information breach detection, response and notification costs?
30. How much training data do you have that is relevant to your desired application?
31. How does the vendor ensure that the service or support engineers cannot tamper with installed software or install vulnerable or malicious software?
32. When introducing new technologies, does your organization assess potential information security risks?
33. Do you have a process to manage access to sensitive information which includes timely account termination?
34. What approach does the vendor take to ensure that every part of the business considers the impact of security?
35. Does your organization own the physical data center where the institution's data will reside?
36. Does the vendor have the ability to provide support to users?
37. How much ownership will you have over your solution?
38. What type of information does your organization maintain about itself and others?
39. How much system downtime does your organization tolerate?
40. Does the vendor have experience in producing high quality information security products?
41. Do you have a vendor risk management process in place for your critical vendors?
42. Is redundant power available for all data centers where organization data will reside?
43. What information specifically was or may have been compromised?
44. Where does the service store the data, and who has access to it?
45. How will data be returned to your organization and in what format?
46. How could information sharing with other organizations have been improved?
47. Which set of security audits will the licensor have to perform when the system goes into production?
48. How does the incorporation of AI impact the performance of your product and its use of enterprise and endpoint resources?
49. What services does the incident response team provide?
50. Do you have vendor maintenance support for software products?
51. How will the vendor help you respond to data subject rights requests?
52. Do you have a security patch management cycle in place to address identified vulnerabilities?
53. What impact could heightened physical security controls have on the team's responses to incidents?
54. Do you have documented and tested plans for business continuity and information recovery?
55. What procedure and technology does the vendor use to ensure the right components are used at the right time?
56. Do your vendors have appropriate governance, organizational design, policies and procedures to support the strategies?
57. Which security leadership roles does your organization have?
58. How does your organization determine how identified risks are mitigated in product offering design?
59. Does your organization have the appropriate controls to detect and prevent an insider attack?
60. How does your security help drive broader business outcomes?
61. Do you have a contingency plan in place to handle emergency access to the software?
62. Does your organization have a budget formally allocated for any AI initiatives and if so, how much?
63. What have you done to protect your organization against third party cyber risks?
64. What does your organization consider in its cyber risk assessment/measurement?
65. How long does it typically take your organization to mitigate and stop an insider attack?
66. Does your software or system have automatic logoff for inactivity?
67. Do you have a cyber focused mindset and cyber conscious culture organization wide?
68. How would remote work impact the cost of a data breach?
69. Do you have an approved and documented information security strategy in place?
70. How does your organization measure/monitor whether its security controls are working?
71. Does the vendor have the right to use your data?
72. How does the nature of the product or service implicate information security?
73. Does your organization have a dedicated budget for the effort?
74. How long does it typically take your organization to detect an insider attack?
75. How does your organization keep abreast of software vulnerabilities?
76. How would remote work impact your ability to respond to a data breach?
77. Does the vendor's product or service have a mechanism for user authentication and authorization?
78. How does your organization simultaneously protect employee rights/privacy and reassure clients?
79. Will a single support analyst be able to address issues across the vendor's entire product range, or will different products require separate, time-consuming conversations?
80. What role does a service mesh play in security policy?
81. How does access to the device need to be managed?
82. Does your organization have a CISO or equivalent?
83. What does your organization do to gain software assurance?
84. Do you have security experts that work with developers for every application?
85. Does the vendor have a product lifecycle strategy that ensures the product is maintained from a security perspective over its life?
86. Do you have an incident response team ready to help your customer?
87. Does the vendor have a realistic business continuity or disaster recovery plan?
88. Do you have a plan to log and store historical predictions if a consumer requests access in the future?
89. How does your organization monitor its production database servers to detect suspicious activity?
90. How does your organization communicate the policies to all staff, vendors, and customers?
91. What training resources does the vendor provide as part of the product?
92. Do you have a process to identify new laws and regulations with IT security implications?
93. How does your organization keep up with compliance maintenance?
94. When does your organization ask people for sensitive information?
95. What vendors does your organization utilize for complementary services/products?
96. Do you have a list of the most common vulnerabilities/bugs that need to be eliminated?
97. Do you have an enterprise wide, independently budgeted cyber risk management team?
98. Do you have a process for tracking and tracing your product while in development and manufacturing?
99. How does the ecosystem advance ideas about the need for and value of assurance?
100. Does the vendor have the mechanism to allow external stakeholders or the delegated organizations to conduct the audit?


@ -0,0 +1,15 @@
# Defensive Security Handbook
Defensive Security Handbook: Best Practices for Securing Infrastructure by Lee Brotherston, Amanda Berlin
[Chapter 1 - Risk Management](Def_Sec_Handbook_Chapter_1.md)
[Chapter 2 - Asset management](Def_Sec_Handbook_Chapter_2.md)
[Chapter 3 - Policies](Def_Sec_Handbook_Chapter_3.md)
[Chapter 4 - User education and awareness](Def_Sec_Handbook_Chapter_4.md)
[Chapter 5 - Incident Response](Def_Sec_Handbook_Chapter_5.md)
[Chapter 6 - Disaster Recovery](Def_Sec_Handbook_Chapter_6.md)
[Chapter 7 - Physical Security](Def_Sec_Handbook_Chapter_7.md)
[Chapter 8 - Microsoft Windows Infrastructure](Def_Sec_Handbook_Chapter_8.md)
[Chapter 9 - Endpoints](Def_Sec_Handbook_Chapter_9.md)
[Chapter 10 - Password Management and Multifactor Authentication](Def_Sec_Handbook_Chapter_10.md)
[Chapter 11 - Vulnerability Management](Def_Sec_Handbook_Chapter_11.md)


@ -0,0 +1,64 @@
# Chapter 1: Risk Management
Source: Defensive Security Handbook: Best Practices for Securing Infrastructure by Lee Brotherston, Amanda Berlin
NIST Risk Management Functions:
- Identify
- Protect
- Detect
- Respond
- Recover
## Software Engineering Institute: OCTAVE Framework
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=309051
## Security Baseline
Information to gather:
* Policies and procedures
* Endpoints: desktops and servers, including implementation date and software version
* Licensing and software renewal, as well as SSL certificates
* Internet footprint: domains, mail servers, DMZ devices
* Networking devices: routers, switches, APs, IDS/IPS, and Network Traffic
* Logging and monitoring
* Ingress/egress points: ISP contacts, account numbers, and IP addresses
* External vendors, with or without remote access, and primary contacts
## Assessing threats and risks
Risk management is often split into four steps:
- identify
- assess
- mitigate
- monitor
### Identify
- Focus on industry trends and industry specific risks:
Information Sharing and Analysis Centers (ISACs) / National Council of ISACs https://www.nationalisacs.org
- Overall trends: OWASP top 10 and CIS 20 Critical Security Controls
### Mitigation options
- Avoid risk, e.g. stop storing Social Security numbers if they are unnecessary for the process
- Remediate risk, e.g. turn off open ports, implement stricter firewall rules, and patch endpoints
- Transfer risk, e.g. outsource credit card processing to a third party
- Accept risk (last resort!)
## How Attackers Work
Intrusion Kill Chain / Cyber Kill Chain:
* Reconnaissance: research, identification, and selection of targets, e.g. crawling internet websites for email addresses, social relationships, or information on specific technologies.
* Weaponization: coupling a remote access trojan with an exploit into a deliverable payload, such as Adobe Portable Document Format (PDF) or Microsoft Office documents.
* Delivery: transmission of the weapon to the targeted environment, mostly by email attachments, websites, and USB removable media.
* Exploitation: triggering the intruder's code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.
* Installation: installation of the trojan or backdoor on the victim system.
* Command and Control (C2): establish an outbound beacon to an internet controller server; intruders now have “hands on the keyboard” access inside the target environment.
* Actions on Objectives: intruders take actions to achieve their original objectives, e.g. data exfiltration, violations of data integrity or availability, use as a hopping point for further infiltration
Use cases for creating and implementing security controls: see Table 1-1 (ransomware use case, which also includes links to resources).
Hold fire drills: https://www.fema.gov/media-library/assets/documents/26845


@ -0,0 +1,13 @@
# Chapter 10: Password Management and Multifactor Authentication
See also: [Identity and Access Management (IAM)](../../Information%20Security/Identity%20and%20Access%20Management%20(IAM).md), [Roles in Identity and Access Management (IAM)](../../Information%20Security/Roles%20in%20Identity%20and%20Access%20Management%20(IAM).md)
## Password practices
Password complexity and brute force cracking:
* 8 characters at only lowercase equals 26 ^ 8. Extremely easy, will crack in < 2 minutes.
* 8 characters at upper- and lowercase equals 52 ^ 8. Still not the best, will crack in < 6 hours.
* 8 characters at uppercase, lowercase, and numbers equals 62 ^ 8. A little better, will crack in < 24 hours.
* 10-character passphrase with uppercase, lowercase, numbers, and symbols 94 ^ 10. Approximately 600 years.
Tools and password dictionaries (compiled from the most-used passwords obtained in previous breaches) are readily available on the Internet.
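Worked example (added here, not from the handbook): the keyspace figures above generalised into a small calculator. `keyspace` reproduces 26^8, 52^8, 62^8 and 94^10 (the 94 is 26+26+10+32), `entropy_bits` converts them to bits, and `estimated_bits` applies the same counting to an actual password by inferring which character classes it uses. The guess rate is an assumption for illustration; the handbook's crack times do not state one, so they are not reproduced.

```python
import math

# Alphabet sizes per character class; 26+26+10+32 = 94 matches the handbook's
# figure for "uppercase, lowercase, numbers, and symbols".
CHARSETS = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}

# Assumed attacker throughput for an offline attack on a fast, unsalted hash.
# Placeholder for illustration only; not a figure from the handbook.
ASSUMED_GUESSES_PER_SECOND = 1e9


def alphabet_size(classes):
    """Size of the combined alphabet for the given character classes."""
    return sum(CHARSETS[c] for c in classes)


def keyspace(length, classes):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """Keyspace expressed in bits; each extra bit doubles the attacker's work."""
    return length * math.log2(alphabet_size(classes))


def worst_case_seconds(length, classes, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to exhaust the whole keyspace at the assumed guess rate."""
    return keyspace(length, classes) / rate


def classes_present(password):
    """Infer which character classes a password actually uses."""
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digits")
        else:
            present.add("symbols")
    return tuple(sorted(present))


def estimated_bits(password):
    """Upper-bound estimate: length x log2(size of classes actually used).

    A dictionary word scores far lower in practice, which is the handbook's
    point about wordlists from earlier breaches being readily available.
    """
    return entropy_bits(len(password), classes_present(password))


def comparison_table():
    """The four cases from the handbook: keyspace, bits and worst-case seconds."""
    cases = [
        (8, ("lower",)),
        (8, ("lower", "upper")),
        (8, ("lower", "upper", "digits")),
        (10, ("lower", "upper", "digits", "symbols")),
    ]
    return [
        (length, classes, keyspace(length, classes),
         round(entropy_bits(length, classes), 1),
         worst_case_seconds(length, classes))
        for length, classes in cases
    ]


if __name__ == "__main__":
    for length, classes, space, bits, secs in comparison_table():
        print(f"{length:>2} chars {'+'.join(classes):<28} {space:>22,d} "
              f"{bits:>6} bits  {secs / 86400 / 365:>12.4f} years")
```

The table makes the handbook's ordering visible without committing to any particular crack time: going from 62^8 to 94^10 adds roughly 18 bits, so the last row is about a quarter of a million times more work than the third.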


@ -0,0 +1 @@
# Chapter 11: Vulnerability Management


@ -0,0 +1,31 @@
# Chapter 2: Asset management
Source: Defensive Security Handbook: Best Practices for Securing Infrastructure by Lee Brotherston, Amanda Berlin
Each asset or group of assets must be assigned an owner and/or a custodian.
* Asset owner: point of contact for the asset
* Custodian: responsible for the stored information
Categorize the assets into different levels of importance based on the value of the information, and the cost to the company if an asset is compromised.
## Information classification
1. Identify data sources to be protected (use tools where possible).
* include description, location, existing protection measures, data owners and custodians, and the type of resource.
2. Classify: identify information classes and label them.
1. Define critical assets (incl. firewalls, connections, etc.).
3. Map protections to set information classification levels.
4. Protect.
5. Audit yearly.
## Asset management implementation
Each department or person involved in each step should understand when and how assets are tracked at every point of their lifecycles.
* Procure
* Deploy
* Manage, e.g. moved to storage, upgraded, replaced, returned, or change of users, locations, or departments.
* Decommission
Track changes, monitor and report
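Worked example (added here, not from the handbook): an inventory check that enforces the rules above. Every asset must have an owner and/or a custodian, carry a label from the defined classification scheme, have the protections mapped to that level in place, and have been audited within the year. The classification levels, the protection mapping and the inventory records are all constructed for illustration.

```python
from datetime import date

# Classification levels and the minimum protections each level requires.
# Assumed example mapping, not the handbook's.
CLASSIFICATION_LEVELS = ("public", "internal", "confidential", "restricted")
REQUIRED_PROTECTIONS = {
    "public": set(),
    "internal": {"access-control"},
    "confidential": {"access-control", "encryption-at-rest"},
    "restricted": {"access-control", "encryption-at-rest", "mfa", "audit-logging"},
}

# Constructed sample inventory; each record carries the fields the chapter lists
# (description/type, location, protection measures, owner, custodian).
INVENTORY = [
    {"name": "hr-db", "location": "dc1", "type": "database",
     "owner": "HR director", "custodian": "DBA team", "classification": "restricted",
     "protections": {"access-control", "encryption-at-rest", "audit-logging"},
     "last_audit": "2024-03-01"},
    {"name": "marketing-site", "location": "cloud", "type": "web app",
     "owner": "Marketing lead", "custodian": "", "classification": "public",
     "protections": set(), "last_audit": "2024-01-10"},
    {"name": "file-share", "location": "dc1", "type": "file server",
     "owner": "", "custodian": "IT ops", "classification": "confidential",
     "protections": {"access-control"}, "last_audit": "2022-06-15"},
    {"name": "build-server", "location": "dc2", "type": "server",
     "owner": "", "custodian": "", "classification": "secret",
     "protections": {"access-control"}, "last_audit": "2024-09-30"},
]


def audit_asset(asset, today, max_audit_age_days=365):
    """Return the list of problems found for one asset (empty when compliant)."""
    problems = []
    # Owner and/or custodian: flag only when neither is assigned.
    if not asset["owner"] and not asset["custodian"]:
        problems.append("no owner or custodian assigned")
    level = asset["classification"]
    if level not in CLASSIFICATION_LEVELS:
        problems.append(f"unknown classification label {level!r}")
    else:
        missing = REQUIRED_PROTECTIONS[level] - asset["protections"]
        if missing:
            problems.append("missing protections: " + ", ".join(sorted(missing)))
    age = (today - date.fromisoformat(asset["last_audit"])).days
    if age > max_audit_age_days:
        problems.append(f"audit overdue ({age} days since last audit)")
    return problems


def audit_inventory(inventory=INVENTORY, today=date(2024, 12, 16)):
    """Map asset name -> problems, omitting assets that pass every check."""
    report = {}
    for asset in inventory:
        problems = audit_asset(asset, today)
        if problems:
            report[asset["name"]] = problems
    return report


if __name__ == "__main__":
    for name, problems in audit_inventory().items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

Run against the sample data it reports `hr-db` (MFA missing for a restricted asset), `file-share` (encryption at rest missing, audit overdue) and `build-server` (nobody accountable, label outside the scheme), and stays silent on `marketing-site`, which has an owner even though no custodian is named.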


@ -0,0 +1,12 @@
# Chapter 3: Policies
SANS offers a template library: https://www.sans.org/security-resources/policies
## Standards and Procedures
Standards and procedures bring policies to life. Policies describe “what” we are trying to achieve, standards and procedures form the “how.”
Example: a policy states that access must be authenticated by means of a password.
A **Standard** provides more detail as to what constitutes a password, like complexity requirements, the process for changing a password, storage requirements, ability to reuse passwords or otherwise, etc.
**Procedures** describe specific steps in order to achieve those standards at a technology level.


@ -0,0 +1,30 @@
# Chapter 4: User education and awareness
See also: [ISO_27002_2022_6.3_OT Information security awareness, education and training](../iso27diy-corp/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.3_OT%20Information%20security%20awareness%2C%20education%20and%20training.md)
Repetition matters. Do not only train; also educate.
- Establish Objectives
- Establish Baselines
- Create Program Rules and Guidelines
- Implement and Document Program Infrastructure
- Positive Reinforcement for reporting incidents
- Gamification
- Define Incident Response Processes
See appendix A for training templates.
https://www.csoonline.com/article/2134189/how-to-create-security-awareness-with-incentives.html
## Meaningful metrics
Here are some common totals to track:
* Emails sent
* Emails opened
* Links clicked
* Credentials harvested
* Reports of phishing attempts
* Emails not reported
* Hits on training sites


@ -0,0 +1,24 @@
# Chapter 5: Incident Response
See also:
- [SANS Incident Response Plan](../../Standards/SANS/SANS%20Incident%20Response%20Plan.md)
- ISO 27002 5.26
## Pre-incident process
Recognize potential incidents and initiate the response process. Leverage existing processes (check with the support desk). Define what constitutes an incident.
## Incident processes
- Appoint an Incident Manager
- Define internal communications
- Open a War Room
- Have a Conference Bridge to the war room
- Allocate the task of communicating to internal stakeholders
- Define external communications
- Determine key goals; see Disaster Recovery
- Prepare for longer lasting attacks
## Post-incident process:
- hold a lessons-learned session
- Use this session to update documentation, policies, procedures, and standards


@ -0,0 +1,55 @@
# Chapter 6: Disaster Recovery
* Business Continuity Planning (BCP): continuation of business via alternative plans.
* Disaster Recovery (DR) is the set of processes used to reach the objectives of the Business Continuity Plan.
* Key security aspects CIA: Confidentiality, Integrity, Availability
## Pre-disaster process
Have a process in place to determine what is and is not a disaster, and when to invoke the plan.
## Setting objectives
* Recovery Point Objective (RPO): the point in time that you wish to recover to. What is acceptable: seconds before the disaster strikes, the night before, or the week before? The shorter the RPO, the higher the cost and complexity.
* Recovery Time Objective (RTO): time permitted to reach the RPO.
These should be driven by the business owners!
## Recovery strategies
- Have regular backups
- Warm standbys
- High-availability systems
- Fail-over scenarios:
- Use alternative systems (e.g. if VoIP crashes, use cellphones)
    - System Function Reassignment: repurposing noncritical systems to replace critical systems (e.g. use an acceptance environment as the production environment; requires that the two environments be separated enough that a disaster affecting one will not affect the other).
- Have a process for switching back
Test regularly!
**processed up to here**
## Understand Dependencies
Map them. Example: if you have an email server with an RTO of 1 hour, and yet the network on which it depends has an RTO of 3 hours, irrespective of how quickly the email server is up and running, it may not be resuming operation in any meaningful sense until 3 hours have elapsed.
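Worked example (added here, not from the handbook): the email/network case above generalised to a dependency map. A service is only back when every service it depends on is back, so its effective RTO is the maximum of its own RTO and the effective RTO of each dependency. The sample map is constructed; the email (1 h) and network (3 h) entries reproduce the handbook's example.

```python
# Constructed sample dependency map (hours): service -> (own RTO, dependencies).
SERVICES = {
    "email":     (1, ["network", "directory"]),
    "directory": (2, ["network"]),
    "network":   (3, []),
    "website":   (4, ["network", "database"]),
    "database":  (2, ["network", "storage"]),
    "storage":   (1, []),
}


def effective_rto(service, services=SERVICES):
    """Slowest path to recovery: effective_rto(s) = max(own RTO, effective RTO of each dependency).

    Raises ValueError on a dependency cycle (a modelling error in the map) and
    KeyError for a dependency that is not in the inventory.
    """
    on_path = []

    def walk(name):
        if name in on_path:
            raise ValueError("dependency cycle: " + " -> ".join(on_path + [name]))
        if name not in services:
            raise KeyError(f"unknown service {name!r}")
        on_path.append(name)
        own, deps = services[name]
        worst = max([own] + [walk(d) for d in deps])
        on_path.pop()
        return worst

    return walk(service)


def rto_gaps(services=SERVICES):
    """Services whose stated RTO cannot be met because a dependency recovers later."""
    gaps = {}
    for name, (own, _) in services.items():
        actual = effective_rto(name, services)
        if actual > own:
            gaps[name] = (own, actual)
    return gaps


def bottlenecks(service, services=SERVICES):
    """Direct or transitive dependencies whose own RTO sets the effective RTO."""
    target = effective_rto(service, services)
    found = set()

    def walk(name):
        own, deps = services[name]
        if own == target and name != service:
            found.add(name)
        for dep in deps:
            walk(dep)

    walk(service)
    return found


if __name__ == "__main__":
    for name, (stated, actual) in sorted(rto_gaps().items()):
        print(f"{name}: stated RTO {stated}h, effective RTO {actual}h, "
              f"bottleneck(s): {', '.join(sorted(bottlenecks(name)))}")
```

On the sample map, email, directory and database all have RTOs they cannot meet, and in every case the network is the bottleneck; the website's 4 h RTO is achievable because nothing underneath it is slower. Fixing the network's RTO, or removing the dependency, is the only way to close those gaps, which is the point of mapping dependencies before promising recovery times to the business.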
## Develop Scenarios
For testing your procedures and training staff.
A few broad categories of scenarios useful to consider:
* Hardware failure of mission-critical platform
* Loss of a data center
* Pandemic
## Pre-disaster process
Have a process in place to determine what is and is not a disaster, and when to invoke the plan.
One of the most effective routes is to have a list of named individuals or roles who are authorized to determine when the organization is in a disaster situation and that the plan needs to be executed.
The process for anyone who is not authorized to make this determination is to escalate to someone who can.
## Security Considerations
* Secure Data at Rest
* Secure Data in Transit
* Patching and configuration management on backup systems
* User access
* Physical security on secondary sites


@ -0,0 +1,24 @@
# Chapter 7: Physical Security
See also:
- ISO 27002 A 7
## Physical properties
Social engineering remains to this day a very effective way of accessing the inside of a network.
- Access restriction
- Surveillance
- Authentication Maintenance (e.g. change door access code after change in staff)
- Secure physical media (e.g. lock door where backup tapes are stored)
## Operational properties
- Identify Visitors and Contractors
- Visitor and contractor actions (sign-in/ escort/ sign-out)
## Training and awareness
- Tailgating
- Badge cloning
- Malicious media
- Social engineering (pretexts)


@ -0,0 +1,14 @@
# Chapter 8: Microsoft Windows Infrastructure
## Active Directory Domain Services
Key concepts:
- Trusts
- Domain Controllers and FSMO roles
- Organizational Units
- Groups
- Accounts
- Group Policy Objects (GPOs)
- Enhanced Mitigation Experience Toolkit (EMET)
- MS-SQL servers


@ -0,0 +1,12 @@
# Chapter 9: Endpoints
## Key protection measures
- Software / OS updates
- Desktop Firewalls
- VPN
- Disk Encryption
- Mobile Device Mgt
- Endpoint Visibility (vs. privacy)
- Centralize resources


@ -0,0 +1,46 @@
# Defining Security Metrics
A metric is a consistent standard for measurement.
Business leaders will ask the following:
- How effective are my security processes?
- Am I better off than I was this time last year?
- How do I compare with my peers?
- Am I spending the right amount of money?
- What are my risk transfer options?
Therefore, Good metrics:
- Incorporate measures of time or money
- Are well understood across the company
- Are well understood across industries and are consistently measured, which means they lend themselves to benchmarking
- Are calculated mechanically and can be gathered in an automated way
Differently put, good metrics:
1. are simple to explain and straightforward to calculate, clear and unambiguous. Their transparency facilitates adoption by management.
2. are all expressed in terms of time, money, or a measure derived from these.
3. readily lend themselves to benchmarking.
A good metric should be
- Consistently measured, without subjective criteria. Different people should be able to apply the method to the same data set and come up with equivalent answers.
- Cheap to gather, preferably in an automated way
- Expressed as a cardinal number or percentage, not with qualitative labels like “high,” “medium,” and “low”
- Expressed using at least one unit of measure, such as “defects,” “hours,” or “dollars,” making it easier to compare.
A good metric should ideally also be contextually specific: relevant enough (and informative enough) to decision-makers that they can take action.
“Traffic light” inputs (red-yellow-green) are not metrics at all. They contain neither a unit of measure nor a numerical scale. Traffic light colors can be used, sparingly, as a presentation strategy to supplement numerical data or draw attention to outliers.
Metrics ought to be computed at a frequency commensurate with the process's rate of change. For most security processes “often” is better than “sometimes.”
## Reservations toward ISO 17799
My reservations about using the ISO as a metrics framework:
- ISO 17799 portrays information security controls as things to be assessed, selected, and implemented. But it makes almost no practical recommendations about how to manage, monitor, and measure the effectiveness of these controls.
- The recommendations are never firm; interpretation is an exercise left to the reader
- Insufficient attention to measurement
## Reservations toward Annualized Loss Expectancy
Security events are low frequency and high severity. That makes them hard to model.
ALE is security's spherical cow. It encourages practitioners to think about dollar impact on an aggregate, averaged basis, in spite of the fact that losses do not gravitate to the middle; they cluster on the far edges.
Second, practitioners of ALE suffer from a near-complete inability to reliably estimate probabilities. The same is true for loss estimation.
The third strike against ALE relates to the lack of probability-and-loss data.
The real tragedy of ALE: it's really just a funny little model that anyone can game for his or her own purposes.
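Worked example (added here, not from the book): the "spherical cow" objection in numbers. `ale` is the textbook SLE x ARO; `empirical_ale` is what that amounts to over a loss history, the average. The ten-year loss history is constructed so that nine years are quiet and one is catastrophic, which is the low-frequency, high-severity shape the text describes; `tail_profile` shows how far the average sits from where the losses actually land, and what a budget set at the ALE leaves uncovered.

```python
import math
from statistics import mean, median

# Constructed annual loss history (USD) for one risk over ten years:
# nine quiet years and one catastrophic year. Sample data, not from the book.
YEARLY_LOSSES = [5_000, 0, 12_000, 0, 3_000, 0, 0, 8_000, 0, 2_500_000]


def ale(single_loss_expectancy, annual_rate_of_occurrence):
    """Textbook ALE = SLE x ARO."""
    return single_loss_expectancy * annual_rate_of_occurrence


def empirical_ale(losses):
    """What ALE amounts to over a real history: the average annual loss."""
    return mean(losses)


def percentile(losses, p):
    """Nearest-rank percentile (p in 0..1) of the loss history."""
    ordered = sorted(losses)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


def budget_shortfall(losses, budget):
    """Number of years the loss exceeded the budget and the total uncovered amount."""
    overruns = [loss - budget for loss in losses if loss > budget]
    return len(overruns), sum(overruns)


def tail_profile(losses):
    """Average versus where losses actually sit, plus what budgeting the ALE leaves open."""
    avg = empirical_ale(losses)
    years_over, uncovered = budget_shortfall(losses, avg)
    return {
        "ale": avg,
        "median": median(losses),
        "p90": percentile(losses, 0.9),
        "worst": max(losses),
        "worst_share": max(losses) / sum(losses),  # fraction of all loss from one year
        "years_over_ale": years_over,
        "uncovered": uncovered,
    }


if __name__ == "__main__":
    for key, value in tail_profile(YEARLY_LOSSES).items():
        print(f"{key:>15}: {value:,}")
```

On the sample history the ALE is 252,800 a year, yet the median year costs 1,500 and even the 90th-percentile year only 12,000; a single year carries almost 99 percent of all loss and overruns an ALE-sized budget by 2.2 million. The average describes no year that actually happened, which is the objection above.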


@ -0,0 +1,43 @@
# Diagnosing Problems and Measuring Technical Security
Chapter outline:
- Using Metrics to Diagnose Problems: A Case Study
- Defining Diagnostic Metrics
- Perimeter Security and Threats
    - E-mail
    - Antivirus and Antispam
    - Firewall and Network Perimeter
    - Attacks
- Coverage and Control
    - Antivirus and Antispyware
    - Patch Management
    - Host Configuration
    - Vulnerability Management
- Availability and Reliability
    - Uptime
    - System Recovery
    - Change Control
- Application Security
    - Black-Box Defect Metrics
    - Qualitative Process Metrics and Indices
    - Code Security Metrics
## Summary
In security, metrics help organizations:
- Understand security risks
- Spot emerging problems
- Understand weaknesses in their security infrastructures
- Measure performance of countermeasure processes
- Recommend technology and process improvements
## Defining Diagnostic Metrics
Diagnostic metrics are used to assess security posture, diagnose issues, and measure security activities associated with infrastructure.
This chapter focuses on technical metrics that quantify each of the following:
- Perimeter defenses
- Coverage and control
- Availability and reliability
- Application risks
A large number of organizations and industry initiatives have begun creating metrics lists, notably the Corporate Information Security Working Group (CISWG), NIST, ISSEA, US CERT, and my own initiative, securitymetrics.org.


@ -0,0 +1,24 @@
# Measuring Program Effectiveness
Chapter outline:
- Using COBIT, ITIL, and Security Frameworks
    - Frameworks
    - Not Useful: Asset Valuation
- Planning and Organization
    - Assessing Risk
    - Human Resources
    - Managing Investments
- Acquisition and Implementation
    - Identifying Solutions
    - Installing and Accrediting Solutions
    - Developing and Maintaining Procedures
- Delivery and Support
    - Educating and Training Users
    - Ensuring System Security
    - Identifying and Allocating Costs
    - Managing Data
    - Managing Third-Party Services
- Monitoring
    - Monitoring the Process
    - Monitoring and Evaluating Internal Controls
    - Ensuring Regulatory Compliance
- Summary



@ -0,0 +1,14 @@
[Defining Security Metrics](Jaquith_2007_1_Defining_Security_Metrics.md)
[Diagnosing Problems and Measuring Technical Security](Jaquith_2007_2_Diagnosing_Problems_and_Measuring_Technical_Security.md)
[Measuring Program Effectiveness](Jaquith_2007_3_Measuring_Program_Effectiveness.md)
## Shift Left: Relative Cost to Correct Security Defects, by Stage
Stage | Relative Cost
--- | ---
Design | 1.0
Implementation | 6.5
Testing | 15.0
Maintenance | 100.0


@ -0,0 +1,19 @@
# Security Metrics that Count
Harini Rangarajan of Twilio (a customer engagement platform) published a [blogpost](https://www.twilio.com/blog/security-metrics-count) on 30 November 2021 called 'Security Metrics that Count'.
They found (by using metrics!) that different audience groups within Twilio were interested in different kinds of security metrics:
- Executive-level leadership wanted to understand the security posture across the organization
- VPs wanted to understand the security posture of their specific business units
- Product managers wanted to understand the security posture of their products
- Engineering managers wanted to understand how many open vulnerabilities were present and which ones their teams should prioritize fixing.
They distinguish metrics that capture the 'health' of the organization (security wise) and metrics that capture the maturity of the security program. These metrics are shown in a table in the blogpost.
To establish the current security posture of their products, they added extra fields to their (development) ticketing system Jira for Vulnerability Category, Vulnerability Source and Business Unit.
They then used this data to generate dashboards for different audiences.
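Worked example (added here, not from the blogpost or Twilio): what "one data set, several dashboards" looks like once tickets carry the extra fields. Each view below answers one of the four audiences listed above from the same ticket list. The ticket records are constructed, and the field names (`business_unit`, `category`, `source`) are an assumed shape, not Twilio's Jira schema.

```python
from collections import Counter, defaultdict

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Constructed sample tickets. The extra fields mirror what the post describes
# (vulnerability category, vulnerability source, business unit); values are made up.
TICKETS = [
    {"id": "SEC-1", "business_unit": "Messaging", "product": "SMS API",
     "category": "Injection", "source": "Pentest", "severity": "High", "status": "Open"},
    {"id": "SEC-2", "business_unit": "Messaging", "product": "SMS API",
     "category": "Cross-site scripting", "source": "Bug bounty", "severity": "Medium", "status": "Open"},
    {"id": "SEC-3", "business_unit": "Messaging", "product": "Voice API",
     "category": "Misconfiguration", "source": "Scanner", "severity": "Critical", "status": "Open"},
    {"id": "SEC-4", "business_unit": "Video", "product": "Video SDK",
     "category": "Outdated dependency", "source": "Scanner", "severity": "Low", "status": "Open"},
    {"id": "SEC-5", "business_unit": "Video", "product": "Video SDK",
     "category": "Injection", "source": "Pentest", "severity": "High", "status": "Closed"},
    {"id": "SEC-6", "business_unit": "Identity", "product": "Verify",
     "category": "Authentication bypass", "source": "Bug bounty", "severity": "Critical", "status": "Open"},
]


def open_tickets(tickets):
    return [t for t in tickets if t["status"] == "Open"]


def severity_counts(tickets):
    """Open vulnerabilities by severity; every level is listed so zeros are visible."""
    counts = Counter(t["severity"] for t in open_tickets(tickets))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def executive_view(tickets):
    """Executive leadership: posture across the whole organization."""
    return severity_counts(tickets)


def vp_view(tickets):
    """VPs: posture per business unit."""
    by_bu = defaultdict(list)
    for t in tickets:
        by_bu[t["business_unit"]].append(t)
    return {bu: severity_counts(ts) for bu, ts in sorted(by_bu.items())}


def product_view(tickets, product):
    """Product managers: one product's open findings, and where findings come from."""
    mine = [t for t in tickets if t["product"] == product]
    return {
        "open_by_severity": severity_counts(mine),
        "by_category": dict(Counter(t["category"] for t in open_tickets(mine))),
        "by_source": dict(Counter(t["source"] for t in mine)),
    }


def engineering_queue(tickets, business_unit):
    """Engineering managers: open ticket ids for their unit, most severe first."""
    rank = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    mine = [t for t in open_tickets(tickets) if t["business_unit"] == business_unit]
    return [t["id"] for t in sorted(mine, key=lambda t: rank[t["severity"]])]


if __name__ == "__main__":
    print("Executives:", executive_view(TICKETS))
    print("VPs:", vp_view(TICKETS))
    print("Product (SMS API):", product_view(TICKETS, "SMS API"))
    print("Engineering queue (Messaging):", engineering_queue(TICKETS, "Messaging"))
```

The source breakdown in `product_view` counts closed tickets as well, since "where do our findings come from" is a statement about the detection mix rather than about what is currently open; the severity counts use open tickets only.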
Related:
- [[MyVault/👩🏼‍⚖️ Standards and Regulations/ISO 27001 2013/ISO 27001 C 9 Performance evaluation#9 1 Monitoring measurement analysis and evaluation]]
- [ISO 27001 A 12.4 Logging and monitoring](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.4%20Logging%20and%20monitoring.md)