Draft Audit Plan: ICANN SSR Workshop 9-10 October
 Share
The version of the browser you are using is no longer supported. Please upgrade to a supported browser.Dismiss

View only
 
 
ABCDEFGHIJKLMNOPQRSTUVWXYZ
1
IDTopicQuestionsICANN PersonnelDateTime
ICANN Personnel
DocumentsRecommendations
2
1Perform an assessment of ICANN's Information Security Management System.
3
1.1ISMS in general
4
1.1.1Does ICANN utilise a formal ISMS (Information Security Management System)?
5
1.1.2Are the general ISMS objectives compatible mapped to the ICANN strategic plan and ICANN’s identified enterprise risks?
6
1.1.3Is there a formal training plan in place to ensure all staff are aware of the policies and operating procedures of the ISMS?
7
1.2Leadership and responsibilities
8
1.2.1Are the general ISMS objectives compatible with the strategic direction of ICANN?
9
1.2.2Does Information Security Policy exist with objectives or framework for setting objectives?
10
1.2.3Is Information Security Policy communicated within the company?
11
1.2.4Are roles and responsibilities for information security assigned and communicated?
12
1.2.5Is there a formal training plan in place to ensure all staff are aware of the policies and operating procedures of the ISMS?
13
1.3Resources, competence, awareness, and communication
14
1.3.1Are adequate resources provided for all the elements of ISMS?
15
1.3.2Are required competences defined, trainings performed, and records of competences maintained?
16
1.3.3Is the personnel aware of Information security policy, of their role, and consequences of not complying with the rules?
17
1.3.4Does the process for communication related to information security exist, including the responsibilities and what to communicate?
18
1.3.5Does the process for managing documents and records exist, including who reviews and approves documents, where and how they are published, stored and protected?
19
1.3.6Are documents of external origin controlled?
20
1.3.7Are all relevant employees and contractors being trained to perform their security duties, and do the awareness programs exist?
21
1.4Access control
22
1.4.1Does policy for physical access to hardware and equipment exists?
23
1.4.2Does policy for Logical access control to protect data and software from unauthorised access and misuse exists?
24
1.5Physical and environmental security
25
1.5.1Is there physical methods to control access
to information processing facilities?
26
1.5.2Is there protecton of equipment from
security and environmental threats and hazards?
27
1.5.3Does equipment facilities have continuous power supply?
28
1.6Operational security
29
1.6.1Are Operational Procedures and Responsibilities established across organization?
30
1.6.2Does Operational Procedures and Responsibilities comply with security policy?
31
1.6.3Is there protection from malicious software?
32
1.6.4Is there dokumented Backup procedure?
33
1.6.5Are the rules been established for use of mobile devices and removable media?
34
1.7System acquisition, development and maintenance
35
1.7.1Are there security requirements that new applications or all enhancements to existing systems must meet?
36
1.7.2Are there security controls for aplication development or aquisition?
37
1.7.3Does formal procedure to control changes to information systems exist?
38
1.7.4Is there a policy on the use of cryptography?
39
1.8Supplier relationships
40
1.8.1Is the policy on how to treat the risks related to suppliers and partners documented?
41
1.8.2Are suppliers regularly monitored for compliance with the security requirements, and audited if appropriate?
42
1.8.3Do the agreements with suppliers include security requirements for ensuring the reliable delivery of services?
43
2Perform a comprehensive assessment of ICANN's Business Continuity Management System.
44
2.1Business Continuity Objectives and Plans
45
2.1.1Is there a documented Corporate (organization) BCM Strategy that has been signed-off by top management?
46
2.1.2Does the organization have a documented business continuity operational planning and control process?
47
2.2Operational planning and control
48
2.2.1Have the operating procedures for IT processes been documented?
49
2.2.2Is installation of software strictly controlled; do procedures exist for that purpose?
50
2.2.3Is it clearly defined who should be in contact with which authorities?
51
2.2.4Is it clearly defined who should be in contact with special interest groups or professional associations?
52
2.2.5Are information security rules included in every project?
53
2.2.6Are audits of production systems planned and executed in such a way that they minimize the risk of disruption?
54
2.3Business Continuity Strategies
55
2.3.1Is there a documented Corporate (organization) BCM Strategy that has been signed-off by top management?
56
2.4Prioritized Activity Recovery Strategy
57
2.4.1Have the Recovery Time Objective (RTO) for each prioritised activity been identified and agreed?
58
2.4.2Has the organization identified the dependencies and resources needed to maintain, restore, resume and/or recover each of its prioritised activities to an acceptable level of functionality and performance (MBCO)?
59
2.5Resource Recovery Strategy
60
2.5.1Is there a documented Resource Recovery Strategy for critical business activities and their dependencies that has been signed off by top management?
61
2.5.2Is the strategy based upon and consistent with the resource recovery requirements identified within the current BIA in respect of the organization's prioritised activities their support services and dependencies recovery profile?
62
2.5.3Have the resource requirements to implement the business continuity strategies been identified and provided?
63
2.6BC Procedures - Incident Response Structure
64
2.6.1Does organization have an Emergency Management/Evacuation Plan?
65
2.6.2Does the organization have an incident management structure, procedures and arrangements that provide overall control of the response to a disruptive incident?
66
2.6.3Does the organization have a documented Corporate Crisis Management Plan (CCMP)?
67
2.6.4Does the organization have predefined Incident Management Team(s) for co-ordinating and/or managing differing types of incident e.g. business, technical service delivery, site, building, corporate?
68
2.7Business Continuity Plans (BCP)
69
2.7.1Does the organization have documented business continuity plans in respect of each of the organization’s prioritised activities and their dependencies?
70
2.7.2Does each plan identify roles and teams that have the necessary seniority, authority, capability and competence to take control and manage the incident and communicate with stakeholders?
71
2.7.3Has each plan and its component parts been successfully tested and/or invoked at least once within the last 12 months to ensure they can achieve its aim and objectives within the required timescales?
72
2.7.4Does each plan contain predefined task checklists that includes mandatory and discretionary tasks together with individuals/roles/teams responsible for their completion and a process for tracking there completion within an allocated timeframe ?
73
2.7.5Is there a documented and funded maintenance cycle and programme for the plan and its component parts to ensure it remains appropriate (fit for purpose), plausible and capable of meeting its objectives and required outcomes?
74
2.8Evaluation of Business Continuity Procedures
75
2.8.1Does the organization conduct performance evaluations of its business continuity procedures, arrangements and capabilities in order to verify their continued suitability, adequacy and effectiveness?
76
2.8.2Is a post incident review undertaken in the event of an incident that disrupts the organization’s prioritised activities or requires an incident response?
77
3Perform a comprehensive assessment of ICANN's Risk Management Methodology and Framework.
78
3.1Risk Assessment Process, Risk Acceptance Criteria and Criteria for Risk Assessment
79
3.1.1Is there an information risk assessment process documented, including the risk acceptance criteria and criteria for risk assessment?
80
3.1.2Are the risks identified, their owners, likelihood, consequences, and the level of risk; are these results documented?
81
3.2Risk Management and Risk Treatment
82
3.2.1Is the risk treatment process documented, including the risk treatment options?
83
3.2.2Does Risk treatment plan define who is responsible for implementation of which control, with which resources, what are the deadlines, and what is the evaluation method?
84
4Perform an assessment how effectively ICANN has implemented its Security Incident Management and response processes to reduce (pro-active and reactive) the probability of DNS-related incidents.
85
4.1Security Incident Management Process
86
4.1.1Are procedures and responsibilities for managing incidents clearly defined?
87
4.1.2Are all information security events reported in a timely manner?
88
4.1.3Are employees and contractors reporting on security weaknesses?
89
4.1.4Are all security events assessed and classified?
90
4.1.5Are procedures on how to respond to incidents documented?
91
4.1.6Are security incidents analyzed in order to gain knowledge on how to prevent them?
92
4.1.7Do procedures exist which define how to collect evidence that will be acceptable during the legal process?
93
4.2Security Incident Response Process relating to a global incident (DNS-related)
94
4.2.1Does ICANN have a documented incident response plan, with processes and resources identified
95
4.2.2Does ICANN maintain contracts with third parties to potentially assist in major incident responses
96
4.2.3Is this incident response plan tested on a periodic basis?
97
4.2.4Does ICANN have a vulnerability management process?
98
4.2.5Does ICANN have a vulnerability disclosure policy?
99
4.3ICANN operational responsibilities (L-Root)
100
4.3.1Are there technical and operational requirements for hosting L-Root node?
Loading...
Main menu