| B | C | D | E | I | J | K | |
|---|---|---|---|---|---|---|---|
1 | GÉANT Security Baseline Assessment: For | ||||||
2 | |||||||
3 | Instructions | ||||||
4 | Interview an individual based on the questions below organized according to GÉANT Security Baseline Requirements. | ||||||
5 | There are three guidance questions for each requirement, which indicate the degree of achievement of the objectives. | ||||||
6 | Select the best answer from the multiple choice drop down selections in the answer column: None (No), one/two (Partly) or all guidance questions are covered (Yes) | ||||||
7 | Use "Not applicable" only if the subject on a requirement does not apply to your organization, e.g. if an orgainsation does not own federated metadata, it's not possible to sign it. | ||||||
8 | Document additional information such as how and why in the "Interview Notes" column. | ||||||
9 | Once the assessment is complete, go to the "Scorecard" sheet and view a summary of your results. | ||||||
10 | |||||||
11 | organisation: | ||||||
12 | Project: | ||||||
13 | Interview Date: | ||||||
14 | Interviewer: | ||||||
15 | Persons Interviewed: | ||||||
16 | |||||||
17 | Policy and Leadership | ||||||
18 | Management Commitment and Mandate | Answer | Interview Notes | Rating | |||
19 | MC1 | Member of organisational leadership team is given a direct mandate for security. | 0.00 | ||||
20 | Guidance: | There is member of top management responsible for security (CISO or equivalent). | |||||
21 | Guidance: | Security is a regular agenda item for executive / board level meetings. | |||||
22 | Guidance: | Executive teams receive regular briefings on security topics from next-level management / operational staff. | |||||
23 | |||||||
24 | Security policy and objectives are established and clearly linked to organisational strategy. | ||||||
25 | Guidance: | Security is clearly addressed in the organisational strategy documentation. | |||||
26 | Guidance: | Each department of organisation has security topics, applicable to department, in it's charter or equivalent workplan. | |||||
27 | Guidance: | It is ensured that all employees are familiarized with security part of organisational strategy. | |||||
28 | |||||||
29 | Budget and resources for security are clearly defined and set annually. | ||||||
30 | Guidance: | There is an annual budget dedicated to security. | |||||
31 | Guidance: | It is possible to provide a figure from previous guidance. | |||||
32 | Guidance: | The planned and realised budget are aligned. | |||||
33 | |||||||
34 | |||||||
35 | MC2 | Support is provided for the creation and approval of controls to meet GÉANT Security Baseline. | |||||
36 | Guidance: | CISO or equivalent organises a regular meeting that covers harmonisation with GÉANT Security Baseline. | |||||
37 | Guidance: | There is dedicated person who takes care of harmonisation with GÉANT Security Baseline. | |||||
38 | Guidance: | There is part of the annual security planning dedicated to harmonisation with GÉANT Security Baseline. | |||||
39 | |||||||
40 | Regular reporting of security controls to top management is in place | ||||||
41 | Guidance: | CISO at least quarterly reports to top level management on security. | |||||
42 | Guidance: | Top level management at least quarterly discuss technical security issues. | |||||
43 | Guidance: | Top level management at least quarterly discuss legal or organisation security issues. | |||||
44 | |||||||
45 | |||||||
46 | MC3 | The goals for information security and data protection are communicated annually by the top management. | |||||
47 | Guidance: | CEO at least annually addresses all employees concerning security (could be jointly with other topics). | |||||
48 | Guidance: | CISO at least annually addresses all employees specifically about security. | |||||
49 | Guidance: | There is at least one annual security related all hands event (meeting, workshop, webinar…) lead by CEO or CISO. | |||||
50 | |||||||
51 | The security program is compliant to a national or international standard. | ||||||
52 | Guidance: | Organisation is certified according relevant national standard. | |||||
53 | Guidance: | Organisation is certified according relevant international standard. | |||||
54 | Guidance: | Organisation is subject to required re-assessment audits to confirm compliance. | |||||
55 | |||||||
56 | Internal Security Policy | Answer | Interview Notes | Rating | |||
57 | SP1 | Information security policy has been approved by management and it is implemented in the NREN. | Yes | 3.00 | |||
58 | Guidance: | IS policy has been approved by top management. | |||||
59 | Guidance: | Organisation have documented plan for implementation of IS policy. | |||||
60 | Guidance: | There is member of management responsible for implementation of IS policy. | |||||
61 | |||||||
62 | The information security policy is implemented for new and legacy services and systems. | Yes | |||||
63 | Guidance: | IS policy is implemented for all new services and systems. | |||||
64 | Guidance: | IS policy is implemented on at least 75% of legacy services and systems. | |||||
65 | Guidance: | There is plan to implement IS policy to all legacy services and systems. | |||||
66 | |||||||
67 | Physical security and use of mobile and personal devices are addressed in the information security policy. | Yes | |||||
68 | Guidance: | Physical security is addressed in IS policy. | |||||
69 | Guidance: | Usage of mobile devices is addressed in IS policy. | |||||
70 | Guidance: | Usage of personal devices is addressed in IS policy. | |||||
71 | |||||||
72 | |||||||
73 | SP2 | Violations of the Internal Security Policy are investigated and dealt with by the security officer. | Yes | ||||
74 | Guidance: | There is a contact point known to all employees where they can report security incidents. | |||||
75 | Guidance: | There are other means of detecting incidents (e.g. monitoring, helpdesk, IDS…). | |||||
76 | Guidance: | All reported or detected incidents are resolved, security officer is informed about and he/she acts when necessary. | |||||
77 | |||||||
78 | Information security policy is continuously updated (at least once per year). | Yes | |||||
79 | Guidance: | IS policy has been reviewed and updated in last 12 months. | |||||
80 | Guidance: | Approximate time of next review has been fixed. | |||||
81 | Guidance: | There is a person responsible for coordinating of IS policy review and update. | |||||
82 | |||||||
83 | |||||||
84 | SP3 | Reliable mechanisms for monitoring information security policy implementation are in place and results are regularly presented to the top management. | Yes | ||||
85 | Guidance: | IS officer have regular meetings with service owners concerning implementation of IS policy in their services. | |||||
86 | Guidance: | There is monitoring in place to detect violation of IS policy (monitoring, log analysis, IDS…). | |||||
87 | Guidance: | Status of implementation of IS policy is regularly presented to the top management. | |||||
88 | |||||||
89 | Internal security policies are accessible to other NRENS or R&E organisations. | Yes | |||||
90 | Guidance: | Organisation's IS policy has been shared upon request with at least 2 other NRENs. | |||||
91 | Guidance: | There was at least one meeting/discussion with another organisations about IS policy. | |||||
92 | Guidance: | Results of discussions has been reviewed and implemented in IS policy if applicable. | |||||
93 | |||||||
94 | Acceptable Use Policy | Answer | Interview Notes | Rating | |||
95 | AU1 | NREN have AUP based on security policy. | 0.00 | ||||
96 | Guidance: | Organisation has an AUP in place. | |||||
97 | Guidance: | AUP has been aligned with internal security policy. | |||||
98 | Guidance: | AUP is updated with update of internal security policy. | |||||
99 | |||||||
100 | The AUP has been signed or accepted by all users of information system including new users. | ||||||