Information Security Management Benchmark

Author: Edgar Stevens
Information Security Management Benchmark - The Self-Assessment Tool for Security Measures

In this self-assessment site you will be asked 27 questions about information security measures in Part I and 19 questions about your company profile in Part II. This document lists the 27 questions on information security measures so that you know in advance what you will be asked and can prepare your answers. The 27 questions are grouped into the following five categories:

1. Organizational approaches to information security

2. Physical (environmental) security countermeasures

3. Operation and maintenance controls over information systems and communication networks

4. Information system access control and security countermeasures during the development and maintenance phases

5. Information security incident response and BCM (Business Continuity Management)

Q1: Organizational approaches to information security

Questions Q1-(1) to Q1-(8) ask about the organizational approaches to information security. Answer each question by selecting the one of options 1 to 5 below that best describes your company.

Options for Q1-(1) to Q1-(8)

1. The management is not aware of the necessity, or no rule or control has been established even though they are aware of it.

2. The management is aware of the necessity and is formulating and disseminating the rules and controls, but only some of them are implemented.

3. The rules and controls have been established with the approval of the management, and they are disseminated and implemented company-wide, but the state of implementation has not been reviewed.

4. The rules and controls have been established under the leadership and approval of the management, and they are disseminated and implemented company-wide, with their status reviewed on a regular basis by the responsible person.

5. In addition to item 4 above, your company has improved the rules and controls to become a good example for other companies by dynamically reflecting changes in the security environment.

Q1-(1) Does your company have policies or rules for information security, and does it implement them? (It is important to establish policies and rules based on your company's business and operational risk, rather than simply copying a sample or template. To ensure that those policies and rules are enforced, you need to make them known to everyone within the company, check the state of implementation, and review them as needed.)

Copyright © 2016 Information-technology Promotion Agency, Japan (IPA)

Q1-(2) Does your company evaluate the threats to and vulnerabilities of its vital information assets when deciding security rules and countermeasures? (This procedure is called "risk assessment". It is important to establish procedures for information security risk assessment and to review the risks and countermeasures regularly, so that countermeasures are cost-effective and efficient.)

Q1-(3) Does your company have an organizational framework, including the management, to promote information security and compliance with laws and rules? (To build a framework that promotes information security, it is important for the management to exercise leadership and to clearly state the responsibilities assigned to each person in charge, including auditors. To ensure the enforcement of policies and rules, everybody within the company needs to understand them fully and clearly.)

Q1-(4) Are the key information assets (information and information systems) classified by level of importance, and are there rules for managing and handling such assets according to that level? (To manage information assets appropriately, the assets should be classified into multiple groups by level of importance, rules have to be established for managing and handling assets at each level, and a person in charge of information management needs to be assigned.)

Q1-(5) Does your company apply appropriate security measures to protect key information (including personal data and confidential information) in each phase of the information life cycle, including acquisition, creation, use, storage, exchange, provision, deletion and disposal? (Appropriate information management includes clarifying operational procedures and the person responsible for each operation, limiting who can perform a specific operation, recording operational history, and checking operations. These tasks need to be implemented regardless of whether the operation is performed manually or by an information system.)

Q1-(6) Are information security requirements included in the written contracts your company exchanges when it outsources business operations or information system management? (These requirements should be met to prevent information leakage or loss of data, misuse of information and information systems, and so on.)

Q1-(7) Does your company make security obligations clear to its employees (including temporary staff), for example through nondisclosure agreements signed when they join or leave the company? (To ensure that everybody within the company satisfies the information security requirements, you need to assign a person responsible for this, make clear the rules that must be followed, and make sure everybody knows them.)


Q1-(8) Does your company regularly give its employees (including management and temporary staff) security education and training on the company's approaches to information security and the associated rules? (It is important to give all employees regular security education and training that covers security requirements, prohibited matters, information security threats, and countermeasures.)

Q2: Physical (environmental) security countermeasures

Questions Q2-(1) to Q2-(4) ask about the physical (environmental) security countermeasures. Answer each question by selecting the one of options 1 to 5 below that best describes your company.

Options for Q2-(1) to Q2-(4)

1. No rule or control has been established, and therefore nothing is implemented.

2. The rules and controls are being formulated and disseminated, but only some of them are implemented.

3. The rules and controls have been established, and they are disseminated and implemented company-wide, but the state of implementation has not been reviewed.

4. The rules and controls have been established under the leadership and approval of the management, and they are disseminated and implemented company-wide, with their status reviewed on a regular basis by the responsible person.

5. In addition to item 4 above, your company has improved the rules and controls to become a good example for other companies by dynamically reflecting changes in the security environment.

Q2-(1) Does your company implement the security countermeasures required for the buildings and sites whose security it wants to improve? (Countermeasures include separating the site from the outside with a gate or wall, performing access control, setting up alarm devices, etc. It is also important to divide the site into multiple zones from a security standpoint, for example a delivery-and-receipt room and a working area for outside contractors.)

Q2-(2) Does your company formulate and enforce security rules for the people moving in and out of its premises, including clients, vendors, common carriers, cleaners, etc.? (More people than you might imagine visit your company. It is important to establish security rules that visitors must follow.)

Q2-(3) Are important information equipment and wires/cables placed and installed safely so that they are protected against natural and man-made disasters? (Safe placement and installation means placing information equipment and wires/cables where they are protected against unauthorized access and tapping, running wires/cables underground or under the floor, and installing devices and systems where they are protected against natural disasters such as water leakage, fire, earthquake, etc.)


Q2-(4) Does your company handle important documents, mobile PCs, and removable storage media appropriately? (Appropriate management includes lockable filing cabinets, removing printed documents from printers or other output devices immediately, breaking up storage media for secure disposal, etc. Important documents include information-system-related documents.)

Q3: Operation and maintenance controls over information systems and communication networks

Questions Q3-(1) to Q3-(7) ask about the information security countermeasures for information and communication networks and the operational controls over information systems. Answer each question by selecting the one of options 1 to 5 below that best describes your company.

Options for Q3-(1) to Q3-(7)

1. No rule or control has been established, and therefore nothing is implemented.

2. The rules and controls are being formulated and disseminated, but only some of them are implemented.

3. The rules and controls have been established, and they are disseminated and implemented company-wide, but the state of implementation has not been reviewed.

4. The rules and controls have been established under the leadership and approval of the management, and they are disseminated and implemented company-wide, with their status reviewed on a regular basis by the responsible person.

5. In addition to item 4 above, your company has improved the rules and controls to become a good example for other companies by dynamically reflecting changes in the security environment.

Q3-(1) Does your company protect the information systems and data used in the production environment appropriately? (Appropriate protection includes separating development systems from production systems, implementing change control, restricting the use of production data in development systems, etc.)

Q3-(2) Does your company implement the security countermeasures required for information system operation? (Appropriate countermeasures include developing operational manuals, operating in accordance with the rules and procedures, monitoring the state of implementation, recording and checking security logs, etc.)

Q3-(3) Does your company have documented procedures for backing up vital business data and related systems, and does it follow them? (Scheduled, systematic backup is very important, because the backup data supports quick recovery from data loss, system failure or an incident. If you fail to back up vital business data and related systems regularly, you cannot restore that data in the event of a system failure, which may seriously harm your business.)


Q3-(4) Does your company take countermeasures against malware (computer viruses, worms, Trojan horses, bots, spyware, etc.)? (Countermeasures against malware include installing antivirus software, updating its signature files regularly, applying security patches, etc.)

Q3-(5) Does your company take countermeasures to mitigate vulnerabilities in the information systems it uses? (Appropriate countermeasures include configuring systems with information security in mind, applying security patches, and managing versions, changes, and system configuration.)

Q3-(6) Does your company take appropriate protective measures (such as encryption) for data transferred across communication networks and data stored on public servers? (Appropriate protective measures include using a VPN, TLS (the successor to SSL) or other secure protocols.)

Q3-(7) Does your company implement appropriate security countermeasures to protect storage media such as mobile PCs, USB memory sticks, floppy disks, etc. against loss, theft and so on? (Mobile PCs, USB memory sticks and other storage media are used not only in your office but also in public spaces outside the company, at remote offices, in users' homes, etc. When such media are taken out, the risk of theft or loss is higher than when they are used in the office. Take this into account when implementing countermeasures.)
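Q3-(2) asks whether security logs are recorded and checked. The following is an added example of what "checking" can mean in practice; it is not part of the IPA questionnaire and the log lines are constructed, in OpenSSH/syslog format, for illustration. It scans an authentication log with a sliding time window, flags any source address that reaches a threshold of failed logins inside the window, and separately flags a successful login from such an address, which is the event that needs immediate attention. The threshold, window and the assumed log year are parameters chosen here, not values from the document.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH/syslog format (not from the original document).
# 203.0.113.45 hammers the host and then gets in; 192.0.2.9 makes one attempt
# per hour, which a short detection window will miss.
SAMPLE_LOG = """\
Mar  3 09:14:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 09:14:03 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 09:14:05 gw sshd[2103]: Failed password for root from 203.0.113.45 port 51130 ssh2
Mar  3 09:14:08 gw sshd[2105]: Failed password for root from 203.0.113.45 port 51131 ssh2
Mar  3 09:14:10 gw sshd[2107]: Failed password for root from 203.0.113.45 port 51133 ssh2
Mar  3 09:14:12 gw sshd[2109]: Failed password for root from 203.0.113.45 port 51134 ssh2
Mar  3 09:14:20 gw sshd[2111]: Accepted password for root from 203.0.113.45 port 51140 ssh2
Mar  3 09:30:00 gw sshd[2200]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Mar  3 09:30:30 gw sshd[2202]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Mar  3 10:00:00 gw sshd[2300]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar  3 11:00:00 gw sshd[2301]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar  3 12:00:00 gw sshd[2302]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Mar  3 13:00:00 gw sshd[2303]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Mar  3 14:00:00 gw sshd[2304]: Failed password for bob from 192.0.2.9 port 33005 ssh2
"""

# syslog timestamps carry no year; 2016 is assumed here for parsing.
LOG_YEAR = 2016

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # not an authentication result; ignore
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def analyse(log_text, threshold=5, window_seconds=600):
    """Scan the log once and return a list of findings (dicts).

    brute_force: an IP reached `threshold` failed logins within the window.
    success_after_brute_force: a login from that IP succeeded while those
    failures were still inside the window.
    """
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)  # ip -> failure timestamps in window
    already_flagged = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        recent = recent_failures[ip]
        while recent and ts - recent[0] > window:  # slide the window forward
            recent.popleft()
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                findings.append({"kind": "brute_force", "ip": ip, "user": user,
                                 "time": ts, "attempts": len(recent)})
        elif len(recent) >= threshold:
            findings.append({"kind": "success_after_brute_force", "ip": ip,
                             "user": user, "time": ts, "attempts": len(recent)})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['time']:%H:%M:%S} {f['kind']:<26} {f['ip']:<14} "
              f"user={f['user']} failures={f['attempts']}")
```

With the default 10-minute window the slow attacker at 192.0.2.9 (one attempt per hour) is never reported; widening the window to six hours catches it. That trade-off is exactly what a log-review procedure has to decide and write down, which is the point of the question.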

Q4: Information system access control and security countermeasures for the development and maintenance phases

Questions Q4-(1) to Q4-(5) ask about access control and the security countermeasures for information system development and maintenance. Answer each question by selecting the one of options 1 to 5 below that best describes your company.

Options for Q4-(1) to Q4-(5)

1. No rule or control has been established, and therefore nothing is implemented.

2. The rules and controls are being formulated and disseminated, but only some of them are implemented.

3. The rules and controls have been established, and they are disseminated and implemented company-wide, but the state of implementation has not been reviewed.

4. The rules and controls have been established under the leadership and approval of the management, and they are disseminated and implemented company-wide, with their status reviewed on a regular basis by the responsible person.

5. In addition to item 4 above, your company has improved the rules and controls to become a good example for other companies by dynamically reflecting changes in the security environment.


Q4-(1) Does your company implement the measures necessary to restrict access to information (data) and information systems, including appropriate management of user IDs and adequate user identification and authentication? (Appropriate user ID management includes reviewing user IDs regularly to remove unnecessary ones, restricting the use of shared IDs, forbidding simple passwords, etc.)

Q4-(2) Does your company implement appropriate access controls over information (data), information systems and business applications, including granting users adequate access rights to those resources? (Appropriate access controls include restricting access to information (data) and information systems through different levels of access privilege, limiting the functions each user can use, reviewing the access rights granted to users, etc.)

Q4-(3) Does your company implement appropriate access controls over the network? (Appropriate access controls include separating networks, authenticating access from outside the company, etc.)

Q4-(4) Does your company define security requirements for business application development and satisfy them in the design and implementation phases? (Whether a system is developed internally or its development is outsourced, security requirements should be included in the specifications, the system has to be designed and developed properly so that vulnerabilities are not introduced, and thorough system tests need to be conducted so that vulnerabilities do not remain unfixed.)

Q4-(5) Does your company apply security controls to the selection and purchase of software products and/or the development and maintenance of systems? (If your company outsources the selection and purchase of software products and/or the development and maintenance of systems, answer this question in terms of whether you can check the security controls of your subcontractor.)
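Q4-(1) and Q4-(2) describe a periodic review of user IDs and access rights: remove unnecessary IDs, restrict shared IDs, forbid simple passwords, and check that granted privileges are still justified. The following is an added example of such a review, not part of the IPA questionnaire. The account inventory is constructed for illustration (in practice it would be exported from a directory or an application's user table), and the thresholds (90 days without login, 180-day password age, 12-character minimum, the short denylist, and the list of approved administrators) are assumed policy values, not values from the document.

```python
from datetime import date, timedelta

# Assumed review policy (not from the original document).
STALE_AFTER = timedelta(days=90)    # no login for this long -> candidate for removal
PW_MAX_AGE = timedelta(days=180)    # password older than this -> must be rotated
PW_MIN_LENGTH = 12
# Stand-in for a breached/common password list; a real deployment uses a full one.
PW_DENYLIST = {"password", "password1", "password123", "password1234",
               "123456789012", "qwertyuiop12", "welcome12345"}

# Constructed account inventory (not from the original document). An owner of
# None marks an ID that is not tied to a single person, i.e. a shared ID.
ACCOUNTS = [
    {"id": "alice", "owner": "Alice Sato", "last_login": date(2016, 2, 28),
     "privileges": {"read"}, "pw_changed": date(2016, 1, 10), "pw_never_expires": False},
    {"id": "bob", "owner": "Bob Tanaka", "last_login": date(2015, 9, 1),
     "privileges": {"read", "write"}, "pw_changed": date(2015, 12, 1), "pw_never_expires": False},
    {"id": "shared-ops", "owner": None, "last_login": date(2016, 3, 2),
     "privileges": {"read", "write"}, "pw_changed": date(2016, 2, 1), "pw_never_expires": False},
    {"id": "carol", "owner": "Carol Ito", "last_login": date(2016, 3, 1),
     "privileges": {"admin", "read"}, "pw_changed": date(2016, 2, 20), "pw_never_expires": False},
    {"id": "svc-backup", "owner": "IT Ops", "last_login": date(2016, 3, 3),
     "privileges": {"admin"}, "pw_changed": date(2014, 1, 1), "pw_never_expires": True},
]
# IDs whose administrative rights have been explicitly approved (assumed).
APPROVED_ADMINS = {"svc-backup"}


def review_accounts(accounts, as_of, approved_admins):
    """Return {user_id: [issues]} for every account that breaks a review rule.

    Issues are reported in a fixed order so the output is stable for diffing
    one review against the next.
    """
    report = {}
    for acct in accounts:
        issues = []
        if as_of - acct["last_login"] > STALE_AFTER:
            issues.append("stale")                    # Q4-(1): remove unnecessary IDs
        if acct["owner"] is None:
            issues.append("shared_id")                # Q4-(1): restrict shared IDs
        if "admin" in acct["privileges"] and acct["id"] not in approved_admins:
            issues.append("unapproved_admin")         # Q4-(2): review granted rights
        if acct["pw_never_expires"]:
            issues.append("password_expiry_disabled")
        if as_of - acct["pw_changed"] > PW_MAX_AGE:
            issues.append("password_stale")
        if issues:
            report[acct["id"]] = issues
    return report


def password_meets_policy(password, user_id):
    """Set-time check that enforces 'no simple passwords' (Q4-(1)).

    Rejects short passwords, entries in the denylist, and passwords that
    contain the user's own ID. Stored passwords are never re-read for this;
    the check runs only when a password is being set or changed.
    """
    lowered = password.lower()
    if len(password) < PW_MIN_LENGTH:
        return False
    if lowered in PW_DENYLIST:
        return False
    if user_id.lower() in lowered:
        return False
    return True


if __name__ == "__main__":
    for user_id, issues in review_accounts(ACCOUNTS, date(2016, 3, 3), APPROVED_ADMINS).items():
        print(f"{user_id:<12} {', '.join(issues)}")
```

The review deliberately separates "stale" from "unapproved_admin": an unused ordinary account is a cleanup item, while an administrative right nobody signed off on is a finding that the responsible person named in option 4 of the answer scale should see at each review.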


Q5: Information security incident response and BCM (Business Continuity Management)

Questions Q5-(1) to Q5-(3) ask about information security incident response. Answer each question by selecting the one of options 1 to 5 below that best describes your company.

Options for Q5-(1) to Q5-(3)

1. No rule or control has been established, and therefore nothing is implemented.

2. The rules and controls are being formulated and disseminated, but only some of them are implemented.

3. The rules and controls have been established, and they are disseminated and implemented company-wide, but the state of implementation has not been reviewed.

4. The rules and controls have been established under the leadership and approval of the management, and they are disseminated and implemented company-wide, with their status reviewed on a regular basis by the responsible person.

5. In addition to item 4 above, your company has improved the rules and controls to become a good example for other companies by dynamically reflecting changes in the security environment.

Q5-(1) Does your company take appropriate measures for information system failures? (Appropriate measures include implementing redundant systems, backing up systems, keeping operational logs, clarifying the procedures to follow when a system failure occurs, signing service level agreements with service providers, etc.)

Q5-(2) Does your company have written procedures for security incident response that determine how to act quickly and appropriately when an incident occurs? (To respond quickly and appropriately to security incidents, you need to examine the steps to be taken, document the results, make the concerned parties aware of them, develop a telephone tree for emergency communications, and secure the resources (including human resources) and equipment required.)

Q5-(3) Does your company have a company-wide framework for BCM (Business Continuity Management) for the case of a system outage? (You need to prepare for a possible system outage, for example by establishing procedures for manually performing the tasks the systems implement and securing a place, resources and equipment for carrying out those activities. It is also important to educate and train your employees so that they can perform those tasks manually.)

