katrinashaw
Forum: Requests and Feedback
In reply to: Security Component
1) Security Policy
a) Does the organisation have a Security Policy? If yes, how is awareness of and compliance with this policy promoted within the organisation and with its business partners?
2) Physical Security
a) What physical access controls exist within the organisation’s Data Centre(s) to restrict access to systems that may directly or indirectly handle Customer data to authorised personnel?
b) What environmental controls exist within the organisation’s Data Centre(s) to protect Customer data stored on systems within this environment?
3) Back-ups
a) What process is employed by the organisation to back-up critical data? Has this process been documented?
b) How regularly are backups performed?
c) Are back-up logs maintained to track when and what data has been backed up? Who has access to these logs?
d) Are the backups stored securely offsite? If so where?
e) Does regular testing of backups occur? If so, how regularly and what type of testing is performed?
4) Disaster Recovery Plan (DRP)
a) Does the organisation have a documented disaster recovery plan?
b) If the organisation does have a disaster recovery plan, how regularly is this plan tested?
c) What priority would be given to restoring services provided to the Customer in the event of a disaster?
5) Logging/Auditing/Monitoring
a) What logging occurs at the network, system and application levels on hosts that may directly or indirectly handle Customer data?
b) What type of information is captured in these logs, and is it sufficient to allow a particular event to be traced back to its source?
c) Are all logs “read only” and tamper proof? Where are they stored (i.e. locally on the host or in a central location)?
d) Are the logs reviewed? If so, how regularly?
e) How long are the logs archived for?