Business information security Auditor (BISA)

BISA

Organizations want to know the state of their Cyber Security in order to put more effort on what needs to be improved.

Business Information Security Auditor (BISA) analyzes the Cyber Security maturity of organizations. BISA provides a detailed analysis including the status of each of the 133 Cyber Security measures, and the 11 Cyber Security domains, as well as an overall analysis of the Cyber Security of your organization through a dashboard.

BISA also helps your organization develop tactical and strategic directions to further mature and strengthen your security program efforts.

The use of BISA is simple and within everyone’s reach. Just a few questions to answer and your BISA audit report is ready in front of you.

 With BISA, you will know at which one of the five levels of maturity your organization is.

Level 1: Process executed – The process executed achieves the objective.

Level 2: Managed Process – The executed Level 1 process is now implemented and well managed (planned, monitored and adjusted). Its products are properly established, controlled and maintained.

Level 3: Established Process – The Level 2 managed process is now implemented according to a defined procedure that achieves the desired results.

Level 4: Predictable Process – The process established at Level 3 is now operating within defined limits to achieve desired results.

Level 5: Optimization Process – The predictable level 4 process is continually improved to meet current and projected relevant business objectives.

The domains and controls evaluated:

Security policy

·        An information security policy document is approved by management, then published and distributed to all employees and third parties concerned.

·        To ensure the relevance, adequacy and effectiveness of the information security policy, the policy is reviewed at intervals fixed in advance or in the event of major changes.

 Information security organization

·        Top management actively supports security policy within the organization through clear directives, frank commitment, explicit assignment of responsibilities, and recognition of information security responsibilities.

·        Information security activities are coordinated by stakeholders with appropriate roles and roles representative of the different parts of the organization.

·        All responsibilities for information security are clearly defined.

·        An authorization management system is defined and implemented for each new means of information processing.

·        The requirements for confidentiality or non-disclosure commitments are defined and reviewed regularly, in accordance with the needs of the organization.

·        Appropriate relations with the competent authorities are put in place.

·        Appropriate contacts with specialist groups, security forums and professional associations are maintained.

·        The organization conducts regular and independent reviews of the approach taken by itself to manage and implement its security (i.e. monitoring security objectives, policies, procedures and processes related to security of information); such reviews are also necessary when significant changes have occurred in the implementation of security.

Third parties

·        Risks to the organization’s information and processing resources that arise from activities involving third parties are identified and appropriate measures are implemented before granting access.

·        All security needs are addressed before granting clients access to the organization’s information or assets.

·        Agreements concluded with third parties who relate to access, processing, communication or management of information, or means of processing the organization’s information, or which relate to the addition of products or of services to information processing means, cover all the applicable security requirements.

Asset management

·        All goods are clearly identified; an inventory of all important goods is made and managed.

·        The ownership of each piece of information and means of processing the information is assigned to a defined part of the organization.

·        Rules allowing the correct use of information and assets associated with the means of information processing are identified, documented and implemented.

·        The information is classified in terms of value, legal requirements, sensitivity and criticality.

·        An appropriate set of procedures is developed and implemented for the marking and handling of information, in accordance with the classification plan adopted by the organization.

Human resources security

·        The roles and responsibilities for the security of employees, contractors and third-party users are defined and documented in accordance with the organization’s information security policy.

·        Whether they are applicants, contractors or third-party users, verifications of information concerning all applicants are carried out in accordance with laws, regulations and ethics and that they are proportional to business requirements, classification of information accessible and at identified risks.

·        As part of their contractual obligations, employees, contractors and third party users agree on the terms of the employment contract binding them and sign it. This contract should define the responsibilities of the organization and the other party for information security.

·        Management asks employees, contractors and third-party users to apply safety rules in accordance with the organization’s Establisheds policies and procedures.

·        All organization’s employees and; where applicable; contractors and third-party users undergo appropriate awareness training and regularly receive updates to the organization’s policies and procedures, relevant to their functions.

·        A formal disciplinary process for employees who violate safety rules is developed.

·        Responsibilities for purposes or changes to contracts are clearly defined and assigned.

·        All employees, contractors and third-party users return all of the organization’s property in their possession at the end of their period of employment, contract or agreement.

·        The access rights of all employees, contractors and third-party users to information and to the means of processing information are deleted at the end of their period of employment, or modified in the event of modification of the contract or of the agreement.

Physical and environmental security

·        The areas containing information and information processing means are protected by security perimeters (obstacles such as walls, doors with card access control, or reception offices with reception staff).

·        The secure areas are protected by adequate entry controls to ensure that only authorized personnel are admitted.

·        Physical security measures for offices, rooms and equipment are designed and applied.

·        Physical protection measures against damage caused by fires, floods, earthquakes, explosions, civil disturbances and other forms of natural disasters or man-made disasters are designed and implemented.

·        Physical protection measures and guidelines for working in a secure area are designed and applied.

·        Access points such as delivery / loading areas and other points through which unauthorized persons can enter the premises are controlled. Access points, if possible, to information processing facilities, are isolated to prevent unauthorized access.

Hardware security

·        The equipment is located and protected in such a way as to reduce the risk of threats and environmental dangers and the possibilities of unauthorized access.

·        The equipment is protected from power outages and other disturbances due to a failure of general services.

·        Electric or telecommunications cables carrying data are protected against interception or damage.

·        The equipment is maintained properly to guarantee its permanent availability and integrity.

·        Safety is applied to equipment used outside the organization’s premises, taking into account the various risks associated with off-site work.

·        All hardware containing storage media is checked to ensure that all sensitive data has been removed and that any licensed software has been securely uninstalled or overwritten prior to disposal.

·        The hardware, information or software does not leave the premises of the organization without prior authorization.

Operations and telecommunications management

·        The operating procedures are documented, kept up to date and available to all users concerned.

·        Changes made to information processing systems and means are monitored.

·        Tasks and areas of responsibility are separated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

·        Development, test and operating equipment are separated to reduce the risk of unauthorized access or changes to the operating system.

·        The organization ensures that the security measures, service definitions and service levels provided for in the third-party service agreement are implemented, applied and maintained by the third party.

·        The services, reports and records provided by third parties are regularly checked and reviewed, and audits are regularly performed.

·        Changes in service delivery, including the maintenance and improvement of existing information security policies, procedures and measures, are managed taking into account the criticality of the management systems and processes involved and the risk reassessment.

·        Resource usage is closely monitored and adjusted and projections of future sizing are made to ensure the performance required for the system.

·        The acceptance criteria for new information systems, new versions and upgrades are set and the appropriate tests of the system (s) at the time of development and prior to their acceptance are carried out.

·        Detection, prevention and recovery measures are implemented to protect against malicious code as well as appropriate user awareness procedures.

·        When mobile code use is allowed, the setup ensures that the mobile code operates under a clearly defined security policy and any unauthorized mobile code is prevented from executing.

·        Backup copies of information and software are made and regularly tested in accordance with the agreed backup policy.

·        Networks are adequately managed and controlled to be protected from threats and the security of systems and applications using the network, including information in transit, are maintained.

·        For all network services, network functions, service levels and management requirements are identified and incorporated into any network service agreement, whether provided internally or externally.

·        Procedures for managing removable media are in place.

·        Media that is no longer needed is disposed of safely, following formal procedures.

·        Information handling and storage procedures are established to protect this information from unauthorized disclosure or misuse.

·        System documentation is protected against unauthorized access.

·        Formal exchange policies, procedures and measures are in place to protect the exchange of information passing through all types of telecommunications equipment.

·        Agreements for the exchange of information and software are made between the organization and the external party.

·        Media containing information are protected against unauthorized access, misuse or alteration during transport outside the physical limits of the organization.

·        Information passing through electronic mail is adequately protected.

·        Policies and procedures are developed and implemented to protect information related to the interconnection of corporate information systems.

·        Electronic commerce information transmitted over public networks is protected against fraudulent activity, contract litigation, and unauthorized disclosure and modification.

·        Information passing through online transactions is protected to prevent incomplete transmission, misrouting, unauthorized modification, unauthorized disclosure, unauthorized message duplication or re-transmission.

·        The integrity of information made available on a publicly accessible system is protected to prevent unauthorized modification.

·        Audit reports, which record user activities, exceptions and security-related events, are produced and retained for a pre-defined period to facilitate further investigation and monitoring of access control.

·        Procedures for monitoring the use of information processing facilities are established and the results of monitoring activities are periodically reviewed.

·        Logging equipment and logged information are protected against sabotage and unauthorized access.

·        The activities of the system administrator and the system operator are logged.

·        Any faults are logged and analyzed and appropriate action taken.

·        The clocks of the various information processing systems of the organization or of a security domain are synchronized using a precise and predefined time source.

Access control

·        An access control policy is established, documented and reviewed based on operational and security requirements.

·        A formal user registration and deregistration procedure for granting and removing access to all information systems and services is defined.

·        The assignment and use of privileges is restricted and controlled.

·        Passwords are assigned as part of a formal process.

·        Management reviews user access rights at regular intervals through a formal process.

·        Users are asked to follow good security practices when selecting and using passwords.

·        Users ensure that any equipment left unattended has an appropriate protection device.

·        A clean office policy for paper documents and removable storage media is adopted, and a blank screen policy for information processors.

·        Users only have access to the services for which they have specifically received authorization.

·        Appropriate authentication methods are used to control access by remote users.

·        Automatic hardware identification is considered a means of authenticating connections from specific locations and materials.

·        Physical and logical access to remote diagnostic and configuration ports is controlled.

·        The groups of information services, users and information systems are separated on the network.

·        For shared networks, especially networks that extend beyond organizational boundaries, users’ network connection capacity is restricted, in accordance with access control policy and management application requirements. .

·        Network routing measures are implemented to prevent network connections and information flows from affecting the access control policy of management applications.

·        Access to operating systems is subject to a secure login procedure.

·        A unique and exclusive identifier is assigned to each user and an authentication technique to verify the identity declared by the user is chosen.

·        The systems that manage passwords are interactive and provide quality passwords.

·        The use of utility programs to bypass measures of a system or application is limited and tightly controlled.

·        Inactive sessions are disconnected after a defined period of inactivity.

·        Connection times are restricted to provide an additional level of security for high-risk applications.

·        For users and technical support personnel, access to information and application functions is restricted in accordance with the access control policy.

·        Sensitive systems have a dedicated (isolated) IT environment.

·        A formal procedure and appropriate security measures are in place to protect against the risk associated with the use of mobile computing and communication devices.

·        A policy, procedures and operational programs specific to teleworking are developed and implemented.

·        Acquisition, development and maintenance of information systems

·        Business requirements for new information systems or improvements to existing information systems specify security requirements.

·        The data entered into the applications is validated to verify that it is correct and appropriate.

·        Validation measures are included in the applications to detect possible alterations in information due to processing errors or deliberate acts.

·        Requirements for authentication and protection of message integrity should be identified. Appropriate measures should also be identified and implemented.

·        The output of an application is validated to verify that the processing of stored information is correct and appropriate to the circumstances.

·        A policy for the use of cryptographic measures is developed and implemented in order to protect information.

·        A key management procedure supports the organization’s encryption policy.

·        Procedures are in place to control the installation of software on operating systems.

·        Test data is carefully selected, protected and controlled.

·        Access to the source code of the program is restricted.

·        The implementation of changes is controlled through formal procedures.

·        When changes are made to operating systems, critical management applications are reviewed and tested to verify that there are no adverse effects on business or security.

·        Modification of software packages is not encouraged and only necessary changes are made. Strict control over these changes is also exercised.

·        Any possibility of information leakage is prevented.

·        The organization oversees and controls outsourced software development.

·        The organization is informed in a timely manner of any technical vulnerabilities in operating information systems, the organization’s exposure to said vulnerabilities is assessed and appropriate actions to address the associated risk are taken.

·        Information security incident management

·        Information security events are promptly reported through the appropriate reporting channels.

·        All employees, contractors and third-party users of information systems and services are asked to note and report any security breaches observed or suspected in the systems or services.

·        Responsibilities and procedures to ensure a rapid, efficient and relevant response to an information security incident are established.

·        Mechanisms are in place to quantify and monitor the various types of information security incidents, as well as their volume and associated costs.

·        When a civil or criminal legal action is brought against a natural person or an organization, following an incident related to information security, information should be collected, stored and presented in accordance with the legal provisions relating to the presentation of evidence governing the competent jurisdiction (s).

·        Management of the business continuity plan

·        A business continuity process is developed and managed across the organization that meets the information security requirements for business continuity.

·        The events that could cause business process interruptions are identified, as well as the probability and the impact of such interruptions and their consequences for information security.

·        Plans to maintain or restore operations and ensure the availability of information at the required level and within the required time following an interruption or failure affecting critical business processes, are developed and implemented.

·        A single framework for business continuity plans is managed in order to guarantee the consistency of all the plans, to constantly meet information security requirements and to identify priorities in terms of testing and maintenance.

·        Business continuity plans are tested and updated regularly to ensure they are up to date and effective.

Compliance

·        For each information system and for the organization, all the legal, regulatory and contractual requirements in force are defined, documented and updated explicitly, as well as the procedure used by the organization to meet these requirements.

·        Appropriate procedures to ensure compliance with legal, regulatory and contractual requirements regarding the use of material that may be subject to intellectual property rights and the use of proprietary software are implemented.

·        Important records are protected from loss, destruction and falsification in accordance with legal, regulatory and business requirements.

·        Data protection and confidentiality are guaranteed as required by applicable laws or regulations, and contractual clauses where applicable.

·        Users are dissuaded from using information processing facilities for illegal purposes.

·        Cryptographic measures are taken in accordance with applicable agreements, laws and regulations.

·        Managers ensure the correct execution of all security procedures under their responsibility in order to guarantee their compliance with security policies and standards.

·        The compliance of information systems with the standards relating to the implementation of security is regularly checked.

·        Audit requirements and activities involving controls of operating systems are planned precisely and are the result of an agreement to minimize the risk of business process disruptions.

·        Access to information system audit tools is protected to prevent possible misuse or compromise.

BISA is aligned with the security standards (NIST, CMMI, ISO 27002) and it helps complying with SOC2, FEDRAMP, HIPAA, ISO27001, etc.