Documente Academic
Documente Profesional
Documente Cultură
Risk%Asset Display of seriousness for the scenarios based on the asset involved
You can use the forum www.mehari.info to post questions, remarks or comments
Date Revision status and comments
October 2010 Edition 2-1
April 2011 Edition 2-2
Edition of a few formulas in ISO scoring and IP grids
Methods space
Club de la Scurit de l'Information Franais
11, rue de Mogador, 75009 PARIS
T : +33 1 53 25 08 80 / F : +33 1 53 25 08 88
http://www.clusif.asso.fr/
in the worksheets of the file.
of macros, it will not be possible to use the masks below.
Classification tables:
Mask
T1, T2, T3 & Classif
Questionnaires:
from 01Org to 14 ISM
Mask
+ Themes & ISO 27002
scoring
Risk analysis:
Events,
Mask
Risks per asset or event
Risk treatment:
ActionPlans,
Mask
Obj_PA,
Obj_Projects
Translation managed by
Jean-Louis Roule
Jean-Philippe Jouas
Navigation in the knowledge base
Busines stakes Threats Vulnerabilities
T1 T2 T3 Expo Security
Analyze and evaluate
services
Classif Themes
risks
Current seriousness
Planned seriousness
Public License agreement for Mehari 2010
Version 2010 : 12 January 2010
MEHARI is an Open Information security risk management methodology provided as a spreadsheet containing a knowledg
with attached document like:
- manuel de rfrence de la base de connaissances Excel,
Redistribution and use of this knowledge base and associated documentation ("MEHARI"), with or without modification, are
provided that the following conditions are met:
1. Redistributions in any form must reproduce applicable copyright statements and notices, this list of conditions, and the f
in the documentation and/or other materials provided with the distribution, and
2. Redistributions must contain a verbatim copy of this document.
3. No persons may sell this Methodology, charge for the distribution of this Methodology, or any medium of which this Meth
without explicit consent from the copyright holder.
4. No persons may modify or change this Methodology for republication without explicit consent from the copyright holder.
5. All persons may utilize the Methodology or any portion of it to create or enhance commercial or free software, and copy
software under any terms, provided that they strictly meet all of the above conditions.
MEHARI IS PROVIDED BY THE CLUSIF AND ITS CONTRIBUTORS AS IS AND ANY EXPRESSED OR IMPLIED WARR
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PART
PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE CLUSIF, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF MEHARI BE LIABL
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTE
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF MEHARI EVEN IF ADVISED OF THE PO
SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or o
Mehari without specific, written prior permission from CLUSIF. Title to copyright in MEHARI shall at all times remain with c
A I C A I C A I C A I C A C C A I C A I C A C A I C A I C
Asset type D01 D01 D01 D06 D06 D06 D02 D02 D02 D03 D03 D03 D04 D04 D05 D07 D07 D07 D08 D08 D08 D09 D09 D10 D10 D10 D11 D11 D11
Business Process
Domain 1 :
Domain 2 :
Domain 3 :
Domain 4 :
Domain 5
Domain 6 :
Domain 7 :
/
Domain N
Transverse Processes
Overall Management & policy
Classification
In order to add or suppress a business domain or process, use the line "add" or "suppress" functions.
The classification level is a value from 1 to 4, the maximum in each column is automatically copied out in the "classification" line
and reproduced into the "intrinsic impact table" (tab: Classif) for each type of data and criteria (A, I or C).
A I A I A I C A I A A I A I A A I
Asset type R01 R01 R02 R02 S01 S01 S01 S02 S02 S03 S04 S04 S05 S05 G01 G02 G02
Business Process
Domain 1 :
Domain 2 :
Domain 3 :
Domain 4 :
Domain 5
Domain 6 :
Domain 7 :
/
Domain N
Transverse Processes
Overall Management & policy
Classification
In order to add or suppress a business domain or process, use the line "add" or "suppress" functions.
The classification level is a value from 1 to 4, the maximum in each column is automatically calculated in the "classification" line
and reproduced into the "intrinsic impact table" (tab: Classif) for each type of service and criteria (A, I or C).
E E E E
Asset type C01 C02 C03 C04
Business Process
Domain 1 :
Domain 2 :
Domain 3 :
Domain 4 :
Domain 5
Domain 6 :
Domain 7 :
/
Domain N
Transverse Processes
Overall Management & policy
Classification
Page 8
T3
AND REGULATIONS relative to:
E E
C05 C06
Page 9
Intrinsic Impact table
Data and information assets A I C
Data and information
D01 Data files and data bases accessed by applications
D02 Shared office files and data
D03 Personal office files (on user work stations and equipments)
D04 Written or printed information and data kept by users and personal archives
D05 Listings or printed documents
D06 Exchanged messages, screen views, data individually sensitive
D07 electronic mailing
D08 (Post) Mails and faxes
D09 Patrimonial archives or documents used as proofs
D10 IT related Archives
D11 Data and information published on public or internal sites
Service assets A I C
General Services
G01 User workspace and environment
G02 Telecommunication Services (voice, fax, audio & videoconferencing, etc.)
IT and Networking Services
R01 Extended Network Service
R02 Local Area Network Service
S01 Services provided by applications
S02 Shared Office Services (servers, document management, shared printers, etc.)
S03 Users' disposal of Equipments (workstations, local printers, peripherals, specific interfaces,
etc.)
Nota : Applies to a massive loss of these services, not for one or few users.
S04 Common Services, working environment: messaging, archiving, print, editing, etc.
S05 Web editing Service (internal or public)
Nota : Grey cells represent those asset security criteria for which, in general, no classification is needed and no
scenario exists in the knowledge base.
Lgende :
A Availability
I Integrity
C Confidentiality
E Efficiency (of the management process, regarding compliance to law and regulations). For
this criteria, the decision grid L will be used for impact reduction.
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
01A01-02 For each security manager, is there a clear definition of the job function detailing, in particular, its objectives, responsibilities and 4 E2
interfaces with other areas concerned with security?
01A01-03 Are security management actions represented on dashboards and regularly reviewed? 4 E2
01A01-04 Is there a committee or structure bringing together all security managers, from all disciplines, in order to coordinate the various 2 R1
security related actions and able to make transversal decisions and does it meet regularly?
01A01-05 Is the approach to security clearly recognized and supported by senior management? 2 E2
01A02 Organization and piloting of Information Systems security
01A02-01 Is there a document describing the security policy related to information systems and in particular the organization, management 2 E1 5.1.1
and piloting of security (roles and responsibilities) as well as the fundamental principles underlying information security
management?
01A02-02 Is this Security Policy revised, on a regular basis or when major changes are done, to ensure the upholding of its relevancy and 1 E2 5.1.2
efficiency?
01A02-03 Have the structure and organization of the management of information systems security been defined in detail: CISO, local 4 2 3 E2 6.1.2
responsibilities and contacts, roles and responsibilities towards operational managers and is this organizational structure in
operation?
01A02-04 Has this structure the capacity to alert senior management without delay in the case of a serious incident? 2 E2 6.1.2
01A02-05 Have the mode of managing security and the decision processes been defined in detail : methodology used (for audit of exposure, 4 E2 6.1.2
risk analysis etc.), associated tools, actors (organization, support, training, expertise, advice etc.)?
01A02-06 Have the respective roles of security managers, operational managers and managers of functional domains (information owners) 4 2 E2 6.1.3
been clearly defined with regard to final decision making and arbitration?
01A02-07 Has a mode of information systems security piloting been defined: dashboards (contents and frequency), management structure, 4 E2 6.1.3
orientation and reporting?
01A02-08 Is an annual information systems security plan established which brings together all action plans, means to put in place, planning, 2 2 E2
budget?
01A02-09 Is the Company's Management involved in the organization of the information security, particularly in the development and the 1 E2 6.1.1
approbation of the security policy, responsibilities definition, resource allocation, and the efficiency control of the actions taken?
01A02-10 Is a contact maintained with the concerned authorities regarding information security and crisis situation (Police, Reporting 1 E2 6.1.6
Services, Legal Administration, Firemen, Public Services, etc.) ?
01A02-11 Does the organization improve knowledge about best security practices and maintain contacts with interest groups, associations, 1 3 E2 6.1.7
conferences, etc?
01A02-12 Are the responsibilities and procedures established to provide quick and efficient solutions to the security incidents? 2 E2 13.2.1; 13.1.1
01A02-13 Is there a procedure for regularly updating organizational documents related to information systems security in line with changing 2 3 R1 6.1.8
organization structures?
01A03 General reporting system and incident management system
01A05-05 Are there tools or procedures which enable the updating of the crisis plan and is this updating audited? 4 3 R1
01B Security Reference Guide
01B01 Obligations and responsibilities of personnel and management
This includes all staff, internal and external (temporary contractors, trainees, etc.)
01B01-01 Are the responsibilities and obligations of staff with regard to the usage, preservation, archiving and non disclosure of information 4 E1
detailed in a memo or document available to management?
01B01-02 Does this document specify the personnel's duties and responsibilities regarding the use and protection of the authentication 1 E2 11.3.1
means (passwords, keys, tokens, badges, etc.) at its disposal?
01B01-13 Is there a regular review of such documents or charters relating to staff obligations and responsibilities? 2 3 R1
01B02 General directives related to information protection
01B02-01 Is there document defining the general rules for site protection from external threats, the required conditions for access to each site 2 E2 11.4.2
from outside and the protection of sensitive premises?
01B02-02 Is there a document defining the general rules to apply in order to protect the internal network from external threats, the conditions 2 E2 11.4.2; 11.4.5
required to access the internal network from the outside and vice versa and the separation required between internal sub-
networks?
01B02-03 Is there a document defining the general rules applied to the access protection of computing resources (storage and networking 2 E2 10.8.1; 10.7.3
elements, systems, applications, data, media, etc.) and the conditions required for the granting, the management and control of
access rights?
01B02-04 Are these rules established according to the concerned assets' classification level? 2 E2 10.7.3; 10.8.1;
7.2.2
01B02-05 Is there a document defining the rules applied to the usage of computing (networks, servers etc.) and communications resources? 2 E2 10.8.1; 11.4.1;
10.7.3
01B02-06 Is there a document defining the general rules applied to software development and security considerations in project 2 E2 10.7.3
management?
01B02-07 Is there a document defining the general day-to-day rules applicable to the management of the working environment (documents, 2 E2 10.8.1; 11.3.3;
workstations, telephone, fax, off-site work)? 10.7.3
01B02-08 Is there a document defining additional security procedures to apply regarding mobile computing and teleworking? 2 E2 10.8.1; 11.7.1
01B02-09 Is there a document setting out the requirements, responsibilities and procedures to apply to protect archives that are important for 2 E1 15.1.3
the company?
01B02-10 Do the overall regulatory, contractual, and legal requirements explicitly identified, and does their application by the organization 2 E2 15.1.1
appear in an updated document?
01B02-11 Are the resources and solutions available to managers and users in line with above documents? 4 2 E2
01B02-12 Are the rules concerning information and resource protection easily accessible to all staff (for example via intranet)? 4 2 E2
01B04-02 Is an inventory of the types of assets - as identified and defined herein - kept up-to-date? 4 E2 7.1.1
01B04-03 Is an "owner" appointed for each identified and inventoried asset? 2 E2 7.1.2
An owner is the individual or the entity appointed to assume responsibility of the development, maintenance, operation, use and
security of this asset. The word owner does not mean that the individual or entity holds a property right for this asset.
01B04-04 Is an acceptable set of usage rules defined and documented for each asset? 2 E2 7.1.3
This implies, particularly, defining the private use an employee can make of the company's assets.
01B04-05 Are the rules regarding the return to the company or organization of assets entrusted to employees at the time of termination or 1 E2 8.3.2
change of functions clearly defined and set forth by Management ?
01B04-06 Are there rules regarding outside taking of asset (prior authorization, authorized individuals, log for returning or taking asset 1 E2 9.2.7
outside, deletion of unnecessary data, etc.)?
01B05 Protection of assets having value of evidence
01B05-01 Have the assets that may be used as elements of evidence been identified and itemized? 2 E2
01B05-02 Has it been identified, for each of these assets, the proclamations that it would allow to check and the associated checking 4 E2
process?
01B05-03 Has it been analyzed, for each verification process, reasons that could foil or weaken the capacity to provide conviction? 4 E2
01C01-05 Are contractor companies, who may have access to sensitive information or systems, obliged to ensure that all staff sign a 4 E3 6.1.5
personal commitment that they will abide by the specified security clauses?
01C01-06 Is Management responsible to ensure that the personnel, contractors and third parties respect the company's security policies and 1 E2 8.2.1
procedures?
01C01-07 Is there a control procedure validating and authenticating all rules distributed to staff? 4 3 R1
01C02 Management of strategic personnel, partners and providers
01C02-01 Are strategic skills regularly identified in the organization? 4 2 E2
01C02-02 Are backup solutions available in the absence of strategic skills? 4 3 E3
01C02-03 Are strategic partners and service providers regularly identified? 4 2 E2
01C02-04 Are backup solutions ready for the unavailability of strategic partners or providers? 4 3 E3
01C02-05 Are these backup solutions regarding internal staff or providers ) able to guarantee the normal functioning of the organization 4 3 E3
without major disruption?
01C02-06 Are strategic personnel subject to specific career management? 2 E3
01C02-07 Are strategic partners subject to a specific contractual management? 2 E3
01C02-08 Is there a relevant control and update procedure for the preceding measures? 2 3 R1
01C03 Staff screening procedure
01C03-01 Is there a preliminary information procedure for the personnel (internal or contractual) regarding its duties and responsibilities, and 1 E2 8.1.1
security requirements before any assignment or hiring?
01C03-02 Is screening information collected at time of recruitment of staff likely to be involved in sensitive tasks? 4 E2 8.1.2
01C03-03 Have external contractors, working on site on sensitive tasks, been checked for security clearance approval by an official 4 E2 8.1.2
organization?
01C03-04 Is additional (clearance) information collected when staff are affected to sensitive tasks? 4 E2 8.1.2
NB: an open interview may be used in order to avoid placing people in a situation of conflict of interest
01C04 Awareness and training in security
01C04-01 Is there a program to raise awareness of staff to risks of accident, error or malevolence in the processing of information? 4 2 E1 8.2.2
01C04-02 Are all staff members trained on a regular basis in security awareness? 2 E2 8.2.2
01C04-03 Is there a program to train staff in the rules and general measures of information protection? 2 E2 8.2.2
01C04-04 Do these rules and general measures cover all relevant domains (documents, computer equipment, premises, systems and 2 E2 8.2.2
application access, telephone, fax, behavior in meetings and out of office etc.)?
01C06-04 Are the rights granted to the users as they register (shared services, messaging, etc.) approved by the owners of the concerned 4 E2 11.2.1
assets?
01C06-05 Are all users kept informed, at time of registration, of all the vested rights and of his/her duties regarding any adjudication of rights 4 E2 11.2.1
(vested at the time of registration or he/she could be granted afterwards)?
01C06-06 Are these procedures controlled and are possible defects documented and corrected in real time? 4 R1 11.2.1
The responsiveness of the managerial chain must forbid exception procedures that may result from delays with (de)registration
processes.
01D Insurance
01D01 Insurance against property (or material) damages
01D01-01 Are information systems covered by an insurance policy which accounts for material damage (fire damage, miscellaneous risks 2 E1
and accidents, damage to machines, all computing risks, "all risks except", named risks etc.)?
01D01-02 Does the insurance policy cover all computer and telecommunications systems, cabling and computer rooms? 4 2 E2
01D01-03 Does the insurance policy cover all usual causes of disaster: accident (fire, water damage, lightning etc.), human error, sabotage, 4 2 E2
vandalism (including by company personnel or third party engaged in operations, maintenance or upkeep)?
01D01-04 Does the insurance policy cover (real) costs of information system re-initialization incurred by a disaster (installation, restart and 4 2 E2
system test, data and media reconstruction)?
01D01-07 Does the insurance policy cover the global losses incurred by the disaster? 4 3 E2
01D01-08 Is the coverage of computer and information system (exclusions, guarantees) decided jointly with Information Technology 2 E2
management and updated regularly?
01D01-09 Does the level of guarantee and deductible cover the survival of the company in the case of a disaster? 2 2 E2
01D01-10 Does the level of guarantee and deductible allow the company to survive a disaster without major consequences? 2 3 E2
01D02 Insurance of consequential losses (non-material damages)
01D02-01 Are the information systems covered by an insurance policy which covers non material damage (malevolence, non authorized 2 E1
usage, accidental loss of data or programs, denial of service)?
01D02-02 Does this policy cover all computer systems (internal systems, intranet, extranet, web sites etc.)? 4 2 E2
01D02-03 Does the contract cover the usual causes of this type of damages: accident (breakage, bugs etc.), human error (data entry errors, 4 2 E2
programming errors etc.), malicious entry (frauds, intrusions, service denial, including company personnel or third party responsible
for its operation or maintenance)?
01D02-04 Does this contract cover all (real) costs of investigation and research of the causes and consequences of the disaster? 4 2 E2
01D02-05 Does the insurance contract cover (real) costs of re-initialization of information systems affected by the disaster (restart costs and 4 2 E2
cost of tests following restart, costs of data reconstruction)?
01D02-06 Does this contract cover all additional operating costs (cover of costs and expenses liabilities, costs incurred to limit operational 4 2 E2
shutdown)?
01D02-07 Does the insurance policy cover additional costs incurred by the organization to re-establish its image with clients or partners? 4 E2
01D02-08 Does the policy cover overall loss of turnover incurred due to the disaster? 4 3 E2
01D02-09 Is the choice of computer and information system cover (exclusions, guarantees) decided jointly with Information Technology 2 E2
management and reviewed regularly?
01D02-10 Does the level of guarantee and deductible cover the survival of the company in the case of a disaster? 2 2 E2
01D02-11 Does the level of guarantee and deductible allow the company to survive a disaster without major consequences? 2 3 E2
01D03 Personal Liability Insurance (PLI)
01D03-01 Is the organization covered by personal liability insurance including the consequences of computer disasters (Professional Liability, 4 E1
Product Personal Liability)?
01D03-02 Does the contract cover the usual causes of this type of damages: accident (breakage, bugs etc.), human error (data entry errors, 2 E2
programming errors etc.), malicious entry (frauds, intrusions, service denial, including company personnel or third party responsible
for its operation or maintenance)?
01D03-03 Does the insurance policy cover additional costs incurred by the organization to re-establish its image with clients or partners? 2 E2
01D03-04 Is the choice of computer and information system cover (exclusions, guarantees) decided jointly with Information Technology 2 E2
management and reviewed regularly?
01D03-05 Does the level of guarantee and deductible cover the survival of the company in the case of a disaster? 2 2 E2
01D03-06 Does the level of guarantee and deductible allow the company to survive a disaster without major consequences? 2 3 E2
01D04 Insurance against loss of Key Personnel
01D04-05 Does the insurance policy cover operational losses incurred by the disaster? 4 E2
01D04-06 Is the choice of computer and information system cover (exclusions, deductibles) decided jointly with Information Technology 2 E2
management and updated regularly?
01D04-07 Does the level of guarantee and deductibles cover the survival of the company in the case of a disaster? 2 2 E2
01D04-08 Does the level of guarantee and deductibles allow the company to survive a disaster without major consequences? 2 3 E2
01D05 Management of insurance contracts
01D05-01 Is there a person responsible for the insurances within the organization? 1 E1
01D05-02 Is the level of guarantee for IT related assets the result of a specific study made in conjunction with the IT department (on the 2 E1
basis of a risk analysis carried out recently -within less than three years)?
01D05-03 Is there a regular check (at least once per year) of the insurance contracts by the insurance manager, in consultation with the 2 E2
relevant sector managers, with an adjustment of the cover with the broker or insurance agent if required?
01D05-04 Is there a regular check (at least once per year) of the insurance contracts by the insurance manager, in consultation with the 2 E2
relevant sector managers, with an adjustment of the cover with the broker or insurance agent if required?
01D05-05 Do the relevant sector managers participate in the study of the coverage limits (exclusions, deductible, ceiling, etc) defined in the 2 E2
contracts?
01D05-06 Has there been an analysis of the transfer of risks depending to the various types of partners ? 2 E2
E.g. service and product providers, hosting services, clients
01E Business continuity
01E01 Taking into account the need for business continuity
01E01-01 Has an analysis been carried out of the criticality of applications in order to underscore the requirements of service continuity? 4 2 E1 14.1.2
An in-depth analysis supposes that a list of incidents or failure scenarios and all the foreseeable consequences is established
01E01-02 Has this analysis allowed the minimum service requirements to be defined for each application and system and have these 4 2 E1 14.1.2
minimum service requirements been accepted by the users (information owners)?
01E01-03 Are there processes, regularly implemented, for risk analysis linked to information, possibly leading to a disruption of the company 2 E2 14.1.1
activities and thus a definition of the security requirements, responsibilities, procedures to apply and implement to allow the
development of a business continuity plan?
01E02 Business continuity Plans
01E02-01 Have Business Continuity Plans (BCP) been designed, from a criticality analysis, for each critical activity? 3 E1 14.1.3
01E02-02 Do these plans foresee all measures to undertake to ensure business continuity between the alert and the eventual 3 2 E2 14.1.3
implementation of alternative solutions set forth by the technical Disaster Recovery plans?
01E02-03 Do these plans cover all organizational aspects related to the "manual" continuity solution (personnel, logistics, coaching, etc.)? 3 E2 14.1.3
01E02-04 Have instructions and training been given to implied personnel for the operation of the continuity plans? 2 E2 14.1.3
01E02-05 Do the business continuity plans include procedures for returning to normal activity? 4 2 E2 14.1.3
01E03-05 Are the recovery solutions usable for an unlimited period of time, and if not, has a second solution been identified to replace the 2 E2
initial solution after a predetermined time period?
01E03-06 Is the existence, relevance, and activation of the WRP audited regularly? 3 C1
02A01-02 Is there a list, kept up-to-date, of these profiles and the people responsible for granting access rights for each of them? 4 2 2 E2
02A01-03 Are the rights and the validity conditions attributed to profiles reviewed by the site or general security manager? 4 E2
02A01-04 Do the profiles also allow definition of working time limits (daily hours and periods in the working calendar, weekends, holidays 2 E2
etc.)?
02A01-05 Are these rights and profiles as defined above protected against any possibility of alteration or falsification during their storage or 1 3 R1
when transferred between decision makers and the personnel in charge of implementing the rights?
02A01-06 Is there a regular audit, at least once a year of all rights attributed to the various categories of personnel and a review of the 1 3 C1
pertinence of those access rights?
02A02 Management of access authorizations granted to the site or the building
02A02-01 Does the procedure of granting permanent or semi permanent access authorization require the formal acceptance of line 4 2 E1
management or of the unit managing the external contractor (at a sufficiently senior level)?
An access authorization is granted to a person, it may provide access rights based on the job profile he or she is linked to. It is
usually materialized by a badge carried by the employee.
02A02-02 Is the procedure for granting (or modification or retraction) of access authorization documented and strictly controlled? 4 2 E2
A strict control requires a formal recognition of the signature (electronic or otherwise) of the requestor, that the implementation of
the profile attributed to users is highly secure and that each operation is recorded (mentioning the date of issue of the badge and
its length of validity) that there be a reinforced access control over the modification of such records and that any modification of
records be logged and audited.
02A02-03 Are access authorizations granted to named individuals as a function of their profile? 4 E2
02A02-04 Are the access authorizations to the site materialized by a badge or a card? 2 E2
02A02-05 Are these access authorization badges or cards personalized i.e. with the name and picture of the owner? 2 E2
02A02-06 Can the list of valid access authorizations and corresponding profile be reviewed at any time? 2 E2
02A02-07 Is there a rapid and systematic process for revoking access authorizations (revocation of the badge to the automatic access 4 2 E2
control equipments) and return of the corresponding badge or card at the time of departure of internal or external personnel,
change of site attachment (when the authorization is site dependent) or at the end of mission?
02A02-08 Is there a procedure enabling the subsequent detection of irregularities in the management of access authorizations (badge or 4 C1
card not returned, usage of a lost badge, false badge etc.)?
02A03 Access control to the site or the building
02A03-01 Is the site completely enclosed by a perimeter fence which is difficult to cross or to scale? 1 1 E1 9.1.1
For a building on the public highway to be considered secure, all windows on the ground floor must be locked shut and all access
points must have been taken into consideration (garages or underground car parks, roof etc.)
02A03-03 Does this system guarantee that all people entering are checked? 4 2 E3
An efficient control assumes a double or revolving door, or a security guard who allows only one person to pass at a time (for
pedestrians) and for vehicles entering the site, controls all people present in the vehicle.
02A03-04 Does such a system, if dependent on a badge, guarantee that the same badge cannot be used by a second person (by, for 4 E3
example, memorizing all entries and not allowing a further entry without an intervening exit)?
02A03-05 In the case where presentation of a badge or card is required to gain access to a site, is there the possibility to immediately 4 2 E2
validate the authenticity and validity of the card or badge?
02A03-06 Are the automatic access control systems under 24 hr surveillance enabling the detection of a failure, a system deactivation or 4 2 R1 9.1.1
the usage of emergency exits in real time?
02A03-07 Is there a procedure or automatic alert enabling the immediate intervention of security personnel in the case of failure of the 4 3 R2
access control system (or the usage of an emergency exit)?
02A03-08 Is there a control procedure enabling the detection of irregularities in the access control procedure (audit of procedures and 4 3 C1
parameters of access control systems, audit of exceptions and of interventions etc.)?
02A04 Intrusion detection to the site or the building
02A04-01 Is there an operational intrusion detection system to the site, linked to a 24 hr monitoring center? 4 E2 9.1.1
02A04-02 Does this system detect all boundary incursion, all forced attempts to open locked exits (windows and doors), all opening of 4 2 E2
emergency exits and all exits kept open abnormally?
02A04-03 Is this system backed up by a video and audio control system which allows the surveillance team to make a first analysis or 4 3 E3
dismiss uncertainty from a distance?
02A04-04 Is the surveillance team dedicated to its task, having only security responsibilities and are any alarms immediately detected and 4 3 E3
treated as the highest priority?
02A04-05 In the case of an intrusion detection alarm, does the surveillance team have the possibility of sending out an intervention team 4 2 E2
without delay to verify the cause of the alarm and to take appropriate action?
02A04-06 Sites Security 4 3 E3
02A04-07 Is there an advisory document clearly stating exactly what action to take in the case of each alarm envisaged? 2 E2
02A04-08 Is the intrusion detection system itself under surveillance (alarm in the case of inhibition, auto-surveillance by camera etc.)? 2 3 R1
02A04-09 Are intrusion control points and procedures for reaction to intrusions audited regularly? 2 3 C1
02A05 Access to the loading and unloading areas (goods receipt and consignment) or to areas open to public
02A05-01 Are there specific access control mechanisms from outside through delivery and loading zones in place? 2 E2 9.1.6
02A05-02 Are the delivery and loading zones established in such a way that the delivery men cannot have access to inner parts of the 2 E2 9.1.6
building or the site?
02A05-03 Are there specific measures allowing to isolate the moves of external public and the access from the rest of the building? 2 E2 9.1.6
02C01-04 Have specific procedures been defined for each kind of external person, including providers, induced to intervene in the offices 2 3 E2
(consultants, maintenance or cleaning staff, etc.): specific budge, accompanying person, previous authorization mentioning the
identity of the beneficiary, etc)?
02C01-05 Is there a systematic updating process for the partitioning rules of the office zones? 2 C1
02C02 Physical access control to the protected office zones
02C02-01 Is an automatic authentication and access control system used for protected areas? 2 E2
02C02-02 Are there a procedure and calling means that people who do not have authorization can use to access the protected areas? 3 E3
02C02-03 In the case of a person without authorization entering these areas, does the procedure, guarantee that the person will be 3 E3
accompanied?
02C02-04 Is there a procedure or automatic alert enabling the immediate intervention of security personnel in the case of failure or 2 R1
invalidation of the access control system?
02C02-05 Is the access control system for protected office areas equipped with a no pass-back mechanism? 2 3 E3
02C02-06 Is authentication based on tamper-proof means associated with the user (for example a badge, smart card, or biometric 4 4 E2
recognition system)?
02C02-07 Does the mechanism use strong authentication of the user, with two identifying factors? 4 3 E3
02C02-08 Does the mechanism provide a temporary means of access, to allow for lost, stolen or forgotten badges? 2 E3
02C02-09 Does the temporary means of access grant only access to a strictly limited area? 2 3 E3
02C02-10 Does the access control system guarantee exhaustive checking of the people entering the premises (turnstile preventing more 4 4 E3
than one person from entering at a time, a process to prevent a badge being used by more than one person, etc)?
02C02-11 In addition to controlling access by the normal routes, is access by other routes (such as windows accessible from outside, 4 3 E1
emergency exits, or through false floors or ceilings) monitored?
02C02-12 Are the systems that provide automatic access control to protected areas operational and monitored permanently (24x24) so that 2 R1
any outage or deactivation is flagged in real time?
02C02-13 Are the emergency exits monitored permanently (24x24) so that their use can be checked in real time? 3 E2
02C02-14 Is there an audit process to detect, after the event, any anomalies in the access control system (audit of the procedures and 3 C1
configuration of the access control system, audit of exception procedures and intervention, etc)?
02C03-07 Is there a regular audit, at least once a year, of all access rights currently attributed to each protected office area? 2 C1
This audit should also analyze the relevance of the authorizations granted.
02C03-08 Are all entries into protected zones recorded? 3 E2
02C03-09 Are also all leavings from protected zones recorded? 2 E3
02C03-10 Is there a procedure enabling the subsequent detection of irregularities in the management or the use of access rights (badge or 4 R1
card not returned, usage of a lost badge, false badge etc.)?
02C04 Detection of intrusions into protected office areas
02C04-01 Is there an operational system, linked to a 24 hr monitoring center, detecting the forcing of exits to the protected office zones? 2 E2
This system must monitor forced openings of exits (doors and windows), the usage of an emergency exit or their being kept
open, etc.
02C04-02 Is there an operational system detecting the presence of persons outside normal working hours, linked to a 24 hr monitoring 2 E2
center?
This system should control the presence of persons (volumetric detection, etc.). It may also be a video surveillance system linked
to a 24 hr monitoring center.
02C04-03 Is this system backed up by a video and audio control system which allows the security team to make a first analysis or remotely 3 E2
dismiss uncertainty?
02C04-04 In the case of an intrusion detection alarm, does the surveillance team have the possibility of sending out an intervention team 2 E2
without delay to verify the cause of the alarm and to take appropriate action?
02C04-05 Has the security team sufficient resources to cover the eventuality of multiple alarms set off intentionally? 3 E2
02C04-06 Is the location of electronic systems for detection and processing of alarms protected 24 hrs a day by an access control system 2 R1
and by an intrusion detection system?
02C04-07 Is the intrusion detection system itself monitored (alarm in the case of shutdown, video auto-surveillance etc.)? 3 R2
02C04-08 Are the control points for intrusion detection and the procedures for action subsequent to intrusion subject to regular audit? 3 C1
02C05-07 Are procedures for surveillance and intervention in the case of abnormal behavior audited regularly? 3 C2
02C06 Control of movement of visitors and occasional service providers required to work in the offices
02C06-01 Is there a general control of movement of visitors and occasional service providers (time stamping at arrival and departure, 2 E1 9.1.2
signature of the person visited, etc.)?
02C06-02 Are visitors and occasional service providers always accompanied (on the way in, return to reception, intervening movements )? 2 E1 9.1.2
02C06-03 Are visitor reception zones set aside specifically for that purpose comprising only welcoming areas, meeting rooms or zones 3 E2 9.1.2
accessible to the public?
02C06-04 Have specific procedures been defined for each type of external service provider given to operate in the offices (IT service 4 E2 9.1.2
company, maintenance company, cleaning staff, etc.) such as the wearing of a personalized badge, accompaniment by staff, prior
authorization indicating the name of the operative etc?
02C06-05 Do these procedures ensure that the service provided corresponds to the expressed requirement and that the actions of the 2 E2
service provider are limited only to that requirement?
02C06-06 Are visitors and occasional service providers recorded in such a way as to enable a subsequent verification of the reason of their 3 E2
visit and has a procedure been put in place which enables the detection of dishonesty or abuse?
02C06-07 Is there a secure way to register the departure of visitors (e.g. keeping their identity card)? 2 E2
02C06-08 Are the control procedures of visitors and occasional service providers movements regularly audited? 3 C1
02D Protection of written information
02D01 Conservation and protection of important commonly used documents
02D01-01 Are there facilities available for the staff to put away, close to their desk, commonly used documents requiring a high degree of 4 E2
preservation or protection?
02D01-02 Do these facilities allow to protect important documents from risks of water damage or flooding? 4 E2
02D01-03 Do these facilities allow to protect important documents from risks of fire (fireproof vaults) ? 4 E2
02D01-04 Are the premises used for the storage of these documents equipped with reinforced access control and intrusion detection? 3 E2
02D01-05 Does the shutdown of these security systems (fire, water damage, access control, intrusion detection) trigger an alarm with a 2 R1
surveillance center able to intervene rapidly?
02D01-06 Are these storage conditions subject to regular audit? 3 3 C2
02D02 Protection of documents and removable support media
02D02-01 Do security procedures and instructions define the rules for protecting documents and information support media situated in 3 E1 10.7.1
offices (regardless of the type of support media)?
02D02-02 Do the security procedures and instructions detail the rules for protecting laptop microcomputers (storage, securing by cable 3 E1
etc.)?
02D02-03 Do the security procedures and instructions also detail the rules for protecting Tablet PCs, electronic personal assistant or 3 E2
telephones which may contain sensitive information?
02D02-03 Do the security procedures and instructions detail the rules relative to the printing of sensible documents? 3 E2
02D02-08 Do security staff regularly check (effecting regular rounds) the application of document tidying rules and various support media 3 C1
situated in offices ?
02D02-09 Are these controls also effected during opening hours, in the absence of the regular occupants of the offices? 3 C2
02D02-10 Is the application of the security rules relative to the printing and distribution of sensitive documents regularly audited? 3 C2
02D03-03 Do the paper destruction facilities available to personnel offer a solid guarantee that documents destroyed cannot be 2 3 E2
reconstituted?
For this, the shredder used must cross cut.
02D03-04 Is the capacity of the paper destruction facilities available to personnel compatible with the average volume of documents to 2 E1
destroy?
02D03-05 Has a shredder of sufficient capacity been installed next to each photocopier? 4 E2
Note: the capacity necessary must take into account the maximum thickness that photocopied document can generally attain.
02D03-06 Are all paper destruction procedures and facilities regularly audited? 2 3 C1
02D04 Security of post mail
02D04-01 Is the incoming and outgoing mail sorting and dispatching office kept locked when staff are not present? 4 E1
02D04-02 Is the incoming and outgoing mail sorting and dispatching office protected against risks of fire and water damage (automatic 3 E1
detection and triggering of an alarm with a surveillance center able to intervene rapidly?
02D04-03 Does the mail delivery round ensure that only the intended recipient department or person has access to its or their mail (locked 3 E1
post boxes, direct distribution and delivery direct to the intended person etc.)?
02D04-04 Within the office spaces, is any mail, either outgoing or incoming, kept aside so as not to be read by an unintended third party? 2 E2
02D04-05 Is confidential mail rendered neutral (double envelope with the degree of classification only being indicated on the internal 2 E2
envelope)?
02D04-06 Are important mails sent systematically registered with acknowledgement of receipt? 3 E2
02D04-07 Is the application of mail security advice and procedures regularly audited? 3 C1
02D05 Security of faxes (traditional)
02D05-01 Is there a procedure or instruction stating the modes for sending and receiving confidential faxes? 2 E1
02D05-02 Is the location of each fax machine kept locked when staff are not present? 4 E1
02D05-03 Is the incoming and outgoing faxes office protected against risks of fire and water damage (automatic detection and triggering of 3 E1
an alarm with a surveillance center able to intervene rapidly?
02D06-05 Does the shutdown of security systems (fire, water damage, access control, intrusion detection) trigger an alarm with a 2 R1
surveillance center able to intervene rapidly?
02D06-06 Is the capacity to work on these documents ensured on a long range? 3 C1
02D06-07 Are the storage conditions and associated security systems subject to regular audit? 3 C1
02D07 Management of archived documents
02D07-01 Is there a department specifically responsible for archiving documents to be kept for a long range? 2 E2
02D07-02 Is there a procedure which obliges users to use this archiving service for all documents to be kept for a long range? 2 E2
02D07-03 Are the delays for archiving or returning documents in accordance with the expectations of users? 4 E2
Otherwise users may prefer to keep the documents next to them.
02D07-04 Are the rooms used for archives quipped with appropriate equipments for fire detection and extinguishing, flooding detection 3 3 E2
and water draining?
02D07-05 Are these rooms equipped with reinforced access control and intrusion detection systems? 3 3 E2
02D07-06 Are the archive rooms under video-survey when they are not occupied? 3 3 E3
02D07-07 Are the cartons for archives marked without reference to their content? 3 3 E2
02D07-08 Are the correspondence tables associating the content to the reference of archives not accessible to the personnel in charge of 3 E3
managing physically the cartons of archives?
02D07-09 Are these tables subject to a saving policy ? 3 3 E2
02D07-10 Does the shutdown of security systems (fire, water damage, access control, intrusion detection) trigger an alarm with a 2 3 R1
surveillance center able to intervene rapidly?
02D07-11 Is the requester of an archive authenticated with a strong procedure? 3 3 E2
02D07-12 Is the delivery of an archive registered and logged? 3 3 E2
02D07-13 Is there a specific procedure used for the destruction of archives? 1 E2
02D07-14 Does this procedure guarantee that the requester has the appropriate rights? 4 3 E2
02D07-15 Are the archives protected against any diversion during their transport between the archiving room and the requester? 3 E2
03A01-03 Are there backup batteries (supplying one or more uninterruptible power supplies) guaranteeing sufficient autonomy that 2 E2 9.2.2
equipment shuts down safely and properly?
03A01-04 Is the energy supply system fitted with a control system which signals to the intervention team any partial or complete failure of 2 3 R1
equipment (disconnection of batteries, insufficient charge, uninterruptible supply system shutdown etc.)?
03A01-05 Are energy regulation systems checked frequently (battery capacities in particular) in comparison to system requirements 2 3 C2
(autonomy needed to ensure a proper shutdown)?
03A01-06 Is the regular replacement of intermediate batteries effected in accordance to the manufacturers' specifications? 2 2 E2
03A02 Continuity of energy supply
03A02-01 Has it been established a documented policy relative to the requirements about power supply continuity (and all fluids in 1 2 E1 9.2.2
general)?
03A02-02 Is there a backup energy supply capable of guaranteeing service continuity of critical equipment (making use a generator and 4 2 E1 9.2.2
sufficient independent supply of fuel or independent energy feed)?
03A02-03 Is the backup system tested regularly in order to define the appropriate load required (retaining only critical equipment load 4 C1
levels)?
03A02-04 Is the start-up routine for the backup system tested regularly and its compatibility with the requirements of service continuity (tests 4 2 E2
include system run-down and eventual reconfiguration needed)?
03A02-05 Is the backup energy supply system equipped with an alarm which signals to the intervention team any partial unavailability or 2 3 R1
failure of equipment (failure of the backup system, low fuel, shutdown of detection or switching system etc.)?
03A06-03 For the most critical services, is there system redundancy or a rapid replacement capability? 4 E2
03A06-04 Are all outages, whether unplanned (breakdown) or planned (stoppage), of service equipment detected and flagged to an 2 2 R1
intervention team for rapid reaction?
03A06-05 Is the dependability of service equipment (detection of breakdown or outage, intervention procedures, etc) audited regularly? 2 3 C1
03B01-02 Have an inventory and a classification of all the types of sensitive locations been taken? 4 E2
03B01-03 Has, for each sensitive location or type of location, a manager been named to maintain up-to-date security access rights 4 E1
attributed to each category of personnel and has each of the managers taken up their post?
03B01-04 Do these persons in charge actually assuming this function and do they provide reports to the CISO about it? 4 2 E2
03B01-05 Do the profiles also allow definition of working time limits (daily hours and periods in the working calendar, weekends, holidays 4 E2
etc.)?
03B01-06 Are these rights and profiles as defined above protected against alteration or falsification during their storage or when 1 3 R1
transferred between decision makers and the personnel in charge of implementing the rights?
03B01-07 Is there a regular audit or inspection, at least once a year, of all rights given to the various categories of personnel and of the 1 3 C1 9.1.2
management processes for these rights as well?
03B02 Management of access authorizations granted to sensitive locations
03B02-01 Does the procedure of granting permanent or temporary access authorizations require the formal authorization of line 4 2 E1
management or of the unit managing external contractors (at a sufficiently senior level)?
03B02-03 Are access authorizations granted to named individuals as a function of profile and materialized by a badge or a card or a key? 4 E2
03B02-04 Are badges or cards which represent access authorizations personalized using the name of the holder and his or her 4 E2
photograph?
03B02-05 Can the list of access authorizations and corresponding profile be reviewed at any time? 4 2 E3
03B02-06 Is there a rapid and systematic process of attribution and revocation of access authorizations (with invalidation of the badge in 2 2 E2
automatic control systems) and the return of the badge or corresponding card at time of change of site (if access rights depend
on the site), departure from the company or at the end of a contract and applied both to internal and external staff?
03B02-07 Are keys or badges stored in a locked secure box or cupboard resistant to break in? 4 2 E2
For example: certified safes
03B02-08 Is it prohibited to enter the sensible premises with means of photo, video, or audio taping? 1 E3 9.1.5
03B02-09 Is there a regular audit, at least once a year, of all the badges attributed to all categories of staff and of the pertinence of the 1 2 C1
corresponding authorizations?
03B02-10 Is there a procedure enabling the subsequent detection of irregularities in the management of access authorizations (badge or 4 C2
card not returned, usage of a lost badge, false badge etc.)?
03B03 Access control to sensitive locations
03B03-01 Is use made of an automatic system controlling access to sensitive locations? 4 E1 9.1.2; 9.1.5
03B03-02 Does authentication employ user related data that cannot be falsified (smart cards or biometric data for example)? 4 3 E3
For example :(smart cards, biometric data, digital key, ...
03B03-03 Does the access control system guarantee that all personnel entering the location are verified? 4 3 E2
For example: double door limiting the number of people entering to one-at-a-time or a process which prohibits the usage of a
badge by more than one person etc.
03B03-04 Is control assured of all entry and exit points including both normal exits and others such as windows accessible from outside, 4 3 E2
emergency exits, potential access via raised flooring and false ceilings?
03B03-05 Are the automatic access control systems under 24 hr surveillance enabling the detection of a failure, a system deactivation or 2 2 R1
the usage of emergency exits in real time?
03B03-06 Is there a procedure or automatic alert enabling the immediate intervention of security personnel in the case of a shutdown alarm 2 2 R2
of the access control system (or usage of emergency exit)?
03B03-07 Is there an audit procedure enabling the detection of irregularities in the access control procedures (audit of procedures and 2 3 C1
parameters of access control systems, audit of exceptions and of interventions etc.)?
03B04 Intruder detection in sensitive locations
03B04-01 Is there an operational on site intrusion detection system for sensitive locations linked to a 24 hr monitoring center? 4 2 E1
03B04-02 Does this system detect all attempts to force open locked exits (windows and doors), all opening of emergency exits and all 4 2 E2
normal exits abnormally kept open?
03B04-03 Does this system detect the presence of personnel outside of normal working hours? 4 2 E2
03B04-10 Are intrusion control points and procedures for reaction to intrusions audited regularly? 2 3 C1
03B05 Perimeter monitoring (surveillance of entry points and surroundings of sensitive locations)
03B05-01 Is the perimeter or surroundings of sensitive locations under complete and coherent surveillance by video or direct visual means? 4 E2
03B05-02 Is the surveillance team dedicated to its task, having only security responsibilities and are any alarms immediately detected and 4 3 E3
treated as the highest priority?
03B05-03 In the case of an alarm, does the surveillance team have the possibility of sending out an intervention team without delay to verify 4 E2
the cause of the alarm and to take appropriate action?
03B05-04 Has the security team sufficient resources to cover the eventuality of multiple alarms set off intentionally? 4 3 E3
03B05-05 Is there an advisory document clearly stating exactly what action to take in the case of each alarm envisaged? 2 E2
03B05-06 Is video surveillance material recorded and kept for a long period? 1 E3
03B05-07 Is the intrusion detection system itself under surveillance (alarm in the case of shutdown, auto-surveillance by camera etc.)? 2 3 R1
03B06-08 Are procedures for surveillance and intervention in the case of abnormal behavior audited regularly? 2 3 C1
03B07 Cabling access control
03B07-01 Is physical access to cabling protected (specific conduits difficult to access or kept locked)? 2 2 E2
03B07-02 Are all cable paths kept under video surveillance with alerts in the case of abnormal presence (to signal to staff which screen to 4 3 E3
pay particular attention to)?
03C01-02 Have each of the possible water entry points been determined as low risk or have measures been taken to ensure that the risk of 4 E3
flooding is very low?
For example: pre-emptive fire extinguisher systems, one way valves on exhaust pipes, independent measurement of humidity,
etc.
03C01-03 Are each of the various systems to avoid water damage protected from shutdown and under constant monitoring? 2 3 R2
03C01-04 Is there a regular audit of the proper implementation of the measures to prevent water damage and methods to ensure that they 2 3 C2
remain pertinent (verification of risk analysis)?
03C02 Detection of water damage
03C02-01 Are there humidity detectors near to sensitive equipment (in particular in raised flooring) linked to a 24 hr monitoring center? 4 E2 9.1.4
03C02-02 Are there water detectors nearby sensitive equipment (in particular in raised flooring) linked to a 24 hr monitoring center? 4 E2 9.1.4
03C02-03 Is there a water leakage detection system on the floor above the location of sensitive equipment linked to a 24 hr monitoring 4 E3 9.1.4
center?
03C02-04 Does the security desk have the possibility of sending in a rapid intervention team which has sufficient means to act? 2 2 E2
For example: knowledge of the location of water cut off points and protected shunts, computers with up-to-date piping plans and
cut off points, plastic covers in order to protect equipment etc.
03C02-05 Has the security team sufficient resources to cover the eventuality of multiple alarms set off intentionally? 4 3 E3
03C02-06 Is there an advisory document clearly stating exactly what action to take in the case of each alarm envisaged? 2 3 E2
03C02-07 In any shutdown of detection systems systematically signaled to a 24 hr monitoring center? 2 R1
03C02-08 Is the detection equipment regularly tested and are procedures and intervention capabilities regularly audited? 2 3 C1
03C02-09 Are procedures and intervention capabilities regularly audited? 2 C1
03C03 Water evacuation
03C03-01 Are there permanent means for evacuating water (pumps, natural drain-ways etc.) and a team able to use them effectively? 2 E2
03D01-03 Are the different fire protection systems protected from shutdown and under continual monitoring? 2 3 R2
03D01-04 Is there a regular audit of the electric cabling due to changes of the power supply configurations? 4 C2
For example : control of possible hot points using an infrared camera
03D01-05 Is there a regular audit of the proper implementation of fire prevention measures and methods to ensure that they remain 2 3 C2
pertinent?
verification of risk analysis
03D02 Fire detection
03D02-01 Is there an automatic fire detection system for sensitive locations (raised floors and false ceilings if they exist)? 2 E1 9.1.4
03D02-02 Does the fire detection system have at least two types of detector (for example ionic and optical smoke detector)? 4 2 E2
03D02-03 Are the automatic detectors linked to a 24 hr monitoring center, equipped with a system which clearly identifies the location of the 2 E2
alarms which have been set off?
03D02-04 Is any shutdown of fire detection systems systematically signaled to a 24 hr monitoring center? 4 2 R1
03D02-05 Is the detection equipment regularly tested? and are procedures and intervention capabilities regularly audited? 2 3 C1
03D02-06 Are procedures and intervention capabilities regularly audited? 2 3 C1
03D03 Fire extinguishing
03D03-01 Is the monitoring center able to rapidly send in a team which has sufficient means to act (precise diagnosis of the situation, 2 1 E1
manual extinguishers, triggering of automatic extinguishers, emergency call)?
03D03-02 Has the security team sufficient resources to cover the eventuality of multiple alarms? 2 3 E2
03D03-03 Is there an advisory document clearly stating exactly what action to take in the case of each alarm envisaged? 2 3 E2
03D03-04 Is there specific and regular training of intervention personnel? 4 E2
03D03-05 Are all mobile fire extinguishers regularly controlled by a competent authority (filling, usage manuals, risk reduction, location 1 E2
etc.)?
03D03-06 Are sensitive locations protected by an automatic extinguishing system (air, raised floors, false ceilings)? 4 2 E2 9.1.4
03D03-07 Are automatic extinguishing systems regularly maintained and tested by approved specialists? 2 E2
03D03-08 Is the shutdown of an automatic fire extinguisher system immediately signaled to a 24 hr monitoring center? 4 2 R1
03D03-09 Is there an installation of armed fire taps near to computer rooms and is this installation periodically and regularly verified and 4 E1
maintained?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
04A01-04 Has this analysis been complemented by a study of network capacity to ensure reliability of communications in all cases of failure 4 2 E3
of a single link or piece of equipment?
04A01-05 Is there a dynamic measurement of network load and are load balancing tools available? 4 E2
04A01-06 Do network monitoring and configuration tools allow real time corrective action compatible with the needs of the users? 4 2 E2
04A01-07 Are overload detection and load balancing tools accessible only by administrators and are they protected by strengthened access 2 2 R2
control?
04A01-08 Is any failure or shutdown of network overload detection and equilibrating equipment signaled immediately to the monitoring 2 3 R1
center and to network administrators?
04A01-09 Are regular performance tests of load detection equipment and reconfiguration mechanisms carried out? 2 3 C1
04A01-10 Are regular audits carried out of equipment parameters and procedures associated with the load detection and reconfiguration 1 3 C1
systems?
04A01-11 Are regular audits carried out of the procedures associated to the load detection and reconfiguration systems? 1 3 C1
04A02 Management of extended network equipment maintenance
04A02-01 Is all equipment covered by a maintenance contract? 2 E1 9.2.4
04A02-02 Has all critical production equipment been identified, has their performance capability been controlled and have the acceptable 4 E2
and maximum downtime limits been documented?
04A02-03 Have specifically adapted clauses related to these requirements been set down within maintenance contracts? 4 2 E2
04A02-04 Are the penalties of non-compliance with these clauses sufficiently persuasive for the contract holder? 4 2 E3
04A02-05 Have escalation procedures been detailed in the case of non-compliance or difficulties in maintenance and do they anticipate the 2 3 R1
intervention of specialists within a short delay commensurate with the criticality of the equipment?
04A02-06 Has the number and proximity of specialists been detailed and do they guarantee a sufficiently good level of maintenance within 4 R2
an acceptable delay?
04A02-07 Do the maintenance contracts anticipate a complete replacement of equipment in the case of significant damage which would not 4 E3
normally be taken into account by curative maintenance?
04A02-08 Are maintenance contracts and procedures regularly audited? 2 3 C1
04A03 Procedures and Business Contingency Planning following incidents on the extended network
04A03-01 Has a list been established of incidents which could affect the proper functioning of the extended network and analyzed the 2 E2
seriousness level, for each of them?
04A03-03 Have sufficient means of intervention (reconfiguration) on the extended network been put in place which cover satisfactorily all of 2 2 E2
the scenarios identified and do they allow for the actions decided to be implemented within the specified delays?
04A03-04 For each possible critical incident on the extended network has an expected resolution time and escalation procedure been 4 E3
determined in the case of failure or delay of the specified corrective actions?
04A03-05 Are the diagnostic, management and reconfiguration tools of the extended network protected against all possible untimely or 4 3 R1
malicious action?
04A03-06 Do incident recovery plans and procedures cover the eventual loss of data (especially e-mail messages)? 4 E3
04A03-07 Are diagnostic and reconfiguration facilities regularly audited in order to assure a satisfactory minimum functioning of the 2 3 C1
extended network in the case of an incident?
04A04 Backup plan of extended network configurations
04A04-01 Has a backup plan been established encompassing all network configurations, defining all objects to save and the frequency of 4 E1 10.5.1
backups?
04A04-02 Has this plan been translated into automatic operational routines? 2 2 E2 10.5.1
04A04-03 Has the backup of programs, (source and executables), documentation and parameters been regularly tested in order to be able 4 2 E1 10.5.1
to reconstitute the production environment at any time?
04A04-04 Are operational automatic routines protected by a high level of protection against illicit or unintentional modification? 4 3 R1 10.5.1
Such a mechanism may be a digital seal or any equivalent protection system.
04A04-05 Are all configuration backups and files which enable the restoration of the extended network production environment also saved 4 2 E3 10.5.1
at a location off premises (recourse backup) ?
04A04-06 Are recourse backup copies stored in a secure location and protected against accidental risk or theft? 4 E3 10.5.1
Such a location must be protected by strict access control as well as protected against fire or water damage risk.
04A04-07 Are regular tests carried out to read backups and recourse backups? 2 3 C1 10.5.1
04A04-08 Are all procedures and plans for backup of configuration files regularly audited? 2 3 C1
04A05 Business Contingency Planning (BCP) of the Extended Network
04A05-01 Is there an operational recovery solution to make up for the unavailability of any critical equipment or link on the extended 4 2 E1 14.1.3
network?
04A05-02 Is this recovery solution satisfactorily operational? 4 2 E2 14.1.3
04A05-03 Are these alternative solutions described in detail in one (or several) Disaster Recovery Plan formal and complete? 4 E1 14.1.3
A complete recovery plan must include the conditions for triggering, the actions to execute, the priorities, the actors to mobilize
and their contact details as well as the conditions for considering the return to the normal state.
04A05-04 Are these plans tested in operational conditions at least once a year? 4 2 C1 14.1.5
04A05-05 Is there a formal guarantee that the capacity and compatibility of these recovery solutions will support a sufficient operational load 4 2 E2 14.1.5
which has been approved by all connected entities?
04A05-06 If the recovery solutions include delivery of hardware components which cannot be triggered during tests, is there a contractual 4 2 E2
engagement within the recovery plan for the delivery of the replacement hardware within fixed and anticipated time limits
guaranteed by the manufacturer or other third party (leaser, broker, other)?
04A05-07 If the recovery facility (hot site, equipment etc.) is subscribed through a service provider, is the number of other subscribers 2 2 E3
known and limited?
04A05-08 Has the possible unavailability or failure of the recovery facility been considered and has a second level backup been organized? 2 3 R1
04A05-09 Is the backup solution usable for an unlimited duration and, if not, has a follow on backup solution been established? 2 E3
04B02-04 Does the transmission between systems and security equipments of reference data (secret elements, secret or public keys, etc.) 4 3 E3
use mechanisms which guarantee inviolability and authenticity?
In the case of authentication using cryptographic procedures, the mechanisms used for the transmission of reference elements
(public keys in particular) must guarantee a level of security comparable to the authentication protocol itself.
04B02-05 Does the management procedure of revoked keys systematically test that the keys have not been revoked? 4 2 E2
04B02-06 Does the management procedure of revoked keys guarantee that the control systems take in consideration in real time any 4 2 E3
revocation?
04B02-07 Are the processes that guarantee authentication under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there
is an audit at least once a year of the authentication procedures and processes.
04B03 Authentication of the entity accessed for an outgoing access across the extended network
04B03-01 Is there a mechanism for the authentication of the called entity before any outgoing access from the internal network across the 4 1 E1
extended network?
04B03-02 Is the authentication mechanism recognized as "strong"? 4 2 E2
The only methods recognized as "strong", that is to say observable without divulging information, are those based on
cryptographic algorithms.
04B03-03 Does the security equipment that retains and uses reference data (secret elements) to support authentication use mechanisms 4 3 E2
which guarantee inviolability and authenticity?
In the case of authentication using cryptographic procedures, the mechanisms of modification, storage and transmission of
reference elements (public keys in particular) must use a level of security comparable to the authentication protocol itself.
04B03-04 Does the transmission between equipments of reference data (secret elements) to support authentication use mechanisms which 4 3 E3
guarantee inviolability and authenticity?
In the case of authentication using cryptographic procedures, the mechanisms of transmission of reference elements (secret
elements, public keys, etc.) must guarantee a level of security comparable to the authentication protocol itself.
04B03-05 Does the revoked keys management procedure guarantee that the control systems systematically test that the keys used have 4 2 E2
not been revoked?
04B03-06 Does the revoked keys management procedure guarantee that the control systems take into consideration in real time any 4 2 E3
revocation of keys?
04B03-07 Are the processes that guarantee authentication under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that an
audit is performed at least once a year of authentication procedures and processes.
04C01-01 Have the permanent links and data exchanges which must be protected by encryption solutions been defined and such solutions 4 E2 12.3.1
been implemented on the extended network?
04C01-02 Does the encryption solution offer valid and solid guarantees and has it been approved by the Information Security Officer? 4 2 E2
The sufficient length of the key is one of among many parameters to take into consideration (as a function of the algorithm) . The
recommendation of an official organization can be a confidence factor.
04C01-03 Do the procedure and mechanisms of storage, distribution and exchange of keys and more generally the management of the 4 3 E3 12.3.2
keys offer solid guarantees which merit confidence and are they approved by the Information Security Officer?
04C01-04 Are the encryption mechanisms embodied in electronic components which are strictly protected at a physical level against 4 3 3 R2
intrusion or change?
Encryption mechanisms should be contained within protected enclosures to which it should be impossible to gain a
04C01-05 Is shutdown or by-pass of the encryption solution immediately detected and signaled to a team available 24 hrs a day capable of 4 2 R1
triggering an immediate reaction?
04C01-06 In the case of inhibition or bypass of the encryption solution or the activation of an unprotected fail-over link of the network, is 4 2 R1
there a procedure to immediately alert all users?
For example by a warning requiring the user to acknowledge its receipt.
04C01-07 Is there a regular audit, at least once a year, of all data exchange, encryption systems and associated procedures? 4 3 C1
04C02 Integrity control of exchanges on the extended network
04C02-01 Have all data exchanges and permanent links which must be protected by sealing solutions been defined and implemented on 4 E2
the extended network?
04C02-02 Does the sealing solution offer valid and solid guarantees and has it been approved by the Information Security Officer? 4 2 E2
The sufficient length of the key is one of among many parameters to take into consideration (as a function of the algorithm) . The
recommendation of an official organization can be a confidence factor.
04C02-03 Do the procedure and mechanisms for storage, distribution and exchange of keys and more generally the management of keys 4 3 E3
offer a sufficient level of confidence and have they been approved by the Information Security Officer?
04C02-04 Are the sealing mechanisms embodied in electronic components which are in turn strictly protected at a physical level against 4 3 3 R2
intrusion or change?
Sealing mechanisms should be contained within protected enclosures to which it should be impossible to gain access. The
algorithm is contained within the microprocessor or a microprocessor card which is protected physically and logically.
04C02-05 Is shutdown or by-pass of the sealing solution immediately detected and signaled to a team available 24 hrs a day capable of 4 2 R1
triggering an immediate reaction?
04D01-10 Are the procedures for monitoring the extended network, for the detection of the anomalies and the reactivity of the surveillance 2 3 C1
team subject to regular audit?
04D02 Offline analysis of traces, log files and event journals on the extended network
04D02-01 Has detailed analysis been carried out of the events or succession of events on the extended network which may have had an 2 E1 10.10.1
impact on security (refused connections, re-routings, reconfigurations, changes in performance, access to sensitive data or tools
etc.)?
04D02-02 Are these events recorded as well as the parameters used for their subsequent analysis? 4 E1 10.10.1
04D02-03 Is there an application capable of analyzing these records as well as performance measures, of establishing statistics, a 4 2 3 E2
dashboard and anomaly diagnostics for examination by a competent team of specialists?
04D02-04 Is the structure empowered to analyze these summaries (or incidents logs and security related events) required to do so within a 4 E2
fixed and determined period and does it have sufficient availability?
04D02-05 Has the expected response from the surveillance team been defined for each case of alert and are its availability and staffing 4 E3
level sufficient to meet these expectations?
04D02-06 Are the parameters defining the elements to record and the analyses to effect strictly protected against unauthorized change 4 R1 10.10.3
(limited rights and strong authentication)?
04D02-07 Is any inhibition of the recording and processing system immediately signaled to the surveillance team? 4 R1
04D02-08 Are the records and summary analyses protected against any destruction or modification? 2 E2 10.10.3
04D02-09 Are the records and summary analyses kept for a long period? 2 E2 10.10.3
04D02-10 Are the procedures for recording, processing and analyzing of the records and summaries as well as the availability of the 2 C1
analysis and corrective team subject to regular audit?
04D03 Management of incidents on the extended network
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05A Security of the architecture of the local area network
05A01 Partitioning of the local area network into security domains
05A01-01 Has a partitioning of the local area network been effected in order to separate what is strictly the internal network from the areas which 4 E1
communicate externally (DMZ)?
A DMZ, or demilitarized zone, is an exchange zone to the outside, isolated from the internal network (e.g. using a firewall).
05A01-02 Has the local area network been partitioned into security domains, each requiring a consistent set of security rules, and into zones of 4 2 E1 11.4.5
confidence within which controls may be specifically adapted?
05A01-03 In particular, has any wireless network (WLAN) been considered as a distinct domain, strictly isolated from the rest of the network (by 4 2 E1 11.4.5
firewall or filtering router, etc.)?
05A01-04 Have these partitions been documented and is the documentation kept up to date? 2 E2 11.4.5
05A01-05 Is there a complete description of the links and communication equipment in place? 2 E2 11.4.5
05A01-06 Is each domain isolated from the others domains, by using specific security means (filtering router, firewall, etc)? 4 2 E2 11.4.5; 11.4.6
05A01-07 Is the security proper to this filtering equipment subject to active maintenance and follow-up by an appropriate expert? 4 3 E3
05A01-08 For each of the domains, has a strictly limited list of authorized inter-domain links, communications and protocols been defined and, by 4 2 E2 11.4.6
default, are all other protocols shut off ("nothing except" policy)?
05A01-09 Is there a procedure for the management of inter-domain connection requests and a group in charge of the analysis of these requests, of 4 2 E3
their authorization and the definition of filtering rules which will be put in place (firewall, service requests, protocols etc.)?
05A01-10 Is there a group in charge of controlling the application of the defined rules and the removal of specific rights when the requirement is no 4 2 E3
longer needed or the conditions are no longer met?
05A01-11 Are any addition to the authorized connection list for a domain and any modification of its parameters logged and audited? 4 3 C1
05A01-12 Is there a regular review of all authorized connections (standard and non-standard) and of their pertinence? 4 3 C1 11.4.7
05A02 Security of the functioning of the local area network architecture
05A02-01 Has each security domain been analyzed to determine the requirements of continuity of service and, if necessary, has redundancy been 4 2 E2
incorporated into interconnection points, networking equipment and meshed links?
05A02-02 Has a systematic analysis of potential single points of failure been carried out in order to ensure that service equipments (such as 4 2 E3
energy supply, air conditioning, etc.) do not affect the redundancy planned for network equipment or architecture?
05A02-03 Has a control of the average and peak load been carried out for each element of the network and of the compatibility of the network and 4 2 E2
associated equipment at this load level and is this control regularly repeated?
05A02-04 Has this analysis been complemented by a study of network capacity to ensure reliability of communications even in the case of failure 4 2 E3
of a single link or piece of equipment?
05A02-05 Is there a dynamic measurement of network load and of the load balancing tools? 4 E2
05A02-06 Do network monitoring and reconfiguration tools allow real time corrective action compatible with the requirements of the users? 4 2 E2
05A02-07 Does the architecture of network equipment allow easy adaptation to changes of load levels (clusters, load balancing etc.)? 2 E2
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05A02-08 Are overload detection and load balancing appliances and devices accessible only by administrators and is their access protected by 2 2 R1
strengthened access control?
05A02-09 Is any inhibition or shutdown of network overload detection and load balancing equipment signaled immediately to the monitoring center 2 3 R1
or to network administrators?
05A02-10 Are regular performance tests of detection and reconfiguration mechanisms carried out? 2 3 C1
05A02-11 Are regular audits of the parameterization of detection and reconfiguration systems carried out? 1 3 C1
05A02-12 Are regular audits carried out of procedures associated with the detection and reconfiguration systems? 1 3 C1
05A03 Organization of the maintenance of local area network equipment
05A03-01 Are all local area network equipments covered by a maintenance contract? 2 E1 9.2.4
05A03-02 Have all equipment, critical to the provision of expected operation and performance of the network, been identified and, for each of 4 E2
them, have the required acceptable and maximum downtime delays been published?
05A03-03 Have specifically adapted clauses related to these requirements been specified within maintenance contracts? 4 2 E2
05A03-04 Are the penalties of non-compliance with these causes sufficiently persuasive for the contract holder? 4 2 E3
05A03-05 Have escalation procedures been detailed in the case of non-compliance or difficulties in maintenance and do they anticipate the 2 3 R1
intervention of specialists within a short delay commensurate with the criticality of the equipment?
05A03-06 Have the number and proximity of specialists been detailed and do they guarantee a sufficiently good level of maintenance within an 4 R1
acceptable delay?
05A03-07 Do the maintenance contracts anticipate a complete replacement of equipment in the case of significant damage which would not 4 E3
normally be taken into account by curative maintenance?
05A03-08 Are maintenance contracts and procedures regularly audited? 2 3 C1
05A04 Procedures and Recovery Plans following incidents on the local area network
05A04-01 Has a list been established of incidents which could affect the proper functioning of the local area network and, for each of them, the 2 E1
seriousness level?
05A04-02 Has it been established, for each serious incident, the solutions to implement and the actions to execute by operational personnel? 2 E1
05A04-03 Are the means of intervention over the LAN (for diagnostic as well as for reconfiguration) able to cover satisfactorily all of the scenarios 2 2 E2
identified and do they ensure that the actions can be implemented within the specified time delays?
05A04-04 For each serious incident on the local area network, have an expected resolution time and escalation procedure been determined in the 4 E3
case of failure or delay of the anticipated corrective actions?
05A04-05 Are the diagnostic, management and reconfiguration tools of the local area network protected against all possible untimely or malicious 4 3 R1
action?
05A04-06 Do incident recovery plans and procedures cover the eventual loss of data (especially loss of requests and messages)? 4 E3
05A04-07 Are diagnostic and reconfiguration means regularly audited in order to assure a satisfactory minimum functioning of the local area 2 3 C1
network in the case of an incident?
05A05 Save and Restore plans of local area network configurations
05A05-01 Has a backup plan been established, encompassing all local area network configurations, defining all objects to save and the frequency 4 E1 10.5.1
of backups?
05A05-02 Has this plan been translated into automatic operational routines? 2 2 E2 10.5.1
05A05-03 Has the backup of programs (source and executables, documentation and parameters) been regularly tested in order to be able to 4 2 E1 10.5.1
reconstitute the production environment at any time?
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05A05-04 Are automatic operational backup routines protected by a high level of security against illicit or unintentional modification? 4 3 R1 10.5.1
Such a mechanism may be a digital seal or any equivalent modification detection system.
05A05-05 Are all configuration and file backups, necessary for the restoration of the local area network production environment, also saved at a 4 2 E3 10.5.1
location off premises (recourse backup)?
05A05-06 Are recourse backup copies stored in a secure location and protected against accidental or human risks? 4 E3 10.5.1
Such a location must be protected by strict access control as well as protected against fire or water damage risk.
05A05-07 Are regular tests carried out to read backups and recourse backups? 2 3 R2 10.5.1
05A05-08 Are all procedures and plans for backup of configuration files regularly audited? 2 3 C1
05A06 Disaster Recovery Plan (DRP) of the local area network
05A06-01 Is there a recovery solution to make up for the unavailability of any equipment or critical link in the local area network? 4 2 E1 14.1.3
05A06-02 Is this recovery solution fully operational? 4 2 E2 14.1.3
05A06-03 Are these solutions described in detail in one (or several) Disaster Recovery Plan? 4 E1 14.1.3
A complete Disaster Recovery plan must describe the rules for triggering, the actions to execute, the priorities, the actors to mobilize and
their contact details, as well as the conditions for return to normal operating conditions.
05A06-04 Are these plans tested operationally at least once a year? 4 2 C1 14.1.5
05A06-05 Is there a formal guarantee of compatibility and capacity that these recovery solutions will support a sufficient operational load which has 4 2 E2 14.1.5
been approved by all concerned parties?
05A06-06 If the recovery solutions include delivery of hardware components, which cannot be triggered during tests, is there a contractual 4 2 E2
engagement within the recovery plan for the delivery of hardware within fixed and anticipated time limits, guaranteed by the
manufacturer or other third party (leaser, broker, other)?
05A06-07 If the recovery equipment and/or solution are pooled, is the number of other subscribers known and limited? 2 2 E3
05A06-08 Has the unavailability or failure of the recovery facility been considered and has a second level backup been organized? 2 3 R1
05A06-09 Is the backup solution usable for an unlimited duration and if not, has a follow on solution been established? 2 E3
05A06-10 Are the existence, the pertinence and the updates of the Disaster Recovery Plans regularly audited? 2 3 C1
05A07 Management of critical suppliers as regards a permanent maintenance service
05A07-01 Have the consequences of the disappearance of a supplier of equipment, network service or software been analyzed (in the case of 2 E2
failure, of a bug or change requirement) and has a list of critical points been established?
05A07-02 For each critical point, is there a corrective solution to cope with the failure or disappearance of a supplier (maintenance documentation 2 E2
lodged with a trusted third party, replacement of equipment or of software by widely available market solutions etc.)?
05A07-03 Is it certain that this corrective solution could be made operational within a sufficiently short time to enable the business activity to restart 2 2 E3
and which is acceptable to the users ?
05A07-04 Have alternate options to the basic solution been considered for the case where the latter might encounter unforeseen difficulties? 2 3 E3
05A07-05 Is there a regular review of critical points and of the corrective solutions envisaged? 2 3 C1
05B Access control to the local area network
05B01 Management of access profiles on the local area network
05B01-01 Has a management policy for access rights to the local network been established according to an analysis of the security requirements 2 E1 11.1.1
as per the business stakes?
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05B01-02 Is this policy documented, regularly revised and approved by the concerned managers in charge? 2 E2 11.2.2
05B01-03 Is access to the local area network and to the various parts of this network defined in terms of job profiles which regroup roles or 4 2 E1
functions within the organization (profiles define access rights which are available to the holders of the profile)?
Note: in certain circumstances, the notion of "profile" may be replaced by a notion of "group". In addition, access rights which may be
attributed to partners must also be considered.
Access profiles must comprise the access rights towards each partition of the network, for a station connected directly to the network as
well as for connections from outside the LAN (mobile users, teleworking, partners, etc.).
05B01-04 Have various variable parameters been introduced into the access rights definition rules (which determine the rights that are attributed to 4 2 E2
profiles) as a function of context, in particular, the location of the requesting station (direct LAN access, extended network (WAN),
external), the nature of the connection used (LAN, Leased line, Internet, type of protocol etc.) or the classification of the sub-network
requested?
05B01-05 Do the profiles also allow definition of working time limits (daily working hours) and calendars (weekends, holidays, etc.)? 2 E3
05B01-06 Have these profiles and the access rights attributed to the different profiles, as a function of context, been approved by the information 4 2 E2
owners and the Information Security Officer?
05B01-07 Is the process of definition and management of rights attributed to profiles under strict control? 4 3 R1
A strict control requires that the list of people allowed to change rights attributed to profiles be strictly limited, that the implementation of
these rights into tables be strictly secure at the time of transmission and storage and that there exists a reinforced access control in
order to be able to modify these rights and that any modification of these rights be logged and audited.
05B01-08 Is there a regular audit, at least once a year, of the access rights attributed to each profile and of the profile management procedures? 4 2 C1 11.2.4
05B02-04 Is there a systematic process of updating the table of access authorizations at the time of departure of in house personnel? 2 E2 11.2.4
05B02-05 Is there a systematic process of updating the table of access authorizations at the time of change of function (at the end of contract for 2 E3 11.2.4
external personnel or internal change of function)?
05B02-06 Is there a list of all personnel who have access to the local area network? 1 C1
05B02-07 Is there a regular audit, at least once a year, of all access authorizations granted to the personnel to the local area network and all those 1 2 C1 11.2.4
granted to partners?
05B03 User or entity authentication for access requests to the local area network from an internal access point
This mechanism corresponds, for example, to the authentication implemented in a Windows domain controller.
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05B03-01 Is there a mechanism of authentication of each user before any access to a local area network resource? 4 1 E1
05B03-02 Does the process of modification or definition of a user credential respect a set of rules which ensures its robustness? 4 2 E2 11.2.3
In the case of passwords: sufficient length (8 characters or more), obligatory mixture of types of characters, frequent change (less than
once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard systems", first
names, anagrams of username, dates etc.
In the case of certificates or authentication based on cryptographic mechanisms, a generation process evaluated or publicly recognized,
encryption keys of a sufficient length etc.
05B03-03 Does the process of providing user credentials guarantee its inviolability? 4 2 E3
The usage of a typed password will always be a weak point. the only process which does not divulge observable information consists
either of introducing an object containing a secret code (smart card), or using a code which changes at every moment (token card ) or
using a means which contains some biometric characteristic.
05B03-04 Do the security equipment that retain and use reference data (passwords, calling number, etc.) in support of authentication use 4 3 E2
mechanisms which guarantee inviolability and authenticity?
Passwords must be stored encrypted and a preliminary control of the user must be made before usage.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a recognized
organization.
05B03-05 Does the transmission of reference data in support of authentication (password, calling number, etc.) between the user equipment and 4 3 E3
security systems, use mechanisms which guarantee inviolability and authenticity?
Transmission of a password must be encrypted or use an algorithm which introduces a variable at each transmission.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a recognized
organization.
05B03-06 Is there an automatic process of invalidation of the calling station or the user account in the case of multiple incorrect attempts, so as to 4 2 E2
require the intervention of an administrator to reinstate the station or the user?
05B03-07 Does the procedure for the replacement of a lost or mislaid user credential (e.g. password, token card) lead to the instant deactivation of 4 2 E2
this credential?
05B03-08 Does the procedure for the replacement of a lost or mislaid user credential (e.g. password, token card) impose an effective control of the 4 2 E3
requestor's identity?
05B03-09 Are authentication parameters under strict control? 4 2 C1
A strict control requires that people allowed to change the definition rules of identifiers, the identifiers themselves, rules of surveillance of
connection attempts etc., be strictly limited and that there exists a reinforced access control to effect these modifications, that these
modifications be logged and audited and that there exists a regular general audit at least once a year of all authentication parameters.
05B03-10 Are the processes that ensure authentication under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there is an
audit, at least once a year, of authentication procedures and processes.
05B04 User or requestor authentication before access to the local area network from a remote site via the extended network
05B04-01 Do membership rules of the extended network impose that all users are authenticated prior to any outgoing access using the extended 4 1 E1
network?
05B04-02 Do membership rules to the extended network and the controls effected mean that the same level of confidence can be attributed to 4 2 E2
users of the extended network as those of the local area network?
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05B04-03 Is the pertinence of the rules of membership to the extended network regularly audited? 4 3 C1
05B04-04 Is a regular audit carried out to ensure that the rules of membership to the extended network are applied by all the entities which are 4 3 C1
authorized to connect to it?
05B05 User or requestor authentication for outside access to the local area network
(e.g. from the switched telephone network (POTS), X25, ISDN, broadband, Internet, etc.)
05B05-01 Is there a mechanism of authentication of all users connecting to the local area network from the outside? 4 2 E1 11.4.2
05B05-02 Does the process of modification or definition of a user credential in support of access control respect a set of rules which ensures its 4 2 E2 11.4.2
intrinsic validity?
In the case of passwords: sufficient length (8 characters or more), obligatory mixture of types of characters, frequent change (less than
once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard systems", first
names, anagrams of username, dates etc.
In the case of certificates or authentication based on cryptographic mechanisms, a generation process evaluated or publicly recognized,
encryption keys of a sufficient length etc.
05B05-03 Does the process of using a credential guarantee its impregnability? 4 2 E3 11.4.2
The usage of a password will always be a weak point. the only process which does not divulge observable information consists either of
introducing an object containing a secret (smart card), or using a code which changes at every moment (token card type SecureId) or
using a means which contains some biometric characteristic.
05B05-04 Do the security equipment that retain reference data (e.g. passwords, calling number, etc.) to support access authentication use 4 3 E2
mechanisms which guarantee impregnability and authenticity?
Passwords must be stored encrypted and a preliminary control of the user must be made before usage.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a recognized
organization.
05B05-05 Does the transmission of reference data in support of authentication (e.g. passwords, calling address, etc.) between user equipment and 4 3 E3
security systems use mechanisms which guarantee impregnability and authenticity?
Transmission of a password must be encrypted or use an algorithm which introduces a variable at each transmission.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a recognized
organization.
05B05-06 Is there an automatic process of invalidation of the calling station or the user account in the case of multiple incorrect attempts, so as to 4 2 E2
require the intervention of an administrator to reinstate the station or the user?
05B05-07 Does the procedure for the replacement of a lost or mislaid user credential (e.g. password, token card) lead to the instant deactivation of 4 2 E2
this credential?
05B05-08 Does the procedure for the replacement of a lost or mislaid user credential (e.g. password, token card) impose an effective control of the 4 2 E3
requestor's identity?
05B05-09 Are authentication parameters under strict control? 4 2 C1
A strict control requires that people allowed to change the definition rules of identifiers, the identifiers themselves, rules of surveillance of
connection attempts etc., be strictly limited and that there exists a reinforced access control to effect these modifications, that these
modifications be logged and audited and that there exists a regular general audit at least once a year of all authentication parameters.
05B05-10 Are the processes that ensure authentication under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there is an
audit, at least once a year, of authentication procedures and processes.
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05B06 User or requestor authentication for access requests to the local area network from a WiFi sub-network
05B06-01 Are all WiFi networks isolated from the local area network by a firewall? 4 2 E1
05B06-02 Is there a method of authentication of all users connecting to the local area network from a WiFi sub-network? 4 2 E1
05B06-03 Does the process of definition or modification of user credential for access control from a WiFi sub network respect a set of rules which 4 2 E2
ensures its intrinsic validity?
In the case of passwords: sufficient length (8 characters or more), obligatory mixture of types of characters, frequent change (less than
once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard systems", first
names, anagrams of username, dates etc.
In the case of certificates or authentication based on cryptographic mechanisms, the generation process must be evaluated or publicly
recognized, encryption keys of a sufficient length etc.
In the case of simple access identifiers (e.g. calling phone number), a call back procedure is recommended.
05B06-04 Does the authentication system guarantee the impregnability of the user's credential? 4 2 E3
05B06-05 Do the security equipment that retain reference data (e.g. passwords, calling address, etc.) to support access authentication use 4 3 E2
mechanisms which guarantee impregnability and authenticity?
Passwords must be stored encrypted and a preliminary control of the user must be made before usage.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a recognized
organization.
05B06-06 Does the transmission of reference data in support of authentication (e.g. passwords, calling address, etc.) between calling user 4 3 E3
equipment and authentication systems use mechanisms which guarantee impregnability and authenticity?
Transmission of a password must be encrypted or use an algorithm which introduces a variable at each transmission.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a recognized
organization.
05B06-07 Is there an automatic process of invalidation of the user account and/or workstation in the case of multiple incorrect attempts so as to 4 2 E2
require the intervention of an administrator to reinstate the station or the user?
05B06-08 Does the procedure for the replacement of a lost or mislaid user credential (e.g. password, token card) lead to the instant deactivation of 4 2 E2
this credential?
05B06-09 Does the procedure for the replacement of a lost or mislaid user credential (e.g. password, token card) impose an effective control of the 4 2 E3
requestor's identity?
05B06-10 Are authentication parameters for the access from a WiFi sub-network under strict control? 4 2 C1
A strict control requires that people able to change the definition rules of identifiers, the identifiers themselves, rules of monitoring
connection attempts etc., be strictly limited and that there exist a reinforced access control to effect these modifications, that these
modifications be logged and audited and that there exists a regular general audit at least once a year of all authentication parameters.
05B06-11 Are the processes that guarantee authentication from a WiFi sub network under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there is an
audit, audit, at least once a year, of authentication procedures and processes.
05B07 General filtering of access to the local area network
05B07-01 Do all access to the local area network require the use of an identifier recognized by the system? 2 E1
05B07-02 Is there a one to one correspondence between an identifier and a real physical person? 4 2 E2
05B07-03 Have all generic or by-default accounts and passwords been changed or deleted? 4 2 E2
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05B07-04 Is the identifier provided for access to the local area network systematically subject to authentication? 4 2 E1
Systematic authentication requires that the control process be in place for all possible access paths (internal access, all types of access
from the outside including reserved ports such as an those used for remote maintenance).
05B07-05 Is there a systematic control of the context of the access requestor (local area network, extended network, external link, nature of the 4 2 E3
link and protocols used )?
05B07-06 Is there a systematic control of the profile and the context of the connection of the requestor and the appropriateness of that profile and 4 2 E3
context with the access requested?
05B07-07 Is there an automatic invalidation of the user identifier in the absence of traffic after a defined delay, which requires user re-identification 4 E2
and re-authentication?
05B07-08 For connections requiring it, is there an identification for the calling equipment (MAC address, IP address, etc.) as per the access control 3 E3 11.4.3
rules?
05B07-09 Are the processes of definition and management of access filtering rules under strict control? 4 2 R1
A strict control requires that the list of persons allowed to change the filtering security parameters be extremely limited, and that there be
a reinforced access control in order to be able to effect such modification and that any modification be logged and audited.
05B07-10 Are there regular penetration tests into the network carried out in addition to detailed technical audits? 2 3 C1 15.2.2
05B08 Routing control of outgoing access
05B08-01 Do all outgoing accesses require the use of an identifier recognized by the system? 2 E1 11.4.2
05B08-02 Does this identifier correspond to a unique and directly or indirectly identifiable physical person? 1 E2 11.4.2
05B08-03 Is the identifier used in outgoing access control systematically subject to authentication? 4 2 E2 11.4.2
Systematic authentication requires that there is a process in place for all access paths and all outgoing ports.
05B08-04 Has it been defined, in a security policy relatively to outgoing accesses, rules specifying the connections authorized (type of external 4 2 E2
network, authorized links and protocols) function of the internal sub-networks considered?
05B08-05 Is there, before authorizing any outgoing access, a control of the rules defined in the security policy? 4 2 E2
05B08-06 Is there an automatic invalidation of the user identifier in the absence of traffic after a defined delay which requires user re-identification 4 E2
and re-authentication?
05B08-07 Are the processes of definition and management of outgoing access filtering rules under strict control? 4 2 R1
A strict control requires that the list of persons allowed to change the filtering security parameters be extremely limited, and that there be
a reinforced access control in order to be able to effect such modification and that any modification be logged and audited.
05B08-08 Are there regular penetration tests of the network carried out and regular specialized technical audits effected? 2 3 C1
05B09 Authentication of the external entity accessed for outgoing access to sensitive sites
05B09-01 Is there a possibility to declare sites or remote access points as sensitive and, as such, requiring an authentication of the entity 4 1 E2
accessed?
05B09-02 Is there a mechanism of authentication of the entity called before access to sensitive sites from the internal network? 4 1 E2
05B09-03 Does the authentication mechanism of the accessed entity provide a recognized "strong" level of security? 4 2 E3
Notably the usage of a simple password will always be a weakness. The only methods recognized as "strong", that is observable without
divulging information, are those based on cryptographic algorithms.
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05B09-04 Do the security equipment that retain credentials (e.g. passwords, calling number, etc.) use mechanisms which guarantee their 4 3 E2
impregnability and authenticity?
Passwords must be stored encrypted and a preliminary control of the user must be made before usage.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a recognized
organization.
05B09-05 Does the transmission of credentials (e.g. passwords, calling address, etc.) between calling user equipment and authentication systems 4 3 E3
use mechanisms which guarantee their impregnability and authenticity?
Transmission of a password must be encrypted or use an algorithm which introduces a variable at each transmission.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a recognized
organization.
05B09-06 Does the revoked keys management procedure guarantee that the control systems take into consideration in real time any revocation of 4 2 E2
keys?
05B09-07 Does the revoked keys management procedure guarantee that the control systems systematically test that the keys used have not been 4 2 E3
revoked?
05B09-08 Are the processes that guarantee the authentication of the accessed entities under strict control? 4 3 R1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there is an
audit at least once a year of the authentication procedures and processes.
05C01-01 Have the permanent links and data exchanges which must be protected by encryption solutions been defined and such solutions been 4 E1 12.3.1
implemented on the local area network?
05C01-02 Does the encryption solution offer valid and solid guarantees and has it been approved by the Information Security Officer? 4 2 E2
The sufficient length of the keys is one of among many parameters to take into consideration (as a function of the algorithm) . The
recommendation of an official organization can be a confidence factor.
05C01-03 Do the procedures and mechanisms for storage, distribution and exchange of keys and more generally the management of keys offer a 4 3 E2 12.3.2
sufficient level of confidence and have they been approved by the Information Security Officer?
05C01-04 Are the encryption mechanisms embodied in electronic components which are strictly protected at a physical level against intrusion or 4 3 3 R2
change?
Encryption mechanisms should be contained within protected enclosures to which it should be impossible to gain access, i.e. within a
microprocessor or smart cards and protected physically and logically.
05C01-05 Is shutdown or by-pass of the encryption solution immediately detected and signaled to a team available 24 hrs a day capable of 4 2 R1
triggering an immediate reaction?
05C01-06 In the case of inhibition or bypass of the encryption solution or the activation of an unprotected fail-over link of the network, is there a 4 2 R1
procedure to immediately alert all users?
For example by a warning requiring the user to acknowledge its receipt.
05C01-07 Is there a regular audit, at least once a year, of all data exchange, encryption systems and associated procedures? 4 3 C1
05C02 Integrity control of exchanges on the local area network
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05C02-01 Have the permanent links and data exchanges which must be protected by sealing solutions been defined and implemented on the 4 E1
local area network?
05C02-02 Does the sealing solution offer valid and solid guarantees and has it been approved by the Information Security Officer? 4 2 E2
The sufficient length of the keys is one of among many parameters to take into consideration (as a function of the algorithm). The
recommendation of an official organization can be a confidence factor.
05C02-03 Do the procedure and mechanisms of storage, distribution and exchange of keys and more generally the management of the keys offer 4 3 E2
solid guarantees which merit confidence and have they been approved by the Information Security Officer?
05C02-04 Are the sealing mechanisms embodied in electronic components which are in turn strictly protected at a physical level against intrusion 4 3 3 R2
or change?
Sealing mechanisms should be contained within protected appliances to which it should be impossible to gain access, i.e. within a
microprocessor or smart card, and protected physically and logically.
05C02-05 Is shutdown or by-pass of the sealing solution immediately detected and signaled to a team available 24 hrs a day capable of triggering 4 2 R1
an immediate reaction?
05C02-06 In the case of inhibition or bypass of the sealing solution or the activation of an unprotected fail-over link, is there a procedure to 4 2 R1
immediately alert all users?
For example by a warning requiring the user to actively validate its receipt.
05C02-07 Is there a regular audit, at least once a year, of all systems of data integrity protection and of associated procedures? 4 3 C1
05C03 Encryption of exchanges in the case of remote access to the local area network
05C03-01 Have encryption solutions been defined and implemented for exchanges with users connecting from outside (mobile staff, authorized 4 E1 12.3.1
service providers etc.) ?
05C03-02 Does the encryption solution offer valid and solid guarantees and has it been approved by the Information Security Officer? 4 2 E2
The sufficient length of the keys is one of among many parameters to take into consideration (as a function of the algorithm). The
recommendation of an official organization can be a confidence factor.
05C03-03 Do the procedure and mechanisms of storage, distribution and exchange of keys, and more generally the management of the keys, offer 4 3 E2 12.3.2
solid guarantees which merit confidence and are they approved by the Information Security Officer?
05C03-04 Are the encryption mechanisms embodied in physical electronic components which are strictly protected at a physical level against 4 3 3 R1
intrusion or change?
Encryption mechanisms should be contained within protected enclosures to which it should be impossible to gain access, i.e. within a
microprocessor or smart card and protected physically and logically.
05C03-05 Is access to the network from the outside impossible without using encryption 4 2 R1
05C04 Protection of the integrity of exchanges in the case of remote access to the local area network
05C04-01 Have solutions for sealing or integrity control of exchanges with users connecting from the outside (mobile staff, authorized service 4 E2
providers etc.) been defined and implemented?
05C04-02 Does the sealing solution offer valid and solid guarantees and has it been approved by the Information Security Officer? 4 2 E2
The sufficient length of the keys is one of among many parameters to take into consideration (as a function of the algorithm). The
recommendation of an official organization can be a confidence factor.
05C04-03 Do the procedures and mechanisms of storage, distribution and exchange of keys and more generally the management of keys offer 4 3 E3
solid guarantees which merit confidence and have they been approved by the Information Security Officer?
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05C04-04 Are the sealing mechanisms embodied in electronic components which are in turn strictly protected at a physical level against intrusion 4 3 3 R2
or change?
Sealing mechanisms should be contained within protected enclosures to which it should be impossible to gain access, i.e. within a
microprocessor or smart card and protected physically and logically.
05C04-05 Is access to the network from the outside impossible without using integrity control? 4 2 R1
05D Control, detection and resolution of incidents on the local network
05D01 Real-time monitoring of the local area network
05D01-01 Have events or successions of events been analyzed which might reveal abnormal behavior or illicit action on the local area network 4 E2 10.10.2
and as a consequence have specific monitoring indicators or control points been identified?
05D01-02 Is the system equipped with an automatic real time monitoring system in the case of an accumulation of abnormal events (for example 4 E3 10.10.2
unsuccessful connection attempts on non-open ports)?
05D01-03 Is use made of an intrusion detection system or capable of detecting anomalies on the local area network? 4 E2 10.10.2
05D01-04 Are there one or more applications capable of analyzing the individual anomaly diagnostic data on the local area network and of 4 E3
triggering an alert to operational personnel?
05D01-05 Is there within operational personnel a team available 24 hrs a day or group capable of reacting in the case of a monitoring alert on the 4 2 E3
network?
05D01-06 For each case of alert has the expected response from the intervention team been defined and is the availability of the intervention team 4 3 E3
sufficient to face this expectation?
05D01-07 Are the parameters defining alarms strictly protected (restricted access rights and strict authentication) against illicit modification? 4 R1
05D01-08 Does any stoppage of the alarm system, linked to the local area network, trigger an alarm towards the surveillance team? 4 3 R1 10.10.2
05D01-09 Are the elements enabling the detection of an anomaly or incident archived (on disk, cassette or optical disk etc.)? 2 E2 10.10.3
05D01-10 Are the monitoring procedures of the local area network, the detection of the anomalies and the availability of the surveillance team 2 3 C1
subject to regular audit?
05D02 Offline analysis of traces, log files and event journals on the local area network
05D02-01 Has detailed analysis been carried out of the events or succession of events on the local area network which may have an impact on 2 E1 10.10.1
security (refused connections, re-routings, reconfigurations, changes in performance, access to sensitive data or tools etc.)?
05D02-02 Are these events recorded as well as the parameters used for their subsequent analysis? 4 E1 10.10.1
05D02-03 Is there an application capable of analyzing these records as well as performance measures, of establishing statistics, a dashboard and 4 2 3 E2
anomaly diagnostics for examination by a competent team of specialists?
05D02-04 Is the structure, empowered to analyze these summaries (or incidents logs) and security related events, required to do so within a fixed 4 E2
and determined period and does it have sufficient availability?
05D02-05 Has the expected reaction from the surveillance team been defined for each case of alert and are its availability and staffing level 4 E3
sufficient to meet these expectations?
05D02-06 Are the parameters defining the elements to record and the analyses to effect strictly protected against unauthorized change (limited 4 R1 10.10.3
rights and strong authentication)?
05D02-07 Is any inhibition of this recording and processing system immediately signaled to the surveillance team? 4 R1
05D02-08 Are the records and summary analyses protected against any alteration or destruction?? 2 E2 10.10.3
05D02-09 Are the records and summary analyses kept for a long period? 2 E2 10.10.3
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05D02-10 Are the procedures for recording, processing and analysis of the records and summaries as well as the availability of the analysis and 2 C1
corrective team subject to regular audit?
05D03 Management of incidents on the local area network
05D03-01 Is there a hot-line charged with taking, recording and escalating all calls related to the local area network incidents? 2 E1 10.10.5
05D03-02 Is this hot-line available 24 hours a day? 2 E2 10.10.5
05D03-03 Is there a system to support incident management? 2 2 E2 10.10.5
05D03-04 Does this system centralize incidents detected both by operational personnel and by users? 2 E2 10.10.5
05D03-05 Does this system cater for a systematic follow-up of necessary actions? 4 E3 10.10.5
05D03-06 Does this system incorporate a categorization of incidents including statistics and dashboards generation destined for use by the 4 E3
Information Security Officer?
05D03-07 Is the incident management system strictly controlled with regard to unauthorized or illicit modification? 4 3 R1
A strict control requires a reinforced protection in order to modify records and an audit trail or protection by electronic seal of all
modifications of records.
05D03-08 Is each major incident on the network subject to a specific follow-up (nature and description, priority, technical solution, analysis in 4 E2 13.2.1
progress, expected resolution lead time etc.)?
06A01-02 Is operational network personnel required to sign contract clauses of adherence to that security policy (no matter their status: 4 E2
permanent or temporary staff, students, etc.)?
06A01-03 Do these clauses make clear that the obligation to respect security applies to all information no matter what the medium is (paper, 2 2 E3
magnetic, optical, etc.)?
06A01-04 Do these clauses make clear, if necessary and legally possible, that the obligation to respect the security policy applies without 4 2 E3
limitation in time?
This applies, in particular, to the clauses concerning confidentiality, they may (and often must) continue after the end of the
contract linking (directly or indirectly) the employee or service provider or partner to the company
06A01-05 Do these clauses make clear that the personnel has an obligation not to tolerate any action contrary to security from other 4 3 E3
people?
06A01-06 Does the signature of these clauses represent a formal commitment? 4 3 E2
In order to achieve a formal commitment, the personnel should explicitly state that his/her signature implies having understood
and accepted the security policy
06A01-07 Are these same clauses obligatory for contractors working on network operations? 4 2 E2
Practically, the contractors should ensure that their personnel sign individually and explicitly under the same conditions than
internal staff.
06A01-08 Is there a mandatory and well adapted training course aimed at network operations personnel? 2 E2
06A01-09 Are the confidentiality agreements, signed by personnel, securely kept (at least in a locked cupboard )? 2 3 R1
06A01-10 Are the confidentiality agreements, signed by external contractors, securely kept (at least in a locked cupboard )? 2 3 R1
06A01-11 Is there a regular audit, at least once a year, of the effective application of the signature procedure by operational personnel 2 3 C1
(directly employed by the company or indirectly through a service company) ?
06A02 Control of the implementation or upgrade of software or hardware
06A02-01 Is there a control procedure for change decisions, equipment and system evolutions (registration, planning, formal approbation, 2 2 E1 10.1.2
communication to all concerned individuals, etc.)?
06A02-02 Are the change decisions based on an analysis of the capacity of the new equipment and systems in ensuring the required load 2 E2 10.3.1
taking into account the evolution of foreseeable requests?
06A02-03 Do the installations take into account physical protection (protected access, no direct external view to equipments, absence of 2 E2 9.2.1
physical threats, climate conditions, protection against thunderbolts, protection against dust, etc.)?
06A02-04 Is there a definite review, involving Information Security Office personnel, of the potential risks related to functional changes 2 E2 12.4.1; 10.3.2
associated to each new or revised network software or equipment?
06A02-05 Does this review contain an analysis of the risks that may arise from these functional changes? 2 2 E2 12.4.1; 10.3.2
06A02-06 Has operational staff received specific formal training in risk analysis? 1 E3
06A02-07 Does operational staff obtain appropriate advice when needed? 4 E3
06A02-08 Are security measures, to be implemented to counter any new risks identified, subject to formal review and control before start of 4 E2 10.3.2
production?
06A02-10 Are the security parameters and configuration rules controlled before any new version is installed and operated? 4 E2 11.4.4; 10.3.2
06A02-11 Is it considered the possible impact over the continuity plans due the system changes? 2 E2 10.3.2
06A02-12 Are any dispensations from the prior risk analysis and control of security parameters subject to strict procedures requiring the 4 R1
signature of a senior manager?
06A02-13 Is the start of production of new equipment or software only possible by operational staff? 4 2 E2 12.4.1; 6.1.4
06A02-14 Is the start of production of new equipment or software only possible following a defined validation and authorization process? 2 3 E3 12.4.1; 6.1.4
06A02-15 Are all the control procedures related to start of production subject to regular audit? 2 3 C1
06A03 Control of maintenance operations
06A03-01 Is it kept a trace of all maintenance operations? 1 E2 9.2.4
06A03-02 Are all maintenance operations required to terminate with a systematic verification of all security parameters (as defined at the 4 2 E2
start of production)?
06A03-03 Are all maintenance operations required to terminate with a systematic verification of security log files parameters (events to be 4 3 E3
recorded, context of events to be recorded, duration of retention, etc.)?
06A03-04 Are all maintenance operations required to terminate with a systematic verification of administration control parameters 4 3 E3
(necessary profile, authentication type, removal of standard logins, etc.)?
06A03-05 Is a formal dispensation, signed by a responsible manager, required if the above mentioned procedures are not observed? 4 E3
06A03-06 Is the totality of start of production (after maintenance) control procedures regularly audited? 2 3 C1
06A04 Control of Remote Maintenance
06A04-01 In the case of remote maintenance, is there a secure authentication procedure of the remote maintenance center? 2 E2 11.4.4
06A04-02 In the case of remote maintenance is there a secure authentication procedure for maintenance personnel? 4 2 E2 11.4.4
06A04-03 Is there a set of procedures covering the attribution of access rights for a new maintenance operative, the revocation of rights and 2 E3 11.4.4
the attribution of rights in emergency situations?
06A04-04 Have the procedures and protocols for the exchange and storage of secret data etc., been approved by the Information Security 4 E3
Officer or a specialized organization?
06A04-05 Does the usage of the remote maintenance line require the prior agreement (for each usage) of operational personnel (following 4 E2 11.4.4
the provider's request specifying the nature, date and time of the intervention )?
06A04-06 Is the equipment allocated for remote maintenance protected against inhibition or modification of access conditions, resulting in 2 2 R1
the triggering of an alarm?
06A04-07 Are all the control procedures for remote maintenance regularly audited? 2 3 C1
06A05 Management of Operating Procedures for Network Operation
06A05-01 Do the network operating procedure result from the study of the overall cases to be covered by said procedure (normal operating 4 E2 10.1.1
cases and incidents)?
06A05-02 Are the operating procedures documented and kept up to date? 4 E2 10.1.1
06A05-03 Are these operating procedures readily available upon request by any accredited individual? 4 E2 10.1.1
06A05-04 Does the Management approve changes to procedures ? 2 E2 10.1.1
06A07-04 Is a formal dispensation, signed by a responsible manager, required if the above mentioned procedures are not observed? 4 E3
06B01-02 Does this document (or documents) require the removal of all generic or by default accounts and does it detail the list of such 4 2 E2
accounts?
06B01-03 Does this document or procedure impose a synchronization feature, based on a reliable time reference? 4 E2 10.10.6
06B01-04 Are these parameters set and updated regularly in line with latest information and in cooperation with expert authorities 2 3 E3
(specialized audits, subscription to a service center, regular consultation with CERTs, etc.)?
CERT : Computer Emergency Response Team.
06B02-04 Is the configuration of network equipment of user workstations checked systematically for compliance against this reference 2 3 E2
document?
06B02-05 Is this control effected systematically, at each connection to the network? 4 E3
06B02-06 Are there automatic routines which systematically analyze the use of the telephone network for data transmission? 4 E3
06B02-07 Are there automatic routines which test for the presence of non declared wireless network (WiFi) access points? 4 E3
06B02-08 Are user workstations protected against the possibility of installing systems software and of modifying configurations? 4 E3
06B02-09 Is there a regular audit of the user configuration reference document and is the configuration control procedure regularly 2 3 C1
executed?
06C Control of administrative rights
06C01 Control of special access rights to network equipment
06C01-01 Has a management policy for privileged access rights on the network equipment been established, based on a pre-analysis of 2 E1 11.1.1
the security requirements and business stakes?
06C01-02 Is this policy documented, regularly reviewed, and approved by the affected managers? 2 E2
06C01-03 Have profiles been defined, as part of network operations, corresponding to each type of activity (equipment administration, the 1 E1 10.1.3; 10.6.1;
administration of security equipment, network management, management of backup medias and contents etc.)? 11.2.2
06C01-04 For each profile have the necessary administrative rights been defined? 4 2 E1 10.1.3; 10.6.1
06C01-05 Does the process of attribution of administrative rights require the formal authorization of management (or the manager 4 2 E2 10.1.3
responsible for external service providers) at a sufficiently high level?
06C01-06 Does the process of attribution of administrative rights effected uniquely in relation to the profile of the holder? 4 2 E2 10.1.3
06C01-07 Is the process of granting (modification or retraction) of special rights to an individual strictly controlled? 4 2 3 R1 11.2.2
A strict control requires a formal recognition of the signature (electronic or not) of the requestor, that there be an access control in
order to attribute or modify such rights and that any modification of special rights be logged and audited.
06C01-08 Is there a systematic process of removal of administrative rights at the time of departure or role change of staff? 4 3 E2 11.2.4
06C01-09 Is there a regular audit, at least once a year, of all administrative rights attributed ? 1 2 C1 11.2.4
06C02-02 Are the rules, for instance in the case of passwords, considered to be very strict? 2 2 E2
Strict rules impose the use of tested non-trivial passwords and the use of a mixture of different types of character of a reasonable
length (ten or more characters). It is desirable that such rules be decided or agreed upon by the CISO.
06C02-03 Is a strong authentication used for the connection of administrators to the supervision system as well as for the connection of the 4 2 E2
supervision system to network equipments?
If the administrator connects to a hypervisor (such as HP OpenView, IBM TIVOLI, CA Unicenter, BMC Patrol or Bull OpenMaster)
with secure authentication and effective access control, an equivalent level of security is needed for the objects that are managed
(avoiding for example visible passwords, default public and community groups, access via telnet or simple SQL) in order to avoid
malicious direct action on the equipment.
06C02-04 Is there a consistent control of the administrator's rights, of its context, and of the suitability of this context with the requested 4 E2
access, as per formal rules of access control?
06C02-05 Are authentication parameters under strict control? 4 2 R1
A strict control requires that the list of people able to change authentication rules, the identifiers themselves and the rules for
monitoring connection attempts be strictly limited, that there be a reinforced access control in order to be able to modify these
rights and that any modification of these rights be logged and audited and that there be a general audit at least once a year of all
authentication parameters.
06C02-06 Are the processes that guarantee authentication under strict control? 4 3 R1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there
is an audit at least once a year of the authentication procedures and processes.
06C02-07 Is there a regular audit of existing profiles having administrative rights? 4 3 C1 11.2.4
06C02-08 Is there a regular audit of the procedures for granting profiles and the security parameters protecting the profiles and the rights? 4 3 C1
06D01-02 Are the rules related to network audits, relevant procedures and associated responsibilities defined and documented? 3 E2 15.3.1
The limits to be determined concern the type of access to the equipment, the controls and authorized processing, the deletion of
sensitive data obtained, the flagging of certain operations, ... and the empowerment of the individuals conducting the audits.
07A01-03 Is it possible to adjust the access rights attributed to a given profile, based on the nature of the connection and equipment used 4 E2
(location, link, network, protocol, encryption, etc) and on the classification of the resources accessed?
07A01-04 Do the profiles also allow definition of working time limits (daily hours and periods in the working calendar, weekends, holidays 2 E3 11.5.6
etc.)?
07A01-05 Have these profiles and the access rights attributed to the different profiles, as a function of context, been approved by the 4 2 E2 11.5.6
information owners and the Information Security Officer?
07A01-06 Is the process of definition and management of rights attributed to profiles under strict control? 4 3 R1
A strict control requires that the list of people able to change rights attributed to profiles be strictly limited and that the
implementation of these rights into tables be strictly secure during transmission and storage and that there exists a reinforced
access control in order to be able to modify these rights and that any modification of these rights be logged and audited.
07A01-07 Is it possible to review at any time, the complete list of profiles and of the rights attributed to each profile? 2 2 C1
07A01-08 Is there a regular audit at least once a year of all rights attributed to each profile and the profile management procedures? 4 2 C1 11.2.4
07A02-02 Are authorizations granted to named individuals only as a function of their profile? 2 E1
07A02-03 Is the procedure for granting (or changing or revoking) authorization to an individual (either directly or via his profile) strictly 4 2 3 E2 11.2.2
controlled?
A strict control requires a formal recognition of the signature (electronic or otherwise) of the requestor, that the implementation of
the profile attributed to users in the form of tables is highly secure during transmission and storage and that there be a reinforced
access control over the modification of such records and that any modification of records be logged and audited.
07A02-04 Is there a systematic process of updating the table of access authorizations at the time of departure of personnel (either internal 4 3 E2 11.2.4
or external)?
07A02-05 Is there a systematic process of updating the table of access authorizations at the time of change of function? 4 E3 11.2.4
07A02-06 Is there a strictly controlled process (as above) which allows to delegate his/her own authorizations, in part or in whole, to a 4 E3
person of choice for a determined period (in case of absence)?
In this case, the delegated rights must no longer be authorized to the person who has delegated them during this time. The owner
however, must have the possibility of taking them back, by which process he or she effectively ends the delegation.
07A02-07 Is it possible to control at any time, for all users, the rights, authorizations and privileges in force? 2 C1
07A02-08 Is there a regular audit, at least once a year, of the profiles and authorizations granted to all users and of the procedures for 1 2 C1 11.2.4
management of attributed profiles?
07A03 Authentication of the access requestor (user or entity)
07A03-01 Does the process of distribution or modification of the user credentials guarantee that only the holder of the identifier can have 2 1 E1 11.5.3
access to them (initial communication is confidential, password change is under the exclusive control of the user, etc.)?
07A03-02 Does the process of definition or modification of user credentials respect a set of rules which ensures their intrinsic validity? 4 2 E2 11.2.3; 11.5.3
In the case of passwords: sufficient length (8 characters or more), obligatory mixture of types of characters, frequent change (less
than once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard
systems", first names, anagrams of username, dates etc. In the case of certificates and authentications based on cryptographic
mechanisms: generation process evaluated or publicly recognized, keys of a sufficient length etc.
07A03-03 Does the process of presenting a user password guarantee its inviolability? 4 2 E3 11.5.1; 11.5.3
The usage of a password will always be a weak point. The only process which does not divulge observable information consists
of either introducing an object containing a secret (smart card), or entering a code which changes at every moment (token card
type SecureId) or using a biometric characteristic.
07A03-05 Do the mechanisms for retention and usage of credentials by the user (or by the equipment representing the user) or by the 2 2 3 E2 11.5.1; 11.5.3
target systems guarantee inviolability and authenticity of these credentials?
Passwords must be stored encrypted and a preliminary access control must be made before being accessible to the user.
In the case of authentication using cryptographic procedures, the mechanism must propose solid guarantees validated by a
recognized organization.
07A03-06 Do the mechanisms used for the transmission of the credentials between the user and target equipments guarantee inviolability 2 2 3 E3 11.5.1; 11.5.3
and authenticity of these credentials?
Transmission of a password must be encrypted or use an algorithm which introduces a variable at each transmission.
In the case of authentication using cryptographic procedures, the mechanism must propose solid guarantees validated by a
recognized organization.
07A03-07 In the case of multiple incorrect authentication attempts, is there an automatic process which temporarily invalidates the identifier 4 2 E2 11.5.1; 11.5.3
used or, possibly, the user workstation itself, or which slows down the authentication process so as to inhibit any automatic
routine from connecting?
07A03-08 Does the procedure for the replacement of a lost or mislaid user credential (password, token card) allow the instant deactivation 2 2 E2 11.5.3
of the old credential?
07A03-09 Does the procedure for the replacement of a lost or mislaid user credential (password, token card) allow an effective control of 2 2 E3 11.5.3
the requestor's identity?
07A03-11 Are the processes that ensure authentication under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (close with a seal)
and that there be an audit at least once a year of authentication procedures and processes (including the processes which aim to
detect intrusion attempts and the processes which respond to these intrusion attempts).
07A04-05 May the authentication process be renewed during an open session for those transactions considered to be sensitive? 4 E3
07A04-06 Is there an automatic invalidation of the user session in the absence of traffic after a defined duration, thus requiring user re- 4 E3 11.5.5
identification and re-authentication?
07A04-07 Is there a systematic control, based upon definite access rules, of the profile of the requestor, of the association context and of 4 2 E3
the appropriateness of that profile and context for the access requested?
07A04-08 Are the parameters for the definition and management of access filtering rules under strict control? 4 2 R1
A strict control requires that the list of persons allowed to change the security parameters for access filtering be extremely limited,
and that there be a reinforced access control in order to be able to effect such modification and that any modification be logged
and audited.
07A04-09 Are the processes that guarantee access filtering under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (close with a seal)
and that there be an audit at least once a year of access filtering procedures and processes (including the processes which aim
to detect intrusion attempts and the processes which respond to these intrusion attempts).
07A04-10 Are regular tests carried out to attempt to break into the information system and are there detailed technical audits run by 2 3 R2
specialists?
07A05 Authentication of the server for access to sensitive servers
07A05-01 Is there a possibility to declare servers as sensitive and, as such, requiring an authentication of the server accessed? 4 1 E2
07A05-02 Is there a mechanism of authentication of the server called before access to a sensitive server from the internal network? 4 1 E2
07A05-03 Does the authentication mechanism of the accessed servers provide a recognized "strong" level of security? 4 2 E3
Notably the usage of a simple password will always be a weakness. The only methods recognized as "strong", that is observable
without divulging information, are those based on cryptographic algorithms.
07A05-04 Do the security equipment that retain credentials (e.g. passwords, calling number, etc.) use mechanisms which guarantee their 4 3 E2
impregnability and authenticity?
Passwords must be stored encrypted and a preliminary control of the user must be made before usage.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a
recognized organization.
07A05-05 Does the transmission of credentials (e.g. passwords, calling address, etc.) between calling user equipment and authentication 4 3 E3
systems use mechanisms which guarantee their impregnability and authenticity?
Transmission of a password must be encrypted or use an algorithm which introduces a variable at each transmission.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a
recognized organization.
07A05-06 Does the revoked keys management procedure guarantee that the control systems take into consideration in real time any 4 2 E2
revocation of keys?
07A05-07 Does the revoked keys management procedure guarantee that the control systems systematically test that the keys used have 4 2 E3
not been revoked?
07A05-08 Are the processes that guarantee the authentication of the accessed entities under strict control? 4 3 R1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there
is an audit at least once a year of the authentication procedures and processes.
07C01-01 Has a specific analysis been carried out to determine which access requests and related parameters will be logged? 4 E2 10.10.2
07C01-02 Is a tool or control application used which is able to log accesses to sensitive resources (applications, files, databases, etc.)? 4 E2 10.10.2
07C01-03 Are the rules, specifying which accesses to log and retain, formalized? 2 E2
07C01-04 Have the rules, specifying which accesses to log and retain, been approved by the information owners or the Information Security 4 E3
Officer?
07C01-05 Do the rules which specify which accesses will be logged include the necessary elements to carry out a subsequent investigation 2 E2 10.10.1
in the case of anomaly?
These rules should specify for each type of access (system, database management system, etc. ) the fundamental elements to
record; for example user ID, the service or application requested, date and time, the point from where the access was requested
if known etc.
07C01-06 Have these rules been validated by Legal Department (particularly for logs containing personal data)? 2 2 E3 10.10.1
07C01-07 Are all these records archived (on disk, cassettes, optical disk, etc.) and conserved for a long period in such a way as to be un- 2 E2 10.10.1; 10.10.3
modifiable?
07C01-08 Are the parameters for definition and management of recording connections (login) and called applications under strict control? 4 2 R1 10.10.3
A strict control requires that the list of persons allowed to change the definition parameters and the management of the recording
rules for the logins and called applications be strictly limited and that there exist a reinforced access control to effect these
modifications and that these modifications be logged and audited.
07C01-09 Are the processes which ensure the recording of connections and called applications under strict control? 4 3 C1
A strict control requires that the software used for recording has been validated and undergoes a regular test for integrity (closed
with seal) and that there be an audit at least once a year of recording procedures and processes (including the processes which
aim to detect modification attempts and the processes which respond to these modification attempts).
07C02-06 Have these rules been validated by Legal Department (particularly for logs containing personal data)? 2 2 E3 10.10.1
07C02-07 Are all these records archived (on disk, cassettes, optical disk, etc.) and conserved for a long period in such a way as to be un- 2 E2 10.10.3; 10.10.1
falsifiable?
07C02-08 Are the parameters for definition and management of the rules for recording privileged system calls under strict control? 4 2 R1 10.10.3
A strict control requires that the list of persons allowed to change the recording parameters be strictly limited and that there exists
a reinforced access control to effect these modifications and that these modifications be logged and audited.
07C02-09 Are the processes which ensure the recording of privileged system calls under strict control? 4 3 C1
A strict control requires that the software used for recording has been validated and undergoes a regular test for integrity (closed
with seal) and that there be an audit at least once a year of recording procedures and processes (including the processes which
aim to detect modification attempts and the processes which respond to these modification attempts).
07D01-02 Has this analysis allowed to detail the minimum performance levels that must be maintained for each system and have these 4 2 E2
performance levels been accepted by users or information owners?
07D01-03 Has the appropriate level of architectural redundancy been determined (e.g. clusters or disk replication ) for the servers or 4 2 E2
equipment concerned?
07D01-04 Does the architecture and its implementation guarantee that the minimum performance levels will be exceeded in the case of an 4 2 E2
incident of failure?
Such a guarantee supposes that either failsafe systems are entirely automatic or that sufficient detection systems and staff are in
place so as to manually reconfigure them.
07D01-05 Is there an assurance in this case that secondary equipment (power supply, air-conditioning, etc. ) does not introduce any 2 E3
additional risk and does not eliminate redundancy envisaged for the systems architecture or equipment?
07D01-06 Does any shutdown or inhibition of redundant equipment or system devoted to detecting the need for human intervention or for 2 R1
automatic reconfiguration trigger an alarm to an operational manager?
07D01-07 Are regular tests made to demonstrate that security equipment is able to guarantee minimum performance levels required in the 2 3 C1
case of an incident or failure?
07D02 Isolation of Sensitive Systems
07D02-01 Has the systems' sensitivity been analyzed (based on the applications and data processed) including peripheral systems or 3 E2 11.6.2
robots used for storage or archiving, print servers or central printing equipment, etc.) to highlight their security requirements?
A thorough analysis implies the establishment of a list of incident scenarios (A, I, C), for which all foreseeable consequences
were analyzed.
07D02-02 Did this analysis allow to formalize minimum requirements for each system and were these minimum requirements accepted by 3 E2 11.6.2
the users (information owner)?
07D02-03 Have appropriate isolation measures (physical and logical) been determined for these servers and equipment? 3 E2 11.6.2
These measures may impose to use different data centers for sensitive servers or applications from other servers.
08A01-05 Do these clauses make clear that the personnel has an obligation not to tolerate any action contrary to security from other people? 4 3 E3
08A01-11 Is there a regular audit, at least once a year, of the effective application of the signature procedure by operational personnel 2 3 C1
(directly employed by the company or indirectly through a service company) ?
08A02 Control of the operational tools and utilities
08A02-01 Have different profiles been defined for the systems operation staff (administration and management of configurations, 4 E1
administration of security equipment, monitoring, audit and investigation)?
08A02-02 Are all members of systems operation staff attributed with one of these profiles? 4 E2
08A02-03 Have all the sensitive system tools and utilities (rights administration, configuration management, backups, copies, hot restarts, 4 E2 11.5.4
etc.) been exhaustively audited and listed for each profile?
08A02-04 Is it possible only for holders of a certain profile to use the corresponding tools and utilities subsequent to proper strong 2 2 E3 11.5.4
authentication (smart card or token card)?
08A02-05 Is it forbidden to create or add sensitive tools or utilities without formal authorization? 2 2 E2 11.5.4
08A02-06 Is there a regular automated check to enforce this rule which triggers an alert to an appropriate manager? 2 2 E3 11.5.4
08A02-07 Does the segregation of rights of systems operation staff prevent undue modification of sensitive tools or utilities or at least, is 4 2 E3 11.5.4
there an automatic routine which checks that no modification has been made and which may trigger an alert to a manager if so?
08A02-08 Are the granting of administrative profiles and the implementation of the aforementioned security measures subject to regular 2 2 C1
audit?
08A05-04 Is a formal dispensation, signed by a responsible manager, required if the above mentioned procedures are not observed? 2 3 E3
08A06-02 In the case of remote maintenance, are maintenance staff subject to a secure authentication procedure? 4 2 E2 11.4.4
08A06-03 Is there a set of procedures covering the granting and revocation of access rights for remote maintenance operatives and the 2 E3 11.4.4
granting of rights in urgent situations?
08A06-04 Have the procedures and protocols for transmission and retention of secret conventions (in the case of remote maintenance) been 4 E3
approved by the Information Security Officer or a qualified specialist?
08A06-05 Does the usage of the remote maintenance line require the prior agreement (for each usage) of system operations personnel 4 3 E3 11.4.4
(upon request by the manufacturer or editor specifying the nature, date and time of the intervention)?
08A06-06 Are data or command exchanges during remote maintenance protected by encryption? 4 2 E3
08A06-07 Are data or command exchanges during remote maintenance protected by integrity control (sealing)? 4 2 E3
08A06-08 Is the usage of the remote maintenance line under strict control ? 4 3 E2
A strict control supposes that each use of the line, the name of the maintenance operative and the actions carried out is registered,
and that there be a subsequent audit of the appropriateness of the actions and their conformity with the rules laid down by
maintenance managers.
08A06-09 Are the equipment accessible for remote maintenance protected against inhibition or modification of the access conditions for 2 2 R1
remote maintenance (e.g. by the triggering of an alarm)?
08A06-10 Are control procedures for remote maintenance regularly audited? 2 3 C1
08A07 Protection of sensitive printed documents and reports
08A07-01 Are all sensitive documents and reports printed in secure premises? 4 E1
08A07-02 Are all sensitive documents and reports protected against diversion while being produced? 4 3 E1
08A07-03 Are all sensitive documents and reports protected against diversion while waiting for distribution? 4 3 E1
08A07-04 Does the distribution system for printouts and reports ensure protection against theft (locked cabinets and carrying cases during 4 3 E2
transportation)?
08A07-05 Does the distribution system for printouts and reports ensure protection against prying consultation? 4 3 E2
08A07-06 Does the distribution system for printouts and reports require the addressee to be authenticated prior to their delivery? 4 3 E3
08A07-07 Are printed documents and reports labeled anonymously without showing any particular classification? 4 E2
08A07-08 Are these measures adapted to the maximum security level of the information within (temporary storage in locked strong boxes 4 E2
and hand delivery for very sensitive information)?
08A07-09 Are sensitive printed documents and reports put on the scrap destroyed in a secure way so that they cannot be exploited? 4 3 E2
08A07-10 Are the security procedures for distribution of printed material regularly audited? 2 3 C1
08A08 Management of Operating Procedures for IT production
08A09-05 Is there a regular review of these incidents or malfunctions with the concerned suppliers and providers? 2 E2 10.2.2
08A09-06 Are any changes in the contract relationship (obligations, service levels, etc.) analyzed for resulting potential risks? 2 E3 10.2.3
08B Control of hardware and software configurations
08B01 Conformity control of systems parameters and configurations
08B01-01 Is there a document (or a set of documents ) or an operational procedure which describes all security parameters for the systems? 4 2 E1
Such a document should be derived from the security policy and describe all the filtering rules decided. It should also mention the
reference to the system versions so as to check the status of the updates.
08B01-02 Does this document require that all generic or by default accounts be deleted and their list established? 4 2 E2 11.4.4
08B01-03 Are the system versions, fixes and parameters updated regularly in line with latest information? 2 3 E2 10.7.4; 12.6.1
This should be done in cooperation with expert authorities (specialized audits, subscription to a service center, regular consultation
with CERTs, etc.)
08B01-04 Does the resulting document or procedure impose a synchronization feature, based on a reliable time reference? 4 E3 10.10.6
08B01-05 Are these reference documents protected, by secure methods, against untimely or illicit alteration (sealing)? 2 3 R1 10.7.4
08B01-06 Is the integrity of system configurations checked, regularly (at least weekly) if not at each system start-up, against the configuration 4 2 E3 15.2.2
theoretically expected?
08B01-07 Are regular audits carried out of the compliance to the specifications for security parameters? 2 R1 15.2.2
08B01-08 Are regular audits carried out of the exception and escalation procedures in the case of difficulty or installation problems? 2 R1 15.2.2
08B01-09 Are the development and test environments separated from the operational environments? 1 C1
08B02 Conformity control of operational software configurations (including packages)
08B02-01 Is there a document (or a set of documents ) or an operational procedure which describes the security parameters for all 4 2 E1
applications?
These parameters should result from the security architecture retained for the applications
08B02-02 Is this document updated for each change of version? 2 2 E2
08B02-03 Does this document require that all generic or by default accounts be deleted and their list established? 4 2 E2
08B02-07 Are regular audits carried out of possible differences between the security parameters expected and effectively implemented? 2 R1 15.2.2
08B02-08 Are regular audits carried out of the exception and escalation procedures in the case of difficulty or installation problems? 2 R1 15.2.2
08B03-04 Is the protective seal controlled automatically (otherwise it may be an authoritative signature) at each new installation? 4 R2
08B03-05 Is a check made of the proof of origin and integrity of received maintenance module or a new version, from the editor or the 4 E2
manufacturer (for operating systems)?
08B03-06 Are the sealing and sealing control tools protected against any unauthorized usage? 4 R2
08B03-07 Does the inhibition of the automatic control of seals trigger an alarm to a manager? 4 E3
08B03-08 Are there regular audits of protection procedures for reference programs? 4 C1
08C Management of storage media for data and programs
08C01 Management of storage media
08C01-01 Are all media removals from the media library controlled by a dedicated person or department responsible for the media handling? 4 E1 10.7.1
08C01-02 Are media returns after use by the operations controlled by the same person or department? 4 E2 10.7.1
08C01-03 Is the removal of storage media systematically registered (date and time, individual responsible for media, etc.) ? 4 E2 10.7.1
08C01-04 Is the disposal of storage media systematically registered (date and time, individual responsible for media, etc.) ? 4 E2 10.7.1; 10.7.2
08C01-05 Is there a procedure to erase data on media before exit or disposal? 1 E3 10.7.1; 9.2.6
08C01-06 Are any missing items systematically subject to a search procedure and a follow-on form included in the overall operational 4 E2
dashboard?
08C01-07 Are all movements of storage media into or out of the library strictly controlled with respect to production systems planning? 4 E3
08C01-08 Are the files related to storage media management under strict control? 4 2 R1
A strict control requires that people authorized to access the files be registered and in limited number, that there be a reinforced
access control to be able to modify the files and that any modification be logged and audited.
08C01-09 Are the processes which ensure the management of storage media under strict control? 4 3 C1
A strict control requires to control that the software has been effectively, that a regular data integrity test (seal) be performed and
that there is an audit, at least once a year, of media management procedures and processes (including handling the anomalies
detected in the course of storage media management).
08C02-03 Are the processes which ensure the management of storage media marking under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there is
an audit at least once a year of support media marking procedures and processes (including a management of anomalies detected
in the course of support media marking).
This presupposes that there be a document which details all of the requirements of support media marking.
08C03-04 In addition to access control for the normal exits, is there a specific control for non authorized exits (windows accessible from 4 3 E3
outside, emergency exits, potential access via false panels, flooring and ceilings, etc)?
08C03-05 Are the automatic access control systems under 24 hr surveillance enabling to detect in real time the failure or deactivation of the 2 2 R1
system or the usage of emergency exits?
08C03-06 Is there an audit procedure enabling later to uncover irregularities in the access control procedures (audit of procedures and 2 3 C1
parameters of access control systems, audit of exceptions and of interventions etc.)?
08C03-07 Is there an operational intrusion detection system for the storage locations, linked to a 24 hr monitoring center? 4 2 R2
08C03-08 Are the on site locations for production storage media placed under 24 hours surveillance (video surveillance of the location itself)? 4 3 R2
08C03-09 Is the transfer of production media, between the production and on site storage locations, under strict control (specific moving 2 E2
procedures, secured containers etc.)?
08C03-10 Is the storage location of production storage media protected against accidental risk (fire detection and extinguisher equipment, 4 E2
protection from water damage, etc.)?
08C03-11 Is the storage location for production storage media regulated and supervised for temperature and humidity? 4 E2 10.7.1
08C03-12 Are the automatic fire, flood and humidity detection systems, under 24 hour operational control enabling to detect in real time a 2 2 R1
failure, a deactivation or an alarm?
08C03-13 Is there a procedure or automatic routine which triggers the immediate intervention of specialized personnel in the case of an 2 2 C1
alarm (of the access control system or the incident detection system)?
08C04 Physical security of storage media (kept in an external site)
08C04-01 Is use made of a specialized company, which offers contractual guarantees of security, for the storage of archives outside the 4 E1
production site?
08C04-02 Does the contract signed with the outside media storage company ensure a high level of security (strong access authentication, 4 3 E2
control of access points and emergency exits, intrusion detection, video surveillance, protection against natural risk, intervention
team, etc.)?
08C04-03 Does the procedure used for the transfer of sensitive media to the external storage location require a high level of security (like 4 E2 10.8.3
secure containers and transporters accredited by the company)?
08C04-05 Is there a regular audit of the security measures used by the company ensuring the external storage of archives and backups? 2 3 C2
08C04-06 Is there a regular audit of the management procedures related to storage media (transport and return )? 2 3 C1
08C04-07 Is there a regular audit of the contractual clauses specifying relations with the company ensuring the external storage of archives 2 3 C1
and backups?
08C05 Verification and turnover of archive storage media
08C05-01 Are the storage media which retain data for long periods (archives) regularly verified (as a function of the frequency of updates and 4 E2
the classification of the information)?
08C05-02 Are the storage media which retain data for long periods (archives) periodically copied to new storage media with the maintenance 4 E2
of an inventory and redundancy of media?
08C05-03 Is there a regular verification of the technical compatibility between the storage media and the operational solution used to effect 2 E3
restoration of data?
08C05-04 Are regular tests carried out of archived media readability? 4 E2
08C05-05 Do the reread tests contain controls of the authenticity of the information stored? 4 E3
08C05-06 Are the files used for the management of storage media rotation and sampling under strict control? 4 3 R2
A strict control requires that people authorized to access the files be registered and in limited number, that there be a reinforced
access control to be able to modify them and that any modification be logged and audited.
08C05-07 Are the procedures concerning the verification of archived storage media regularly audited? 2 3
08C06 Security of storage networks (SAN : Storage Area Network and NAS)
08C06-01 Are the storage networks physically or logically isolated from other data networks? 4 E1
08C06-02 Are the storage networks protected by a firewall which only allows data and administrative flows related to storage? 4 2 E1
08C06-03 Is access to storage bays subject to strong authentication, for authorized elements (servers and administration stations)? 4 3 E2
08C06-07 Are the security mechanisms for access to data protected against infraction or alteration? 4 3 R1
08C06-08 Is the switching off or bypass of security mechanisms immediately detected and signaled to a responsible team? 4 2 R1
08C06-09 Is this team available 24 hrs a day and capable of intervening immediately? 4 2 R1
08C06-10 Is there a procedure detailing the actions to carry out in the case of error or alert? 3 C1
08C07 Physical Security of Transiting Medias
08C07-01 Are the transfer of medias between sites (internal or external) strictly controlled (specific procedures, follow-up or secured 2 E1 10.8.3
containers, etc.) ?
08C07-02 Are the medias marked anonymously, without reference to any classification, while in transit? 4 E2
08D01-07 Do the maintenance contracts anticipate the complete replacement of equipment in the case of important damage which might not 4 E3
be taken into consideration by reparative maintenance?
08D01-08 Are the maintenance contracts, the choice of subcontractors and associated maintenance procedures subject to regular audit? 2 3 C1
08D02-02 Do the suppliers provide a technical software support center which guarantees a quick and competent telephone assistance? 2 E2
08D02-03 Do the software maintenance contracts anticipate the regular release of new versions taking into account all applicable fixes to the 4 E2
product?
08D02-04 Are there specific maintenance contracts for software products (systems, middleware and applications) which require corrective 4 E2
delays that standard maintenance cannot cover?
08D02-05 Do these contracts detail specific maximum intervention delays, compatible with the availability requirements? 4 2 E2
08D02-06 Do the contracts detail the required time slots and days of intervention (24h/7d for example) compatible with the requirements of 4 2 E3
availability?
08D02-07 Do the contracts stipulate the conditions of escalation in case of difficulty? 4 3 R1
08D02-08 Do the contracts specify specific clauses when system downtime exceeds specific durations stipulated (penalties, replacement of 4 3 E3
hardware, etc.)?
It is desirable that these clauses be general and apply to all cases no matter what the reasons (technical difficulty, staff strikes,
etc.)
08D02-09 Are the maintenance contracts, the choice of subcontractors and associated maintenance procedures subject to regular audit? 2 3 C1
08D03 Application recovery procedures and plans following incidents during operation
08D03-10 For encrypted data retrieval, does the Key Management provide the recovery for lost or altered keys? 2 E3 12.3.2
08D04 Backup of software configurations (system, applications and configuration parameters)
08D04-01 Has a backup plan been established which covers all programs and defines all objects to save and the frequency of backups? 4 E1 10.5.1
08D04-02 Does the plan also cover system and middleware configuration parameters to save? 4 3 E2 10.5.1
08D04-03 Does the plan also cover application parameters to save? 4 3 E2 10.5.1
08D04-04 Is the plan implemented by automatic production routines? 2 3 E2 10.5.1
08D04-05 Are there regular tests that the backup copies of programs (source code and/or executables) enable the effective restoration of the 4 2 E2 10.5.1; 14.1.5
production environment at any time?
These tests should consider all the backups (including documentation and parameters files) of legitimate elements.
08D04-06 Are the production routines which ensure backups protected, against illicit or undue modification, by secure mechanisms? 4 3 R1 10.5.1
Such mechanisms might be electronic seal or any equivalent modification detection system.
08D05-02 Has an analysis been carried out with the users in order to define for each file the maximum acceptable time between two 2 E1 10.5.1
backups?
These studies are to be based on the capacity to rebuild lost information and permit to define the required backup cycle
08D05-03 Have studies been made of the necessary synchronization between bound backups for all platforms in order to ensure the proper 2 E1 10.5.1
functioning of the resumed applications and the coherence of the data necessary for this resumption?
08D06-03 Has an activity recovery solution been defined and implemented to resolve each scenario identified above, in accordance with user 4 2 E1 14.1.3
requirements?
08D06-04 Are the technical, organizational and human resources sufficient to address the organization's requirements for IT continuity? 4 E2 14.1.3
This means being able to correct personnel deficiencies
08D06-05 Are the technical, organizational and human resources educated to address the organization's requirements for IT continuity? 4 E2 14.1.3
This implies to train appropriately all concerned staff.
08D06-06 Are all these solutions described in detail in Disaster Recovery Plans including the conditions for triggering the plan, the actions to 4 E1 14.1.3
execute, the priorities, the actors to mobilize and their contact details?
08D06-07 Are these plans tested at least once a year? 4 2 E2 14.1.5
08D06-08 Are above tests able to guarantee that the staff capacity and the recovery systems can cope, under full operational load, the 4 3 E2 14.1.5
minimum IT services required by users?
The tests required to obtain this guarantee are preferably full scale tests of each variant of scenario, involving all users. The results
of the tests have to be registered and analyzed in order to improve the capability of the organization to answer to the situations
considered.
08D06-13 Are the existence, the pertinence and the updates of the IT services Recovery Plans regularly controlled? 2 3 C1
08D06-14 Is the updating of the above procedures within the recovery plan subject to regular audit? 2 3 C1
08D07 Anti virus protection for production servers
08D07-01 Have the measures to be taken by the IT staff been defined so as to prevent, detect and correct any attacks by malevolent code 2 3 E2 10.4.1
(virus, spyware, other)?
08D07-02 Are production servers (including office and mail servers) protected by anti virus or malevolent code software? 4 E1 10.4.1
08D07-03 Are several antivirus software (from different editors) simultaneously operating for the protection of the operation servers? 4 E2
08D07-04 Are antivirus software products regularly and automatically updated (daily)? 4 2 E2
08D07-05 Is a subscription held with an emergency response center able to warn and anticipate large scale virus attacks for which the 4 3 E3
installed antivirus software is not yet up to date?
08D07-06 Is there an emergency committee which can be implemented quickly in the case of alert or detection of viral infection? 4 3 E2
08D07-07 Is the activation and the update of antivirus software on servers subject to regular audit? 2 3 C1
08D08 Management of critical systems (regarding maintenance continuity)
08D08-01 Have the consequences of the disappearance of a supplier been analyzed (in the case of failure, a bug or change requirement) 2 E2
and has a list of critical systems been established?
This is valid for hardware, software or service providers
08D08-02 For all critical systems, has a corrective solution been analyzed to cope with the failure or disappearance of a supplier 2 E2
(consignment of maintenance documentation or source code with a trusted third party, hardware replacement by standard market
solutions etc.)?
08D08-03 Is there a guarantee that the corrective solutions could be made operational within time delays compatible with the continuity of the 2 2 E2
business and accepted by the users?
08D08-04 Have variants to the primary solution been considered in case it might encounter unforeseen difficulties? 2 3 E3
08D08-05 Is there a regular review of critical systems and corrective solutions envisaged? 2 3 C1
08D09 Off site emergency (recourse) backups
08D09-01 Are all software backups and configuration files, which enable the restoration of the production environment, also saved at a 4 3 E1
location off premises (recourse backup)?
08D09-02 Are all data saved for backup also saved at a location off premises (recourse backup)? 4 2 E1
08D09-03 Are regular tests carried out that these emergency backups can be read? 2 3 E2
08D10 Maintaining user accounts
08D10-01 Has it been defined with the users the maximum acceptable delay for reinstating their rights following the accidental or deliberate 4 E1
blocking of their accounts (application, system, or network?
08D10-02 Is the procedure to follow if an account is blocked defined? 4 E2
08E01-04 Is there, within operational personnel, a team or individual available 24 hrs a day and capable of reacting in the case of an alert 4 2 E3
after this application has detected an anomaly?
08E01-05 Has the expected response time from the surveillance team been defined for each case of alert and are its availability and staffing 4 E3
level sufficient to meet these expectations?
08E01-06 Are the alarm definition parameters strictly protected (restricted access rights and strong authentication ) against illicit 4 3 R1
modification?
08E01-07 Does the shutdown of the alarm system trigger an alert with the surveillance team? 4 3 R1
08E01-08 Are all the elements which enabled the detection of an anomaly or incident archived (on disk, cassette or DON etc.)? 2 E2
08E01-09 Are the procedures of detection of the anomalies and the availability of the surveillance team subject to regular audit? 2 3 C1
08E02 Offline management of traces, logs and event journals
08E02-01 Has a detailed analysis been carried out of the events or succession of events which may have an impact on security (refused 2 E1
connections, reconfigurations, changes in performance, access to sensitive data or tools etc.)?
08E02-02 Are these events recorded as well as the parameters useful for their subsequent analysis? 4 E1
08E02-03 Is there an application able to analyze these records as well as performance measurements and to infer statistics, a dashboard, 4 2 3 E2
anomaly diagnostics, etc. for examination by a competent team?
08E02-04 Is the structure in charge of the analysis of these summaries (or incident logs and security related events) obliged to do so at 4 E2
regular intervals and does it have sufficient availability?
08E02-05 Has the expected reaction from the surveillance team been defined for each case of alert and is its availability level sufficient to 4 E3
meet these expectations?
08E02-06 Are the parameters defining the elements to record and the summaries effected on these elements strictly protected against 4 R1
unauthorized change (limited rights and strong authentication)?
08E02-07 Is any inhibition of the recording and processing system immediately signaled to the surveillance team? 4 R1
08E02-08 Are the records and summary analyses kept for a long period? 2 E2
08E02-09 Are the procedures for recording, processing and analysis of the records and summaries as well as the availability of the analysis 2 C1
and corrective team subject to regular audit?
08E03 Management of system and application incidents
08F01-06 Is there a systematic process of removal of special rights at the time of departure or role change of IT operations staff? 2 E2 11.2.4
08F01-07 Is there a regular audit, at least once a year, of all special rights attributed ? 1 2 C1 11.2.4
08F02 Authentication of administrators and operational personnel
08F02-01 Is the authentication protocol used for administrators or holders of special rights considered to be secure? 4 4 E2
An authentication protocol is considered secure if it is not susceptible to being broken by a listening device on the network or
rendered inoperable by specialists tools (in particular password crack tools ). Such security usually uses cryptographic methods.
08F02-02 Are the rules, for instance in the case of passwords, considered to be very strict? 2 E2
Strict rules impose the use of tested non-trivial passwords, using a mixture of different types of characters and of a reasonable
length (ten characters). It is desirable that these rules have been approved by the Information Security Officer
08F02-03 Is there a consistent control of the administrator's rights, of its context, and of the suitability of this context with the requested 4 E2
access, as per formal rules of access control?
08F02-05 Are the processes that guarantee authentication under strict control? 4 3 R1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there is
an audit at least once a year of the authentication procedures and processes.
08F02-06 Is there a regular audit of the privileged profiles effectively granted? 4 3 C1 11.2.4
08F02-07 Is there a regular audit of the procedures of granting privileged rights and the security parameters attached to protecting profiles 4 3 C1
and rights?
08F03 Surveillance of system administrators' actions
08F03-01 Has a detailed analysis been carried out of the events and operations carried out with administrative rights which may potentially 2 E2 10.10.4; 10.6.1
have an impact on system security (configuration of security systems, access to sensitive information, usage of sensitive tools,
download or modification of administrative tools etc.)?
08F03-02 Are these events recorded as well as all parameters which may be useful for their subsequent analysis? 4 E2 10.10.4; 10.6.1
08F03-03 Is there a system able to detect any modification or deletion of a past record and to immediately trigger an alarm to a manager? 4 2 E3 10.10.4
08F03-04 Is there a summary of these records enabling management to detect abnormal behavior? 4 3 E3 10.10.4
08F03-05 Is there a system enabling the detection of any modification of recording parameters and to immediately trigger an alarm to a 4 2 E3 10.10.4
manager?
08F03-06 Does any inhibition of the recording and processing of the logged events system trigger an alarm to a manager? 4 E3 10.10.4
08F03-07 Are all records or summary analyses protected against any falsification or destruction? 2 E2 10.10.4
08F03-08 Are all records or summary analyses kept for a long period? 2 E2 10.10.4
08F03-09 Are the procedures, which record and process privileged operations, regularly audited? 2 C1 10.10.4
08G Audit and control Procedures relative to Information Systems
08G01 Operation of Audit Control
08G01-01 Have requirements and enforced procedures for the audit of IT systems been enacted by Management? 4 E2 15.3.1
08G01-02 Are the rules related to Information System audits, relevant procedures and associated responsibilities defined and documented? 3 E2 15.3.1
The restrictions concern the type of access to data and applications, the authorized controls and processing, the deletion of
sensitive data obtained, the flagging of certain operations, ... and the empowerment of the individuals conducting the audits.
08H01-03 Has a list of conditions been established and updated by each owner of data requiring to be archived concerning the archiving 4 1 E1
rules?
08H01-04 Are the requirements for external (legal and regulatory) and internal archiving defined and tackled by the entity owning the data 4 E1 13.2.3; 15.1.3
and accepted by the top management at the highest level?
The consequences (legal, financial, image) of non compliance (partial or total) of the archiving requirements must be endorsed by
the board of managers.
08H01-05 Are service agreements negotiated with the IT department, considered as agents only for the data? 4 1 E2 15.1.3
Each agreement must state the requirements: content of the archives, retention duration, durability, capacity to trace, imputability,
non disclosure, procedures and delay for disposal, administrative constraints, etc.
A clear separation must be stated between the content of the archives, under responsibility of the owner of data, and the container
(media, disks, tapes, cartridges) under the responsibility of the IT department.
08H01-06 Are the resources necessary for archiving the data known and financed over the longer term? 2 1 E2 15.1.3
08H01-07 Are there regular readability tests of the archives? 4 C1
08H01-08 Are the possible modifications resulting from technological or regulatory evolutions, that may modify the content or the containers 4 2 E2
of the archives, taken into account, documented and accepted by the management?
These evolutions cannot be avoided on the long term and all the external regulations must be respected in order to guarantee the
conformity of the data to the original ones.
08H01-09 Is the existence of the hardware and software tools for the processing of the archives regularly controlled? 2 C1
08H01-10 Is there a regular control of the procedures stated for the archiving and any deviation related to the data owners? 4 2 C1
The controls must also look for eliminating the possibilities of fraud involving the persons in charge of the operations as well as
those who may have an access to the contents or the containers.
08H01-11 Are all the procedures concerning the archiving policy audited regularly? 4 3
08H02 IT Archives access management
08H02-01 Have the requirements and procedures to be followed to access the archives been specified by management? 2 E2 15.3.1
08H02-02 Does each archive or set of archives have a designated owner? 4 E2
08H02-03 Are requests for extracts from the archives accepted only from the designated owner? 4 2 E2
08H02-04 Is a request from the owner subject to authentication? 4 2 E2
08H02-05 Is this authentication check considered to be strong? 4 3 E3
08H02-06 Given that users do not have access to the archives, does the archival department always keep the original version? 4 3 E3
08H02-07 Is access to the archives by archival personnel subject to strong authentication? 4 3 E3
08H02-08 Is each access recorded in a secure manner? E3
4 3
08H02-09 Is transfer of an archive or of a copy to the requester carried out in a secure manner? 4 3 E3
08H02-10 Are the conditions of access to the archives and the associated security systems audited regularly 3 2 C1
08H03 Management of IT archive safety
08H03-04 Are the archive storage locations under permanent video surveillance? 2 3 E2
09A01-07 Is it possible to review at any time the list of profiles and the rights attributed to each profile? 2 2 C1
09A01-08 Is there a regular audit, at least once a year, of the totality of rights attributed to each profile and the profile management 4 2 C1 11.2.4
procedures?
09A02 Management of access authorizations to application data (granting, delegation, revocation)
09A02-01 Does the procedure of granting access authorization to applications require the formal authorization of line management (at a 4 2 E1 11.6.1
sufficiently senior level)?
09A02-02 Are authorizations granted to named individuals and only as a function of their profile? 2 E1 11.6.1
09A02-03 Is the procedure for granting (or modification or revocation) of access rights (directly or via a profile) strictly controlled? 4 2 3 E2 11.2.2
A strict control requires a formal recognition of the signature (electronic or otherwise) of the requestor, that the implementation of
the profile attributed to users in the form of tables is highly secure and that there be a reinforced access control over the
modification of such records and that any modification of records be logged and audited.
09A02-04 Is there a systematic process of updating the table of access rights at the time of departure of personnel (internal or external 4 E2 11.2.4
personnel)?
09A02-05 Is there a systematic process of updating the table of access rights at the time of change of function? 4 E3 11.2.4
09A02-06 Is there a strictly controlled process (see below) which allows rights to be delegated, in part or in whole, to a person of choice for a 4 E3
determined period (in case of absence )?
In this case, the delegated rights must no longer be available to the person who has delegated them during this time. The latter
however, must have the possibility of taking them back, by which process he or she effectively ends the delegation.
09A02-07 Is it possible to control at any time, for all users, the rights, authorizations and privileges in force? 2 C1
09A02-08 Is there a regular audit, at least once a year, of the profiles and authorizations granted to all personnel and the procedures for 1 2 C1 11.2.4
management of attributed profiles?
09A03 Authentication of the access requestor
09A03-03 Does the presentation of his credentials by the user guarantee their inviolability? 4 2 E3 11.5.3
Typing a password will always be a weak point. The only processes whose observation does not divulge information consist either
of introducing an object containing a secret (smart card), or using a code which changes at every moment (token card) or using a
means of which contains some biometric characteristic.
09A03-04 Is there a guarantee that the credentials, used for authentication, will remain inviolable and authentic while kept or presented by 2 2 3 E2 11.5.3
the user or by the user agent?
Passwords must be stored encrypted and a preliminary access control must be made before usage.
In the case of authentication using cryptographic processing, the mechanism must provide solid guarantees validated by a
reference organization.
09A03-05 Is there a guarantee that the credentials, used for authentication, will remain inviolable and authentic while transmitted between the 2 2 3 E3 11.5.3
user and the target systems?
Transmission of a password must be encrypted or use an algorithm which introduces a variable at each transmission.
In the case of authentication using cryptographic processing, the mechanism must provide solid guarantees validated by a
reference organization.
09A03-06 In the case of multiple incorrect authentication attempts, is there a process which automatically invalidates the user identifier, even 4 2 E2 11.5.3
the user workstation itself, or a slowing of the authentication process (aimed at preventing connection from an automatic routine)?
09A03-07 Does the procedure for the replacement of lost or mislaid user authentication means (password, token card) allow for the instant 2 2 E2 11.5.3
deactivation of the user account?
09A03-08 Does the procedure for the replacement of lost or mislaid user authentication means (password, token card) allow for an effective 2 2 E3 11.5.3
control of the requestor's identity?
09A03-09 Are authentication parameters under strict control? 4 2 R1
A strict control requires that people able to change the definition rules of credentials, the credentials themselves, rules of
surveillance of connection attempts etc., be strictly limited and that there exists a reinforced access control to effect these
modifications, that these modifications be logged and audited and that a general audit be run at least once a year of all
authentication parameters.
09A03-10 Are the processes that guarantee authentication under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there be
an audit at least once a year of authentication procedures and processes (including the processes which aim to detect violations
attempts and the processes which respond to these violation attempts).
09A04-03 Have all generic or by-default accounts and passwords been changed or deleted? 4 2 E2 11.5.2
09A04-04 Is the acceptance of the account identified by the system systematically followed by authentication control? 2 2 E2 11.5.2
Systematic authentication requires that the process be implemented for all subsystems (remote processing monitor, database
management system, batch processes, etc. ), for all application requests, for all access routes and for all ports, including ports
reserved for remote maintenance.
09A04-05 May the authentication process be repeated during an open session for transactions considered to be sensitive? 4 E3 11.5.6
09A04-06 Is there an automatic invalidation of the user identifier in the absence of traffic after a defined delay, which requires user re- 4 E3 11.5.5
identification and re-authentication?
09A04-07 Are there application access controls which limit the view and access to very sensitive information? 4 E3 11.6.1
09A04-08 Is there a systematic control of the profile and connection context of the requestor and of their appropriateness for the access 4 2 R1
requested?
09A04-09 Is the process of definition and management of access filtering rules under strict control? 4 2 C1
A strict control requires that the list of persons able to change the filtering security parameters be extremely limited, and that there
be a reinforced access control in order to be able to effect such modification and that any modification be logged an audited.
09A04-10 Are the processes that guarantee access filtering under strict control? 4 3 R2
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there be
an audit at least once a year of access control procedures and processes (including the processes which aim to detect change
attempts and the processes which respond to these change attempts).
09A05-02 Is there a mechanism of authentication of the application called before access to a sensitive application from the internal network? 4 1 E2
09A05-03 Does the authentication mechanism of the accessed sensitive applications provide a recognized "strong" level of security? 4 2 E3
Notably the usage of a simple password will always be a weakness. The only methods recognized as "strong", that is observable
without divulging information, are those based on cryptographic algorithms.
09A05-04 Do the security equipment that retain credentials (e.g. passwords, calling number, etc.) use mechanisms which guarantee their 4 3 E2
impregnability and authenticity?
Passwords must be stored encrypted and a preliminary control of the user must be made before usage.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a
recognized organization.
09A05-05 Does the transmission of credentials (e.g. passwords, calling address, etc.) between calling user equipment and authentication 4 3 E3
systems use mechanisms which guarantee their impregnability and authenticity?
Transmission of a password must be encrypted or use an algorithm which introduces a variable at each transmission.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a
recognized organization.
09B01-04 Do the procedures and mechanisms for storage, distribution and exchange of keys and more generally the management of keys 4 3 R1
offer a sufficient level of confidence and have they been approved by the Information Security Officer?
09B01-05 Are the sealing mechanisms strictly protected against violation or change? 4 3 3 R2
In the case of hardware sealing and appliances, they should be physical protected against access to the sealing mechanisms. If a
software solution is used, it must itself contain an integrity control.
09B01-06 Is shutdown or by-pass of the sealing solution immediately detected and signaled to a team available 24 hrs a day and capable of 4 2 R2
triggering an immediate reaction?
09B01-07 Is there a procedure detailing the actions to carry out in the case of error or alert? 3 2 R2
09B01-08 Are sealing mechanisms, their parameters and associated procedures subject to regular audit? 4 3 C1
09B02 Protection of integrity of exchanged data
09B02-01 Have all data exchanges which must be protected by sealing solutions been defined and have such solutions been implemented at 4 E2 12.2.3
the application level?
09B02-02 Are the seals controlled automatically by the corresponding applications? 4 2 E3 12.2.3
09B02-03 Does the sealing solution offer valid and solid guarantees and has it been approved by the Information Security Officer? 4 2 E2 12.2.3
The sufficient length of the key is one of the parameters to take into consideration (as a function of the algorithm). The
recommendation of an official organization can be a confidence factor.
09B02-04 Do the procedures and mechanisms for storage, distribution and exchange of keys and more generally the management of keys 4 3 R1
offer a sufficient level of confidence and have they been approved by the Information Security Officer?
09B02-05 Are the sealing mechanisms strictly protected against violation or change? 4 3 3 R2
In the case of hardware sealing and appliances, they should be physical protected against access to the sealing mechanisms. If a
software solution is used, it must itself contain an integrity control.
09B02-06 Is shutdown or by-pass of the sealing solution immediately detected and signaled to a team available 24 hrs a day or by direct call 4 2 R2
and capable of triggering an immediate reaction?
09B04-05 When these controls exist, are they the integrated into an operational process for alert and processing of errors? 4 E2
09B05 Continuous (plausibility, ) checks on data processing
09B05-01 Have the checks that should be made to verify consistency of the data after processing by the application been analyzed with the 4 E1 12.2.1; 12.2.4
users (test variables, ratios, evolution and comparison before and after processing, etc.), and have the corresponding checks been
implemented in the applications?
09B05-02 Are the parameters for these checks recorded in tables separated from the application code and easily verifiable? 4 E2
09B05-03 Are the processes insuring continuous checking of the data processing under strict control? 4 3 R1
Strict control requires that the corresponding software is validated and is subject to a regular integrity check (sealing) and that
there is an audit at least once a year of the control process and procedures (including procedures for detecting attempts at
modification and for reacting to these attempts).
09C01-03 Does the procedure and mechanisms of storage, distribution and exchange of keys and more generally the management of the 4 3 E2 12.3.2
keys offer solid guarantees which merit confidence and are they approved by the Information Security Officer?
09C01-04 Are the encryption mechanisms strictly protected against violation or change? 4 3 3 R2
In the case of hardware encryption and appliances, they should be physical protected against access to the encryption
mechanisms. If a software solution is used, it must itself contain an integrity control.
09C01-05 Is shutdown or by-pass of the encryption solution immediately detected and signaled to a team available 24 hrs a day or by direct 4 2 R1
call and capable of triggering an immediate reaction?
09C01-06 Are encryption mechanisms, their parameters and associated procedures subject to regular audit? 4 3 C1
09C02 Encryption of stored data
09C02-01 Have the files or storage zones which must be protected by encryption solutions been defined and have such solutions been 4 E1 12.3.1
implemented in the application architecture?
09C02-02 Is this encryption systematically applied (as a function of information classification ) and/or automatic (as a function of storage 2 3 E2
media) each time data is written to the storage media or each time the application session closes?
09C02-03 Is this encryption systematically applied each time files are transferred or remotely-loaded by the relevant applications? 2 3 E2
09C02-04 Does the encryption solution offer valid and solid guarantees and has it been approved by the Information Security Officer? 4 2 E2
The sufficient length of the key is one of among many parameters to take into consideration (as a function of the algorithm). The
recommendation of an official organization can be a confidence factor.
09C02-05 Do the procedures and mechanisms for storage, distribution and, more generally, management of keys offer a sufficient level of 4 3 E2 12.3.2
confidence and have they been approved by the Information Security Officer?
The possibility of having to recover these data on another hardware system or another version of the operating system needs to be
anticipated.
09C02-06 Are the encryption mechanisms strictly protected against intrusion or change? 4 3 3 E3
In the case of hardware encryption and appliances, they should be physical protected against access to the encryption
mechanisms. If a software solution is used, it must itself contain an integrity control.
09C02-07 Is shutdown or by-pass of the encryption solution immediately detected and signaled to a team available 24 hrs a day or by direct 4 2 R1
call and capable of triggering an immediate reaction?
09C02-08 Are encryption mechanisms for stored data, their parameters and associated procedures (in particular the management and 4 3 C1
protection of keys) subject to regular audit?
09C03 Anti electromagnetic radiation protection
09C03-01 Are means used to prevent radiation from equipment hosting very sensitive applications (Tempest, cable shielding, faradizations of 2 E2
the offices)?
09C03-02 Are radiation levels regularly controlled for equipment hosting these sensitive applications? 2 2 E3
09D02-04 Are the means of recovering access keys or encryption keys protected against accidental or malicious loss? 4 3 E2
09D02-05 Are there regular audits of these means and procedures to guarantee permanent access to the data files? 2 3 E2
09E Service continuity
09E01 Hardware reconfiguration
09E01-01 Has a fail-safe architecture been established, including redundancy and system mirroring for critical equipment or servers? 4 2 E2 14.1.4
09E01-02 Does the implementation of this architecture guarantee the minimum performance levels required in the case of incident or failure? 4 2 E2
Such a guarantee supposes either that failsafe systems features are entirely automatic or that systems will detect failures and staff
will have the specifications and capability to manually reconfigure failed systems.
09E01-03 Is there some assurance in this case that ancillary equipment (power supply, air-conditioning, etc. ) do not introduce any additional 2 E3
risk and do not ruin the redundancy expected from the equipment or network architecture?
09E01-04 Does the shutdown or invalidation of any redundant equipment or failure dtection system (requiring human intervention) trigger an 2 R1
alarm to an operational manager?
09E01-05 Are regular tests made to demonstrate that security equipment is able to guarantee minimum performance levels required in the 2 2 C1
case of an incident or failure?
09E02 Application service continuity plans
09E02-01 Have application service continuity plans been established for each business application, based on its criticality classification 3 E1 14.1.3
level?
09E02-02 Are these continuity plans compatible with the Disaster Recovery Plans for the hardware and systems used by the process or 3 2 E1 14.1.3
application?
09E02-03 Do these continuity plans detail all the actions necessary to ensure service continuity between the time of an alert and the effective 3 2 E2 14.1.3
implementation of solutions prescribed by the Disaster Recovery Plans?
09E02-04 Do these plans treat all the organizational aspects related to a manual emergency solution (personnel, logistic, management etc.)? 3 E2 14.1.3
09E02-05 Have the appropriate instructions and training been given to staff in order to deal with a "manual" emergency solution? 2 E2 14.1.3
09E02-06 Have the application service continuity plans anticipated all the procedures required for a return to normal service? 4 2 E2 14.1.3
09E02-08 Is the crisis plan initiation compliant with the above application service continuity plan? 4 E2
09E02-09 Are these plans regularly tested under full scale conditions (with operational data volumes) and updated at least once a year? 3 2 C1 14.1.5
09E02-10 Are the updates of these plans regularly audited (at least once a year)? 3 2 C1
09E03 Management of critical applications (with regard to maintenance continuity)
09E03-01 Have the consequences of the disappearance of an application or package editor been analyzed (in the case of failure of a bug or 2 E2
the need for evolution) and has a list of critical applications been deduced?
09E03-02 For each critical application, is there a corrective solution to cope with the failure or disappearance of a supplier (consignment of 2 E2
maintenance documentation and source code with a trusted third party, replacement of equipment or of software by standard
package etc.)?
09E03-03 Is it certain that this corrective solution could be made operational to enable company activity to restart within a time delay 2 2 E2
sufficiently short to be acceptable to users?
09E03-04 Have variants to the primary solution been considered in case the latter might encounter unforeseen difficulties? 2 3 E3
09E03-05 Is there a regular review of critical applications and corrective solutions envisaged? 2 3 C1
09F Control of origin and receipt of data
09F01 Proof of origin, electronic signature
09F01-01 Have sensitive transactions been identified which must be protected by electronic signature solutions implemented at the 4 E2 12.3.1
application level?
09F01-02 Is the conformity of signatures controlled automatically by the application? 4 2 E2
09F01-03 Does the electronic signature solution offer valid and solid guarantees and has it been approved by the Information Security 4 2 E2
Officer?
The sufficient length of the key is one of among many parameters to take into consideration (as a function of the algorithm). The
recommendation of an official organization can be a confidence factor.
09F01-04 Do the procedure and mechanisms of storage, distribution and exchange of keys and more generally the management of the keys 4 3 E2 12.3.2
offer solid guarantees which merit confidence and are they approved by the Information Security Officer?
09F01-05 Are the electronic signature mechanisms strictly protected against violation or change? 4 3 3 R2
In the case of hardware solution or appliance, it should be physical protected against access to the signature mechanisms. If a
software solution is used, it must itself contain an integrity control.
09F01-06 Is shutdown or by-pass of the signature solution immediately detected and signaled to a team available 24 hrs a day or by direct 4 2 R1
call and capable of triggering an immediate reaction?
09F01-07 Is there a procedure which details the operations to carry out in the case of error or alert? 3 2 R1
09F01-08 Are electronic signature mechanisms, their parameters and associated procedures subject to regular audit? 4 3 C1
09F02 Prevention of message duplication and replay (numbering, sequencing)
09F02-01 Have sensitive transactions been identified which must be protected by sequencing control solutions implemented at the 4 E2
application level (or at the network level)?
09F02-02 Is the coherence of the numbers and sequences controlled automatically by the application or by the middleware used? 4 2 E2
09F02-03 Does the numbering and sequencing solution offer valid and solid guarantees and has it been approved by the Information 4 2 E2
Security Officer?
The recommendation of an official organization can be a confidence factor.
09F03-04 Is the acknowledgement of receipt mechanism protected against all undesirable intervention? 2 3 R1
09F03-05 Is there a procedure which details the operations to carry out in the case of error or alert? 3 2 R1
09F03-06 Is the acknowledgement of receipt system subject to regular audit? 3 2 C1
09G Detection and management of application incident and anomalies
09G01 Detection of application anomalies
09G01-01 Have events or successions of events been analyzed which might reveal abnormal behavior or illicit action and, as a consequence, 4 E2
have specific monitoring points been identified?
09G01-02 Are features, detecting and recording sensitive events, installed in applications (with type of event, user identifier, date and time, 4 3 E2
etc.)?
09G01-03 Is there an audit trail within certain sensitive processes which records the events which would enable later diagnosis of 4 3 E3
anomalies?
09G01-04 Are sensitive applications provided with an automatic monitoring function dealing in real time with large numbers of abnormal 4 3 E3
events (for example many unsuccessful connection attempts on user workstations or unsuccessful attempts to use sensitive
transactions)?
09G01-05 Are all these diagnostic elements registered? 2 E2
09G01-06 Are there one or more applications capable of analyzing the individual anomaly diagnostic data and triggering an alert to 4 2 E3
operational personnel?
09G01-07 Does the anomaly diagnostic system trigger an alarm in real time to a permanent surveillance team able or by direct call and able 4 3 E3
to react without delay?
09G01-08 For each case of alert has the expected response from the intervention team been defined and is the availability of the intervention 4 E3
team sufficient to face this expectation?
09G01-09 Are the parameters defining the elements to record and the diagnostic analyses effected on these elements strictly protected 4 R2
(restricted access rights and strict authentication ) against illicit modification?
09G01-10 Does the stopping of the recording and record processing system trigger an alarm with the surveillance team? 4 R1
09G01-11 Are the procedures for recording, processing and diagnostic analysis and the availability of the intervention team regularly audited? 2 C1
09H E-commerce
09H01 Security of the e-commerce Sites
10A01-02 Is an analysis carried out with user managers of the level of impact and probability of possible dysfunction taking into consideration 4 E2 12.1.1
the security measures already in place and the additional or specific measures envisaged in the specifications of the project?
10A01-03 Are there project reviews during which these risks are presented, decisions are taken about their acceptability or not and about 4 2 E1 12.1.1
any additional security measures needed?
10A01-04 Has the possibility of information leaks through hidden canals been considered within risk studies and have adapted controls been 4 2 E3 12.5.4
implemented?
10A01-05 Is the implementation of security measures, specific to the project, formally tracked during the project lifecycle? 4 C1
The tracking may consist of an obligatory review point at each project phase, followed up by documentation detailing the choice of
solutions and the status of their implementation.
10A01-06 Is there a support group, specialized in project risk analysis, assisting the management of the project with the risk analysis 4 E2
process?
10A01-07 Is the Information Security Office implicated, directly or indirectly, in security related decisions in the projects? 10A08 has been 4 E2
deleted
10A02 Change management
10A02-01 Are all change requests for an application subject to a formal review procedure (requestor, rationale, decision process)? 2 E2 12.5.1
10A02-02 Are all automatic software changes or updates made impossible? 2 R2 12.5.1
10A02-03 Are the versions of all software kept up? 2 E2 12.5.1
10A02-04 Are the versions of all associated documentation kept up? 2 E2
10A02-05 When changes are made to the operating systems, is there a review and test of their impact on the applications? 4 E2 12.5.2
10A02-06 Does the change management procedure impose non regression tests to be run? 4 E2 12.5.2
Non regression tests check that the modifications do not change the characteristics nor the performances of the other functions of
the application.
10A02-07 Is the impact on the continuity plans of the changes introduced into the applications taken into account? 2 E2 12.5.2; 14.1.5
10A03 Externalization of software development
10A03-01 When the software development is subcontracted, have the issues regarding license agreement and intellectual property of the 2 E2 12.5.5
code developed been handled?
10A03-02 Were requirements regarding the quality and the security level of the code formally integrated in the contracts? 2 2 E2 12.5.5
10A03-03 Have access rights allowing to audit the quality of the work effected by subcontractors been agreed upon? 2 2 E2 12.5.5
10B01-02 Is the attribution of profiles and tasks to application development personnel done on an individual and nominative basis? 2 2 E2
10B01-03 Is a trace kept of the tasks effected by each member of development staff? 2 E2
10B01-04 Are the application development, test and integration environments strictly separated? 4 E1 12.4.1
10B01-05 Have strict and separated access rights been defined for these environments, based on profile and project? 4 E2
A strict access control supposes that it is necessary to get the right profile in order to access to a given environment
10B01-06 Is the authentication protocol for development personnel holding privileged rights considered as strong? 4 4 E3
An authentication protocol is considered secure if it is not susceptible to being broken by a listening device on the network or
rendered inoperable by specialists tools (in particular password crack tools ). Such security usually uses cryptographic methods.
10B01-07 In the particular case of passwords, can the imposed rules be considered as very strict? 2 E2
Very strict rules impose the use of tested non-trivial passwords, using a mixture of different types of characters and of a reasonable
length (ten characters or more). It is desirable that these rules have been approved by the Information Security Officer.
10B01-08 Do application development procedures require that a person never have sole responsibility for a task? 2 R1
10B01-09 Do application development procedures require that, for sensitive functions, a verification of code is made by an independent 4 3 R2
team?
10B01-10 Do application development procedures require a formal validation, by users, of the coverage of functional tests? 4 E2
10B01-14 Are the organization of tasks within development teams and the application of clear segregation and control rules regularly 2 C1
audited?
10B02 Ensuring confidentiality in application developments
10B02-01 Do the development procedures impose an analysis of the confidentiality of applications developed and a classification of objects 4 E1
implemented in the course of developments (documentation, source code, executable code, study notes, etc.)?
10B02-02 In the case of development of a confidential application, are their special procedures for management of documentation? 4 E1
10B02-03 In the case of development of a confidential application, are profiles put in place which enable the distribution of confidential 4 2 E1
information to be limited only to people who have a real need?
10B02-04 Are source code, executable code and documentation protected by a strict access control procedure which details, as a function of 4 2 E2 12.4.3
development phase, the authorized profiles having access to these objects as well as the storage conditions and corresponding
access control rules?
An access control procedure using strict access conditions should guarantee that all code or documentation modification is made
by an authorized person under authorized conditions.
10B02-05 Are the control parameters related to the management of rights attributed to development personnel under strict control? 2 3 R2
A strict control requires that the list of people able to change rights attributed to development personnel by project and the access
control parameters to development environment and objects be strictly limited and that there be a reinforced access control in
order to modify these rights and that any modification of these rights be logged and audited.
10B02-06 Are the processes which ensure the filtering of access to development objects (documentation and code ) under strict control ? 2 3 R3
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there be
an audit at least once a year of the procedures and processes of access filtering (including the process aiming to detect
modification attempts and the processes which respond to these modification attempts).
10B02-07 In the case of developments of packages or conferred on IT service companies are the above conditions contractually imposed on 2 2 E1
the editor, partner or subcontractor?
10B02-08 Is the management of access rights to development objects, protection procedures and mechanisms subject to a regular audit? 2 3 C1
10B04-02 If sensible or personal data have to be used, is it ensured deleting sensitive details and contents before using them (or make them 2 2 E2 12.4.2
anonymous)?
10B04-03 When using operations data, do the access control procedure that apply to the running applications also apply to the test 2 2 E2 12.4.2
applications?
10B04-04 Is the operating information used by a test application deleted immediately after the test is completed? 2 E2 12.4.2
10B04-05 Is there a log of all copy or use of operating data during tests to create a audit trail? 2 C1 12.4.2
10B05 Security of application maintenance
10B05-01 Do application maintenance procedures impose a strict separation between detailed specification, design, unit test and integration 4 E1
tasks, with the attribution of specific profiles to the various members of the maintenance staff?
10B05-02 Is the attribution of profiles and tasks to maintenance personnel done on an individual and named basis? 2 2 E2
10B05-03 Is a trace kept of the tasks effected by each member of the maintenance staff? 2 2 E2
10B05-04 Are the application maintenance, test and integration environments strictly separated? 4
10B05-05 Have strict and separated access rights been defined for these environments, based on profile and project? 4 E2
A strict access control supposes that it is necessary to get the right profile in order to access to a given environment
10B05-06 Is the authentication protocol for development personnel holding privileged rights considered as strong? 4 4 E3
An authentication protocol is considered secure if it is not susceptible to being broken by a listening device on the network or
rendered inoperable by specialists tools (in particular password crack tools ). Such security usually uses cryptographic methods.
10B05-07 In the particular case of passwords, can the imposed rules be considered as very strict? 2 E2
Very strict rules impose the use of tested non-trivial passwords, using a mixture of different types of characters and of a reasonable
length (ten characters or more). It is desirable that these rules have been approved by the Information Security Officer.
10B05-08 Do application maintenance procedures require that a person never be the only person responsible for a task? 2 E2
10B05-09 Do application maintenance procedures require that, for sensitive functions, a verification of code is a made by an independent 4 3 E2
team?
10B05-10 Do application maintenance procedures require a formal validation, by users, of the coverage of functional tests? 4 E2
10B05-11 Do application maintenance procedures require that a formal validation be run by the security function of the coverage of tests 4 3 E3
related to security functions or mechanisms?
10B05-12 In the case of application maintenance conferred on outside contractors, are the above conditions contractually imposed on the 2 E1
partner or subcontractor?
Note: when the maintenance is assured by a software editor and/or in a another country, separated by considerable distance, the
guarantees made in respect of maintenance conditions must be reviewed with great care.
10B05-14 Are the organization of tasks within application maintenance and the application of clear segregation and control rules regularly 2 C1
audited?
10B06 Hot Maintenance
10B06-01 Is real-time (hot) maintenance, when done directly in the production environment, subject to the triggering of a formal procedure 4 2 E1
including, in particular, the formal agreement of the operational director and the manager responsible for the application domain (or
data owner) concerned?
10B06-02 Is a full backup of the production environment (systems and applications) made before any real time maintenance, which would 4 2 E2
enable a return to the previous situation in case of a problem?
10B06-03 Is a full backup of operational data (synchronized) made before any real time maintenance so as to enable a return to the prior 4 2 E2
situation in case of a problem?
10B06-04 Is a trace kept of all operations effected and commands launched during any real time maintenance in order to be able to 4 E2
investigate afterwards, or even to cancel them, if the sequence of operations finished improperly?
10B06-05 Are the procedures of real time maintenance and their application subject to regular audit? 4 3 C1
11A02-06 Is the conformity of the software configurations for user workstations regularly controlled relatively to the authorized options? 4 2 E3 15.2.2
11A02-07 Does the inhibition of the control process trigger an alarm to a manager? 4 3 E3
11A02-08 Is it also controlled that the users do not possess the access rights required for the installation of additional hardware or software? 2 3 E3
11A03-02 Is a permanent inventory held up to date of the software officially installed and declared on each work station? 2 E2 15.1.2
11A03-03 Is there a regular control of the conformity of the software installed to those declared or that they possess an authorized license? 4 2 E2 15.1.2
11A04-05 Is a check made of the proof of origin and integrity of received maintenance module or a new version, from the editor or the 4 E2
manufacturer (for operating systems)?
11A04-06 Are there regular audits of protection procedures for reference programs? 4 C1
11A05 Management of service suppliers and providers relating to the operation and handling of the user workstations base
11A05-01 Is it regularly ensured that the security services allocated to suppliers or providers for the operation and handling of the user 4 C1 10.2.1
workstations are efficiently implemented and maintained by them?
11A05-02 Is it ensured that the service suppliers or providers for the operation and handling of the user workstations have efficiently 2 E2 10.2.1
prepared the appropriate arrangements to ensure that the services are provided as agreed?
11A05-03 Is the respect of the security provisions by the suppliers or providers regularly reviewed? 4 E1 10.2.2
11A05-04 Is it ensured that the suppliers and providers report and document any security incident concerning operation and handling of the 4 E2 10.2.2
user workstations?
11A05-05 Is there a regular review of these incidents or malfunctions with the concerned suppliers and providers? 2 E2 10.2.2
11A05-06 Are any changes in the contract relationship (obligations, service levels, etc.) analyzed for resulting potential risks? 2 E3 10.2.3
11B Protection of workstations
11B01 Control of access to workstations
11B01-01 Is access to the workstation itself (even for local use) protected by a password or authentication system? 4 E1
11B01-02 Does the process of creation or modification of user authentication means respect a set of rules which ensures its intrinsic validity? 4 E1 11.2.3
In the case of passwords: sufficient length (8 characters or more), mandatory mixture of types of characters, frequent change
(less than once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard
systems", first names, anagrams of username, dates etc. In the case of authentication based on cryptographic mechanisms and of
certificates: a generation process evaluated or publicly recognized, encryption keys of a sufficient length etc.
11B01-03 Does the process of providing credentials for authentication (like user password) guarantee its inviolability? 4 E2
The usage of a password will always be a weak point. The only process which does not divulge observable information consists
either of introducing an object containing a secret (smart card), or using a code which changes at every moment (token card type
SecureId) or providing some biometric character.
11B01-10 Are the procedures and services for access control subject to regular audit? 3 C1
11B02-02 Has it been established a security policy and recommendations relative to teleworking using remote connections to the office 4 E1 11.7.2
network)?
The recommendations and instructions should cover the precautions and means to implement and cover the security of the
connection to the company network (reinforced authentication, VPN, etc.), possible restriction of access authorizations,
precautions concerning the use of personal workstations by individuals other than the incumbent (family, friends, etc.).
11B02-03 Does the security policy formally forbid to carry out of the premises documents classified or carrying a value of proof? 4 E2 9.2.5; 11.71
11B02-04 Are personnel likely to work off site made aware of and receive training on the measures to be applied in order to protect 4 E2 9.2.5; 11.71
documents, systems and the data they contain?
These measures cover physical and logical protection against theft as well as disclosure or unauthorized access by family
members as well as by other persons.
11B02-05 Are the computing systems used off site only those belonging to the company and configured specifically for that purpose (in 2 E2 11.7.2
particular if they permit an access to the internal network)?
11B02-06 Is the configuration of computing systems used for work outside company buildings (portable computers) regularly checked? 3 C1
11B03 Use of personal equipment or external equipment (not owned by the organization)
11B03-01 Has an exhaustive analysis of all the work situations or professional exchanges using equipments that do not belong to the 4 E2
organization?
11B03-02 Has an exhaustive analysis of all the external peripheral connection possibilities to the Information Systems of the organization 4 E2
(USB ports, bluetooth, etc...) ?
11B03-03 Are these analyses regularly updated ? 2 C2
A technological survey should be effected so as to improve knowledge of new types of devices and new vulnerabilities.
11B03-04 Has it been deduced from them a security policy regarding the use of personal equipment for work purposes? 2 E2 6.1.4; 11.7.2
The instructions should consider the introduction and use of personal equipment such as laptops, PDAs, external disks, optical
supports, USB keys, etc.
11B03-05 Have means of control regarding the use of personal equipment been defined and implemented? 2 E2 6.1.4
Such as specific parameters of the operating systems, filtering capabilities, etc.
11B03-06 Are the means of control protected against untimely or illicit alteration? 2 R1
11B03-07 Is there a regular audit of the procedures and means of control? 2 C1
11C Protection of data on the workstation
11C01 Protection of the confidentiality of data on the workstation or on a data server (logical disk for the workstation)
11C01-01 Is confidential data stored encrypted, whether on the user workstation or hosted on a data server (logical disk)? 4 E2 11.7.1; 12.3.1
11C02-03 Is the encryption process applied whichever media type (external disk, USB key, PDA, etc.)? 4 E2
11C03 Confidentiality considerations during maintenance operations on user workstations
11C03-01 Is there a procedure which details the actions to carry out before calling maintenance to ensure that unauthorized staff do not gain 4 E2 9.2.6
access to sensitive information which may be stored on the workstation (physical erasing of sensitive data and of temporary files,
retaining of disks etc.)?
11C03-02 Is there a written procedure and a binding clause in personnel maintenance contracts stipulating that any storage media which 2 E2
contained sensitive data be destroyed before disposal?
11C03-03 Is there a procedure of checking for system integrity after maintenance intervention (absence of spyware, or trojans etc.)? 3 E2
11C03-04 Are the procedures described above obligatory in all circumstances and do any derogations require the signature of senior 3 R2
management?
11C03-05 Are the above procedures subject to regular audit? 3 C2
11C04 Protection of the integrity of files stored on workstations or on data servers (logical disk for workstations)
11C04-01 Are integrity sensitive files (whether stored on workstations or hosted on a data server) write-protected and is there an integrity 4 E2
control mechanism?
Such a mechanism may authorize the creation of modifiable working copies while guaranteeing the integrity of the original
11C04-02 Are the components of the integrity control process security protected against any alteration, modification or inhibition? 3 R2
11C04-03 Is the process or the directives concerning integrity control extended to messages and message attachments? 4 E2
11C04-04 Is the process or the directives concerning integrity control extended to information contained in address books 4 E3
11C04-05 Have users undergone training on integrity control means indicating in particular the rules to respect such that integrity control 2 E2
cannot be circumvented?
11C04-06 Are regular audits carried out on the usage of means of integrity control by users? 3 C2
11C05 Security of Email and Electronic Information Exchanges
11C05-01 Is there a security policy specific to emails defining precautions for use and security measures to implement? 2 E1 10.8.4
11C05-03 Does this policy impose that message sent with a high importance be systematically requesting an acknowledgement of receipt 3 E2
controlled by the sender?
11C05-04 Is there also a security policy attached to various other electronic exchange of information (telephonic or video conference, 2 E1 10.8.5
cooprative work, document sharing, FTP services, instant messaging, etc.) defining the security measure and precautions to
implement?
11C05-05 Has it been implemented an encrypted electronic messaging service? 3 E2 10.8.4
11C05-06 Has it been implemented a digital signature service? 3 E3 10.8.4
11C05-07 Is a service in charge of collection and treatment of undesirable messages? 3 E3
Undesirable messages (spams, virus, false virus alerts, etc...) must be immediately sent to this service, which will estimate the
threat and put in place counter measures: specific filtering, internal warning, etc...
11C05-08 Are regular audits carried out on the procedures and instructions concerning email and electronic exchanges security? 2 C1
11D02-03 Are there specific maintenance contracts for all software requiring high availability and for which standard repair times are not 2 E1
acceptable?
11D02-04 Are maintenance contracts, selection of service providers and the associated procedures regularly audited? 3 C1
11D03 Users' configurations backup plans
11D03-04 Are the production routines which ensure backups of user configurations protected, against illicit or undue modification, by secure 4 3 R1 10.5.1
mechanisms?
Such mechanisms might be electronic seal or any equivalent modification detection system.
11D03-05 Are user configuration backup plans and procedures subject to regular audit? 2 3 C1
11D04 Backup plans for user data stored on data servers
11D04-01 Is all user data stored on data servers systematically backed up? 4 3 E1 10.5.1
11D04-02 Has the frequency of backups been communicated to users? 2 E1 10.5.1
11D04-03 Are several generations of save files available in order to guard against missing or unreadable files, by organizing, for example a 2 E2 10.5.1
rotation of backup media?
11D04-04 Is a complete quarterly or six-monthly backup set kept to serve as an emergency archive? 2 E2 10.5.1
11D04-05 Are the backup procedures, for office data stored on servers, subject to a regular audit? 3 C1
11D05 Backup plan for data stored on user workstations.
11D05-01 Are the users made aware and trained to backup operations for sensitive data possibly stored in their workstation? 3 E1 10.5.1
11D05-02 Is all user data (stored on workstations) systematically backed up (by users, at a fixed frequency or when connecting to the internal 4 E1 10.5.1; 11.7.1
network)?
11D05-03 Do users also have the possibility to effect a backup themselves if necessary? 4 E1 10.5.1
11D05-04 Are several generations of saved files available in order to guard against missing or unreadable files, by organizing, for example a 2 E2 10.5.1
rotation of backup media?
11D05-05 Is a complete quarterly or six-monthly backup set kept to serve as an emergency archive? 2 E2 10.5.1
11D05-06 Are the backup procedures for user data subject to a regular audit? 3 C1
11D06 Anti virus (malware, unauthorized executable code, etc.) protection for user workstations.
11D06-01 Has it been defined a policy to prevent risks of attack from malevolent codes (virus, Trojan Horse, worms, etc.) like prohibit the use 2 E1 10.4.1
of unauthorized software, protection measures during file retrieval via external networks and reviews of installed software?
11D06-02 Are user workstations equipped with a means to protect from viruses and malware? 4 E1
11D06-03 Is the anti virus product regularly updated? 2 E1
With internet, new threats are instantaneous thus forcing to control at least every day of the existence of a corrective update
11D06-04 Is there a regular and automatic analysis of all the files on the workstations? 2 E2
11D06-05 Have actions to be taken by users' support team in case of an attack by malevolent code (alert, confinement measures, triggering 3 E2 10.4.1
of a crisis management process, etc.) been defined?
11D06-06 Is it possible for the users' support team to make, at any time, a complete check of the users' workstation base? 2 E2
11D07-09 If the recovery solutions include delivery of hardware components (which cannot be triggered during tests), is there a contractual 4 2 E2
commitment by the manufacturer or any relevant third party (distributor) to deliver the replacement hardware within fixed and
anticipated time limits as stated in the recovery plan?
11D07-10 Are the existence, the pertinence and the updates of the users' workstations Recovery Plans regularly controlled? 2 3 C1
11D07-11 Is the updating of the above procedures within the recovery plan subject to regular audit? 2 3 C1
11D08 Access management to office data and files
11D08-01 Is the list of office file formats, that are required to be accessible, kept up to date? 4 3 E1
11D08-02 Are the necessary hardware and software elements required for the access to all the types of office files put in archive available or 4 3 E1
easily made available?
11D08-03 Do the procedures of allocation and personalization of office files encryption and protection capabilities guarantee possibilities to 4 3 E2
access the files, even if their owners are absent or have left the organization?
11D08-04 Are the recovery capabilities of the access or encryption keys protected against accidental or malevolent unavailability? 4 3 E2
11D08-05 Are there regular audits of the mechanisms and procedures that guarantee the continuity of access to office files? 2 3 E2
11E Control of administrative rights
11E01 Management of privileged access rights granted on user workstations (administrative rights)
11E01-06 Is there a systematic process of removal of special rights at the time of departure or role change of user support operations staff? 2 E2 11.2.4
11E01-07 Is there a regular audit, at least once a year, of all special rights attributed ? 1 2 C1 11.2.4
11E02 Authentication and control of the access rights of administrators and operational personnel
11E02-01 Is the authentication of the administrator required before taking control of a user workstation? 4 4 E2
11E02-02 Is the authentication protocol used for administrators or holders of special rights considered to be secure? 4 4 E2
An authentication protocol is considered secure if it is not susceptible to being broken by a listening device on the network or
rendered inoperable by specialists tools (in particular password crack tools ). Such security usually uses cryptographic methods.
11E02-03 Are the rules, for instance in the case of passwords, considered to be very strict? 2 E2
Strict rules impose the use of tested non-trivial passwords, using a mixture of different types of characters and of a reasonable
length (ten characters). It is desirable that these rules have been approved by the Information Security Officer
11E02-04 Is there a consistent control of the administrator's rights, of its context, and of the suitability of this context with the requested 4 E2
access, as per formal rules of access control?
11E02-05 Are authentication parameters under strict control? 4 2 R1
A strict control requires that the list of people able to change authentication rules, the credentials themselves and the surveillance
rules of connection attempts be strictly limited, that there be a reinforced access control in order to be able to modify these rights
and that any modification of these rights be logged and audited and that there be a general audit at least once a year of all
authentication parameters.
11E02-06 Are the processes that guarantee authentication under strict control? 4 3 R1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there is
an audit at least once a year of the authentication procedures and processes.
11E02-07 Is there a regular audit of the procedures of the security parameters attached to protecting profiles and rights? 4 3 C1
11E03 Surveillance of system administrators' actions over the users' workstations
11E03-01 Has a detailed analysis been carried out of the events and operations carried out with administrative rights on the users' 2 E2 10.10.4
workstations which may potentially have an impact on system security?
11E03-02 Are these events recorded as well as all parameters which may be useful for their subsequent analysis? 4 E2 10.10.4
11E03-03 Is there a system able to detect any modification or deletion of a past record and to immediately trigger an alarm to a manager? 4 2 E3 10.10.4
11E03-04 Is there a summary of these records enabling management to detect abnormal behavior? 4 3 E3 10.10.4
Number Question R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
12A Security of operational procedures
12A01 Consideration of security in relation with operational personnel (permanent and temporary staff)
12A01-01 Is there a security policy, specifically aimed at operations personnel, related to telecommunications? 4 E1 9.2.1
This policy should cover the requirements for the protection of information as well as the protection of physical assets and
processes and mention the forbidden behaviors
12A01-02 Is telecommunication operations personnel required to sign contract clauses of adherence to that security policy (no matter their 4 E2
status: permanent or temporary staff, students, etc.)?
12A01-03 Do these clauses make clear that the personnel has an obligation not to tolerate any action contrary to security from other people? 4 3 E3
12A01-09 Is there a regular audit, at least once a year, of the effective application of the signature procedure by operational personnel 2 3 C1
(directly employed by the company or indirectly through a service company) ?
12A02 Control of the implementation of new equipments or upgrade of existing systems
Equipments for classical telephony : PABX, ...
With ToIP : call server, gateway converter to classical telephony, routers, switches
Equipments dedicated to users: telephone terminal, fax machines (often combined with printing, scanning and photocopy
capabilities , ...), tele and videoconferencing, ...
These systems may provide configuration, management, directory, billing and storage (answering machine, voice mail) services,
12A02-01 Are the decisions to change or update equipment and systems significantly subject to a control procedure (registration, planning, 4 E1 10.1.2; 10.3.1
formal approval, communication to all concerned individuals, etc.)?
The possible separation (physical or logical, using VLAN) of data and voice flows shall be analyzed when moving to ToIP and
revised based on the observed load changes, the same applies to interconnection capabilities between the two networks
12A02-02 Are the change decisions based on an analysis of the capacity of the new equipment and systems to ensure the required load and 2 E2 10.3.1
take into account the evolution of foreseeable requests?
12A02-03 Do the installations take into account physical protection? 2 E2 9.2.1
Protected access, no direct external view on equipments, no multiple physical threats, continuity of power supply, weather
conditions, protection against thunderbolts, protection against dust, etc.
12A02-04 Is any new or modified functionality linked to a new system or new version of a system, systematically documented before moving 4 2 E2
into production?
12A02-05 Is such new functionality (or change in functionality), linked to a new system or new version of a system, formally and 2 E2 10.3.2
systematically reviewed in conjunction with the IT security function?
Number Question R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
12A02-06 Does this review include an analysis of the risks that may result from the changes? 2 2 E2 10.3.2
12A02-07 Have telecommunication operations staff received formal appropriate training in risk analysis? 1 E3
This should include service continuity as well as confidentiality and integrity of the data and the transmissions
12A02-08 May the operation staff obtain an appropriate support specially competent on risk analysis? 4 E3
12A02-09 Are the security measures, determined to counter the new identified risks, formally reviewed before implementation? 4 2 E3 10.3.2
12A02-10 Are security parameters and configuration rules (deletion of generic accounts, changing of any default passwords, blocking of 4 E3 10.3.2; 11.4.4
unauthorized communications ports, setting of access rights and authentication parameters, etc.) listed in detail and regularly
updated?
12A02-11 Are the security parameters and configuration rules controlled prior to any start of production of a new version? 4 E3 10.3.2; 11.4.4
12A02-12 Has the eventual impact of the systems' changes regarding the continuity plans been considered? 2 E2 10.3.2
12A02-13 Are any derogations from the prerequisite risk analysis and control of security parameters subject to strict procedures, including a 4 R1
signature from senior management?
12A02-14 Can the start of production of new systems and applications be only carried out by operations personnel? 2 2 E3 6.1.4; 12.4.1
12A02-15 Is the start of production of new versions of systems or applications possible by the use of a defined validation and authorization 2 2 E3 6.1.4; 12.4.1
process?
12A02-16 Are the start of production control procedures regularly audited? 2 3 C1
12A03 Control of maintenance operations
12A03-01 Is it kept a trace of all maintenance operations? 1 E2 9.2.4
12A03-02 Are all maintenance operations required to terminate with a systematic control of physical or recorded configurations and security 4 2 E2
parameters (as defined at time of start of production)?
12A03-03 Are all maintenance operations required to terminate with a systematic control of the recording parameters for security events and 4 3 E3
the life span of records?
12A03-04 Are all maintenance operations required to terminate with a systematic control of system administration parameters (required 4 3 E3
profile, authentication type, removal of standard logins etc.)?
12A03-05 Is a formal dispensation, signed by a responsible manager, required if the above mentioned procedures are not observed? 4 E3
12A04-02 In the case of remote maintenance, are maintenance staff subject to a secure authentication procedure? 4 2 E2 11.4.4
12A04-03 Is there a set of procedures covering the granting and revocation of access rights for remote maintenance operatives and the 2 E3 11.4.4
granting of rights in urgent situations?
12A04-04 Does the usage of the remote maintenance line require the prior agreement (for each usage) of telecommunication operations 4 3 E3 11.4.4
personnel (upon request by the manufacturer or editor specifying the nature, date and time of the intervention)?
12A04-05 Is the usage of the remote maintenance line under strict control ? 4 3 E2
A strict control supposes that each use of the line, the name of the maintenance operative and the actions carried out is registered,
and that there be a subsequent audit of the appropriateness of the actions and their conformity with the rules laid down by
maintenance managers.
Number Question R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
12A04-06 Are control procedures for remote maintenance regularly audited? 2 3 C1
12A05 Management of Operating Procedures for Telecommunication Operation
12A05-01 Do the operating procedures result from the study of the overall cases to be covered by said procedure (normal operating cases 4 E2 10.1.1
and incidents)?
12A05-02 Are the operating procedures documented and kept up to date? 4 E2 10.1.1
12A05-03 Are the operating procedures readily available upon request by any accredited individual? 4 E2 10.1.1
12A05-04 Is the telecommunications operation Management required to approve changes to procedures ? 4 E2 10.1.1
12A05-05 Are these procedures protected from unauthorized alterations? 2 R1
12A05-06 Are the operating procedures audited regularly for authenticity and relevance? 2 C1
12A06 Management of service providers relating to telecommunication
12A06-01 Is it regularly ensured that the security services allocated to suppliers or providers are efficiently implemented and maintained by 4 C1 10.2.1
them?
12A06-02 Is it ensured that the telecommunications service suppliers or providers have efficiently prepared the appropriate arrangements to 2 E2 10.2.1
ensure that the services are provided as agreed?
12A06-03 Is the respect of the security provisions by the suppliers or providers regularly reviewed? 4 E1 10.2.2
12A06-04 Is it ensured that the suppliers and providers report and document any security incident concerning information or networks? 4 E2 10.2.2
12A06-05 Is there a regular review of these incidents or malfunctions with the concerned suppliers and providers? 2 E2 10.2.2
12A06-06 Are any changes in the contract relationship (obligations, service levels, etc.) analyzed for resulting potential risks? 2 E3 10.2.3
12B Control of hardware and software configurations
12B01 Network equipment customizing and compliance control of configurations
12B01-01 Is an exact inventory of the equipments kept up to date by the concerned responsible persons? 2 E2
Of key importance with ToIP for the move of terminal equipments and their configuration (including configured emergency call
numbers)
12B01-02 Is there a document (or a set of documents ) or an operational procedure which describes all security parameters for the 4 2 E1
equipments and systems?
Such a document should be derived from the security policy and describe all the filtering rules decided. It should also mention the
reference to the system versions so as to check the status of the updates.
12B01-03 Does this document require that all generic or by default accounts be deleted and their list established? 4 2 E2 11.4.4
12B01-04 Are the system versions, fixes and parameters updated regularly in line with latest information? 2 3 E2 10.7.4; 12.6.1
This should be done in cooperation with expert authorities (specialized audits, subscription to a service center, regular consultation
with CERTs, etc.)
12B01-05 Does the resulting document or procedure impose a synchronization feature, based on a reliable time reference? 4 E3 10.10.6
12B01-06 Are these reference documents protected, by secure methods, against untimely or illicit alteration (sealing)? 2 3 R1 10.7.4
12B01-07 Is the integrity of system configurations checked, regularly (at least weekly) if not at each system start-up, against the configuration 4 2 E3 15.2.2
theoretically expected?
12B01-08 Are regular audits carried out of the compliance to the specifications for security parameters? 2 R1 15.2.2
12B01-09 Are regular audits carried out of the exception and escalation procedures in the case of difficulty or installation problems? 2 R1 15.2.2
12B01-10 Are the development and test environments separated from the operational environments? 1 C1
Number Question R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
12B01-11 Is it possible to control, each time it is needed, the compliance of the architecture and of the configurations of the equipments ? 2 2 R2
12B02-04 Is the protective seal controlled automatically (otherwise it may be an authoritative signature) at each new installation? 4 R2
12B02-05 Is a check made of the proof of origin and integrity of received maintenance module or a new version, from the editor or the 4 E2
manufacturer (for operating systems)?
12B02-06 Are the sealing and sealing control tools protected against any unauthorized usage? 4 R2
12B02-07 Does the inhibition of the automatic control of seals trigger an alarm to a manager? 4 E3
12B02-08 Are there regular audits of protection procedures for reference programs? 4 C1
12C Service continuity
12C01 Organization of operational equipment maintenance
12C01-01 Is all equipment covered by a maintenance contract? 2 E1 9.2.4
12C01-02 Are there specific maintenance contracts for all hardware which require a high availability and for which the replacement must be 4 E2
made within limited delays?
12C01-03 Do the contracts stipulate maximum delays before intervention and compatible with the requirements of availability? 4 2 E2
12C01-04 Do the contracts detail the required time slots and days of intervention (24h/7d for example) compatible with the requirements of 4 2 E3
availability?
12C01-05 Do the contracts stipulate the conditions of escalation in case of difficulty? 4 3 R1
12C01-06 Do the contracts detail specific clauses for when the hardware downtime exceeds the specific times stipulated (penalties, hardware 4 3 E3
replacement, etc.)?
It is desirable that these clauses be general and apply to all cases no matter what the reasons (technical difficulty, staff strikes,
etc.)
12C01-07 Do the maintenance contracts anticipate the complete replacement of equipment in the case of important damage which might not 4 E3
be taken into consideration by reparative maintenance?
A special attention should be born on the confidentiality of data stored on the disk of the replaced equipments
12C01-08 Are the maintenance contracts, the choice of subcontractors and associated maintenance procedures subject to regular audit? 2 3 C1
12C02-02 Do the suppliers provide a technical software support center which guarantees a quick and competent telephone assistance? 2 E2
12C02-03 Are there specific maintenance contracts for software products (systems, middleware and applications) which require corrective 4 E2
delays that standard maintenance cannot cover?
Number Question R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
12C02-04 Do these contracts detail specific maximum intervention delays, compatible with the availability requirements? 4 2 E2
12C02-05 Do the contracts detail the required time slots and days of intervention (24h/7d for example) compatible with the requirements of 4 2 E3
availability?
12C02-06 Do the contracts stipulate the conditions of escalation in case of difficulty? 4 3 R1
12C02-07 Do the contracts specify specific clauses when hardware downtime exceeds specific durations stipulated (penalties, replacement 4 3 E3
of hardware, etc.)?
It is desirable that these clauses be general and apply to all cases no matter what the reasons (technical difficulty, staff strikes,
etc.)
12C02-08 Are the maintenance contracts, the choice of subcontractors and associated maintenance procedures subject to regular audit? 2 3 C1
12C03-02 Does the plan also cover configuration parameters of the telecommunication equipments to save? 4 3 E2 10.5.1
12C03-03 Is the plan implemented by automatic production routines? 2 3 E2 10.5.1
12C03-04 Are there regular tests that the backup copies of configurations enable the effective restoration of the production environment at 4 2 E2 10.5.1; 14.1.5
any time?
These tests should consider all the backups (including documentation and parameters files) of legitimate elements.
12C03-05 Are the production routines which ensure backups protected, against illicit or undue modification, by secure mechanisms? 4 3 R1 10.5.1
Such mechanisms might be electronic seal or any equivalent modification detection system.
12C04-03 Has an activity recovery solution been defined and implemented to resolve each scenario identified above, in accordance with user 4 2 E1 14.1.3
requirements?
12C04-04 Are the technical, organizational and human resources sufficient to address the organization's requirements for IT continuity? 4 E2 14.1.3
This means being able to correct personnel deficiencies
12C04-05 Are the technical, organizational and human resources educated to address the organization's requirements for continuity? 4 E2 14.1.3
This implies to train appropriately all concerned staff.
12C04-06 Are all these solutions described in detail in Disaster Recovery Plans including the conditions for triggering the plan, the actions to 4 E1 14.1.3
execute, the priorities, the actors to mobilize and their contact details?
12C04-07 Are these plans tested at least once a year? 4 2 E2 14.1.5
Number Question R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
12C04-08 Are above tests able to guarantee that the staff capacity and the recovery systems can cope, under full operational load, the 4 3 E2 14.1.5
minimum service levels required by users?
The tests required to obtain this guarantee are preferably full scale tests of each variant of scenario, involving all users. The results
of the tests have to be registered and analyzed in order to improve the capability of the organization to answer to the situations
considered.
12C04-09 If the recovery solutions include delivery of hardware components (which cannot be triggered during tests), is there a contractual 4 2 E2
commitment by the manufacturer or any relevant third party (leaser, broker, distributor) to deliver the replacement hardware within
fixed and anticipated time limits as stated in the recovery plan?
12C04-10 Has the unavailability or failure of the recovery facility been considered and has a replacement solution been defined and validated 2 3 E2
(second level recovery)?
12C04-11 Has this (second level recovery) solution been validated? 2 3 E3
12C04-12 Is the recovery solution usable for an unlimited duration and, if not, has a follow on replacement solution been established? 2 3 E3
12C04-13 Are the existence, the pertinence and the updates of the services Recovery Plans regularly controlled? 2 3 C1
12C04-14 Is the updating of the above procedures within the recovery plan subject to regular audit? 2 3 C1
12C05 Management of critical systems (regarding maintenance continuity)
12C05-01 Have the consequences of the disappearance of a supplier been analyzed (in the case of failure, a bug or change requirement) 2 E2
and has a list of critical systems been established?
This is valid for hardware, software or service providers
12C05-02 For all critical systems, has a corrective solution been analyzed to cope with the failure or disappearance of a supplier 2 E2
(consignment of maintenance documentation or source code with a trusted third party, hardware replacement by standard market
solutions etc.)?
12C05-03 Is there a guarantee that the corrective solutions could be made operational within time delays compatible with the continuity of the 2 2 E2
business and accepted by the users?
12C05-04 Have variants to the primary solution been considered in case it might encounter unforeseen difficulties? 2 3 E3
12C05-05 Is there a regular review of critical systems and corrective solutions envisaged? 2 3 C1
12D Use of end-user telecommunication equipment
12D01 Control of the compliance of user configurations
12D01-01 Has a list of the telecommunication software authorized on the users' stations been established? 4 E2
This list should indicate the reference versions authorized and possibly the parameterization options
12D01-02 Are these lists protected against untimely or illicit alteration by a robust sealing process? 2 R2
12D01-03 Are the rights provided to users preventing them to modify the specific telecommunication (telephone, audio or video conferencing, 4 E2
etc. )configurations of their equipment?
12D01-04 Is the conformity of the telecommunication configurations for user workstations regularly controlled relatively to the authorized 4 2 C1
options?
12D01-05 Does the inhibition of the control process trigger an alarm to a manager? 4 3 C2
12D01-06 Are the processes of control themselves subject to regular audits? 4 C1
12D02 Training and awareness setting for users
12D02-01 Are the users made aware of the risks of tapping resulting from the use of telecommunication equipment and services? 4 E1
Number Question R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
12D02-02 Are the users informed of risks resulting from the malevolent usage, locally or remotely, of their communication equipment? 4 E2
In addition to the use of their colleagues' equipment without their knowing.
12D02-03 Are the deactivation procedures explained to users at the installation or replacement time of their equipment? 2 E2
12D02-04 Are the control and security procedures documented? 4 E2
12D02-05 Are all the users trained about these procedures? 4 3 E2
12D03 Utilization of cryptographic equipment
12D03-01 Are encryption of exchanges mechanisms settable in accordance to the non-disclosure requirements established? 4 E2
12D03-02 Are the encryption capabilities explained to all the staff? 4 E2
12D03-03 Have the user functions requiring a protection of the telecommunication exchanges been analyzed? 4 3 E2
12D03-04 Have encryption functions been installed on all the corresponding user equipment? 4 3 E2
12E Control of administrative rights
12E01 Management of privileged access rights granted on equipments and systems (administrative rights)
12E01-01 Have profiles been defined, within telecommunication operations staff, corresponding to each type of activity (system 1 E1 10.1.3; 11.2.2
administration, administration of security equipment, system monitoring, management of data storage and backup functions etc.)?
12E01-02 For each profile have the necessary rights and privileges been defined? 4 2 E1 10.1.3
12E01-03 Does the process of attributing special rights require the formal authorization of management (or the manager responsible for 4 2 E2 10.1.3
external service providers) at a sufficiently high level?
12E01-04 Is the process of attributing special rights allocated only in relation to the profile of the holder? 4 2 E2 10.1.3
12E01-05 Is the process of granting (modification or revocation) of special rights to an individual strictly controlled? 4 2 3 R1 11.2.2
A strict control requires a formal recognition of the signature (electronic or not) of the requestor, that there be a tight control of
access in order to attribute or modify such rights and that any modification of special rights be logged and audited.
12E01-06 Is there a systematic process of removal of special rights at the time of departure of telecommunication operations staff? 2 E2 11.2.4
12E01-07 Is there a systematic process of removal of special rights at the time of rle change of telecommunication operations staff? 2 E2 11.2.4
12E01-08 Is there a regular audit, at least once a year, of all special rights attributed ? 1 2 C1 11.2.4
12E02 Authentication and control of the access rights of administrators and operational personnel
12E02-01 Is the authentication protocol used for administrators or holders of special rights considered to be secure? 4 4 E2
An authentication protocol is considered secure if it is not susceptible to being broken by a listening device on the network or
rendered inoperable by specialists tools (in particular password crack tools ). Such security usually uses cryptographic methods.
12E02-02 Are the rules, for instance in the case of passwords, considered to be very strict? 2 E2
Strict rules impose the use of tested non-trivial passwords, using a mixture of different types of characters and of a reasonable
length (ten characters). It is desirable that these rules have been approved by the Information Security Officer
12E02-03 Is there a consistent control of the administrator's rights, of its context, and of the suitability of this context with the requested 4 E2
access, as per formal rules of access control?
Number Question R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
12E02-04 Are authentication parameters under strict control? 4 2 R1
A strict control requires that the list of people able to change authentication rules, the credentials themselves and the surveillance
rules of connection attempts be strictly limited, that there be a reinforced access control in order to be able to modify these rights
and that any modification of these rights be logged and audited and that there be a general audit at least once a year of all
authentication parameters.
12E02-05 Are the processes that guarantee authentication under strict control? 4 3 R1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there is
an audit at least once a year of the authentication procedures and processes.
12E02-06 Is there a regular audit of the security parameters attached to protecting profiles and rights? 4 3 C1
12E03 Surveillance of system administrators' actions over the equipments and systems
12E03-01 Has a detailed analysis been carried out of the events and operations carried out with administrative rights which may potentially 2 E2 10.10.4
have an impact on system security (configuration of security systems, access to sensitive information, usage of sensitive tools,
download or modification of administrative tools etc.)?
12E03-02 Are these events recorded as well as all parameters which may be useful for their subsequent analysis? 4 E2 10.10.4
12E03-03 Is there a system able to detect any modification or deletion of a past record and to immediately trigger an alarm to a manager? 4 2 E3 10.10.4
12E03-04 Is there a summary of these records enabling management to detect abnormal behavior? 4 3 E3 10.10.4
12E03-05 Is there a system enabling the detection of any modification of recording parameters and to immediately trigger an alarm to a 4 2 E3 10.10.4
manager?
12E03-06 Does any inhibition of the recording and processing of the logged events system trigger an alarm to a manager? 4 E3 10.10.4
12E03-07 Are all records or summary analyses protected against any falsification or destruction? 2 E2 10.10.4
12E03-08 Are all records or summary analyses kept for a long period? 2 E2 10.10.4
12E03-09 Are the procedures, which record and process privileged operations, regularly audited? 2 C1 10.10.4
13A02-06 Does this program include training or awareness of the consequences of not respecting the legal provisions relating to PPI? 4 E2
13A02-07 Is the level of knowledge of members of staff concerning PPI periodically evaluated by survey or other mechanism? 4 3 E3
13A02-08 Are members of staff periodically reminded of the existence of this program by poster, or other communication? 2 E2
13A02-09 Is this program revised at least every five years? 2 3 R1
13A02-10 Is the enforcement of this program subject to a periodic audit? 2 3 C1
13A03 Applicability of the PPI policy
13A03-01 Have the conditions necessary for implementing the PPI policy been analyzed? 2 C1
13A03-02 Have the corresponding resources (technical and human) been put in place? 4 3 E2
13A03-03 Is the level of resource necessary for the application of PPI audited regularly? 1 3 E2
13A04 Monitoring the implementation of the PPI policy
13B01-11 Does the application of this frame of reference enable all information published to be traced back? 2 2 C1
This includes the capacity to trace back the chain of treatments so as to identify the original data (references to the facts,
accounting data entries, ... ) and the decisions related to the origin of the information
13B01-12 Has a manager responsible for Communication of financial data been appointed? 4 E2
13B01-13 Does the policy concerning Communication of financial data (or its management framework) clearly establish the responsibilities of 4 E1
each of the contributors?
13B01-14 Is there a committee related to the governing bodies that is charged with developing the Communication of financial data policy 4 E2
and with periodically studying any related problems?
13B01-15 Is the Communication of financial data policy revised regularly? 2 3 E2
13B02 Communication of financial data training and awareness program
13B02-01 Is there a Communication of financial data awareness and training program? 2 E1
13B02-02 Is this program approved by the manager responsible or in charge of the Communication of financial data? 2 E2
13B02-03 Is this program available to the staff who process information covered by the legal provisions related to Communication of financial 2 E2
data?
13B02-06 Does this program include training or awareness of the consequences of not respecting the legal provisions relating to 4 E2
Communication of financial data?
13B02-07 Is the level of knowledge of members of staff concerning the Communication of financial data periodically evaluated by survey or 4 3 E3
other mechanism?
13B02-09 Is this program revised at least every five years? 2 3 R1
13B02-10 Is the enforcement of this program subject to a periodic audit? 2 3 C1
13B03 Applicability of the Communication of financial data policy
13B03-01 Have the conditions necessary for implementing the Communication of financial data policy been analyzed? 2 C1
13B03-02 Have the corresponding resources (technical and human) been put in place? 4 3 E2
13B03-03 Is the level of resource necessary for the application of Communication of financial data audited regularly? 1 3 E2
13B04 Monitoring the implementation of the Communication of financial data policy
13B04-01 Is the implementation of the Communication of financial data policy audited regularly? 4 3 C1
13B04-02 Are sanctions defined in case of nonconformity or failure to apply the policy? 4 3 E2
13B04-03 Have these sanctions been communicated to staff? 2 3 E2
13C Respect of regulations concerning the verification of computerized accounting (VCA)
13C01 Preservation of accounting data and treatments
13C01-01 Is there a list of the types of recordings to preserve and of the procedures and protections to apply until their end of life? E2
This list should consider media like : paper, microfiches, files and their protection during the requested retention durations.
4 1
13C01-02 Are the basic accounting data preserved in compliance with the VCA regulations? 4 E2
The elementary data are individual, not yet aggregated, data considered since their origin, for example: historic files of movements
(orders, bills, stocks...), written evidences, statements, permanent data, operations of files' updates...
13C01-03 Are files which contain long term or reference information (accounting schemas, client files, suppliers, tariffs, 4 E2
products) kept in compliance with the VCA?
13C01-04 Are operational procedures kept in compliance with VCA regulations? 4 E2
13C01-05 Are operational systems which have a direct or indirect link with the accounting system kept in compliance with 4 E2
VCA regulations?
13C01-06 Are all accounting applications and applications which feed the accounting system, via intermediate or interface 4 E2
files, kept?
13C01-07 Are analytical or budgetary applications used to determine expenses and incomes kept? 4 E3
13C01-08 Are constraints related to the migration of systems and applications respected ? 4 C1
In the case of migrations, the company must be able to supply either copies of the history of each data file or the
tools and processes used for converting existing data files towards the new system. It is not therefore necessary to
retain a working version of the old system.
13C02-03 Is this documentation preserved as required by the regulation (either on paper or electronically)? 1 E2
13C02-04 Is this documentation updated using a precise system of follow up of documents version numbers? 4 E2
13C02-05 Is the source code of programs related to VCA accessible? 4 E2
13C02-06 Are all documents, data and transactions, subject to legal control, preserved and accessible in the host country 1 E2
13C02-07 itself?
Is the retention plan for data and information, including documentation, compliant with the rules in force (duration 1 E2
and nature of support media)?
13C02-08 Do IT contracts with third parties contain a specific legal clause taking into account VCA regulations such as the availability of 1 E2
source code, documentation and technical assistance in the case of a VCA audit?
Such third parties include outsourcing, software editors, suppliers, etc.
13C02-09 Does the documentation, issued from application developments and updates, comply to VCA regulation (for all 1 E2
applications within the scope of VCA regulations)?
13C02-10 In the case of company acquisitions is there a clause which guarantees the respect of obligations related to VCA? 1 E2
13C02-11 Is there a control procedure related to VCA elements covering backup plan, operations technical documents, data, 1 C1
processing, version of the saved elements, etc. ?
13C03 Verification of computerized accounting data training and awareness program
13C03-01 Is there a VCA awareness and training program? 2 E1
13C03-02 Is this program approved by the VCA manager? 2 E2
13C03-03 Is this program offered to the staff who process information covered by the legal provisions related to VCA? 2 E2
13C03-06 Does this program include training or awareness of the consequences of not respecting the legal provisions relating to VCA? 4 E2
13C03-07 Is the level of knowledge of members of staff concerning VCA periodically evaluated by survey or other mechanism? 4 3 E3
13C03-09 Is this program revised at least every five years? 2 3 R1
13C03-10 Is the enforcement of this program subject to a periodic audit? 2 3 C1
13C04 Applicability of the VCA policy
13C04-01 Have the conditions necessary for implementing the VCA policy been analyzed? 2 C1
13C04-02 Have the corresponding resources (technical and human) been put in place? 4 3 E2
13C04-03 Is the level of resource necessary for the application of VCA audited regularly? 1 3 E2
13C05 Monitoring the implementation of the VCA policy
13C05-01 Is the implementation of the VCA policy audited regularly? 4 3 C1
13C05-02 Are sanctions defined in case of nonconformity or failure to apply the policy? 4 3 E2
13D01-07 Has the adequacy of the directives with respect to all the relevant laws and regulations been verified by independent audit? 4 3 E2
13D02-05 Does this program include training or awareness of the consequences of not respecting the legal provisions relating to IPR? 4 E2
13D02-06 Is the level of knowledge of members of staff concerning IPR periodically evaluated by survey or other mechanism? 4 3 E3
13D02-07 Is this program revised at least every five years? 2 3 R1
13D02-08 Is the enforcement of this program subject to a periodic audit? 2 3 C1
13D03 Applicability of the intellectual property rights policy
13D03-01 Have the conditions necessary for implementing the IPR policy been analyzed? 2 C1
13D03-02 Have the corresponding resources (technical and human) been put in place? 4 3 E2
13D03-03 Is the level of resource necessary for the application of IPR audited regularly? 1 3 E2
13D04 Monitoring the implementation of the intellectual property rights policy
13D04-01 Is the implementation of the IPR policy audited regularly? 4 3 C1
13D04-02 Are sanctions defined in case of nonconformity or failure to apply the policy? 4 3 E2
13D04-03 Have these sanctions been communicated to staff? 2 3 E2
13E Protection of computerized systems
13E01-06 Has the adequacy of the directives with respect to all the relevant laws and regulations been verified by independent audit? 4 3 E2
13E01-07 Has a manager responsible for the protection of computerized systems been appointed? 4 E2
13E01-08 Is the protection of computerized systems responsible manager known to all members of staff? 2 E2
13E01-09 Does the protection of computerized systems policy (or the management framework) clearly define the responsibilities of the 4 E1
various stakeholders?
13E01-10 Is there a committee related to the governing bodies that is charged with developing directions for the protection of computerized 4 E2
systems and with periodically studying any related problems?
13E01-11 Is the protection of computerized systems policy revised regularly? 2 3 E2
13E02 Protection of computerized systems training and awareness program
13E02-01 Is there a protection of computerized systems awareness and training program? 2 E1
13E02-02 Is this program approved by the protection of computerized systems manager or respondent? 2 E2
13E02-03 Is this program offered to the staff concerned? 2 E2
13E02-04 Does this program include training or awareness of the consequences of not respecting the legal provisions relating to the 4 E2
protection of computerized systems?
13E02-05 Is the level of knowledge of members of staff concerning the protection of computerized systems periodically evaluated by survey 4 3 E3
or other mechanism?
13E02-06 Is this program revised at least every five years? 2 3 R1
13E02-07 Is the enforcement of this program subject to a periodic audit? 2 3 C1
13E03 Applicability of the protection of computerized systems policy
13E03-01 Have the conditions necessary for implementing the protection of computerized systems policy been analyzed? 2 C1
13E03-02 Have the corresponding resources (technical and human) been put in place? 4 3 E2
13E03-03 Is the level of resource necessary for the application of the protection of computerized systems audited regularly? 1 3 E2
13E04 Monitoring the implementation of the protection of computerized systems policy
13E04-01 Is the implementation of the protection of computerized systems policy audited regularly? 4 3 C1
13E04-02 Are sanctions defined in case of nonconformity or failure to apply the policy? 4 3 E2
13E04-03 Have these sanctions been communicated to staff? 2 3 E2
13F Human safety and protection of the environment
13F01 Policy and instructions relative to Human safety and protection of the environment
13F01-01 Is there a collection of all applicable legal and regulatory rules and measures relative to the human safety and protection of the 2 E2
environment?
13F01-02 Is this collection revised every year? 2 E2
13F01-08 Has a manager responsible for human safety and protection of the environment been appointed? 4 E2
13F01-09 Is the responsible manager relative to the human safety and protection of the environment known to all members of staff? 2 E2
13F01-10 Does the policy (or the management framework) relative to human safety and protection of the environment clearly define the 4 E1
responsibilities of the various stakeholders?
13F01-11 Is there a committee related to the governing bodies that is charged with developing directions for relative to the human safety and 4 E2
protection of the environment and with periodically studying any related problems?
13F01-12 Is the policy relative to the human safety and protection of the environment revised regularly? 2 3 E2
13F02 Human safety and protection of the environment training and awareness program
13F02-01 Is there a Human safety and protection of the environment awareness and training program? 2 E1
13F02-02 Is this program approved by the Human safety and protection of the environment manager or respondent? 2 E2
13F02-03 Is this program offered to the staff concerned? 2 E2
13F02-04 Does this program include training or awareness of the consequences of not respecting the legal provisions relating to the Human 4 E2
safety and protection of the environment?
13F02-05 Is the level of knowledge of members of staff concerning the Human safety and protection of the environment periodically 4 3 E3
evaluated by survey or other mechanism?
13F02-06 Is this program revised at least every five years? 2 3 R1
13F02-07 Is the enforcement of this program subject to a periodic audit? 2 3 C1
13F03 Applicability of the Human safety and protection of the environment policy
13F03-01 Have the conditions necessary for implementing the Human safety and protection of the environment policy been analyzed? 2 C1
13F03-02 Have the corresponding resources (technical and human) been put in place? 4 3 E2
13F03-03 Is the level of resource necessary for the application of the Human safety and protection of the environment audited regularly? 1 3 E2
13F04 Monitoring the implementation of the Human safety and protection of the environment policy
13F04-01 Is the implementation of the Human safety and protection of the environment policy audited regularly? 4 3 C1
13F04-02 Are sanctions defined in case of nonconformity or failure to apply the policy? 4 3 E2
13F04-03 Have these sanctions been communicated to staff? 2 3 E2
13G Rules related to the use of encryption
13G01 Policy and instructions relative to the use of encryption
13G01-01 Is there a collection of all applicable legal and regulatory rules and measures regarding the use of encryption? 2 E2
13G01-02 Is this collection revised every year? 2 E2
13G01-03 Is there a policy and are there precise directives concerning the use of encryption? 4 E1
13G01-04 Has this policy been approved by the governing bodies? 2 E2
14A06-02 Does the method permit to analyze the risk acceptance criteria for each scenario? 2
14A07 Selection of the measures (controls) for risk reduction
14A07-01 Does the organization have at its disposal the elements allowing to select the most efficient security measures required? 4 1
The method used must permit to propose improvement directions for each risk situation and to optimize the selection based on the
objectives and constraints of the organization.
14A07-02 Does the method permit to identify the residual risks after treatment of these risks? 3 2
14A07-03 Are the residual risks, either after treatment or acceptance, presented to the management for validation? 2 2
14A08 Selection of the security measures in accordance to the statement of applicability (SOA)
14A08-01 Is a list of decisions and security measures applicable to the organization formally established? 4
14A08-02 Does the statement of applicability describe the security measures already in place? 2 2
14A08-03 Are the security measures excluded or differed documented and justified? 2 2
14B Implement the management system
14B01 Formulation of a risk treatment plan
14B01-01 Has a risk treatment plan been established? 4 1
14B01-02 Does this plan identify the actions to be taken including the appropriate resources, responsibilities, deadlines, and priorities? 2
F3 Maintenance 04A02, 04A06, 05A03, 05A07, 08D01, 08D02, 08D08, 09E03, 11D01, 11D02,
12C01, 12C02, 12C05
G1 Projects and developments 10A, 10B
H1 Incident management 04D, 05D, 06C03, 07C, 08E, 08F03, 09G, 11E03, 12E03
I1 Audit management 06D, 08G
J1 Compliance management 13
K1 Information security management 14
system
Code
Family type Event description Code
type
3 3 1
3 3 1
3 3 1
3 3 1
2 2 1
3 3 1
2 2 1
2 2 1
3 3 1
2 2 1
3 3 1
4 4 1
2 2 1
2 2 1
2 2 1
3 3 1
3 3 1
3 3 1
2 2 1
3 3 1
2 2 1
3 3 1
2 2 1
2 2 1
2 2 1
2 2 1
2 2 1
2 2 1
2 2 1
2 2 1
Reference Base of scenarios
ASSET VULNERABILITY THREAT
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
F01-ER1 D01 A File erasure Fic.eff ER.P Pro Exp Ain Uai
F01-ER1 D01 A File erasure Fic.eff ER.P Pro Exp Ain Una
F01-EM1 D01 A File erasure Fic.eff MA.L Del Exp Ain Ual
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
F01-ER1 D02 A File erasure Fic.eff ER.P Pro Exp Ain Una
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
F01-ER1 D03 A File erasure Fic.eff ER.P Pro Exp Abs Apc Una
F01-EM1 D03 A Files erasure Fic.eff MA.L Del Bur Abs Apc Una
F01-EM1 D03 A Files erasure Fic.eff MA.L Del Bur Hho Apc Una
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
F01-EM1 D10 A File erasure Fic.eff MA.L Del Exp Ain Ual
F01-EM1 D10 A File erasure Fic.eff MA.L Del Exp Ain Uai
F01-EM1 D10 A File erasure Fic.eff MA.L Del Exp Ain Pna
F01-ER1 D11 A File erasure Fic.eff ER.P Pro Exp Ain Uai
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
F01-ER1 D11 A File erasure Fic.eff ER.P Pro Exp Ain Una
F01-EM1 D11 A File erasure Fic.eff MA.L Del Exp Ain Una
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
F09-ER D01 I File tampering Fic.alt ER.P Pro Ain Tru Ual
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
D06-I Distortion (undetected) of data or of transmitted data that are individually sensitive
data tampering ER.P Prs
F10-ER D06b I Fic.alt
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
F11-MA1 D01 C File disclosure Fic.dif MA.L Vol Ain Tru Ual
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
F13-MA1 D06 C screen harnessing Dtr.div MA.L Ele Ext Aem Tie
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
F01-ER2 S01 A program file erasure Cfl.eff ER.P Pro Exp Uai
F01-ER2 S01 A program file erasure Cfl.eff ER.P Pro Exp Una
F01-EM2 S01 A program file erasure Cfl.eff MA.L Del Exp Ual
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
S03-A Unavailability of interface services or terminals for users (PC, local printers, peripherals, specific interfaces, etc.)
software erasure IF.L Exp Exp
F01-EA5 S03 A configuration Cfl.eff
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
S04-A Unavailability of common system services: messaging, archiving, printing, editing, etc.
program file erasure IF.L Exp Exp
F01-EA2 S04 A Cfl.eff
F01-ER2 S04 A program file erasure Cfl.eff ER.P Pro Exp Uai
F01-ER2 S04 A program file erasure Cfl.eff ER.P Pro Exp Una
F01-EM2 S04 A program file erasure Cfl.eff MA.L Del Exp Ual
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
media
F03-MA2 S04 A storing disappearance Med.dis MA.P Vol Md. Pna
program
media disappearance MA.P Vol Md. E
F03-MA2 S04 A storing Med.dis
program
media
F03-MA2 S04 A storing disappearance Med.dis MA.P Vol Md. Pse
program
media inoperability AC.M Equ Exp
F04-AC2 S04 A storing Med.ine
program
media inoperability IC.E De Exp
F04-AC2 S04 A storing Med.ine
program
media inoperability IC.E Se Exp
F04-AC2 S04 A storing Med.ine
program
media inoperability IF.L Exp Exp
F04-AC2 S04 A storing Med.ine
program
media inoperability IC.E Pol Md.
F04-AC2 S04 A storing Med.ine
program
media inoperability IC.E De Md.
F04-AC2 S04 A storing Med.ine
program
media
inoperability IC.E Age Md.
F04-AC2 S04 A storing Med.ine
program
Server damaging IC.E De Exp
F06-AC1 S04 A Eq.hs
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
S05-I Alteration of the publishing services for web sites, public or internal
program file tampering ER.P Pro D
F09-AC2 S05 I Cfl.alt
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
C06-E Non compliance of processes attached to the protection of human beings and environment
compliance Non application PR.N Api Exp
F20-NC C06 E of processes Pro.inf
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Accidental erasure of files of data, due to a production incident 1 A A 3 1 1 1 3 1 3 08A03 08E03
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
max(min(07A03;07A0
Malicious pollution of files of data, by a user not authorized, connected from 4;08F02);min(09A03;0
the internal network
1 M A 3 1 1 1 3 0 3
9A04);09C02)
Loss, due to accidental destruction, of media supporting files of data, within the
production premises, due to flooding
1 A A 3 1 1 1 3 0 3
Loss, due to accidental destruction, of media supporting files of data, in the 03D01
media storage premises, due to a fire
1 A A 2 1 1 1 3 0 2
Loss, due to accidental destruction, of media supporting files of data, in the
media storage premises, due to flooding
1 A A 3 1 1 1 3 0 3
Loss, due to accidental disappearance, of media supporting files of data, in the
media storage premises
1 A A 3 1 1 1 3 0 3
Loss, due to accidental disappearance, of media supporting files of data, within
the production premises
1 A A 3 1 1 1 3 0 3
Theft of media supporting files of data, within the production premises, by a
member of the staff not authorized
1 M A 2 1 1 1 3 0 2 03B06 min(03B03;03B04)
09D01
Impossibility, due to an accident, to use a media supporting files of data, within
the production premises, caused by the breakdown of an equipment
1 A A 3 1 1 1 3 0 3
Impossibility, due to an accident, to use a media supporting files of data, within 03C01
the production premises, due to a liquid (water) damage
1 A A 3 1 1 1 3 0 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
min(03A01;03A04)
Impossibility, due to an accident, to use a media supporting files of data, within
the production premises, due to an electrical over load
1 A A 2 1 1 1 3 0 2
08A03 08E03
Impossibility, due to an accident, to use a media supporting files of data, within
the production premises, due to a production incident
1 A A 3 1 1 1 3 0 3
Impossibility, due to an accident, to use a media supporting files of data, in the 08C03
media storage premises, due to a liquid (water) damage
1 A A 3 1 1 1 3 0 3
Disappearance, due to an accident, of means required for accessing files of
data
1 A A 3 1 1 1 3 0 3
Accidental erasure of files shared for office work, due to a virus 1 A A 4 1 1 1 1 0 4 min(08D07;11D06)
Erasure, due to an error, of files shared for office work, by a user authorized
legitimately, connected from the internal network
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of files shared for office work, by a user authorized
illegitimately, connected from the internal network
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of files shared for office work, by a user not
authorized, connected from the internal network
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of files shared for office work, by a member of the
production team, connected from the internal network
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of files shared for office work, by a member of the
maintenance team , connected from the internal network
1 E A 3 1 1 1 1 0 3
Malicious erasure of files and backups shared for office work, by a user
authorized legitimately, connected from the internal network
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups shared for office work, by a user 07A02
authorized illegitimately, connected from the internal network
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups shared for office work, by a user not min(07A03;07A04)
authorized, connected from the internal network
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups shared for office work, by a member of min(08F02;08F03)
the production team, connected from the internal network
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups shared for office work, by a member of
the maintenance team , connected from the internal network
1 M A 2 1 1 1 1 0 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Malicious erasure of files and backups shared for office work, by a member of min(08F02;08F03)
the production team, connected from the internal network
1 M A 2 1 1 1 1 0 2
03D01
Loss, due to accidental destruction, of media supporting files shared for office
work, within the production premises, due to a fire
1 A A 2 1 1 1 1 0 2
Loss, due to accidental destruction, of media supporting files shared for office
work, within the production premises, due to flooding
1 A A 3 1 1 1 1 0 3
Theft of media supporting files shared for office work, within the production
premises, by a member of the staff not authorized
1 M A 2 1 1 1 1 0 2 03B06 min(03B03;03B04)
Theft of media supporting files shared for office work, within the production
premises, by a member of the production team
1 M A 2 1 1 1 1 0 2 03B06
Theft of media supporting files shared for office work, within the production
premises, by a member of the services team
1 M A 2 1 1 1 1 0 2 03B06
Impossibility, due to an accident, to use a media supporting files shared for min(03A01;03A04)
office work, within the production premises, due to an electrical over load
1 A A 2 1 1 1 1 0 2
Impossibility, due to an accident, to use a media supporting files shared for 08A03 08E03
office work, within the production premises, due to a production incident
1 A A 3 1 1 1 1 0 3
Theft or malicious destruction of means required for accessing files shared for
office work
1 M A 2 1 1 1 1 0 2
Accidental erasure of files used for personal office activity, due to a virus 1 A A 4 1 1 1 1 0 4 min(08D07;11D06)
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Erasure, due to an error, of files used for personal office activity, by a member 1 E A 3 1 1 1 1 0 3
of the maintenance team
Erasure, due to an error, of files used for personal office activity, by a user not 1
authorized, directly connected to the workstation, while the user is absent
E A 3 1 1 1 1 0 3
Malicious erasure of files and backups used for personal office activity, by a
user not authorized, directly connected to the workstation, while the user is 1 M A 2 1 1 1 1 0 2
11B01
absent
Malicious erasure of files and backups used for personal office activity, by a
user not authorized, directly connected to the workstation, outside working 1 M A 2 1 1 1 1 0 2
11B01
hours
Malicious erasure of files and backups used for personal office activity, by a 1 min(08F02;08F03)
member of the production team, connected from the internal network
M A 2 1 1 1 1 0 2
Malicious erasure of files and backups used for personal office activity, by a 1 M A 2 1 1 1 1 0 2
member of the maintenance team
Loss, due to accidental destruction, of media supporting files used for personal 1 A A 2 1 1 1 1 0 2
office activity, in the offices, due to a fire
Loss, due to accidental destruction, of media supporting files used for personal 1 A A 3 1 1 1 1 0 3
office activity, in the offices, due to flooding
Loss, due to accidental disappearance, of media supporting files used for 1
personal office activity, in the offices
A A 3 1 1 1 1 0 3
Loss, due to accidental disappearance, of media supporting files used for 1
personal office activity, outside the company
A A 3 1 1 1 1 0 3
Vol of PC portable contenant des fichiers used for personal office activity, in the 1 02C05 02D02
offices, by a member of the enterprise staff
M A 2 1 1 1 1 0 2
Vol of PC portable contenant des fichiers used for personal office activity, in the 1 02C05 02D02
offices, by a member of the services team
M A 2 1 1 1 1 0 2
Vol of PC portable contenant des fichiers used for personal office activity, in the 1 02C05 max(02C03;02D02)
offices, by a visitor
M A 2 1 1 1 1 0 2
Vol of PC portable contenant des fichiers used for personal office activity, 1 M A 2 1 1 1 1 0 2
outside the company
Theft of media supporting files used for personal office activity, in the offices, by 1 02C05 02D02
a member of the enterprise staff
M A 2 1 1 1 1 0 2
Theft of media supporting files used for personal office activity, in the offices, by 1 02C05 02D02
a member of the services team
M A 2 1 1 1 1 0 2
Theft of media supporting files used for personal office activity, in the offices, by 1 02C05 max(02C03;02D02)
a visitor
M A 2 1 1 1 1 0 2
Impossibility, due to an accident, to use a media supporting files used for
1
personal office activity, in the offices, caused by the breakdown of an A A 3 1 1 1 1 0 3
equipment
Impossibility, due to an accident, to use a media supporting files used for 1
personal office activity, in the offices, due a liquid (water) damage
A A 3 1 1 1 1 0 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Impossibility, due to an accident, to use a media supporting files used for 1 min(03A01;03A04)
personal office activity, in the offices, due to an electrical over load
A A 2 1 1 1 1 0 2
min(02D01;02D06)
Malevolent disappearance, theft or destruction of document written or printed
detained by users, due to a theft, by a member of the services team
1 M A 2 1 1 1 1 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Accidental loss of data during a transfer: messages or transactions waiting for 08A03
treatment, due to a production incident
1 A A 3 1 1 1 1 3
Accidental loss of data during a transfer: messages or transactions waiting for 03D01
treatment, due to a fire
1 A A 2 1 1 1 1 2
Accidental loss of data during a transfer: messages or transactions waiting for 03C01
treatment, due to flooding
1 A A 3 1 1 1 1 3
Accidental loss of data during a transfer: e-mails during emission or receipt, 08A03
due to a production incident
1 A A 3 1 1 1 1 3
Accidental loss of data during a transfer: e-mails during emission or receipt, 03D01
due to a fire
1 A A 2 1 1 1 1 2
Accidental loss of data during a transfer: e-mails during emission or receipt, 03C01
due to flooding
1 A A 3 1 1 1 1 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Accidental loss of documents during a transportation: fax during emission or 02D05
receipt, due to a liquid (water) damage
1 A A 3 1 1 1 1 3
Malicious destruction of documents during a transfer : theft of fax, in the fax 02D05
office by a member of the staff not authorized
1 M A 2 1 1 1 1 2
min(02D06;02D07)
Accidental disappearance or impossibility to use a document of archives
(patrimony or documents) or important documents to preserve for a long period 1 A A 3 1 1 1 1 3
of time, within the archival premises, due to a liquid (water) damage
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Accidental disappearance or impossibility to use a document of archives min(02D06;02D07)
(patrimony or documents) or important documents to preserve for a long period 1 A A 2 1 1 1 1 2
of time, within the archival premises, due to a fire
min(02D06;02D07)
Loss of document of archives (patrimony or documents) or important
documents to preserve for a long period of time, due to to a procedure error, 1 E A 3 1 1 1 1 3
within the archival premises
min(02D06;02D07) min(02D06;02D07)
Malevolent disappearance, theft or destruction of document of archives
(patrimony or documents) or important documents to preserve for a long period 1 M A 2 1 1 1 1 2
of time, within the archival premises, by vandals or terrorists acting from outside
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Erasure, due to an error, of files of digitalized archives , by a member of the
production team, connected from the internal network
1 E A 3 1 1 1 1 0 3
Malicious erasure of files and backups of digitalized archives , by a member of 08H02
the production team, connected from the internal network
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups of digitalized archives , by a user
authorized legitimately, connected from the internal network
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups of digitalized archives , by a user 08H02
authorized illegitimately, connected from the internal network
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups of digitalized archives , by a member of 08H02
the staff not authorized, connected from the internal network
1 M A 2 1 1 1 1 0 2
Loss, due to accidental destruction, of media supporting files of digitalized 08H03
archives , in the media storage premises, due to a fire
1 A A 2 1 1 1 1 0 2
Loss, due to accidental destruction, of media supporting files of digitalized 08H03
archives , in the media storage premises, due to flooding
1 A A 3 1 1 1 1 0 3
Loss, due to accidental disappearance, of media supporting files of digitalized 08H01
archives , within the archival premises
1 A A 3 1 1 1 1 0 3
Loss, due to accidental disappearance, of media supporting files of digitalized
archives , within the production premises
1 A A 3 1 1 1 1 0 3
Theft of media supporting files of digitalized archives , within the archival
premises, by an authorized staff member
1 M A 2 1 1 1 1 0 2 08H03
Impossibility, due to an accident, to use a media supporting files of digitalized 08H03 08C05
archives , within the archival premises, due to ageing
1 A A 2 1 1 1 1 0 2
Impossibility, due to an accident, to use a media supporting files of digitalized 08H03
archives , within the archival premises, due to a liquid (water) damage
1 A A 3 1 1 1 1 0 3
Disappearance, due to an accident, of means required for accessing files of
digitalized archives
1 A A 3 1 1 1 3 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Erasure, due to an error, of files of data posted on public or internal sites , by a
user not authorized, connected from the internal network
1 E A 3 1 1 1 3 0 3
Erasure, due to an error, of files of data posted on public or internal sites , by a
member of the production team, connected from the internal network
1 E A 3 1 1 1 3 0 3
Erasure, due to an error, of files of data posted on public or internal sites , by a
member of the maintenance team
1 E A 3 1 1 1 3 0 3
Malicious erasure of files and backups of data posted on public or internal sites min(07A03;07A04)
, by a user not authorized, connected from the internal network
1 M A 2 1 1 1 3 0 2
Malicious erasure of files and backups of data posted on public or internal sites min(08F02;08F03)
, by a member of the production team, connected from the internal network
1 M A 2 1 1 1 3 0 2
Malicious erasure of files and backups of data posted on public or internal sites max(08A05;08E02)
, by a member of the maintenance team
1 M A 2 1 1 1 3 0 2
10B05
Pollution, by accident, of files of data posted on public or internal sites due to
a procedure error, during a software maintenance operation
1 A A 3 1 1 1 3 3
10B06
Pollution, by accident, of files of data posted on public or internal sites due to
a procedure error, during a hot maintenance operation
1 A A 3 1 1 1 3 3
Pollution, by accident, of files of data posted on public or internal sites due a 08D03 08E02
production incident
1 A A 3 1 1 1 3 3
03D01
Loss, due to accidental destruction, of media supporting files of data posted on
public or internal sites , within the production premises, due to a fire
1 A A 2 1 1 1 3 0 2
03D01
Loss, due to accidental destruction, of media supporting files of data posted on
public or internal sites , in the media storage premises, due to a fire
1 A A 2 1 1 1 3 0 2
Theft of media supporting files of data posted on public or internal sites , within
the production premises, by a member of the staff not authorized
1 M A 2 1 1 1 3 0 2 03B06 min(03B03;03B04)
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Theft of media supporting files of data posted on public or internal sites , within
the production premises, by a member of the production team
1 M A 2 1 1 1 3 0 2 03B06
Theft of media supporting files of data posted on public or internal sites , within
the production premises, by a member of the services team
1 M A 2 1 1 1 3 0 2 03B06
Impossibility, due to an accident, to use a media supporting files of data posted 03C01
on public or internal sites , within the production premises, due to a liquid 1 A A 3 1 1 1 3 0 3
(water) damage
Impossibility, due to an accident, to use a media supporting files of data posted min(03A01;03A04)
on public or internal sites , within the production premises, due to an electrical 1 A A 2 1 1 1 3 0 2
over load
Impossibility, due to an accident, to use a media supporting files of data posted 08A03 08E03
on public or internal sites , within the production premises, due to a production 1 A A 3 1 1 1 3 0 3
incident
Tampering, by accident, (and not detected) of files of data due to a procedure max(09B05;10B05) 09B04
error, during a software maintenance operation
1 A L 3 1 1 1 1 1 3
max(09B05;10B06) 09B04
Tampering, by accident, (and not detected) of files of data due to a procedure
error, during a hot maintenance operation
1 A L 3 1 1 1 1 1 3
Tampering, by accident, (and not detected) of files of data due to a production max(09B05;08D03) 09B04
incident
1 A L 3 1 1 1 1 1 3
Tampering, due to an error of procedure, of configurations of data, by a user 09B05 09B04
authorized legitimately, connected from the internal network
1 E L 3 1 1 1 1 1 3
max(09B05;min(07A0 09B04
Tampering, due to an error of procedure, of configurations of data, by a user 1;07A02;08F01);min(0
authorized illegitimately, connected from the internal network
1 E L 3 1 1 1 1 1 3 9A01;09A02))
max(09B05;min(07A0 09B04
Tampering, due to an error of procedure, of configurations of data, by a user 3;07A04;08F02);min(0
not authorized, connected from the internal network
1 E L 3 1 1 1 1 1 3
9A03;09A04))
Tampering, by accident, (and not detected) of files of data posted on public or max(09B05;10B05) 09B04
internal sites due to a procedure error, during a software maintenance 1 A L 3 1 1 1 1 1 3
operation
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Malicious (and undetected) tampering of files of data, by a user authorized max(09B05;min(07A0 09B04
illegitimately, connected from the internal network
1 M L 3 1 1 1 1 1 3 1;07A02;08F01);min(0
9A01;09A02))
Malicious (and undetected) tampering of files of data, by a user not authorized, max(09B05;min(07A0 09B04
connected from the internal network
1 M L 3 1 1 1 1 1 3 3;07A04;08F02);min(0
9A03;09A04);09B01;0
Malicious (and undetected) tampering of files of data, by a member of the max(09B01;09C02)
9C02) 09B04
production team, connected from the internal network
1 M L 3 1 1 1 1 1 3
Malicious (and undetected) tampering of files of data during production by a max(09B01;09C02) 09B04
member of the maintenance team
1 M L 3 1 1 1 1 1 3
08A06 09B04
Malicious (and undetected) tampering of files of data, by an unauthorized third
party , connected through a remote maintenance port
1 M L 3 1 1 1 1 1 3
Malicious (and undetected) tampering of files of data during the transportation max(09B01;09C02) 09B04
between sites by an authorized staff member
1 M L 3 1 1 1 1 1 3
Malicious (and undetected) swap of media containing files of data during 09B04
production by an authorized staff member
1 M L 2 1 1 1 1 1 2
Malicious (and undetected) swap of media containing files of data during max(03B04;03B05;03 max(min(03B01;03B0 09B04
production by a member of the staff not authorized 1 M L 2 1 1 1 1 1 2 B06) 2;03B03);08C02;09B0
1;09C02)
Malicious (and undetected) swap of media containing files of data during the max(09B01;09C02) 09B04
transportation between sites by an authorized staff member 1 M L 2 1 1 1 1 1 2
min(07A01;07A02;08F
Tampering, due to an error of procedure, of configurations shared for office
01)
work during user treatments, by a user authorized illegitimately, connected from 1 E I 3 1 1 1 1 3
the internal network
Malicious (and undetected) tampering of files shared for office work during min(07A01;07A02;08F
production, by a user authorized illegitimately, connected from the internal 1 M I 3 1 1 1 1 3 01)
network
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
max(min(08F02;07A0
Malicious (and undetected) tampering of files shared for office work during 3;07A04);11C01;11C0
production, by a user not authorized, connected from the internal network
1 M I 3 1 1 1 1 3
4)
Malicious (and undetected) tampering of files shared for office work during max(11C011;11C04)
production, by a member of the production team, connected from the internal 1 M I 3 1 1 1 1 3
network
Malicious (and undetected) tampering of files shared for office work during max(11C01;11C03;11
C04)
production, by a member of the maintenance team , connected from the 1 M I 3 1 1 1 1 3
internal network
Malicious (and undetected) swap of media containing files shared for office max(11C01;11C04)
work during production, by an authorized staff member, connected from the 1 M I 2 1 1 1 1 2
internal network
Malicious (and undetected) swap of media containing files shared for office max(03B04;03B05;03 max(min(03B01;03B0
work during production, by a member of the staff not authorized, connected 1 M I 2 1 1 1 1 2 B06) 2;03B03);08C02;11C0
from the internal network 1;11C04)
Malicious (and undetected) tampering of files used for personal office activity max(11C01;11C04)
stored on the work station, by a member of the production team, connected 1 M I 3 1 1 1 1 3
from the internal network
Malicious (and undetected) tampering of files used for personal office activity max(11C01;11C03;11
stored on the work station by a member of the maintenance team
1 M I 3 1 1 1 1 3 C04)
Malicious (and undetected) tampering of files used for personal office activity 11C02
stored on a removable media by an authorized staff member
1 M I 3 1 1 1 1 3
Malicious (and undetected) tampering of files used for personal office activity max(11B01;11C01;11
open on the workstation, by a user not authorized, directly connected to the 1 M I 3 1 1 1 1 3 C04)
workstation
Malicious (and undetected) swap of media containing files used for personal 11C02
office activity stored on a removable media by an authorized staff member 1 M I 2 1 1 1 1 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
09B03 09B04
Tampering of data individually sensitive due to an error during capture or typing 1 E L 3 1 1 1 1 1 3
09B03 09B03 09B04
Malicious handling of data (individually) sensitive during production, by a user
authorized legitimately, connected from the internal network
1 M L 3 1 1 1 1 1 3
max(min(07A03;07A0 09B04
Malicious handling of data (individually) sensitive during production, by a 4;08F02);min(09A03;0
member of the staff not authorized, connected from the internal network
1 M L 3 1 1 1 1 1 3
9A04;08F02);09B01;0
9C02)
max(min(07A01;07A0 09B04
Malicious handling of data (individually) sensitive during production, by a user
authorized illegitimately, connected from the internal network
1 M L 3 1 1 1 1 1 3 2);min(09A01;09A02))
max(04C01;04C02;09 09B04
Malicious handling of messages or data during transfers, over the extended
network, by a member of the production team
1 M L 3 1 1 1 1 1 3 B02;09C01)
max(05C03;05C04) 09B04
Malicious handling of messages or data during transfers, during an access to
the network from outside, by a member of the staff not authorized
1 M L 3 1 1 1 1 1 3
max(05C03;05C04) 09B04
Malicious handling of messages or data during transfers, during an access to
the network from outside, by a member of the production team
1 M L 3 1 1 1 1 1 3
max(05C01;05C02;09 09B04
Malicious handling of messages or data during transfers, during exchanges on B02;09C01)
the local area network, by a member of the staff not authorized
1 M L 3 1 1 1 1 1 3
max(05C01;05C02;09 09B04
Malicious handling of messages or data during transfers, during exchanges on B02;09C01)
the local area network, by a member of the production team
1 M L 3 1 1 1 1 1 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Malicious handling of e-mails during emission or receipt, by an unauthorized 11C05
third party
1 M I 3 1 1 1 1 3
Malicious handling of e-mails during emission or receipt, by a member of the 11C05
production team
1 M I 3 1 1 1 1 3
Sending of a faked email, by using a forged signature 1 M I 3 1 1 1 1 3 11C05
max(09B05;10B06) 09B04
Tampering, by accident, (and not detected) of files of data posted on public or
internal sites due to a procedure error, during a hot maintenance operation
1 A L 3 1 1 1 1 1 3
Tampering, by accident, (and not detected) of files of data posted on public or max(09B05;08D03) 09B04
internal sites due a production incident
1 A L 3 1 1 1 1 1 3
Tampering, due to an error of procedure, of configurations of data posted on 09B05 09B04
public or internal sites during user treatments, by a user authorized 1 E L 3 1 1 1 1 1 3
legitimately, connected from the internal network
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Malicious (and undetected) tampering of files of data posted on public or max(09B05;min(07A0 09B04
internal sites during production, by a user authorized illegitimately, connected 1 M L 3 1 1 1 1 1 3 1;07A02;08F01);min(0
from the internal network 9A01;09A02))
Malicious (and undetected) tampering of files of data posted on public or max(09B05;min(07A0 09B04
internal sites during production, by a user not authorized, connected from the 1 M L 3 1 1 1 1 1 3 3;07A04;08F02);min(0
internal network 9A03;09A04))
max(09B01;09C02) 09B04
Malicious (and undetected) tampering of files of data posted on public or
internal sites during production, by a member of the production team
1 M L 3 1 1 1 1 1 3
max(09B01;09C02) 09B04
Malicious (and undetected) tampering of files of data posted on public or
internal sites during production, by a member of the maintenance team
1 M L 3 1 1 1 1 1 3
Disclosure, due to an error, of files of data due to a procedure error during 09C02
production
1 E C 3 1 1 1 1 3
Disclosure, due to an error, of files of data due to a procedure error during a max(08A05;09C02)
hardware maintenance operation
1 E C 3 1 1 1 1 3
Disclosure, due to an error, of files of data due to a procedure error during max(10B04;09C02)
development tests
1 E C 3 1 1 1 1 3
Disclosure, due to an error, of files of data due to a procedure error during a max(08A05;09C02)
software maintenance operation
1 E C 3 1 1 1 1 3
Diversion of files of data during user treatments, by a user authorized 07C01
legitimately, connected from the internal network
1 M C 3 1 1 1 1 3
Diversion of files of data during user treatments, by a user authorized 07C01 max(min(07A01;07A0
illegitimately, connected from the internal network
1 M C 3 1 1 1 1 3 2);min(09A01;09A02))
Diversion of files of data during user treatments, by a user not authorized, max(min(07A03;07A0
connected from the internal network
1 M C 3 1 1 1 1 3 4;08F02;08C06);min(0
9A03;09A04))
Diversion of files of data, during production, by a member of the production 09C02
team
1 M C 3 1 1 1 1 3
max(05B03;min(07A0
Diversion of files of data during production, by an unauthorized third party , 3;07A04))
connected from the internal network
1 M C 3 1 1 1 1 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
min(05B08;05B09)
Diversion of files of data during production, by an unauthorized third party ,
connected on the storage network
1 M C 3 1 1 1 1 3
08C03 09C02
Disclosure of information, due to a theft, of media containing files of data,
during a storage in the site, by an authorized staff member
1 M C 2 1 1 1 1 2
08C04 09C02
Disclosure of information, due to a theft, of media containing files of data,
during an externalized storage , by an authorized staff member
1 M C 2 1 1 1 1 2
03B06 max(min(03B03;03B0
Disclosure of information, due to a theft, of media containing files of data, 4);09C02)
during production, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
max(08C07;09C02)
Disclosure of information, due to a theft, of media containing files of data,
during the transportation between sites, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
08C03 max(08C03;09C02)
Disclosure of information, due to a theft, of media containing files of data,
during a storage in the site, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
08C04 max(08C04;09C02)
Disclosure of information, due to a theft, of media containing files of data,
during an externalized storage , by a member of the staff not authorized
1 M C 2 1 1 1 1 2
Disclosure, due to an error, of files shared for office work due to a procedure 11C01
error during production
1 E C 3 1 1 1 1 3
Disclosure, due to an error, of files shared for office work due to a procedure max(11C01;11C03)
error during a hardware maintenance operation
1 E C 3 1 1 1 1 3
Diversion of files shared for office work during user treatments, by a user
authorized legitimately, connected from the internal network
1 M C 3 1 1 1 1 3
Diversion of files shared for office work during user treatments, by a user min(07A01;07A02)
authorized illegitimately, connected from the internal network
1 M C 3 1 1 1 1 3
Diversion of files shared for office work during user treatments, by a user not max(min(07A03;07A0
authorized, connected from the internal network
1 M C 3 1 1 1 1 3 4;08C06;08F02);11C0
1)
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Diversion of files shared for office work during production, by a member of the 11C01
production team
1 M C 3 1 1 1 1 3
Diversion of files shared for office work during a maintenance operation, by a max(11C01;11C03)
member of the maintenance team
1 M C 3 1 1 1 1 3
max(05B03;min(07A0
Diversion of files shared for office work during production, by an unauthorized 3;07A04);11C01)
third party , connected from the internal network
1 M C 3 1 1 1 1 3
max(min(05B04;05B0
Diversion of files shared for office work during production, by an unauthorized 5;05B06;05B07;06B0
third party , connected, from outside, to the local area notwork
1 M C 3 1 1 1 1 3 2);min(07A03;07A04);
11C01)
max(min(05B08;05B0
Diversion of files shared for office work during production, by an unauthorized 9);11C01)
third party , connected on the storage network
1 M C 3 1 1 1 1 3
02C05 11C01
Disclosure of information, due to a theft, of media containing files shared for
office work, during production, by an authorized staff member
1 M C 2 1 1 1 1 2
Disclosure of information, due to a theft, of media containing files shared for 11C01
office work, during the transportation between sites, by an authorized staff 1 M C 2 1 1 1 1 2
member
08C03 11C01
Disclosure of information, due to a theft, of media containing files shared for
office work, during a storage in the site, by an authorized staff member
1 M C 2 1 1 1 1 2
08C04 11C01
Disclosure of information, due to a theft, of media containing files shared for
office work, during an externalized storage , by an authorized staff member
1 M C 2 1 1 1 1 2
max(min(03B03;03B0
Disclosure of information, due to a theft, of media containing files shared for
office work, during production, by a member of the staff not authorized
1 M C 2 1 1 1 1 2 4);11C01)
Disclosure of information, due to a theft, of media containing files shared for max(08C07;11C01)
office work, during the transportation between sites, by a member of the staff 1 M C 2 1 1 1 1 2
not authorized
08C03 max(08C03;11C01)
Disclosure of information, due to a theft, of media containing files shared for
office work, during a storage in the site, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
Disclosure of information, due to a theft, of media containing files shared for 08C04 max(08C04;11C01)
office work, during an externalized storage , by a member of the staff not 1 M C 2 1 1 1 1 2
authorized
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Disclosure, due to an error, of files used for personal office activity due to a 11C01
procedure error, during user treatments
1 E C 3 1 1 1 1 3
Disclosure, due to an error, of files used for personal office activity due to a max(11C01;11C03)
procedure error, during a hardware maintenance operation
1 E C 3 1 1 1 1 3
Diversion of files used for personal office activity, by a member of the staff not max(min(11B01;11E0
authorized, directly connected to the workstation, while the user is absent
1 M C 3 1 1 1 1 3 1);11C01)
Diversion of files used for personal office activity, by a member of the staff not max(min(11B01;11E0
authorized, directly connected to the workstation, outside working hours
1 M C 3 1 1 1 1 3 1);11C01)
Diversion of files used for personal office activity, during production, by a 11C01
member of the production team
1 M C 3 1 1 1 1 3 min(11E02;11E03)
Diversion of files used for personal office activity, during a maintenance max(11C01;11C03)
operation, by a member of the maintenance team
1 M C 3 1 1 1 1 3
Disclosure of information, due to an accidental loss, of media containing files 11C01
used for personal office activity, outside the company
1 A C 3 1 1 1 1 0 3
02C05 max(min(02C01;02C0
Disclosure of information, due to a theft, of media containing files used for
2;02C03);11C02)
personal office activity, in the offices, by a member of the enterprise staff, while 1 M C 2 1 1 1 1 2
the user is absent
02C05 max(02C06;11C02)
Disclosure of information, due to a theft, of media containing files used for
personal office activity, in the offices, by a visitor, while the user is absent
1 M C 2 1 1 1 1 2
Disclosure of information, due to a theft, of media containing files used for max(02C04;02C05) max(min(02C01;02C0
2;02C03);11C02)
personal office activity, in the offices, by a member of the enterprise staff, 1 M C 2 1 1 1 1 2
outside working hours
Disclosure of information, due to a theft, of media containing files used for 02C05 11C02
personal office activity, in the offices, by a member of the services team, 1 M C 2 1 1 1 1 2
outside working hours
Disclosure of information, due to a theft, of media containing files used for 11C02
personal office activity, outside the company
1 M C 2 1 1 1 1 2
Disclosure of information, due to a theft, of portable equipment (e.g. PC) 02C05 max(min(02C01;02C0
containing files used for personal office activity, in the offices, by a member of 1 M C 2 1 1 1 1 2 2;02C03;11B01);11C0
the enterprise staff, while the user is absent 1)
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Disclosure of information, due to a theft, of portable equipment (e.g. PC) 02C05 max(02C06;11B01;11
containing files used for personal office activity, in the offices, by a visitor, while 1 M C 2 1 1 1 1 2 C01)
the user is absent
max(02C04;02C05) max(min(02C01;02C0
Disclosure of information, due to a theft, of portable equipment (e.g. PC)
2;02C03;11B01);11C0
containing files used for personal office activity, in the offices, by a member of 1 M C 2 1 1 1 1 2 1)
the enterprise staff, outside working hours
Disclosure of information, due to a theft, of portable equipment (e.g. PC) 02C05 max(11B01;11C01)
containing files used for personal office activity, in the offices, by a member of 1 M C 2 1 1 1 1 2
the services team, outside working hours
Theft of documents written or printed detained by users, in the offices, by a 02C05 max(02A02;02C03;02
user authorized illegitimately, while the user is absent
1 M C 2 1 1 1 1 2 D02)
Theft of documents written or printed detained by users, in the offices, by a 02C05 02D02
member of the services team
1 M C 2 1 1 1 1 2
02C05 max(02D02;min(02C0
Theft of documents written or printed detained by users, in the offices, by a 1;02C02;02C03))
member of the enterprise staff, while the user is absent
1 M C 2 1 1 1 1 2
Theft of documents written or printed detained by users, in the offices, by a 02C05 max(02D02;min(02C0
visitor, while the user is absent
1 M C 2 1 1 1 1 2 1;02C02;02C06))
02D02
Theft of documents written or printed detained by users, outside the company 1 M C 2 1 1 1 1 2
Theft of documents , during the printing on a shared printer, by a member of the max(02D02;11C06)
enterprise staff
1 M C 2 1 1 1 1 2
max(02D02;11C06)
Theft of documents , during the printing on a shared printer, by a visitor 1 M C 2 1 1 1 1 2
02D02
Theft of documents , during the distribution, by a member of the enterprise staff 1 M C 2 1 1 1 1 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Theft of documents , during the distribution, by a visitor 1 M C 2 1 1 1 1 2 02D02
02D03
Theft of discarded documents , within the collection circuit of paper bins 1 M C 2 1 1 1 1 2
08A07
Disclosure of listings or printouts, due to an error or accidental loss, during the
distribution, by a member of the production team
1 E C 3 1 1 1 1 3
08A07
Theft of listings or printouts , during the distribution, by a member of the
enterprise staff
1 M C 2 1 1 1 1 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Disclosure of data after tampering , by a member of the staff not authorized, max(05C03;09C01)
connected on the extended network
1 M C 3 1 1 1 1 3
max(03B07;05C01;09
Disclosure of data after tampering , by a member of the enterprise staff,
connected from the internal network
1 M C 3 1 1 1 1 3 C01)
max(min(06C01;06C0
Disclosure of data after tampering , by a member of the enterprise staff, after 2);09C01)
modification of a network equipment
1 M C 3 1 1 1 1 3
Disclosure of data after tampering , by a member of the production team, after min(06A01;06C03) 09C01
modification of a network equipment
1 M C 3 1 1 1 1 3
max(06A04;09C01)
Disclosure of data after tampering , by an unauthorized third party , after a
remote modification of a network equipment, using a remote maintenance line
1 M C 3 1 1 1 1 3
max(06A02;09C01)
Disclosure of data after tampering , by an unauthorized third party , after a
remote modification of a network equipment, using a flaw not yet fixed
1 M C 3 1 1 1 1 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
02D04
Theft of post mail, during collection or diffusion, in the offices 1 M C 2 1 1 1 1 2
02D05
Intentional disclosure of faxes, in the fax office 1 M C 2 1 1 1 1 2
02D05
Intentional disclosure of faxes, during collection or diffusion 1 M C 2 1 1 1 1 2
02D05
Diversion of fax due to a malicious transfer of receiver fax 1 M C 3 1 1 1 1 3
08H03 max(08H03;09C02)
Disclosure of information, due to a theft, of media containing files of digitalized
archives , within the archival premises, by an authorized staff member
1 M C 2 1 1 1 1 2
08H03 max(08H03;09C02)
Disclosure of information, due to a theft, of media containing files of digitalized
archives , within the archival premises, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
08H03 max(08H03;09C02)
Disclosure of information, due to a theft, of media containing files of digitalized
archives , in the distribution office, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
03D01 min(03D02;03D03)
Unavailability of the working environment, by accident, due to a fire 1 A A 2 1 1 1 1 2
03C01 min(03C02;03C03)
Unavailability of the working environment, by accident, due to flooding 1 A A 3 1 1 1 1 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Accidental erasure of programs of telecommunication services (voice, fax, 12A02
videoconferencing, etc.), due to a production incident
1 A A 3 1 1 1 1 0 3
12A03
Malicious erasure of programs of telecommunication services (voice, fax,
videoconferencing, etc.), by a member of the maintenance team
1 M A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
Long lasting unavailability, damaging or loss of (host) system, by accident of
telecommunication services (voice, fax, videoconferencing, etc.), within the 1 A A 2 1 1 1 1 1 2
production premises, due to a fire
03C01 min(03C02;03C03)
Long lasting unavailability, damaging or loss of (host) system, by accident of
telecommunication services (voice, fax, videoconferencing, etc.), within the 1 A A 3 1 1 1 1 1 3
production premises, due to flooding
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Temporary unavailability of (host) system, due to an accident, of
telecommunication services (voice, fax, videoconferencing, etc.), due to a lack 1 A A 3 1 1 1 1 0 3
of power supply (external cause)
min(03B03;03B04;03
Malicious damaging of host systems of telecommunication services (voice, fax, B06)
videoconferencing, etc.), due to vandalism, within the production premises, by a 1 M A 2 1 1 1 1 0 2
member of the staff not authorized
min(02A01;02A02;02 02A04
Malicious damaging of host systems of telecommunication services (voice, fax, A03;02A05)
videoconferencing, etc.), due to vandalism, by vandals or terrorists acting from 1 M A 2 1 1 1 1 0 2
inside (after an intrusion)
06A02 04D03
Accidental erasure of configuration (code, parameters, etc.) of the extended
network services due to a production incident
1 A A 3 1 1 1 1 0 3
Malicious erasure de configuration (code, parameters, etc.) of the extended 06C02 04D02
network services by a user not authorized
1 M A 2 1 1 1 1 0 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Malicious erasure de configuration (code, parameters, etc.) of the extended min(06C02;06C03)
network services by a member of the production team
1 M A 2 1 1 1 1 0 2
03C01
Damaging of (host) system, by accident of the extended network services ,
within the production premises, due to a liquid (water) damage
1 A A 3 1 1 1 1 0 3
min(03A01;03A04)
Damaging of (host) system, by accident of the extended network services ,
within the production premises, due to an electrical over load
1 A A 2 1 1 1 1 0 2
03A05
Long lasting unavailability, damaging or loss of (host) system, by accident of the
extended network services , within the production premises, due to a lightning
1 A A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
Long lasting unavailability, damaging or loss of (host) system, by accident of the
extended network services , within the production premises, due to a fire
1 A A 2 1 1 1 1 1 2
03C01 min(03C02;03C03)
Long lasting unavailability, damaging or loss of (host) system, by accident of the
extended network services , within the production premises, due to flooding
1 A A 3 1 1 1 1 1 3
Malicious damaging of host systems of the extended network services , due to min(03B03;03B04;03
vandalism, within the production premises, by a member of the staff not 1 M A 2 1 1 1 1 0 2 B06)
authorized
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Malicious damaging of host systems of the extended network services , due to
vandalism, by vandals or terrorists acting from outside
1 M A 2 1 1 1 1 0 2
min(02A01;02A02;02 02A04
Malicious damaging of host systems of the extended network services , due to A03;02A05)
vandalism, by vandals or terrorists acting from inside (after an intrusion)
1 M A 2 1 1 1 1 0 2
Accidental erasure of configuration (code, parameters, etc.) of Local Area 06A02 05D03
Network services, due to a production incident
1 A A 3 1 1 1 1 1 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Malicious erasure de configuration (code, parameters, etc.) of Local Area 06C02 05D02
Network services, by a user not authorized
1 M A 2 1 1 1 1 0 2
03C01
Damaging of (host) system, by accident of Local Area Network services, within
the production premises, due to a liquid (water) damage
1 A A 3 1 1 1 1 0 3
min(03A01;03A04)
Damaging of (host) system, by accident of Local Area Network services, within
the production premises, due to an electrical over load
1 A A 2 1 1 1 1 0 2
03A05
Long lasting unavailability, damaging or loss of (host) system, by accident of
Local Area Network services, within the production premises, due to a lightning
1 A A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
Long lasting unavailability, damaging or loss of (host) system, by accident of
Local Area Network services, within the production premises, due to a fire
1 A A 2 1 1 1 1 1 2
03C01 min(03C02;03C03)
Long lasting unavailability, damaging or loss of (host) system, by accident of
Local Area Network services, within the production premises, due to flooding
1 A A 3 1 1 1 1 1 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Malicious damaging of host systems of Local Area Network services, due to min(03B03;03B04;03
vandalism, within the production premises, by a member of the staff not 1 M A 2 1 1 1 1 0 2 B06)
authorized
min(02A01;02A02;02 02A04
Malicious damaging of host systems of Local Area Network services, due to A03;02A05)
vandalism, by vandals or terrorists acting from inside (after an intrusion)
1 M A 2 1 1 1 1 0 2
min(06C02;06C03)
Malicious breakdown of Local Area Network services, mass erasure or
pollution of the configuration of a host system by a member of the production 1 M A 2 1 1 1 1 0 2
team
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Erasure, due to an error, of programs of application services , by a user max(07A02;09A02)
authorized illegitimately
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programs of application services , by a user not min(07A03;07A04)
authorized
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programs of application services , by a member of
the production team
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programs of application services , by a member of
the maintenance team
1 E A 3 1 1 1 1 0 3
Malicious erasure of programs of application services , by a user authorized min(07C01;08E02)
legitimately
1 M A 2 1 1 1 1 0 2
Malicious erasure of programs of application services , by a user authorized min(07C01;08E02) max(07A02;09A02)
illegitimately
1 M A 2 1 1 1 1 0 2
min(07A03;07A04)
Malicious erasure of programs of application services , by a user not authorized 1 M A 2 1 1 1 1 0 2
Malicious erasure of programs of application services , by a member of the min(08F02;08F03)
production team
1 M A 2 1 1 1 1 0 2
Malicious erasure of programs of application services , by a member of the min(07C02;08E02)
maintenance team
1 M A 2 1 1 1 1 0 2
min(08F02;08F03)
Malicious erasure of files and backups of application services , by a member of
the production team
1 M A 2 1 1 1 1 0 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
03D01
Loss, due to destruction, of media supporting programs of application
services , within the production premises, due to a fire
1 A A 2 1 1 1 1 0 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Impossibility, due to an accident, to use a media supporting programs of
application services , in the media storage premises, due to pollution
1 A A 2 1 1 1 1 0 2
Impossibility, due to an accident, to use a media supporting programs of 08C03
application services , in the media storage premises, due to a liquid (water) 1 A A 3 1 1 1 1 0 3
damage
Impossibility, due to an accident, to use a media supporting programs of
application services , in the media storage premises, due to ageing
1 A A 2 1 1 1 1 0 2 08C05
03C01
Damaging of (host) system, by accident of application services , within the
production premises, due to a liquid (water) damage
1 A A 3 1 1 1 1 0 3
min(03A01;03A04)
Damaging of (host) system, by accident of application services , within the
production premises, due to an electrical over load
1 A A 2 1 1 1 1 0 2
03A05
Long lasting unavailability, damaging or loss of (host) system, by accident of
application services , within the production premises, due to a lightning
1 A A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
Long lasting unavailability, damaging or loss of (host) system, by accident of
application services , within the production premises, due to a fire
1 A A 2 1 1 1 1 0 2
03C01 min(03C02;03C03)
Long lasting unavailability, damaging or loss of (host) system, by accident of
application services , within the production premises, due to flooding
1 A A 3 1 1 1 1 0 3
09E01
Temporary unavailability of (host) system, due to an accident, of application
services , caused by the breakdown of an equipment
1 A A 3 1 1 1 1 0 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
min(03B03;03B04;03
Malicious damaging of host systems of application services , due to vandalism, B06)
within the production premises, by a member of the staff not authorized
1 M A 2 1 1 1 1 0 2
min(02A01;02A02;02 02A04
Malicious damaging of host systems of application services , due to vandalism, A03;02A05)
by vandals or terrorists acting from inside (after an intrusion)
1 M A 2 1 1 1 1 0 2
min(08F02;08F03)
Malicious breakdown of application services , mass erasure or pollution of the
configuration of a host system , by a member of the production team
1 M A 2 1 1 1 1 0 2
min(07C02;08E02)
Malicious breakdown of application services , mass erasure or pollution of the
configuration of a host system , by a member of the maintenance team
1 M A 2 1 1 1 1 0 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Locking of application services , due to to a malicious saturation of computing min(07C01;07C02) 08E01 min(08E02;08E03)
or network equipments
1 M A 3 1 1 1 1 0 3
Locking of accounts necessary for operation of application services , due to to
a blockage of accounts attack
1 M A 2 1 1 1 1 0 2
Accidental erasure of programs of common office services, due to a production 08A03 08E03
incident
1 A A 3 1 1 1 1 0 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Malicious pollution of programs of common office services during production by max(min(07A01;07A0
a user authorized illegitimately
1 M A 3 1 1 1 1 3 2;08F01);min(09A01;0
9A02))
Malicious pollution of programs of common office services during production by max(min(07A03;07A0
a user not authorized
1 M A 3 1 1 1 1 3 4;08F02);min(09A03;0
9A04))
Malicious pollution of programs of common office services during production by min(08F02;08F03)
a member of the production team
1 M A 3 1 1 1 1 3
Malicious pollution of programs of common office services during production by min(08F02;08F03) 10B05
a member of the maintenance team
1 M A 3 1 1 1 1 3
03D01
Loss, due to destruction, of media supporting programs of common office
services, within the production premises, due to to a fire
1 A A 2 1 1 1 1 0 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Impossibility, due to an accident, to use a media supporting programsof
common office services, within the production premises, caused by the 1 A A 3 1 1 1 1 0 3
breakdown of an equipment
Damaging of (host) system, by accident of common office services, within the min(03A01;03A04)
production premises, due to an electrical over load
1 A A 2 1 1 1 1 0 2
03A05
Long lasting unavailability, damaging or loss of (host) system, by accident of
common office services, within the production premises, due to a lightning
1 A A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
Long lasting unavailability, damaging or loss of (host) system, by accident of
common office services, within the production premises, due to a fire
1 A A 2 1 1 1 1 0 2
03C01 min(03C02;03C03)
Long lasting unavailability, damaging or loss of (host) system, by accident of
common office services, within the production premises, due to flooding
1 A A 3 1 1 1 1 0 3
09E01
Temporary unavailability of (host) system, due to an accident, of common office
services, caused by the breakdown of an equipment
1 A A 3 1 1 1 1 0 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Temporary unavailability of (host) system, due to an accident, of common office
services, caused by the breakdown or the unavailability of auxiliary elements
1 A A 3 1 1 1 1 0 3
min(02A01;02A02;02 02A04
Malicious damaging of host systems of common office services, due to A03;02A05)
vandalism, by vandals or terrorists acting from inside (after an intrusion)
1 M A 2 1 1 1 1 0 2
min(08F02;08F03)
Malicious breakdown of common office services, mass erasure or pollution of
the configuration of a host system , by a member of the production team
1 M A 2 1 1 1 1 0 2
min(07C02;08E02)
Malicious breakdown of common office services, mass erasure or pollution of
the configuration of a host system , by a member of the maintenance team
1 M A 2 1 1 1 1 0 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Stoppage of functioning of common office services, due to a long lasting
absence of internal staff required
1 A A 2 1 1 1 1 0 2
min(11E02;11E03)
Malicious erasure of all configurations (programs, code, parameters, etc.) of
equipments provided to end users, by a member of the production team
1 M A 3 1 1 1 1 0 3
11D06
Heavy unavailability of equipments provided to end users, due a virus 1 A A 4 1 1 1 1 0 4
Heavy unavailability of equipments provided to end users, within the production 03A05
premises, due to a lightning
1 A A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
Heavy unavailability of equipments provided to end users, within the production
premises, due to a fire
1 A A 2 1 1 1 1 0 2
Heavy unavailability of equipments provided to end users, within the production 03C01 min(03C02;03C03)
premises, due to flooding
1 A A 3 1 1 1 1 0 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
03B06 min(03B01;03B02;03 03B04
Malicious heavy destruction of equipments provided to end users, due to B03)
vandalism, within the production premises, by an authorized staff member
1 M A 2 1 1 1 1 0 2
min(03B03;03B04;03
Malicious heavy destruction of equipments provided to end users, due to B063)
vandalism, within the production premises, by an unauthorized third party
1 M A 2 1 1 1 1 0 2
min(07A03;07A04)
Malicious erasure of programs of common system services , by a user not
authorized
1 M A 2 1 1 1 1 0 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Pollution, by accident, of programs of common system services due to a 10B05
procedure error, during a software maintenance operation
1 A A 3 1 1 1 1 0 3
Pollution, by accident, of programs of common system services due to a 10B06
procedure error, during a hot maintenance operation
1 A A 3 1 1 1 1 0 3
Pollution, by accident, of programs of common system services due a 08E02
production incident
1 A A 3 1 1 1 1 0 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Theft of media supporting programs of common system services , in the media
storage premises, by a member of the staff not authorized
1 M A 2 1 1 1 1 0 2 03B06 08C03
03C01
Damaging of (host) system, by accident of common system services , within the
production premises, due a liquid (water) damage
1 A A 3 1 1 1 1 0 3
Damaging of (host) system, by accident of common system services , within the min(03A01;03A04)
production premises, due to an electrical over load
1 A A 2 1 1 1 1 0 2
03A05
Long lasting unavailability, damaging or loss of (host) system, by accident of
common system services , within the production premises, due to a lightning
1 A A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
Long lasting unavailability, damaging or loss of (host) system, by accident of
common system services , within the production premises, due to a fire
1 A A 2 1 1 1 1 0 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
03C01 min(03C02;03C03)
Long lasting unavailability, damaging or loss of (host) system, by accident of
common system services , within the production premises, due to flooding
1 A A 3 1 1 1 1 0 3
09E01
Temporary unavailability of (host) system, due to an accident, of common
system services , caused by the breakdown of an equipment
1 A A 3 1 1 1 1 0 3
min(02A01;02A02;02 02A04
Malicious damaging of host systems of common system services , due to A03;02A05)
vandalism, by vandals or terrorists acting from inside (after an intrusion)
1 M A 2 1 1 1 1 0 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Stoppage of functioning of common system services , due to to a social conflict
with the production staff
1 V A 2 1 1 1 1 0 2
08A03 08E03
Accidental erasure of programs of information publishing services on an
internal or public web site, due to a production incident
1 A A 3 1 1 1 1 0 3
max(07A02;09A02)
Erasure, due to an error, of programsof information publishing services on an
internal or public web site, by a user authorized illegitimately
1 E A 3 1 1 1 1 0 3
min(07A03;07A04)
Erasure, due to an error, of programsof information publishing services on an
internal or public web site, by a user not authorized
1 E A 3 1 1 1 1 0 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
min(07C01;08E02)
Malicious erasure of programs of information publishing services on an internal
or public web site, by a user authorized legitimately
1 M A 2 1 1 1 1 0 2
min(07C01;08E02) max(07A02;09A02)
Malicious erasure of programs of information publishing services on an internal
or public web site, by a user authorized illegitimately
1 M A 2 1 1 1 1 0 2
min(07A03;07A04)
Malicious erasure of programs of information publishing services on an internal
or public web site, by a user not authorized
1 M A 2 1 1 1 1 0 2
min(08F02;08F03)
Malicious erasure of programs of information publishing services on an internal
or public web site, by a member of the production team
1 M A 2 1 1 1 1 0 2
min(07C02;08E02)
Malicious erasure of programs of information publishing services on an internal
or public web site, by a member of the maintenance team
1 M A 2 1 1 1 1 0 2
min(08F02;08F03)
Malicious erasure of files and backups of information publishing services on an
internal or public web site, by a member of the production team
1 M A 2 1 1 1 1 0 2
max(min(07A01;07A0
Malicious pollution of programs of information publishing services on an internal 2;08F01);min(09A01;0
or public web site during production by a user authorized illegitimately
1 M A 3 1 1 1 1 0 3
9A02))
max(min(07A03;07A0
Malicious pollution of programs of information publishing services on an internal 4;08F02);min(09A03;0
or public web site during production by a user not authorized
1 M A 3 1 1 1 1 0 3
9A04))
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
min(08F02;08F03)
Malicious pollution of programs of information publishing services on an internal
or public web site during production by a member of the production team
1 M A 3 1 1 1 1 0 3
min(08F02;08F03) 10B05
Malicious pollution of programs of information publishing services on an internal
or public web site during production by a member of the maintenance team
1 M A 3 1 1 1 1 0 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Theft of media supporting programs of information publishing services on an
internal or public web site, in the media storage premises, by a member of the 1 M A 2 1 1 1 1 0 2 03B06
production team
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Long lasting unavailability, damaging or loss of (host) system, by accident of 03D01 min(03D02;03D03)
information publishing services on an internal or public web site, within the 1 A A 2 1 1 1 1 0 2
production premises, due to a fire
Long lasting unavailability, damaging or loss of (host) system, by accident of 03C01 min(03C02;03C03)
information publishing services on an internal or public web site, within the 1 A A 3 1 1 1 1 0 3
production premises, due to flooding
min(03B03;03B04;03
Malicious damaging of host systems of information publishing services on an B063)
internal or public web site, due to vandalism, within the production premises, by 1 M A 2 1 1 1 1 0 2
a member of the staff not authorized
min(07C02;08E02)
Malicious breakdown of information publishing services on an internal or public
web site, mass erasure or pollution of the configuration of a host system , by a 1 M A 2 1 1 1 1 0 2
member of the maintenance team
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Malicious destruction of host systems of information publishing services on an
internal or public web site, due to a terrorist action, by vandals or terrorists 1 M A 2 1 1 1 1 0 2
acting from outside
08A03
Locking of information publishing services on an internal or public web site, due
to to a blocking bug in a system or application software
1 E A 2 1 1 1 1 0 2
08A03
Locking of information publishing services on an internal or public web site, due
to to a blocking bug in a custom software
1 E A 3 1 1 1 1 0 3
07D01 08E01
Locking of information publishing services on an internal or public web site, due
to a production incident
1 E A 3 1 1 1 1 0 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Malicious (and undetected) tampering of configurations (code, parameters, 12A03 12B01
etc.) of telecommunication services (voice, fax, videoconferencing, etc.), by a 1 M I 3 1 1 1 1 0 3
member of the maintenance team
12A04
Malicious (and undetected) tampering of configurations (code, parameters,
etc.) of telecommunication services (voice, fax, videoconferencing, etc.), by an 1 M I 3 1 1 1 1 0 3
unauthorized third party , connected through a remote maintenance port
min(06C02;06C03)
Malicious (and undetected) tampering of configurations (code, parameters,
etc.) of the extended network services , by a member of the production team
1 M I 3 1 1 1 1 0 3
min(06C01;06C02)
Malicious (and undetected) tampering of configurations (code, parameters,
etc.) of the extended network services , by a user not authorized
1 M I 3 1 1 1 1 0 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
min(06C02;06C03)
Malicious (and undetected) tampering of configurations (code, parameters,
etc.) of Local Area Network services, by a member of the production team
1 M I 3 1 1 1 1 0 3
min(06C01;06C02)
Malicious (and undetected) tampering of configurations (code, parameters,
etc.) of Local Area Network services, by a user not authorized
1 M I 3 1 1 1 1 0 3
Malicious (and undetected) tampering of programs of application services , by max(07C02;08F03) max(08B02;08B03) 09B04
a member of the production team
1 M I 3 1 1 1 1 1 3
Malicious (and undetected) tampering of programs of application services , by 07C02 max(min(07A01;07A0 09B04
a user not authorized
1 M I 3 1 1 1 1 1 3 2;07A03;07A04);08B0
2;08B03;09B05)
Malicious (and undetected) swap of media containing programs of application max(08B03;09B05) 09B04
services during production by an authorized staff member 1 M I 2 1 1 1 1 1 2
Malicious (and undetected) swap of media containing programs of application max(03B04;03B05;03 max(min(03B01;03B0 09B04
services during production by a member of the staff not authorized B06) 2;03B03);08B03;08C0
1 M I 2 1 1 1 1 1 2 2;09B05)
Malicious (and undetected) swap of media containing programs of application max(08B03;09B05) 09B04
services during the transportation between sites by an authorized staff member 1 M I 2 1 1 1 1 1 2
Tampering of service, due to an altered process of connection to the server of max(07C02;08F03) max(07A05.09A05)
application services during the connection to the service by a member of the 1 M I 3 1 1 1 1 1 3
production team
Tampering of service, due to an altered process of connection to the server of 10B01 max(07A05.09A05)
application services during the connection to the service by a member of the 1 M I 3 1 1 1 1 1 3
development team
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Tampering of service, due to an altered process of connection to the server of 10B05 max(07A05.09A05)
application services during the connection to the service by a member of the 1 M I 3 1 1 1 1 1 3
maintenance team
Tampering or inhibition of security functions by accident (not detected) of
application services during the setting up after an intervention by a member of
the production team
1 E I 3 1 1 1 1 1 3
08B01
Tampering, due to an error of procedure, of configurations of common office
services, by a member of the maintenance team
1 E I 3 1 1 1 1 0 3
08B01
Tampering, due to an error of procedure, of configurations of common office
services, by a member of the production team
1 E I 3 1 1 1 1 0 3
08A04 08B01
Malicious (and undetected) tampering of configurations (code, parameters,
etc.) of common office services, by a member of the maintenance team
1 M I 3 1 1 1 1 0 3
min(08F02;08F03)
Malicious (and undetected) tampering of configurations (code, parameters,
etc.) of common office services, by a member of the production team
1 M I 3 1 1 1 1 0 3
max(min(07A01;07A0
Malicious (and undetected) tampering of configurations (code, parameters, 2;07A03;07A04);08B0
etc.) of common office services, by a user not authorized
1 M I 3 1 1 1 1 0 3
1)
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Tampering or inhibition of security functions by accident (not detected) of 08B01
common office services, during the setting up after an intervention by a
member of the production team
1 E I 3 1 1 1 1 0 3
08A04 08B01
Malicious (and undetected) tampering of configurations (code, parameters,
etc.) of common system services , by a member of the maintenance team
1 M I 3 1 1 1 1 0 3
min(08F02;08F03)
Malicious (and undetected) tampering of configurations (code, parameters,
etc.) of common system services , by a member of the production team
1 M I 3 1 1 1 1 0 3
max(min(07A01;07A0
Malicious (and undetected) tampering of configurations (code, parameters, 2;07A03;07A04);08B0
etc.) of common system services , by a user not authorized
1 M I 3 1 1 1 1 0 3
1)
Tampering or inhibition of security functions by accident (not detected) of 08B01
common system services , during the setting up after an intervention by a 1 E I 3 1 1 1 1 0 3
member of the production team
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Malicious (and undetected) tampering or inhibition of security functions of min(08F01;08F02)
common system services , during the setting up after an intervention by a 1 M I 3 1 1 1 1 0 3
member of the staff not authorized
max(08B02;08B03;09 09B05
Tampering of programs by accident (not detected) of information publishing B05)
services on an internal or public web site, by a member of the production team
1 E L 3 1 1 1 1 1 3
Malicious (and undetected) swap of media containing programs of information max(08B03;09B05) 09B04
publishing services on an internal or public web site during production by an 1 M L 2 1 1 1 1 1 2
authorized staff member
Malicious (and undetected) swap of media containing programs of information max(03B04;03B05;03 max(min(03B01;03B0 09B04
publishing services on an internal or public web site during production by a B06) 2;03B03);08B03;08C0
member of the staff not authorized
1 M L 2 1 1 1 1 1 2 2;09B05)
Malicious (and undetected) swap of media containing programs of information max(08B03;09B05) 09B04
publishing services on an internal or public web site during the transportation 1 M L 2 1 1 1 1 1 2
between sites by an authorized staff member
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Tampering of service, due to an altered process of connection to the server of max(07C02;08F03) max(07A05.09A05)
information publishing services on an internal or public web site during the
connection to the service by a member of the production team 1 M L 3 1 1 1 1 1 3
Tampering of service, due to an altered process of connection to the server of 10B01 max(07A05.09A05)
information publishing services on an internal or public web site during the
connection to the service by a member of the development team 1 M L 3 1 1 1 1 1 3
Tampering of service, due to an altered process of connection to the server of 10B05 max(07A05.09A05)
information publishing services on an internal or public web site during the
connection to the service by a member of the maintenance team 1 M L 3 1 1 1 1 1 3
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Disclosure of program files, due to an error of application services due to a 10B02
procedure error, during a hardware maintenance operation
1 M C 3 1 1 1 1 0 3
Disclosure of programs, due to a theft, of media containing program files of 08C03 10B02
application services , during a storage in the site, by an authorized staff 1 M C 2 1 1 1 1 0 2
member
Disclosure of programs, due to a theft, of media containing program files of 08C04 10B02
application services , during an externalized storage , by an authorized staff 1 M C 2 1 1 1 1 0 2
member
03B06 max(min(03B03;03B0
Disclosure of programs, due to a theft, of media containing program files of 4);10B02)
application services , during production, by a member of the staff not authorized
1 M C 2 1 1 1 1 0 2
Disclosure of programs, due to a theft, of media containing program files of 08C03 max(08C03;10B02)
application services , during a storage in the site, by a member of the staff not 1 M C 2 1 1 1 1 0 2
authorized
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Disclosure of programs, due to a theft, of media containing program files of 08C04 max(08C04;10B02)
application services , during an externalized storage , by a member of the staff 1 M C 2 1 1 1 1 0 2
not authorized
13A01
Non compliance to laws or regulations concerning the protection of personal
information due to the use of inadequate procedures
1 E L 2 1 1 1 1 1 2
13A04
Non compliance to laws or regulations concerning the protection of personal
information due to the intentional non application of procedures
1 M L 2 1 1 1 1 1 2
13B01
Non compliance to laws or regulations concerning financial communication
due to the use of inadequate procedures
1 E L 2 1 1 1 1 1 2
13B03
Non compliance to laws or regulations concerning financial communication
due to the non application of procedures, consequence of lack of resources
1 E L 2 1 1 1 1 1 2
13B02
Non compliance to laws or regulations concerning financial communication
due to the non application of procedures, consequence of lack of knowledge
1 E L 2 1 1 1 1 1 2
13B04
Non compliance to laws or regulations concerning financial communication
due to the intentional non application of procedures
1 M L 2 1 1 1 1 1 2
min(13C01;13C02)
Non compliance to laws or regulations concerning the digital accounting
control due to the use of inadequate procedures
1 E L 2 1 1 1 1 0 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Non compliance to laws or regulations concerning the digital accounting 13C04
control due to the non application of procedures, consequence of lack of 1 E L 2 1 1 1 1 1 2
resources
13C05
Non compliance to laws or regulations concerning the digital accounting
control due to the intentional non application of procedures
1 M L 2 1 1 1 1 1 2
min(11A03;13D01)
Non compliance to laws or regulations concerning the protection intellectual
property due to the use of inadequate procedures
1 E L 2 1 1 1 1 1 2
min(11A03;13D04)
Non compliance to laws or regulations concerning the protection intellectual
property due to the intentional non application of procedures
1 M L 2 1 1 1 1 1 2
13E04
Non compliance to laws or regulations concerning the protection of computer
systems due to the intentional non application of procedures
1 M L 2 1 1 1 1 1 2
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
13F01
Non compliance to laws or regulations concerning the security of persons and
the protection of environment due to the use of inadequate procedures
1 E L 2 1 1 1 1 1 2
Non compliance to laws or regulations concerning the security of persons and 13F03
the protection of environment due to the non application of procedures, 1 E L 2 1 1 1 1 1 2
consequence of lack of resources
Non compliance to laws or regulations concerning the security of persons and 13F02
the protection of environment due to the non application of procedures, 1 E L 2 1 1 1 1 1 2
consequence of lack of knowledge
Non compliance to laws or regulations concerning the security of persons and 13F04
the protection of environment due to the intentional non application of 1 M L 2 1 1 1 1 1 2
procedures
Palliative
EFF-PALL
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
Palliative
EFF-PALL
08D05
08D05
08D05
min(08D05;08D09)
min(08D05;08D09)
min(08D05;08D09)
min(08D05;08D09)
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
Palliative
EFF-PALL
08D05
08D05
08D05
08D05
09D02
09D02
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D04
Palliative
EFF-PALL
min(11D04;08D09)
min(11D04;08D09)
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D08
11D08
11D05
11D05
11D05
Palliative
EFF-PALL
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
Palliative
EFF-PALL
11D05
11D05
11D08
11D08
Palliative
EFF-PALL
09F03
09F03
09F03
09F03
09F03
09F03
11C05
11C05
11C05
11C05
11C05
11C05
11C05
11C05
11C05
Palliative
EFF-PALL
02D05
02D05
02D05
02D05
02D04
02D04
02D04
02D05
02D04
02D05
02D05
02D05
02D04
02D04
Palliative
EFF-PALL
08H02
Palliative
EFF-PALL
08H02
08H02
08H02
08H02
08H02
08H02
08H02
08H02
09D02
09D02
08D05
08D05
Palliative
EFF-PALL
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
min(08D05;08D09)
min(08D05;08D09)
min(08D05;08D09)
min(08D05;08D09)
08D05
08D05
Palliative
EFF-PALL
08D05
08D05
08D05
08D05
08D05
08D05
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
01E03
01E03
01E03
01E03
Palliative
EFF-PALL
12C03
12C03
12C03
12C03
12C04
12C04
12C04
12C04
12C04
12C01
03A06
Palliative
EFF-PALL
03A02
12C01
12C01
12C01
12C01
12C04
12C05
04A04
04A04
04A04
04A04
Palliative
EFF-PALL
04A04
04A04
max(04A01;04A05;mi
n(01E01;01E02))
max(04A01;04A05;mi
n(01E01;01E02))
04A05
04A05
04A05
max(04A01;04A02)
03A06
03A02
04A02
04A02
Palliative
EFF-PALL
04A02
04A02
04A05
04A04
04A04
04A06
min(01E01;01E02)
01C02
01C02
04A03
05A05
05A05
05A05
Palliative
EFF-PALL
05A05
05A05
05A05
max(05A02;05A06;mi
n(01E01;01E02))
max(05A02;05A06;mi
n(01E01;01E02))
05A06
05A06
05A06
max(05A02;05A03)
03A06
03A02
05A03
Palliative
EFF-PALL
05A03
05A03
05A03
05A06
05A05
05A05
05A07
min(01E01;01E02)
01C02
01C02
05A04
08D04
08D04
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
Palliative
EFF-PALL
08D04
08D04
08D04
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
min(08D06;09E02)
min(08D06;09E02)
min(08D06;09E02)
max(07D01;08D01)
03A06
03A02
03A03
08D01
Palliative
EFF-PALL
08D01
08D01
08D01
min(08D06;09E02)
08D04
08D04
08D08
09E03
min(01E01;01E02)
01C02
01C02
08D02
10A04
08D03
Palliative
EFF-PALL
08D10
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
min(08D06;09E02)
min(08D06;09E02)
min(08D06;09E02)
max(07D01;08D01)
Palliative
EFF-PALL
03A06
03A02
08D01
08D01
08D01
08D01
min(08D06;09E02)
08D04
08D04
08D08
09E03
min(01E01;01E02)
Palliative
EFF-PALL
01C02
01C02
11D02
08D10
11D03
11D03
11D03
11D03
max(01E03;11D07)
max(01E03;11D07)
max(01E03;11D07)
max(01E03;11D07)
max(01E03;11D07)
Palliative
EFF-PALL
max(01E03;11D07)
max(01E03;11D07)
11D01
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
min(08D06;09E02)
min(08D06;09E02)
Palliative
EFF-PALL
min(08D06;09E02)
max(07D01;08D01)
03A06
03A02
03A03
08D01
08D01
08D01
08D01
min(08D06;09E02)
08D08
09E03
Palliative
EFF-PALL
min(01E01;01E02)
01C02
01C02
08D02
10A04
08D03
08D10
08D04
08D04
08D04
08D04
08D04
08D04
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
min(08D06;09E02)
Palliative
EFF-PALL
min(08D06;09E02)
min(08D06;09E02)
max(07D01;08D01)
03A06
03A02
08D01
08D01
08D01
08D01
08D04
08D04
Palliative
EFF-PALL
min(08D06;09E02)
08D08
09E03
min(01E01;01E02)
01C02
01C02
08D02
10A04
08D03
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Palliative
EFF-PALL
Service assets
General Services
G01 User workspace and environment 0 0 0 0 >
G02 Telecommunication Services (voice, fax, audio & videoconferencing, etc.) 0 0 0 0 > 0 0 0 0 >
Code
Type Event Code
type
Absence of personnel from a partner AB.P.Pep
Absence of personnel, accidental AB.P
Absence of internal personnel AB.P.Per
Absence of service : Power supply AB.S.Ene
Absence of service : Air-conditioning AB.S.Cli
Absence or unavailability of service,
AB.S Absence of service : Premises AB.S.Loc
by accident
Absence or unavailability of application maintenance AB.S.Maa
Absence or unavailability of system maintenance AB.S.Mas
Lightning AC.E.Fou
Serious accident affecting the
AC.E Fire AC.E.Inc
environment
Flooding AC.E.Ino
Breakdown of computing or telecommunication equipment AC.M.Equ
Accident affecting hardware AC.M
Breakdown of auxiliary equipment AC.M.Ser
Voluntary absence of personnel AV.P Social conflict with strike AV.P.Gre
Design error ER.L Blocking bug due to a design or programming error (internal development) ER.L.Lin
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
If 0 in the opposite cell, the intrinsic seriousness of the scenarios will be
considered
Action plans If 1 in the opposite cell, the current seriousness of the scenarios will be
1
considered
0
If 1 in the opposite cell, the reduced seriousness from the completion of
Number of scenarios projects (Obj_projects) or selected plans (1 in the "Decision" row below) will 1
Family of be considered
scenarios
Measures
Services to Current Target Services to Curren Target Services to Curren Target
S1 S2 S3 S4 Tot needing Type of plan Decision improve level level improve t level level improve t level level
improvement
If 1 in the opposite cell, the reduced seriousness from the completion of
Number of scenarios projects (Obj_projects) or selected plans (1 in the "Decision" row below) will 1
Family of be considered
scenarios
Measures
Services to Current Target Services to Curren Target Services to Curren Target
S1 S2 S3 S4 Tot needing Type of plan Decision improve level level improve t level level improve t level level
improvement
If 1 in the opposite cell, the reduced seriousness from the completion of
Number of scenarios projects (Obj_projects) or selected plans (1 in the "Decision" row below) will 1
Family of be considered
scenarios
Measures
Services to Current Target Services to Curren Target Services to Curren Target
S1 S2 S3 S4 Tot needing Type of plan Decision improve level level improve t level level improve t level level
improvement
If 1 in the opposite cell, the reduced seriousness from the completion of
Number of scenarios projects (Obj_projects) or selected plans (1 in the "Decision" row below) will 1
Family of be considered
scenarios
Measures
Services to Current Target Services to Curren Target Services to Curren Target
S1 S2 S3 S4 Tot needing Type of plan Decision improve level level improve t level level improve t level level
improvement
If 1 in the opposite cell, the reduced seriousness from the completion of
Number of scenarios projects (Obj_projects) or selected plans (1 in the "Decision" row below) will 1
Family of be considered
scenarios
Measures
Services to Current Target Services to Curren Target Services to Curren Target
S1 S2 S3 S4 Tot needing Type of plan Decision improve level level improve t level level improve t level level
improvement
If 1 in the opposite cell, the reduced seriousness from the completion of
Number of scenarios projects (Obj_projects) or selected plans (1 in the "Decision" row below) will 1
Family of be considered
scenarios
Measures
Services to Current Target Services to Curren Target Services to Curren Target
S1 S2 S3 S4 Tot needing Type of plan Decision improve level level improve t level level improve t level level
improvement
If 1 in the opposite cell, the reduced seriousness from the completion of
Number of scenarios projects (Obj_projects) or selected plans (1 in the "Decision" row below) will 1
Family of be considered
scenarios
Measures
Services to Current Target Services to Curren Target Services to Curren Target
S1 S2 S3 S4 Tot needing Type of plan Decision improve level level improve t level level improve t level level
improvement
If 1 in the opposite cell, the reduced seriousness from the completion of
Number of scenarios projects (Obj_projects) or selected plans (1 in the "Decision" row below) will 1
Family of be considered
scenarios
Measures
Services to Current Target Services to Curren Target Services to Curren Target
S1 S2 S3 S4 Tot needing Type of plan Decision improve level level improve t level level improve t level level
improvement
If 1 in the opposite cell, the reduced seriousness from the completion of
Number of scenarios projects (Obj_projects) or selected plans (1 in the "Decision" row below) will 1
Family of be considered
scenarios
Measures
Services to Current Target Services to Curren Target Services to Curren Target
S1 S2 S3 S4 Tot needing Type of plan Decision improve level level improve t level level improve t level level
improvement
If 1 in the opposite cell, the reduced seriousness from the completion of
Number of scenarios projects (Obj_projects) or selected plans (1 in the "Decision" row below) will 1
Family of be considered
scenarios
Measures
Services to Current Target Services to Curren Target Services to Curren Target
S1 S2 S3 S4 Tot needing Type of plan Decision improve level level improve t level level improve t level level
improvement
If 1 in the opposite cell, the reduced seriousness from the completion of
Number of scenarios projects (Obj_projects) or selected plans (1 in the "Decision" row below) will 1
Family of be considered
scenarios
Measures
Services to Current Target Services to Curren Target Services to Curren Target
S1 S2 S3 S4 Tot needing Type of plan Decision improve level level improve t level level improve t level level
improvement
0
Summary of the objectives resulting from the action plans
DOMAIN
SERVICE
D01-C
D02-C
D03-C
D01-A
D02-A
D03-A
D04-A
D06-A
D07-A
D08-A
D09-A
D10-A
D11-A
Objectives
D01-I
D02-I
D03-I
D06-I
D07-I
D08-I
D10-I
D11-I
SUB-SERVICE from the
action plans
01 Organization of security
01A Roles and structures of security
01A01 Organization and piloting of general security
01A02 Organization and piloting of Information Systems security
01A03 General reporting system and incident management system
01A04 Organization of audits and audit program
01A05 Crisis management related to information security
01B Security Reference Guide
01B01 Obligations and responsibilities of personnel and management
01B02 General directives related to information protection
01B03 Classification of resources
01B04 Asset management
01B05 Protection of assets having value of evidence
01C Human Resource Management
01C01 Staff involvement, contractual clauses
01C02 Management of strategic personnel, partners and providers
01C03 Staff screening procedure
01C04 Awareness and training in security
01C05 Third Parties Management (partners, suppliers, clients, public, etc.)
01C06 People Registration
01D Insurance
01D01 Insurance against property (or material) damages
01D02 Insurance of consequential losses (non-material damages)
01D03 Personal Liability Insurance (PLI)
01D04 Insurance against loss of Key Personnel
01D05 Management of insurance contracts
01E Business continuity
01E01 Taking into account the need for business continuity
01E02 Business continuity Plans
01E03 Workplace Recovery Plans (WRP)
02 Sites security
02A Physical access control to the site and the building
02A01 Management of access rights to the site or building
02A02 Management of access authorizations granted to the site or the building
02A03 Access control to the site or the building
02A04 Intrusion detection to the site or the building
02A05 Access to the loading and unloading areas (goods receipt and consignment) or to areas open to
02B public
Protection Against Miscellaneous Environmental Risks
02B01 Analysis of Miscellaneous Environmental Risks
02C Control of access to office areas
02C01 Partitioning of office areas into protected zones 0
02C02 Physical access control to the protected office zones 0
02C03 Management of access authorizations to protected office area 0 0
02C04 Detection of intrusions into protected office areas 0
02C05 Monitoring of protected office areas 0 0 0 0
02C06 Control of movement of visitors and occasional service providers required to work in the offices
0
02D Protection of written information
02D01 Conservation and protection of important commonly used documents 0
02D02 Protection of documents and removable support media 0
02D03 Paper-bin collection and destruction of documents
02D04 Security of post mail 0
02D05 Security of faxes (traditional) 0 0
02D06 Conservation and protection of important documents (to be preserved during a long period) 0 0
02D07 Management of archived documents 0
03 Security of Premises
03A General Maintenance
03A01 Quality of energy supply 0 0 0
03A02 Continuity of energy supply
03A03 Air conditioning security
03A04 Quality of cabling 0 0 0
03A05 Lightning protection
03A06 Dependability of service equipment
03B Control of access to sensitive locations (other than office zones)
03B01 Access rights management to sensitive locations
03B02 Management of access authorizations granted to sensitive locations
03B03 Access control to sensitive locations 0 0 0 0
03B04 Intruder detection in sensitive locations 0 0 0 0
03B05 Perimeter monitoring (surveillance of entry points and surroundings of sensitive locations)
03B06 Surveillance of sensitive locations 0 0 0
03B07 Cabling access control
03B08 Location of sensible premises.
03C Security against water damage
03C01 Prevention of risk of water damage 0 0 0 0 0
03C02 Detection of water damage
03C03 Water evacuation
03D Fire security
03D01 Fire risk prevention 0 0 0 0 0
03D02 Fire detection
03D03 Fire extinguishing
04 Extended Network (intersite)
04A Security of the extended network architecture and service continuity
04A01 Functional security of the extended network architecture
04A02 Management of extended network equipment maintenance
04A03 Procedures and Business Contingency Planning following incidents on the extended network
04A04 Backup plan of extended network configurations
04A05 Business Contingency Planning (BCP) of the Extended Network
04A06 Management of critical suppliers as regards a permanent maintenance service
04B Control of connections on the extended network
04B01 Security profiles for entities connected to the extended network
04B02 Authentication of the entity for an incoming access from the extended network
04B03 Authentication of the entity accessed for an outgoing access across the extended network
08D03 Application recovery procedures and plans following incidents during operation 0 0 0
08D04 Backup of software configurations (system, applications and configuration parameters)
11A05 Management of service suppliers and providers relating to the operation and handling of the user
workstations base
11B Protection of workstations
11B01 Control of access to workstations 0 0
11B02 Work effected off company premises 0
11B03 Use of personal equipment or external equipment (not owned by the organization)
11C Protection of data on the workstation
11C01 Protection of the confidentiality of data on the workstation or on a data server (logical disk for the
workstation) 0 0 0 0
11C02 Protection of the confidentiality of data stored on removable media
0 0
11C03 Confidentiality considerations during maintenance operations on user workstations
0 0
11C04 Protection of the integrity of files stored on workstations or on data servers (logical disk for
workstations) 0 0
11C05 Security of Email and Electronic Information Exchanges 0 0
11C06 Protection of documents printed on shared printers
11D Service continuity of the work environment
11D01 Organization of user hardware maintenance
11D02 Organization of user software maintenance (system, middleware and application)
12E03 Surveillance of system administrators' actions over the equipments and systems
13 Management processes
13A Protection of personal information (PPI)
13A01 Policy and instructions related to PPI
13A02 PPI training and awareness program
13A03 Applicability of the PPI policy
13A04 Monitoring the implementation of the PPI policy
13B Communication of financial data
13B01 For example,
Policy the Financial
and instructions Security
related Law (loi Mer) of
to Communication in financial
France and the Sarbanes Oxley Act in the
data
United States
13B02 Communication of financial data training and awareness program
13B03 Applicability of the Communication of financial data policy
13B04 Monitoring the implementation of the Communication of financial data policy
13C Respect of regulations concerning the verification of computerized accounting (VCA)
13C01 Preservation of accounting data and treatments
13C02 Documentation of accounting data, procedures and treatments
13C03 Verification of computerized accounting data training and awareness program
13C04 Applicability of the VCA policy
13C05 Monitoring the implementation of the VCA policy
13D Protection of intellectual property rights (IPR)
13D01 Policy and instructions relative to the Protection of intellectual property rights
13D02 Intellectual property rights training and awareness program
13D03 Applicability of the intellectual property rights policy
13D04 Monitoring the implementation of the intellectual property rights policy
13E Protection of computerized systems
13E01 Policy and instructions relative to the Protection of computerized systems
13E02 Protection of computerized systems training and awareness program
13E03 Applicability of the protection of computerized systems policy
13E04 Monitoring the implementation of the protection of computerized systems policy
13F Human safety and protection of the environment
13F01 Policy and instructions relative to Human safety and protection of the environment
13F02 Human safety and protection of the environment training and awareness program
13F03 Applicability of the Human safety and protection of the environment policy
13F04 Monitoring the implementation of the Human safety and protection of the environment policy
13G Rules related to the use of encryption
13G01 Policy and instructions relative to the use of encryption
13G02 Use of encryption training and awareness program
13G03 Monitoring the implementation of the use of encryption policy
14 Information security management
14A Establish the management system
14A01 Define the boundaries of the ISMS
14A02 Define the ISMS policy
14A03 Define the risk assessment approach and associated metrics
14A04 Identification of the risks
14A05 Analysis and evaluation of the risks
14A06 Selection of risk treatment options
14A07 Selection of the measures (controls) for risk reduction
14A08 Selection of the security measures in accordance to the statement of applicability (SOA)
14B Implement the management system
14B01 Formulation of a risk treatment plan
14B02 Implementation of the risk treatment plan
14B03 Selection and implementation of ISMS indicators
14B04 Implementation of training and awareness plan
14B05 Incident detection and response
14C Monitor the management system
14C01 Monitoring execution of the security procedures and measures
14C02 Steering the audit program
14C03 Review of risks and security measures
14D Improve the management system
14D01 Continuous improvement
14D02 Actions to correct nonconformities
14D03 Actions to prevent nonconformities
14D04 Communication to stakeholders
14E Documentation
14E01 Documentation management
14E02 Document approval
14E03 Updates
14E04 Document naming and versioning management
14E05 Documentation disposal
14E06 Withdrawing of obsolete documents
D04-C
D05-C
D06-C
D07-C
D08-C
D09-C
D10-C
G01-A
0
G02-A
0
0
0
0
R01-A
0
0
0
0
0
0
R02-A
0
0
0
0
0
0
0
S01-A
0
0
0
0
0
0
0
S02-A
0
0
0
0
0
0
0
S03-A
0
S04-A
0
0
0
0
0
0
0
S05-A
0
0
0
0
0
0
0
G02-I
R01-I
R02-I
S01-I
S02-I
S04-I
S05-I
S01-C
C01-E
C02-E
C03-E
C04-E
C05-E
C06-E
0 0 0 0 0 0 0
0
0
0
0
0
0
0
0
0
0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0
0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0
0 0 0 0 0 0 0 0 0 0 0 0
0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0 0 0 0 0
0 0
0
0 0
0 0 0
0 0 0 0 0
0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0
0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0
0 0 0 0 0 0
0 0 0 0
0 0 0 0
0 0
0 0
0 0
0 0 0 0 0
0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0
0 0 0 0 0 0
0 0 0 0 0 0
0 0 0 0 0
0 0 0 0 0
0 0
0 0
0 0
0
0
0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0
0
0 0 0 0 0 0
0 0 0 0
0
0
0
0
0 0
0
0
0
0
0
0
0 0
0 0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Objectives per project Projects :
Each cell should mention the level of quality (up to 4) expected for the service w
DOMAINS line 4, giving the target date "yy (year), space, mm (month)" (for example 12 06
Objectives
target date:
SERVICES
P1
P2
P3
P4
P5
P6
Need
SUB-SERVICES 10 01
01 Organization of security
01A Roles and structures of security
01A01 Organization and piloting of general security
01A02 Organization and piloting of Information Systems security
01A03 General reporting system and incident management system
01A04 Organization of audits and audit program
01A05 Crisis management related to information security
01B Security Reference Guide
01B01 Obligations and responsibilities of personnel and management
01B02 General directives related to information protection
01B03 Classification of resources
01B04 Asset management
01B05 Protection of assets having value of evidence
01C Human Resource Management
01C01 Staff involvement, contractual clauses
01C02 Management of strategic personnel, partners and providers
01C03 Staff screening procedure
01C04 Awareness and training in security
01C05 Third Parties Management (partners, suppliers, clients, public, etc.)
01C06 People Registration
01D Insurance
01D01 Insurance against property (or material) damages
01D02 Insurance of consequential losses (non-material damages)
01D03 Personal Liability Insurance (PLI)
01D04 Insurance against loss of Key Personnel
01D05 Management of insurance contracts
01E Business continuity
01E01 Taking into account the need for business continuity
01E02 Business continuity Plans
01E03 Workplace Recovery Plans (WRP)
02 Sites security
02A Physical access control to the site and the building
02A01 Management of access rights to the site or building
02A02 Management of access authorizations granted to the site or the building
02A03 Access control to the site or the building
02A04 Intrusion detection to the site or the building
02A05 Access to the loading and unloading areas (goods receipt and consignment) or to areas open to
02B public
Protection Against Miscellaneous Environmental Risks
02B01 Analysis of Miscellaneous Environmental Risks
02C Control of access to office areas
02C01 Partitioning of office areas into protected zones
02C02 Physical access control to the protected office zones
02C03 Management of access authorizations to protected office area
02C04 Detection of intrusions into protected office areas
02C05 Monitoring of protected office areas
02C06 Control of movement of visitors and occasional service providers required to work in the offices
08D03 Application recovery procedures and plans following incidents during operation
08D04 Backup of software configurations (system, applications and configuration parameters)
11A05 Management of service suppliers and providers relating to the operation and handling of the user
workstations base
11B Protection of workstations
11B01 Control of access to workstations
11B02 Work effected off company premises
11B03 Use of personal equipment or external equipment (not owned by the organization)
11C Protection of data on the workstation
11C01 Protection of the confidentiality of data on the workstation or on a data server (logical disk for the
workstation)
11C02 Protection of the confidentiality of data stored on removable media
11C04 Protection of the integrity of files stored on workstations or on data servers (logical disk for
workstations)
11C05 Security of Email and Electronic Information Exchanges
11C06 Protection of documents printed on shared printers
11D Service continuity of the work environment
11D01 Organization of user hardware maintenance
11D02 Organization of user software maintenance (system, middleware and application)
11D06 Anti virus (malware, unauthorized executable code, etc.) protection for user workstations.
11E02 Authentication and control of the access rights of administrators and operational personnel
11E03 Surveillance of system administrators' actions over the users' workstations
12 Telecommunications operations
12A Security of operational procedures
12A01 Consideration of security in relation with operational personnel (permanent and temporary staff)
12A02 Control of the implementation of new equipments or upgrade of existing systems
12A03 Equipments for classicaloperations
Control of maintenance telephony : PABX, ...
With ToIP : call server, gateway converter to classical telephony, routers, switches
12A04 Control of Remote
Equipments Maintenance
dedicated to users: telephone terminal, fax machines (often combined with printing,
12A05 scanning and of
Management photocopy
Operatingcapabilities
Procedures , ...),
for tele and videoconferencing,
Telecommunication ...
Operation
These systems may provide configuration, management, directory, billing and storage (answering
12A06 Management of service providers relating to telecommunication
machine, voice mail) services,
12B Control of hardware and software configurations
12B01 Network equipment customizing and compliance control of configurations
12B02 Conformity control of operational software to a reference version
12C Service continuity
12C01 Organization of operational equipment maintenance
12C02 Organization of software maintenance (systems and attached services)
12C03 Backup of software configurations (system, services and configuration parameters)
12E03 Surveillance of system administrators' actions over the equipments and systems
13 Management processes
13A Protection of personal information (PPI)
13A01 Policy and instructions related to PPI
13A02 PPI training and awareness program
13A03 Applicability of the PPI policy
13A04 Monitoring the implementation of the PPI policy
13B Communication of financial data
13B01 For example,
Policy the Financial
and instructions Security
related Law (loi Mer) of
to Communication in financial
France and the Sarbanes Oxley Act in the
data
United States
13B02 Communication of financial data training and awareness program
13B03 Applicability of the Communication of financial data policy
13B04 Monitoring the implementation of the Communication of financial data policy
13C Respect of regulations concerning the verification of computerized accounting (VCA)
13C01 Preservation of accounting data and treatments
13C02 Documentation of accounting data, procedures and treatments
13C03 Verification of computerized accounting data training and awareness program
13C04 Applicability of the VCA policy
13C05 Monitoring the implementation of the VCA policy
13D Protection of intellectual property rights (IPR)
13D01 Policy and instructions relative to the Protection of intellectual property rights
13D02 Intellectual property rights training and awareness program
13D03 Applicability of the intellectual property rights policy
13D04 Monitoring the implementation of the intellectual property rights policy
13E Protection of computerized systems
13E01 Policy and instructions relative to the Protection of computerized systems
13E02 Protection of computerized systems training and awareness program
13E03 Applicability of the protection of computerized systems policy
13E04 Monitoring the implementation of the protection of computerized systems policy
13F Human safety and protection of the environment
13F01 Policy and instructions relative to Human safety and protection of the environment
13F02 Human safety and protection of the environment training and awareness program
13F03 Applicability of the Human safety and protection of the environment policy
13F04 Monitoring the implementation of the Human safety and protection of the environment policy
13G Rules related to the use of encryption
13G01 Policy and instructions relative to the use of encryption
13G02 Use of encryption training and awareness program
13G03 Monitoring the implementation of the use of encryption policy
14 Information security management
14A Establish the management system
14A01 Define the boundaries of the ISMS
14A02 Define the ISMS policy
14A03 Define the risk assessment approach and associated metrics
14A04 Identification of the risks
14A05 Analysis and evaluation of the risks
14A06 Selection of risk treatment options
14A07 Selection of the measures (controls) for risk reduction
14A08 Selection of the security measures in accordance to the statement of applicability (SOA)
14B Implement the management system
14B01 Formulation of a risk treatment plan
14B02 Implementation of the risk treatment plan
14B03 Selection and implementation of ISMS indicators
14B04 Implementation of training and awareness plan
14B05 Incident detection and response
14C Monitor the management system
14C01 Monitoring execution of the security procedures and measures
14C02 Steering the audit program
14C03 Review of risks and security measures
14D Improve the management system
14D01 Continuous improvement
14D02 Actions to correct nonconformities
14D03 Actions to prevent nonconformities
14D04 Communication to stakeholders
14E Documentation
14E01 Documentation management
14E02 Document approval
14E03 Updates
14E04 Document naming and versioning management
14E05 Documentation disposal
14E06 Withdrawing of obsolete documents
List of intrinsic vulnerabilities
Criteria
Type of supporting asset Type of damage Type of vulnerability Code
AICE
Category: Service
Alteration Possibility of alteration of software configurations (software and parameters) A and I Cfl.alt
Failure Possibility of software failure (bug) A Cfl.bug
Disclosure of software Possibility of disclosure of a software file C Cfl.dif
Software Configuration
Erasure Possibility of erasure of software configurations A Cfl.eff
Unauthorized use Possibility of denial to use (due to lack of license) I Cfl.lic
Pollution Possibility of pollution of software configurations I Cfl.pol
Account or means to access the Lock Possibility of user accounts to be blocked A Cpt.blo
service Loss Possibility of loss of capability to connect to the service A Cpt.dis
Destruction Possibility of destruction of equipment A Eq.des
Hardware (Equipment) Failure Possibility of failure of equipment A Eq.hs
Not operable Possibility of non operable equipment A Eq.mo
Premises Unavailability Possibility of premises to be not accessible A Loc.ina
Destruction Possibility of destruction of media containing software A Med.des
Loss Possibility of loss of media containing software A Med.dis
Media containing software
Exchange Possibility of loss of media containing software I Med.ech
Not operable Possibility of non operable media containing software A Med.ine
Auxiliary means or equipments Unavailability Possibility of unavailability of auxiliary means or equipments I Ser.hs
Category: data
means to access data Loss Possibility of loss of means allowing to access data (physical or logical keys) A Cle.dis
Alteration Possibility of alteration of data in transit or messages I Dtr.alt
Disclosure Possibility of duplication and disclosure of data in transit, messages, screens C Dtr.div
Data in transit, messages, screens
Loss Possibility of loss of data in transit or messages A and C Dtr.per
Alteration Possibility of alteration of files containing data I Fic.alt
Disclosure Possibility of duplication or diffusion (and disclosure) of a file containing data C Fic.dif
File containing data
Erasure Possibility of erasure of data files A Fic.eff
Pollution Possibility of pollution (slow evolution) of data in a file A Fic.pol
Destruction Possibility of destruction of media containing data A Med.des
Loss Possibility of loss of media containing data A and C Med.dis
Media containing data Duplication Possibility of duplication and disclosure of media containing data A and C Med.dup
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Synthesis table : Risk seriousness
Impact
4 2 3 4 4
3 2 3 3 4
2 1 2 2 3
1 1 1 1 2
1 2 3 4
Likelihood
C 4 1 1 1 1 C 4 2 2 1 1 C 4 2 2 1 1 C 4 2 2 2 1
O 3 1 1 1 1 O 3 2 2 1 1 O 3 3 2 2 1 O 3 3 3 2 1
N 2 1 1 1 1 N 2 2 2 2 1 N 2 3 3 2 1 N 2 4 3 2 1
F 1 1 1 1 1 F 1 2 2 2 1 F 1 3 3 2 1 F 1 4 3 2 1
nc 1 1 1 1 nc 2 2 2 1 nc 3 3 2 1 nc 4 3 2 1
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4
P A L L P A L L P A L L P A L L
C 4 1 1 1 1 C 4 1 1 1 1 C 4 1 1 1 1 C 4 1 1 1 1
O 3 1 1 1 1 O 3 2 2 1 1 O 3 2 2 1 1 O 3 2 2 2 1
N 2 1 1 1 1 N 2 2 2 2 1 N 2 3 3 2 1 N 2 3 3 2 1
F 1 1 1 1 1 F 1 2 2 2 1 F 1 3 3 2 1 F 1 4 3 2 1
nc 1 1 1 1 nc 2 2 2 1 nc 3 3 2 1 nc 4 3 2 1
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4
P A L L P A L L P A L L P A L L
C 4 1 C 4 2 C 4 2 C 4 2
O 3 1 O 3 2 O 3 2 O 3 2
N 2 1 N 2 2 N 2 3 N 2 3
F 1 1 F 1 2 F 1 3 F 1 4
nc 1 nc 2 nc 3 nc 4
1 1 1 1
P A L L P A L L P A L L P A L L
D D D D
I I I I
S S S S
S 1 1 1 1 1 S 1 2 2 2 1 S 1 3 3 2 1 S 1 4 4 2 1
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4
P R E V P R E V P R E V P R E V
D D D D
I I I I
S S S S
S 1 1 1 1 1 S 1 2 2 2 1 S 1 3 3 2 1 S 1 4 4 2 1
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4
P R E V P R E V P R E V P R E V
D 4 1 1 1 1 D 4 1 1 1 1 D 4 2 2 1 1 D 4 2 2 2 1
I 3 1 1 1 1 I 3 2 2 1 1 I 3 2 2 1 1 I 3 3 3 2 2
S 2 1 1 1 1 S 2 2 2 2 1 S 2 3 3 2 1 S 2 4 4 3 2
S 1 1 1 1 1 S 1 2 2 2 1 S 1 3 3 2 1 S 1 4 4 3 2
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4
P R E V P R E V P R E V P R E V