DB-Mehari 2010 Exc en 2-20

MEHARI 2010 - release 2-2
Mehari 2010 knowledge base

Worksheet Objective
Description and pointers within the worksheets of the file.
Intro If the security policy of your organisation forbids the use of macros, it will not be possible to use
Nav Scheme of navigation within the knowledge base

License Reminder of the public licence of MEHARI
Stakes analysis and asset classification module.
T1, T2 and T3 Classification tables
Classif Asset classification
Security services diagnostic module (or Audit)
Domain 01 Org to 14 ISM Questionnaires relative to MEHARI security domains (01 to 14)
Services Recap of the quality of the security services
Themes MEHARI security themes
ISO 27002 scoring table following the diagnostic of MEHARI security
ISO 27002 services
Risk analysis module (identification, assessment and classification of risks)
Expo Table of natural likelihood of threats (or natural exposure)
Scenarios Table of risk scenarios including formulas for risk assessment
Risk%Asset Display of seriousness for the scenarios based on the asset involved
Display fo the seriousness of scenarios based on the origin or event

Risk%event considered
Risk treatment : options, risk reduction plans and follow on
Action_plans Risk reduction plans selected
Obj_PA Tab used for the selection of risk reduction plans
Obj_Projects Tab used for the selection of risk reduction projects
Parameters and permanent elements of the method
Vulnerabilities This tab and the following are provided by the method
Seriousness Seriousness Table function on Impact and Likelihood
IP Grids Impact and Likelihood tables for the scenarios
You can use the forum www.mehari.info to post questions, remarks or comments
Date Revision status and comments
October 2010 Edition 2-1
April 2011 Edition 2-2
Edition of a few formulas in ISO scoring and IP grids
Methods space
Club de la Scurit de l'Information Franais
11, rue de Mogador, 75009 PARIS
T : +33 1 53 25 08 80 / F : +33 1 53 25 08 88
http://www.clusif.asso.fr/
in the worksheets of the file.
of macros, it will not be possible to use the masks below.
Classification tables:
Mask
T1, T2, T3 & Classif
Questionnaires:
from 01Org to 14 ISM
Mask
+ Themes & ISO 27002
scoring
Risk analysis:
Events,
Mask
Risks per asset or event
Risk treatment:
ActionPlans,
Mask
Obj_PA,
Obj_Projects
Grids for risk acceptability,

Impact and Likelyhood Mask
evaluation
Translation managed by
Jean-Louis Roule
Jean-Philippe Jouas
Navigation in the knowledge base
Busines stakes Threats Vulnerabilities
T1 T2 T3 Expo Security
Analyze and evaluate
services
Classif Themes
risks
Impact Potentiality or likelihood
Intrinsic seriousness ISO 27002
Current seriousness
Risk%asset Scenarios selection
Risk%event Reduce Retain Avoid Transfer

Treat
risks
Action_plans Obj_PA Obj_Projects
Planned seriousness
Public License agreement for Mehari 2010
Version 2010 : 12 January 2010
MEHARI is an Open Information security risk management methodology provided as a spreadsheet containing a knowledg
with attached document like:
- manuel de rfrence de la base de connaissances Excel,
Redistribution and use of this knowledge base and associated documentation ("MEHARI"), with or without modification, are
provided that the following conditions are met:
1. Redistributions in any form must reproduce applicable copyright statements and notices, this list of conditions, and the f
in the documentation and/or other materials provided with the distribution, and
2. Redistributions must contain a verbatim copy of this document.
3. No persons may sell this Methodology, charge for the distribution of this Methodology, or any medium of which this Meth
without explicit consent from the copyright holder.
4. No persons may modify or change this Methodology for republication without explicit consent from the copyright holder.
5. All persons may utilize the Methodology or any portion of it to create or enhance commercial or free software, and copy
software under any terms, provided that they strictly meet all of the above conditions.
The CLUSIF may revise this license from time to time.

Each revision is distinguished by a version number.
You may use Mehari under terms of this license or under the terms of any subsequent revision of the license.
MEHARI IS PROVIDED BY THE CLUSIF AND ITS CONTRIBUTORS AS IS AND ANY EXPRESSED OR IMPLIED WARR
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PART
PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE CLUSIF, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF MEHARI BE LIABL
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTE
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF MEHARI EVEN IF ADVISED OF THE PO
SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or o
Mehari without specific, written prior permission from CLUSIF. Title to copyright in MEHARI shall at all times remain with c
MEHARI is a registered trademark of the CLUSIF.
Copyright 1997-2010 The CLUSIF, PARIS, France.

https://www.clusif.asso.fr/
NIVEAUX DE SENSIBILITE DES APPLICATIONS, DONNEES ET INFORMATIONS
Table T1 CLASSIFICATION OF DATA

Application
Business processes, domains of data web data
Application Personal Archived
application or activity, FONCTION individually Shared Office Personal Listings Electronic Snail mail Digitalized on-line
data (data docu docu
(description) sensible data Office data or prints mail Fax archives (external or
bases) ments ments
Common services (transient, internal)
Messages)
A I C A I C A I C A I C A C C A I C A I C A C A I C A I C
Asset type D01 D01 D01 D06 D06 D06 D02 D02 D02 D03 D03 D03 D04 D04 D05 D07 D07 D07 D08 D08 D08 D09 D09 D10 D10 D10 D11 D11 D11
Business Process
Domain 1 :
Domain 2 :
Domain 3 :
Domain 4 :
Domain 5
Domain 6 :
Domain 7 :
/
Domain N
Transverse Processes
Overall Management & policy
Classification
In order to add or suppress a business domain or process, use the line "add" or "suppress" functions.
The classification level is a value from 1 to 4, the maximum in each column is automatically copied out in the "classification" line
and reproduced into the "intrinsic impact table" (tab: Classif) for each type of data and criteria (A, I or C).
Le 04/09/2017 Page 5 / 654

Table T2 CLASSIFICATION OF SERVICES

Common
IT Services
Business processes, domains of Extended Local Area Users' Services,
FUNCTION Shared Office (Systems, Web editing Telecom
application or activity, Network Network Application Services disposal of working
(description) Services peripherals, Service Services
Common services Services Services Equipments environmen
etc.)
t
A I A I A I C A I A A I A I A A I
Asset type R01 R01 R02 R02 S01 S01 S01 S02 S02 S03 S04 S04 S05 S05 G01 G02 G02
Business Process
Domain 1 :
Domain 2 :
Domain 3 :
Domain 4 :
Domain 5
Domain 6 :
Domain 7 :
/
Domain N
Classification
In order to add or suppress a business domain or process, use the line "add" or "suppress" functions.
The classification level is a value from 1 to 4, the maximum in each column is automatically calculated in the "classification" line
and reproduced into the "intrinsic impact table" (tab: Classif) for each type of service and criteria (A, I or C).
Le 04/09/2017 Page 6 / 654

Le 04/09/2017 Page 7 / 654

T3
Table T3 CLASSIFICATION OF the COMPLIANCE to LAWS AND REGULATIONS relative to:
Business processes, domains personal

FUNCTION financial digital accounting intellectual
of application or activity, information
(description) communication control property
Common services protection
E E E E
Asset type C01 C02 C03 C04
Business Process
Domain 1 :
Domain 2 :
Domain 3 :
Domain 4 :
Domain 5
Domain 6 :
Domain 7 :
/
Domain N
Classification
There is only one criteria for classification:

E: Efficiency (of the management process in order to comply to the legal, regulatory or contractual requirements, for the
Domain)
Page 8
T3
AND REGULATIONS relative to:
the protection of people safety and

information protection of
systems environment
E E
C05 C06
or contractual requirements, for the
Page 9
Intrinsic Impact table
Data and information assets A I C
Data and information
D01 Data files and data bases accessed by applications
D02 Shared office files and data
D03 Personal office files (on user work stations and equipments)
D04 Written or printed information and data kept by users and personal archives
D05 Listings or printed documents
D06 Exchanged messages, screen views, data individually sensitive
D07 electronic mailing
D08 (Post) Mails and faxes
D09 Patrimonial archives or documents used as proofs
D10 IT related Archives
D11 Data and information published on public or internal sites
Service assets A I C
General Services
G01 User workspace and environment
G02 Telecommunication Services (voice, fax, audio & videoconferencing, etc.)
IT and Networking Services
R01 Extended Network Service
R02 Local Area Network Service
S01 Services provided by applications
S02 Shared Office Services (servers, document management, shared printers, etc.)
S03 Users' disposal of Equipments (workstations, local printers, peripherals, specific interfaces,
etc.)
Nota : Applies to a massive loss of these services, not for one or few users.
S04 Common Services, working environment: messaging, archiving, print, editing, etc.
S05 Web editing Service (internal or public)
Management process type of assets E

Management Processes for compliance to law or regulations
C01 Compliance to law or regulations relative to personal information protection
C02 Compliance to law or regulations relative to financial communication
C03 Compliance to law or regulations relative to digital accounting control
C04 Compliance to law or regulations relative to intellectual property
C05 Compliance to law or regulations relative to the protection of information systems
C06 Compliance to law or regulations relative to people safety and protection of environment
Nota : Grey cells represent those asset security criteria for which, in general, no classification is needed and no
scenario exists in the knowledge base.
Lgende :
A Availability
I Integrity
C Confidentiality
E Efficiency (of the management process, regarding compliance to law and regulations). For
this criteria, the decision grid L will be used for impact reduction.
351061430.xls ! Classif 10 Dcembre 2006

For selecting an asset, set a 1 in the F column
Asset
(asset selection)
selection
For unselecting an asset, set a 0
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
351061430.xls ! Classif 11 Dcembre 2006

Audit Questionnaire : Organization of security 1 variant
Number Question R-V1 R-V2 R-V3 R-V4 W Max Min Typ ISO 27002
01A Roles and structures of security
01A01 Organization and piloting of general security
01A01-01 Do all areas concerned with security have a dedicated manager (computer and telecom security, general security in the workplace 4 2 E1
(documents, fax, telephone), general physical security of the sites and premises) or a designated point of contact (HR for
awareness and training, work contracts, user account and access rights management, responsibility for disciplining malicious acts
or internal negligence)?
01A01-02 For each security manager, is there a clear definition of the job function detailing, in particular, its objectives, responsibilities and 4 E2
interfaces with other areas concerned with security?
01A01-03 Are security management actions represented on dashboards and regularly reviewed? 4 E2
01A01-04 Is there a committee or structure bringing together all security managers, from all disciplines, in order to coordinate the various 2 R1
security related actions and able to make transversal decisions and does it meet regularly?
01A01-05 Is the approach to security clearly recognized and supported by senior management? 2 E2
01A02 Organization and piloting of Information Systems security
01A02-01 Is there a document describing the security policy related to information systems and in particular the organization, management 2 E1 5.1.1
and piloting of security (roles and responsibilities) as well as the fundamental principles underlying information security
management?
01A02-02 Is this Security Policy revised, on a regular basis or when major changes are done, to ensure the upholding of its relevancy and 1 E2 5.1.2
efficiency?
01A02-03 Have the structure and organization of the management of information systems security been defined in detail: CISO, local 4 2 3 E2 6.1.2
responsibilities and contacts, roles and responsibilities towards operational managers and is this organizational structure in
operation?
01A02-04 Has this structure the capacity to alert senior management without delay in the case of a serious incident? 2 E2 6.1.2
01A02-05 Have the mode of managing security and the decision processes been defined in detail : methodology used (for audit of exposure, 4 E2 6.1.2
risk analysis etc.), associated tools, actors (organization, support, training, expertise, advice etc.)?
01A02-06 Have the respective roles of security managers, operational managers and managers of functional domains (information owners) 4 2 E2 6.1.3
been clearly defined with regard to final decision making and arbitration?
01A02-07 Has a mode of information systems security piloting been defined: dashboards (contents and frequency), management structure, 4 E2 6.1.3
orientation and reporting?
01A02-08 Is an annual information systems security plan established which brings together all action plans, means to put in place, planning, 2 2 E2
budget?
01A02-09 Is the Company's Management involved in the organization of the information security, particularly in the development and the 1 E2 6.1.1
approbation of the security policy, responsibilities definition, resource allocation, and the efficiency control of the actions taken?
01A02-10 Is a contact maintained with the concerned authorities regarding information security and crisis situation (Police, Reporting 1 E2 6.1.6
Services, Legal Administration, Firemen, Public Services, etc.) ?
01A02-11 Does the organization improve knowledge about best security practices and maintain contacts with interest groups, associations, 1 3 E2 6.1.7
conferences, etc?
01A02-12 Are the responsibilities and procedures established to provide quick and efficient solutions to the security incidents? 2 E2 13.2.1; 13.1.1
01A02-13 Is there a procedure for regularly updating organizational documents related to information systems security in line with changing 2 3 R1 6.1.8
organization structures?
01A03 General reporting system and incident management system
Mise jour : janvier 2010 351061430.xls ! 01 Org page 12

01A03-01 Is there an incident reporting system which relays incidents to Information Systems Security correspondents including an incident 2 E1 13.1.1
summary for the CISO?
01A03-02 Does this reporting system include all incidents (operation, development, maintenance, usage of the information system) physical, 4 2 E1 13.1.1
logical or organizational?
01A03-03 Does this reporting system include malevolent actions and failed attempts to breach security? 4 3 E3 13.1.1
01A03-04 Is this reporting system applied in all locations and organizations including subsidiaries? 4 3 E2 13.1.1; 13.2.1
01A03-05 Are the form and description of incidents recorded in a database enabling continuous improvement as well as easy selective 2 E2 13.2.2
access in order to be able to follow up the resolution of individual incidents?
01A03-06 Is the collection of forensic proofs performed each time a legal action is considered? 2 E2 13.2.3
01A03-07 Is the implementation and updating of the incident management system followed-up using a dashboard and a regular review which 2 2 R1
are transformed into action plans?
01A04 Organization of audits and audit program
01A04-01 Has the security function communicated to internal auditors (or the structure responsible for internal audits) a reference guide 4 2 E2
related to the information system security, describing in particular, the obligations of each category of personnel, the mandatory
directives and the recommendations?
01A04-02 Is the procedure, allowing derogation from internal directives, written into the audit reference documentation and is the procedure 4 E2
auditable?
01A04-03 Is there a coordination structure or a procedure enabling information security managers to define the annual audit program or to 4 E3
participate in its definition?
01A04-04 Is the CISO informed of the audit results which concern information systems security? 2 3 E2
01A04-05 Is the CISO informed of summary audit results not specifically related to information systems security and does (s)he have access 4 E2
to corresponding detailed audit reports?
01A04-06 Has the annual audit program been presented to and approved by the management? 2 E2
01A04-07 Is the organization of annual information system audits subject to a regularly reviewed and followed-up dashboard? 2 3 R1
01A05 Crisis management related to information security
01A05-01 Is there a crisis plan in all buildings which details, as a function of various symptoms, the names and contact details of all persons 4 2 E1
to notify in order that they may effect an initial diagnosis and, as a function of this diagnosis, the members of the crisis team to
convoke and the most urgent actions to carry out?
01A05-02 Is there an alert procedure, distributed to the entire organization, which enables directly or indirectly (via surveillance personnel) to 2 E1
contact the various persons likely to initiate a crisis plan?
01A05-03 Does the crisis plan describe in detail the major crisis situations linked to information systems and does it address issues specific 4 2 E2
to them?
01A05-04 Does the crisis plan include the implementation of corresponding logistical means (equipped war room, communications etc.)? 4 2 E2
01A05-05 Are there tools or procedures which enable the updating of the crisis plan and is this updating audited? 4 3 R1
01B Security Reference Guide
01B01 Obligations and responsibilities of personnel and management
This includes all staff, internal and external (temporary contractors, trainees, etc.)
01B01-01 Are the responsibilities and obligations of staff with regard to the usage, preservation, archiving and non disclosure of information 4 E1
detailed in a memo or document available to management?
01B01-02 Does this document specify the personnel's duties and responsibilities regarding the use and protection of the authentication 1 E2 11.3.1
means (passwords, keys, tokens, badges, etc.) at its disposal?

01B01-03 Do the personnel's duties and responsibilities specify how to react when the workstation is left vacant (logout, logoff, screen 1 E2 11.3.2
savers, lock-out, etc.) ?
01B01-04 Are the obligations and responsibilities of personnel related to the usage and protection of assets and resources belonging to the 4 E2
company detailed in a memo or document available to management?
01B01-05 Does this document detail what is tolerated and the limits that cannot be disregarded (personal use of company possessions for 2 E2 15.1.5
example)?
01B01-06 Does this document detail the course of action in case of excess or abuse? 2 E2
01B01-07 Is there a formal disciplinary process to cover a breach to security rules or infringement of procedure? 1 E3 8.2.3
01B01-08 Are the obligations and responsibilities of management in the domain of protection of information and of company resources 2 E2
detailed in a document distributed to all staff managers?
01B01-09 Are the Management's duties and responsibilities at the time of an employee's termination or change of functions (internal or 1 E2 8.3.1
contract) defined and specified by a procedure or a document disclosed to all the managers ?
01B01-10 Does the previous procedure (or the equivalent document) cover the questioning and deletion of access rights to all relevant parts 2 E2 8.3.3
of the information system?
01B01-11 Are all documents or charters concerning staff obligations and responsibilities authenticated? 2 3 E3
01B01-12 Are the Managers ensuring and held accountable for their colleagues' compliance to the policies and standards in force? 2 3 R1 15.2.1
01B01-13 Is there a regular review of such documents or charters relating to staff obligations and responsibilities? 2 3 R1
01B02 General directives related to information protection
01B02-01 Is there document defining the general rules for site protection from external threats, the required conditions for access to each site 2 E2 11.4.2
from outside and the protection of sensitive premises?
01B02-02 Is there a document defining the general rules to apply in order to protect the internal network from external threats, the conditions 2 E2 11.4.2; 11.4.5
required to access the internal network from the outside and vice versa and the separation required between internal sub-
networks?
01B02-03 Is there a document defining the general rules applied to the access protection of computing resources (storage and networking 2 E2 10.8.1; 10.7.3
elements, systems, applications, data, media, etc.) and the conditions required for the granting, the management and control of
access rights?
01B02-04 Are these rules established according to the concerned assets' classification level? 2 E2 10.7.3; 10.8.1;
7.2.2
01B02-05 Is there a document defining the rules applied to the usage of computing (networks, servers etc.) and communications resources? 2 E2 10.8.1; 11.4.1;
10.7.3
01B02-06 Is there a document defining the general rules applied to software development and security considerations in project 2 E2 10.7.3
management?
01B02-07 Is there a document defining the general day-to-day rules applicable to the management of the working environment (documents, 2 E2 10.8.1; 11.3.3;
workstations, telephone, fax, off-site work)? 10.7.3
01B02-08 Is there a document defining additional security procedures to apply regarding mobile computing and teleworking? 2 E2 10.8.1; 11.7.1
01B02-09 Is there a document setting out the requirements, responsibilities and procedures to apply to protect archives that are important for 2 E1 15.1.3
the company?
01B02-10 Do the overall regulatory, contractual, and legal requirements explicitly identified, and does their application by the organization 2 E2 15.1.1
appear in an updated document?
01B02-11 Are the resources and solutions available to managers and users in line with above documents? 4 2 E2
01B02-12 Are the rules concerning information and resource protection easily accessible to all staff (for example via intranet)? 4 2 E2

01B02-13 Is there a procedure to control or audit the relevance and authenticity of the rules, pertaining to information protection and 2 3 R1
information system resources, distributed to all staff?
01B03 Classification of resources
01B03-01 Is there a hierarchy or system enabling the classification of information assets reflecting their protection as a function of the context 4 E1
of the organization and taking into account availability, integrity and confidentiality?
01B03-02 Does this categorization scheme define the marking of different types of assets according to its classification? 1 E2 7.2.2
01B03-03 Have information sources (documents, data, files, databases etc.) been classified as a function of the impact that a security breach 4 1 2 E2 7.2.1
might have on the organization?
01B03-04 Has the classification been effected for each of the criteria availability, integrity and confidentiality? 2 2 E2
01B03-05 Have sensitive resources been classified (information systems, telecom equipment, sites etc.) as a function of the impact that a 4 E2
security breach affecting these assets might have on the organization?
01B03-06 Has this classification been effected for each of the criteria availability, integrity, confidentiality? 2 E2
01B03-07 Have sensitive programs and transactions been classified as a function of the impact a security breach on these assets might have 4 E2
on the organization?
01B03-08 Has this classification been effected for the criteria availability, integrity and confidentiality? 4 E2
01B03-09 Are these classifications easily available when needed to the staff concerned? 4 2 E2
01B03-10 Is there a procedure for regular review of the classifications and is this procedure controlled? 4 3 E3 7.2.1
01B04 Asset management
01B04-01 Are the types of assets - that need to be identified and inventoried - defined? 2 E2 7.1.1
Assets can be information (databases, files, contracts, agreements, documentation, guides, procedures, plans, archives, etc.),
software (applications, firmware, middleware, tools and utilities, etc.), equipment (computers, network equipment, media, etc.),
services and supporting utilities (energy, heating, air conditioning, etc.), people or know-how, intangible assets such as reputation
or image.
01B04-02 Is an inventory of the types of assets - as identified and defined herein - kept up-to-date? 4 E2 7.1.1
01B04-03 Is an "owner" appointed for each identified and inventoried asset? 2 E2 7.1.2
An owner is the individual or the entity appointed to assume responsibility of the development, maintenance, operation, use and
security of this asset. The word owner does not mean that the individual or entity holds a property right for this asset.
01B04-04 Is an acceptable set of usage rules defined and documented for each asset? 2 E2 7.1.3
This implies, particularly, defining the private use an employee can make of the company's assets.
01B04-05 Are the rules regarding the return to the company or organization of assets entrusted to employees at the time of termination or 1 E2 8.3.2
change of functions clearly defined and set forth by Management ?
01B04-06 Are there rules regarding outside taking of asset (prior authorization, authorized individuals, log for returning or taking asset 1 E2 9.2.7
outside, deletion of unnecessary data, etc.)?
01B05 Protection of assets having value of evidence
01B05-01 Have the assets that may be used as elements of evidence been identified and itemized? 2 E2
01B05-02 Has it been identified, for each of these assets, the proclamations that it would allow to check and the associated checking 4 E2
process?
01B05-03 Has it been analyzed, for each verification process, reasons that could foil or weaken the capacity to provide conviction? 4 E2
01B05-04 Have all necessary measures been taken consequently? 2 E2

01B05-05 Is the aptness of these measures periodically reviewed? 1 R2

01B05-06 Are these measures periodically subject to an audit? 1 C1
01C Human Resource Management
01C01 Staff involvement, contractual clauses
01C01-01 Has a note been distributed to all personnel (including temporary staff) detailing staff obligations and responsibilities such that they 4 E2 6.1.5; 8.1.3
cannot deny having received it?
01C01-02 Is there, within work contracts or within internal regulations, a clause which clearly states the obligation to adhere to the security 4 E2 6.1.5; 8.1.3
rules in force?
01C01-03 Has a note been distributed to all personnel informing them of all legal, regulatory or contractual obligations? 2 E2 6.1.5
01C01-04 Are the security obligations and responsibilities embodied in contracts (in either of general or specific clauses) of all staff acting for 4 E3 6.1.5
the organization and who for this reason may have or require access to information or sensitive resources?
01C01-05 Are contractor companies, who may have access to sensitive information or systems, obliged to ensure that all staff sign a 4 E3 6.1.5
personal commitment that they will abide by the specified security clauses?
01C01-06 Is Management responsible to ensure that the personnel, contractors and third parties respect the company's security policies and 1 E2 8.2.1
procedures?
01C01-07 Is there a control procedure validating and authenticating all rules distributed to staff? 4 3 R1
01C02 Management of strategic personnel, partners and providers
01C02-01 Are strategic skills regularly identified in the organization? 4 2 E2
01C02-02 Are backup solutions available in the absence of strategic skills? 4 3 E3
01C02-03 Are strategic partners and service providers regularly identified? 4 2 E2
01C02-04 Are backup solutions ready for the unavailability of strategic partners or providers? 4 3 E3
01C02-05 Are these backup solutions regarding internal staff or providers ) able to guarantee the normal functioning of the organization 4 3 E3
without major disruption?
01C02-06 Are strategic personnel subject to specific career management? 2 E3
01C02-07 Are strategic partners subject to a specific contractual management? 2 E3
01C02-08 Is there a relevant control and update procedure for the preceding measures? 2 3 R1
01C03 Staff screening procedure
01C03-01 Is there a preliminary information procedure for the personnel (internal or contractual) regarding its duties and responsibilities, and 1 E2 8.1.1
security requirements before any assignment or hiring?
01C03-02 Is screening information collected at time of recruitment of staff likely to be involved in sensitive tasks? 4 E2 8.1.2
01C03-03 Have external contractors, working on site on sensitive tasks, been checked for security clearance approval by an official 4 E2 8.1.2
organization?
01C03-04 Is additional (clearance) information collected when staff are affected to sensitive tasks? 4 E2 8.1.2
NB: an open interview may be used in order to avoid placing people in a situation of conflict of interest
01C04 Awareness and training in security
01C04-01 Is there a program to raise awareness of staff to risks of accident, error or malevolence in the processing of information? 4 2 E1 8.2.2
01C04-02 Are all staff members trained on a regular basis in security awareness? 2 E2 8.2.2
01C04-03 Is there a program to train staff in the rules and general measures of information protection? 2 E2 8.2.2
01C04-04 Do these rules and general measures cover all relevant domains (documents, computer equipment, premises, systems and 2 E2 8.2.2
application access, telephone, fax, behavior in meetings and out of office etc.)?

01C04-05 Are these rules and general measures easily accessible to staff in case of need (intranet for example) and has communication 4 E2 8.2.2
been done on this matter?
01C04-06 Do these regulations specify reporting processes for the incidents and faults observed, and how to react? 1 E2 13.1.2
01C04-07 Do people with responsibility for security issues receive regular relevant training? 4 E2
01C04-08 Is there a dashboard detailing the effective implementation of actions related to security awareness and training? 4 3 R1
01C04-09 Is there a follow up carried out of the level of satisfaction and compliance of staff related to actions of raising awareness and 4 3 R1
training in information systems security?
01C05 Third Parties Management (partners, suppliers, clients, public, etc.)
01C05-01 Have the risks associated with access by third-party personnel (providers) to the information system (in full or in part) or on the 2 E2 6.2.1
premises containing information been assessed, and thus the necessary security measures been defined?
01C05-02 Have the risks associated with client or public's access to the information system (in full or in part) or on the premises containing 2 E2 6.2.2
information) been assessed, and thus the necessary security measures been defined?
01C05-03 Have the risks associated to information or software transfers to a third party been assessed and have the procedures and 2 E2 10.8.2
responsibilities for each party been formalized by contract?
01C05-04 Have the overall security clauses been defined, that should be included in each Agreement signed with a third party involving an 4 E2 6.2.3
access to the information system or to the premises containing information?
The information system, including any data support or means of processing, carrying or communicating information.
01C05-05 Are all accesses by a third party to the information system or on the premises containing sensitive information authorized uniquely 2 2 E3 6.2.3; 15.1.5
after a formal Agreement restating these clauses?
01C06 People Registration
01C06-01 Are there formal registration and revocation procedures for the individuals? 4 E2 11.2.1
01C06-02 Do these procedures involve personnel management and hierarchy? 4 E2 11.2.1
01C06-03 Is a unique identifier (ID) assigned to each user (employee, external, etc.) who could have access to the information system? 4 E2 11.2.1
01C06-04 Are the rights granted to the users as they register (shared services, messaging, etc.) approved by the owners of the concerned 4 E2 11.2.1
assets?
01C06-05 Are all users kept informed, at time of registration, of all the vested rights and of his/her duties regarding any adjudication of rights 4 E2 11.2.1
(vested at the time of registration or he/she could be granted afterwards)?
01C06-06 Are these procedures controlled and are possible defects documented and corrected in real time? 4 R1 11.2.1
The responsiveness of the managerial chain must forbid exception procedures that may result from delays with (de)registration
processes.
01D Insurance
01D01 Insurance against property (or material) damages
01D01-01 Are information systems covered by an insurance policy which accounts for material damage (fire damage, miscellaneous risks 2 E1
and accidents, damage to machines, all computing risks, "all risks except", named risks etc.)?
01D01-02 Does the insurance policy cover all computer and telecommunications systems, cabling and computer rooms? 4 2 E2
01D01-03 Does the insurance policy cover all usual causes of disaster: accident (fire, water damage, lightning etc.), human error, sabotage, 4 2 E2
vandalism (including by company personnel or third party engaged in operations, maintenance or upkeep)?
01D01-04 Does the insurance policy cover (real) costs of information system re-initialization incurred by a disaster (installation, restart and 4 2 E2
system test, data and media reconstruction)?

01D01-05 Does the insurance policy cover all additional operational costs (continuing expenses and fees, avoid or limit halting of work 4 2 E2
activity)?
01D01-06 Does the insurance policy cover costs incurred by the company in order to re-establish its image with clients or partners? 4 E2
01D01-07 Does the insurance policy cover the global losses incurred by the disaster? 4 3 E2
01D01-08 Is the coverage of computer and information system (exclusions, guarantees) decided jointly with Information Technology 2 E2
management and updated regularly?
01D01-09 Does the level of guarantee and deductible cover the survival of the company in the case of a disaster? 2 2 E2
01D01-10 Does the level of guarantee and deductible allow the company to survive a disaster without major consequences? 2 3 E2
01D02 Insurance of consequential losses (non-material damages)
01D02-01 Are the information systems covered by an insurance policy which covers non material damage (malevolence, non authorized 2 E1
usage, accidental loss of data or programs, denial of service)?
01D02-02 Does this policy cover all computer systems (internal systems, intranet, extranet, web sites etc.)? 4 2 E2
01D02-03 Does the contract cover the usual causes of this type of damages: accident (breakage, bugs etc.), human error (data entry errors, 4 2 E2
programming errors etc.), malicious entry (frauds, intrusions, service denial, including company personnel or third party responsible
for its operation or maintenance)?
01D02-04 Does this contract cover all (real) costs of investigation and research of the causes and consequences of the disaster? 4 2 E2
01D02-05 Does the insurance contract cover (real) costs of re-initialization of information systems affected by the disaster (restart costs and 4 2 E2
cost of tests following restart, costs of data reconstruction)?
01D02-06 Does this contract cover all additional operating costs (cover of costs and expenses liabilities, costs incurred to limit operational 4 2 E2
shutdown)?
01D02-07 Does the insurance policy cover additional costs incurred by the organization to re-establish its image with clients or partners? 4 E2
01D02-08 Does the policy cover overall loss of turnover incurred due to the disaster? 4 3 E2
01D02-09 Is the choice of computer and information system cover (exclusions, guarantees) decided jointly with Information Technology 2 E2
management and reviewed regularly?
01D03 Personal Liability Insurance (PLI)
01D03-01 Is the organization covered by personal liability insurance including the consequences of computer disasters (Professional Liability, 4 E1
Product Personal Liability)?
01D03-02 Does the contract cover the usual causes of this type of damages: accident (breakage, bugs etc.), human error (data entry errors, 2 E2
programming errors etc.), malicious entry (frauds, intrusions, service denial, including company personnel or third party responsible
for its operation or maintenance)?
01D03-04 Is the choice of computer and information system cover (exclusions, guarantees) decided jointly with Information Technology 2 E2
management and reviewed regularly?
01D04 Insurance against loss of Key Personnel

01D04-01 Is the organization covered by insurance covering exposure to loss of key personnel? 2 E2
01D04-02 Does the contract cover all possible causes of loss of key personnel such as airplane or automobile accidents, illness, individual or 4 2 E2
group resignation?
01D04-03 Does the insurance policy cover additional running costs incurred by loss of key personnel? 4 2 E2
01D04-05 Does the insurance policy cover operational losses incurred by the disaster? 4 E2
01D04-06 Is the choice of computer and information system cover (exclusions, deductibles) decided jointly with Information Technology 2 E2
management and updated regularly?
01D04-07 Does the level of guarantee and deductibles cover the survival of the company in the case of a disaster? 2 2 E2
01D04-08 Does the level of guarantee and deductibles allow the company to survive a disaster without major consequences? 2 3 E2
01D05 Management of insurance contracts
01D05-01 Is there a person responsible for the insurances within the organization? 1 E1
01D05-02 Is the level of guarantee for IT related assets the result of a specific study made in conjunction with the IT department (on the 2 E1
basis of a risk analysis carried out recently -within less than three years)?
01D05-03 Is there a regular check (at least once per year) of the insurance contracts by the insurance manager, in consultation with the 2 E2
relevant sector managers, with an adjustment of the cover with the broker or insurance agent if required?
01D05-04 Is there a regular check (at least once per year) of the insurance contracts by the insurance manager, in consultation with the 2 E2
relevant sector managers, with an adjustment of the cover with the broker or insurance agent if required?
01D05-05 Do the relevant sector managers participate in the study of the coverage limits (exclusions, deductible, ceiling, etc) defined in the 2 E2
contracts?
01D05-06 Has there been an analysis of the transfer of risks depending to the various types of partners ? 2 E2
E.g. service and product providers, hosting services, clients
01E Business continuity
01E01 Taking into account the need for business continuity
01E01-01 Has an analysis been carried out of the criticality of applications in order to underscore the requirements of service continuity? 4 2 E1 14.1.2
An in-depth analysis supposes that a list of incidents or failure scenarios and all the foreseeable consequences is established
01E01-02 Has this analysis allowed the minimum service requirements to be defined for each application and system and have these 4 2 E1 14.1.2
minimum service requirements been accepted by the users (information owners)?
01E01-03 Are there processes, regularly implemented, for risk analysis linked to information, possibly leading to a disruption of the company 2 E2 14.1.1
activities and thus a definition of the security requirements, responsibilities, procedures to apply and implement to allow the
development of a business continuity plan?
01E02 Business continuity Plans
01E02-01 Have Business Continuity Plans (BCP) been designed, from a criticality analysis, for each critical activity? 3 E1 14.1.3
01E02-02 Do these plans foresee all measures to undertake to ensure business continuity between the alert and the eventual 3 2 E2 14.1.3
implementation of alternative solutions set forth by the technical Disaster Recovery plans?
01E02-03 Do these plans cover all organizational aspects related to the "manual" continuity solution (personnel, logistics, coaching, etc.)? 3 E2 14.1.3
01E02-04 Have instructions and training been given to implied personnel for the operation of the continuity plans? 2 E2 14.1.3
01E02-05 Do the business continuity plans include procedures for returning to normal activity? 4 2 E2 14.1.3

01E02-06 Is there a crisis trigger plan associated with each of these plans? 4 E2
01E02-07 Does implementation of these plans result in an acceptable level (impact limited to 2) of all critical malfunctions? 1 2 3 E2
This question is intended to insure that the effectiveness of this service is not overstated.
01E02-08 Is there a manager responsible for the creation, monitoring, and testing of these plans? 3 C1 14.1.5
01E02-09 Are these plans tested regularly (at least once a year)? 3 2 C1 14.1.5
01E02-10 Are the test results analyzed by management and the relevant stakeholders? 3 2 C1 14.1.5
01E02-11 3 2 14.1.5
Are the business continuity plans updated regularly?
An update should be required to take account of changes in personnel concerned, technical changes, or the results of tests. C1
01E02-12 Are updates to plans audited regularly (at least once a year)? 3 2 R1
01E03 Workplace Recovery Plans (WRP)
01E03-01 Are there recovery solutions to reduce the impact if the work environment is not available (workplace unavailable, power outage, 4 2 E1
telephone outage, etc)?
01E03-02 Are these solutions described in detail in the Workplace Recovery Plans (WRP), including trigger rules, actions to take, priorities, 4 E1
people to mobilize and their contact details?
01E03-03 Are these plans tested at least once a year? 2 3 R1
01E03-04 Is the case of failure or non-availability of a crisis solution envisaged, and for each case is there a secondary backup plan? 4 3 R2
01E03-05 Are the recovery solutions usable for an unlimited period of time, and if not, has a second solution been identified to replace the 2 E2
initial solution after a predetermined time period?
01E03-06 Is the existence, relevance, and activation of the WRP audited regularly? 3 C1

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Audit Questionnaire: Sites Security 1 variant
02A Physical access control to the site and the building
Here is considered control of access to the whole of the site or the building, or a certain number of
floors, which represents the "site" in which are situated the sensitive locations
02A01 Management of access rights to the site or building
02A01-01 Are permanent or semi permanent (for a specific length of time) access rights to each site or building (or to a number of floors) 4 3 2 E1
based on typical profiles (staff on permanent or limited contracts, temporary staff, students, service providers etc.) and to
functional roles in the organization?
Access rights should be granted to activity profiles and not to named individuals.
02A01-02 Is there a list, kept up-to-date, of these profiles and the people responsible for granting access rights for each of them? 4 2 2 E2
02A01-03 Are the rights and the validity conditions attributed to profiles reviewed by the site or general security manager? 4 E2
02A01-04 Do the profiles also allow definition of working time limits (daily hours and periods in the working calendar, weekends, holidays 2 E2
etc.)?
02A01-05 Are these rights and profiles as defined above protected against any possibility of alteration or falsification during their storage or 1 3 R1
when transferred between decision makers and the personnel in charge of implementing the rights?
02A01-06 Is there a regular audit, at least once a year of all rights attributed to the various categories of personnel and a review of the 1 3 C1
pertinence of those access rights?
02A02 Management of access authorizations granted to the site or the building
02A02-01 Does the procedure of granting permanent or semi permanent access authorization require the formal acceptance of line 4 2 E1
management or of the unit managing the external contractor (at a sufficiently senior level)?
An access authorization is granted to a person, it may provide access rights based on the job profile he or she is linked to. It is
usually materialized by a badge carried by the employee.
02A02-02 Is the procedure for granting (or modification or retraction) of access authorization documented and strictly controlled? 4 2 E2
A strict control requires a formal recognition of the signature (electronic or otherwise) of the requestor, that the implementation of
the profile attributed to users is highly secure and that each operation is recorded (mentioning the date of issue of the badge and
its length of validity) that there be a reinforced access control over the modification of such records and that any modification of
records be logged and audited.
02A02-03 Are access authorizations granted to named individuals as a function of their profile? 4 E2
02A02-04 Are the access authorizations to the site materialized by a badge or a card? 2 E2
02A02-05 Are these access authorization badges or cards personalized i.e. with the name and picture of the owner? 2 E2
02A02-06 Can the list of valid access authorizations and corresponding profile be reviewed at any time? 2 E2
02A02-07 Is there a rapid and systematic process for revoking access authorizations (revocation of the badge to the automatic access 4 2 E2
control equipments) and return of the corresponding badge or card at the time of departure of internal or external personnel,
change of site attachment (when the authorization is site dependent) or at the end of mission?
02A02-08 Is there a procedure enabling the subsequent detection of irregularities in the management of access authorizations (badge or 4 C1
card not returned, usage of a lost badge, false badge etc.)?
02A03 Access control to the site or the building
02A03-01 Is the site completely enclosed by a perimeter fence which is difficult to cross or to scale? 1 1 E1 9.1.1
For a building on the public highway to be considered secure, all windows on the ground floor must be locked shut and all access
points must have been taken into consideration (garages or underground car parks, roof etc.)
Mise jour : janvier 2010 351061430.xls ! 02 Sit page 48

02A03-02 Is there an operational system (automatic or by security guard) for controlling pedestrian and vehicular access to the site? 1 1 E2 9.1.1
02A03-03 Does this system guarantee that all people entering are checked? 4 2 E3
An efficient control assumes a double or revolving door, or a security guard who allows only one person to pass at a time (for
pedestrians) and for vehicles entering the site, controls all people present in the vehicle.
02A03-04 Does such a system, if dependent on a badge, guarantee that the same badge cannot be used by a second person (by, for 4 E3
example, memorizing all entries and not allowing a further entry without an intervening exit)?
02A03-05 In the case where presentation of a badge or card is required to gain access to a site, is there the possibility to immediately 4 2 E2
validate the authenticity and validity of the card or badge?
02A03-06 Are the automatic access control systems under 24 hr surveillance enabling the detection of a failure, a system deactivation or 4 2 R1 9.1.1
the usage of emergency exits in real time?
02A03-07 Is there a procedure or automatic alert enabling the immediate intervention of security personnel in the case of failure of the 4 3 R2
access control system (or the usage of an emergency exit)?
02A03-08 Is there a control procedure enabling the detection of irregularities in the access control procedure (audit of procedures and 4 3 C1
parameters of access control systems, audit of exceptions and of interventions etc.)?
02A04 Intrusion detection to the site or the building
02A04-01 Is there an operational intrusion detection system to the site, linked to a 24 hr monitoring center? 4 E2 9.1.1
02A04-02 Does this system detect all boundary incursion, all forced attempts to open locked exits (windows and doors), all opening of 4 2 E2
emergency exits and all exits kept open abnormally?
02A04-03 Is this system backed up by a video and audio control system which allows the surveillance team to make a first analysis or 4 3 E3
dismiss uncertainty from a distance?
02A04-04 Is the surveillance team dedicated to its task, having only security responsibilities and are any alarms immediately detected and 4 3 E3
treated as the highest priority?
02A04-05 In the case of an intrusion detection alarm, does the surveillance team have the possibility of sending out an intervention team 4 2 E2
without delay to verify the cause of the alarm and to take appropriate action?
02A04-06 Sites Security 4 3 E3
02A04-07 Is there an advisory document clearly stating exactly what action to take in the case of each alarm envisaged? 2 E2
02A04-08 Is the intrusion detection system itself under surveillance (alarm in the case of inhibition, auto-surveillance by camera etc.)? 2 3 R1
02A04-09 Are intrusion control points and procedures for reaction to intrusions audited regularly? 2 3 C1
02A05 Access to the loading and unloading areas (goods receipt and consignment) or to areas open to public
02A05-01 Are there specific access control mechanisms from outside through delivery and loading zones in place? 2 E2 9.1.6
02A05-02 Are the delivery and loading zones established in such a way that the delivery men cannot have access to inner parts of the 2 E2 9.1.6
building or the site?
02A05-03 Are there specific measures allowing to isolate the moves of external public and the access from the rest of the building? 2 E2 9.1.6
02B Protection Against Miscellaneous Environmental Risks

02B01 Analysis of Miscellaneous Environmental Risks
02B01-01 Has a thorough and systematic analysis of all the conceivable environmental risks for the site been conducted? 1 E3 9.1.4
Potential risks are : Avalanche, hurricane, storm, flooding, forest fire, land slide, earthquake, Volcano, broken dam or dike,
torrential flood, falling rocks, collapse, gullies, drought

02B01-02 Has a thorough and systematic analysis of all the conceivable industrial risks for the site been conducted? 1 E3 9.1.4
Potential risks are: high risk site nearby (Seveso like), dangerous internal installations, gas station, transport of dangerous
materials...
02B01-03 Was each situation considered highly improbable or were appropriate measures taken? 2 E3 9.1.4
02C Control of access to office areas
02C01 Partitioning of office areas into protected zones
02C01-01 Has it been established a management policy for access rights to office area, built from an analysis of the security requirements 2 E1 11.1.1
based on the business stakes?
02C01-02 Have office areas been partitioned into protected security zones corresponding to homogeneous security constraints and spaces 2 E2
of confidence within which information can be freely exchanged?
02C01-03 Has it been ensured that the access control rules to assets are coherent with this partitioning into protected zones? 4 E2
Assets considered may be data, documents and equipments installed within these zones or accessible from them.
02C01-04 Have specific procedures been defined for each kind of external person, including providers, induced to intervene in the offices 2 3 E2
(consultants, maintenance or cleaning staff, etc.): specific budge, accompanying person, previous authorization mentioning the
identity of the beneficiary, etc)?
02C01-05 Is there a systematic updating process for the partitioning rules of the office zones? 2 C1
02C02 Physical access control to the protected office zones
02C02-01 Is an automatic authentication and access control system used for protected areas? 2 E2
02C02-02 Are there a procedure and calling means that people who do not have authorization can use to access the protected areas? 3 E3
02C02-03 In the case of a person without authorization entering these areas, does the procedure, guarantee that the person will be 3 E3
accompanied?
02C02-04 Is there a procedure or automatic alert enabling the immediate intervention of security personnel in the case of failure or 2 R1
invalidation of the access control system?
02C02-05 Is the access control system for protected office areas equipped with a no pass-back mechanism? 2 3 E3
02C02-06 Is authentication based on tamper-proof means associated with the user (for example a badge, smart card, or biometric 4 4 E2
recognition system)?
02C02-07 Does the mechanism use strong authentication of the user, with two identifying factors? 4 3 E3
02C02-08 Does the mechanism provide a temporary means of access, to allow for lost, stolen or forgotten badges? 2 E3
02C02-09 Does the temporary means of access grant only access to a strictly limited area? 2 3 E3
02C02-10 Does the access control system guarantee exhaustive checking of the people entering the premises (turnstile preventing more 4 4 E3
than one person from entering at a time, a process to prevent a badge being used by more than one person, etc)?
02C02-11 In addition to controlling access by the normal routes, is access by other routes (such as windows accessible from outside, 4 3 E1
emergency exits, or through false floors or ceilings) monitored?
02C02-12 Are the systems that provide automatic access control to protected areas operational and monitored permanently (24x24) so that 2 R1
any outage or deactivation is flagged in real time?
02C02-13 Are the emergency exits monitored permanently (24x24) so that their use can be checked in real time? 3 E2
02C02-14 Is there an audit process to detect, after the event, any anomalies in the access control system (audit of the procedures and 3 C1
configuration of the access control system, audit of exception procedures and intervention, etc)?

02C02-15 Is there a process for systematically updating access control policies? 2 C1
02C03 Management of access authorizations to protected office area
02C03-01 Does the procedure of granting access rights to a protected office area require the formal authorization of the manager of the 2 E1
protected area?
02C03-02 Is the authenticity of requests for attribution of access rights verifiable and verified (signature control ) ? 3 E2
02C03-03 Are the authorizations accorded to named individuals and registered (with a mention of the day of the authorization and the 4 E2
duration of its validity)?
02C03-04 Is the validity of these authorizations limited in time? 2 E3
The validity duration shall be defined accordingly to the profile of the person.
02C03-05 Is there a systematic process of removal of access rights to a protected office area at the time of departure ? 2 E2
02C03-06 Is there a systematic process of removal of access rights to a protected office area at the time of transfer or role change of staff? 2 E3
02C03-07 Is there a regular audit, at least once a year, of all access rights currently attributed to each protected office area? 2 C1
This audit should also analyze the relevance of the authorizations granted.
02C03-08 Are all entries into protected zones recorded? 3 E2
02C03-09 Are also all leavings from protected zones recorded? 2 E3
02C03-10 Is there a procedure enabling the subsequent detection of irregularities in the management or the use of access rights (badge or 4 R1
02C04 Detection of intrusions into protected office areas
02C04-01 Is there an operational system, linked to a 24 hr monitoring center, detecting the forcing of exits to the protected office zones? 2 E2
This system must monitor forced openings of exits (doors and windows), the usage of an emergency exit or their being kept
open, etc.
02C04-02 Is there an operational system detecting the presence of persons outside normal working hours, linked to a 24 hr monitoring 2 E2
center?
This system should control the presence of persons (volumetric detection, etc.). It may also be a video surveillance system linked
to a 24 hr monitoring center.
02C04-03 Is this system backed up by a video and audio control system which allows the security team to make a first analysis or remotely 3 E2
dismiss uncertainty?
02C04-04 In the case of an intrusion detection alarm, does the surveillance team have the possibility of sending out an intervention team 2 E2
02C04-05 Has the security team sufficient resources to cover the eventuality of multiple alarms set off intentionally? 3 E2
02C04-06 Is the location of electronic systems for detection and processing of alarms protected 24 hrs a day by an access control system 2 R1
and by an intrusion detection system?
02C04-07 Is the intrusion detection system itself monitored (alarm in the case of shutdown, video auto-surveillance etc.)? 3 R2
02C04-08 Are the control points for intrusion detection and the procedures for action subsequent to intrusion subject to regular audit? 3 C1
02C05 Monitoring of protected office areas

02C05-01 Is there a complementary video surveillance system, complete and coherent, for protected office areas, able to detect movement 4 3 E2
and abnormal behavior?
02C05-02 In the case of an alarm, does the surveillance team have the possibility of sending out an intervention team without delay to verify 4 E2
the cause of the alarm and to take appropriate action?

02C05-03 Has the security team sufficient resources to cover the eventuality of multiple alarms set off intentionally? 3 E2
02C05-04 Is the security surveillance team also on duty at times when cleaning of sensitive locations is done? 2 E2
02C05-05 Is video surveillance material recorded and kept for a long period? 2 E3
02C05-06 Is the intrusion detection system itself under surveillance (alarm in the case of shutdown, video auto-surveillance etc.)? 3 R2
02C05-07 Are procedures for surveillance and intervention in the case of abnormal behavior audited regularly? 3 C2
02C06 Control of movement of visitors and occasional service providers required to work in the offices
02C06-01 Is there a general control of movement of visitors and occasional service providers (time stamping at arrival and departure, 2 E1 9.1.2
signature of the person visited, etc.)?
02C06-02 Are visitors and occasional service providers always accompanied (on the way in, return to reception, intervening movements )? 2 E1 9.1.2
02C06-03 Are visitor reception zones set aside specifically for that purpose comprising only welcoming areas, meeting rooms or zones 3 E2 9.1.2
accessible to the public?
02C06-04 Have specific procedures been defined for each type of external service provider given to operate in the offices (IT service 4 E2 9.1.2
company, maintenance company, cleaning staff, etc.) such as the wearing of a personalized badge, accompaniment by staff, prior
authorization indicating the name of the operative etc?
02C06-05 Do these procedures ensure that the service provided corresponds to the expressed requirement and that the actions of the 2 E2
service provider are limited only to that requirement?
02C06-06 Are visitors and occasional service providers recorded in such a way as to enable a subsequent verification of the reason of their 3 E2
visit and has a procedure been put in place which enables the detection of dishonesty or abuse?
02C06-07 Is there a secure way to register the departure of visitors (e.g. keeping their identity card)? 2 E2
02C06-08 Are the control procedures of visitors and occasional service providers movements regularly audited? 3 C1
02D Protection of written information
02D01 Conservation and protection of important commonly used documents
02D01-01 Are there facilities available for the staff to put away, close to their desk, commonly used documents requiring a high degree of 4 E2
preservation or protection?
02D01-02 Do these facilities allow to protect important documents from risks of water damage or flooding? 4 E2
02D01-03 Do these facilities allow to protect important documents from risks of fire (fireproof vaults) ? 4 E2
02D01-04 Are the premises used for the storage of these documents equipped with reinforced access control and intrusion detection? 3 E2
02D01-05 Does the shutdown of these security systems (fire, water damage, access control, intrusion detection) trigger an alarm with a 2 R1
surveillance center able to intervene rapidly?
02D01-06 Are these storage conditions subject to regular audit? 3 3 C2
02D02 Protection of documents and removable support media
02D02-01 Do security procedures and instructions define the rules for protecting documents and information support media situated in 3 E1 10.7.1
offices (regardless of the type of support media)?
02D02-02 Do the security procedures and instructions detail the rules for protecting laptop microcomputers (storage, securing by cable 3 E1
etc.)?
02D02-03 Do the security procedures and instructions also detail the rules for protecting Tablet PCs, electronic personal assistant or 3 E2
telephones which may contain sensitive information?
02D02-03 Do the security procedures and instructions detail the rules relative to the printing of sensible documents? 3 E2

02D02-04 Do the security procedures and instructions detail the rules for the distribution of sensible documents? 3 E2
02D02-05 Do the security procedures and instructions detail the rules relative to the handling of sensible documents while carried outside 3 E2
the organization?
02D02-06 Do staff have secure storage facilities (secure cupboards ) immediately available on request, in the office or in close proximity to 4 3 E2
the office at any time?
02D02-07 Are staff regularly made aware of the necessity to protect documents and other sensitive support media in their offices ? 2 E2
02D02-08 Do security staff regularly check (effecting regular rounds) the application of document tidying rules and various support media 3 C1
situated in offices ?
02D02-09 Are these controls also effected during opening hours, in the absence of the regular occupants of the offices? 3 C2
02D02-10 Is the application of the security rules relative to the printing and distribution of sensitive documents regularly audited? 3 C2
02D03 Paper-bin collection and destruction of documents

02D03-01 Are the contents of all paper-bins subject to a system of secure destruction? 2 3 E2
02D03-02 Do staff have available a means of secure destruction for sensitive documents (shredders, special paper collection )? 4 3 E1
02D03-03 Do the paper destruction facilities available to personnel offer a solid guarantee that documents destroyed cannot be 2 3 E2
reconstituted?
For this, the shredder used must cross cut.
02D03-04 Is the capacity of the paper destruction facilities available to personnel compatible with the average volume of documents to 2 E1
destroy?
02D03-05 Has a shredder of sufficient capacity been installed next to each photocopier? 4 E2
Note: the capacity necessary must take into account the maximum thickness that photocopied document can generally attain.
02D03-06 Are all paper destruction procedures and facilities regularly audited? 2 3 C1
02D04 Security of post mail
02D04-01 Is the incoming and outgoing mail sorting and dispatching office kept locked when staff are not present? 4 E1
02D04-02 Is the incoming and outgoing mail sorting and dispatching office protected against risks of fire and water damage (automatic 3 E1
detection and triggering of an alarm with a surveillance center able to intervene rapidly?
02D04-03 Does the mail delivery round ensure that only the intended recipient department or person has access to its or their mail (locked 3 E1
post boxes, direct distribution and delivery direct to the intended person etc.)?
02D04-04 Within the office spaces, is any mail, either outgoing or incoming, kept aside so as not to be read by an unintended third party? 2 E2
02D04-05 Is confidential mail rendered neutral (double envelope with the degree of classification only being indicated on the internal 2 E2
envelope)?
02D04-06 Are important mails sent systematically registered with acknowledgement of receipt? 3 E2
02D04-07 Is the application of mail security advice and procedures regularly audited? 3 C1
02D05 Security of faxes (traditional)
02D05-01 Is there a procedure or instruction stating the modes for sending and receiving confidential faxes? 2 E1
02D05-02 Is the location of each fax machine kept locked when staff are not present? 4 E1
02D05-03 Is the incoming and outgoing faxes office protected against risks of fire and water damage (automatic detection and triggering of 3 E1
an alarm with a surveillance center able to intervene rapidly?

02D05-04 Does the fax delivery round ensure that only the intended recipients department or person has access to its or their faxes (locked 3 E1
post boxes, direct distribution and delivery direct to the intended person)?
02D05-05 Have the possibilities and modes of remote fax retrieval with password been explained to personnel and relevant advice 4 3 E2
displayed near to fax machines?
02D05-06 Is the remote retrieval with password mode obligatory for the sending or receipt of a confidential fax? 3 E2
02D05-07 Is the application of fax security advice and procedures regularly audited? 2 3 C1
02D06 Conservation and protection of important documents (to be preserved during a long period)
02D06-01 Is there a department specifically responsible for keeping and protecting important documents that need to be kept for a long 2 E2 13.2.3
period of time?
Such as important originals, elements usable as proof, documentary evidence, etc.
02D06-02 Is there a procedure which obliges users to use this service for all documents usable as proof, documentary evidence or 2 E2 13.2.3
important originals?
02D06-03 Are the corresponding documents kept in fireproof safes, themselves located in rooms with appropriate equipments for fire 3 E2
detection and extinguishing, flooding detection and water draining?
02D06-04 Are the rooms used to store these documents equipped with reinforced access control and intrusion detection systems? 3 E2
02D06-05 Does the shutdown of security systems (fire, water damage, access control, intrusion detection) trigger an alarm with a 2 R1
02D06-06 Is the capacity to work on these documents ensured on a long range? 3 C1
02D06-07 Are the storage conditions and associated security systems subject to regular audit? 3 C1
02D07 Management of archived documents
02D07-01 Is there a department specifically responsible for archiving documents to be kept for a long range? 2 E2
02D07-02 Is there a procedure which obliges users to use this archiving service for all documents to be kept for a long range? 2 E2
02D07-03 Are the delays for archiving or returning documents in accordance with the expectations of users? 4 E2
Otherwise users may prefer to keep the documents next to them.
02D07-04 Are the rooms used for archives quipped with appropriate equipments for fire detection and extinguishing, flooding detection 3 3 E2
and water draining?
02D07-05 Are these rooms equipped with reinforced access control and intrusion detection systems? 3 3 E2
02D07-06 Are the archive rooms under video-survey when they are not occupied? 3 3 E3
02D07-07 Are the cartons for archives marked without reference to their content? 3 3 E2
02D07-08 Are the correspondence tables associating the content to the reference of archives not accessible to the personnel in charge of 3 E3
managing physically the cartons of archives?
02D07-09 Are these tables subject to a saving policy ? 3 3 E2
02D07-10 Does the shutdown of security systems (fire, water damage, access control, intrusion detection) trigger an alarm with a 2 3 R1
02D07-11 Is the requester of an archive authenticated with a strong procedure? 3 3 E2
02D07-12 Is the delivery of an archive registered and logged? 3 3 E2
02D07-13 Is there a specific procedure used for the destruction of archives? 1 E2
02D07-14 Does this procedure guarantee that the requester has the appropriate rights? 4 3 E2
02D07-15 Are the archives protected against any diversion during their transport between the archiving room and the requester? 3 E2

02D07-16 Are the storage conditions for archives and associated security systems subject to regular audit? 3 3 C1

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Audit Questionnaire: Security of Premises 1 variant
Number Question R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
03A General Maintenance
03A01 Quality of energy supply
03A01-01 Does the energy supply conform to the maximum load levels specified by installed equipment suppliers and with a sufficient 2 E2 9.2.2
margin?
03A01-02 Is there an electricity regulation system which includes at least an uninterruptible power supply for the most sensitive equipment? 4 E2 9.2.2
03A01-03 Are there backup batteries (supplying one or more uninterruptible power supplies) guaranteeing sufficient autonomy that 2 E2 9.2.2
equipment shuts down safely and properly?
03A01-04 Is the energy supply system fitted with a control system which signals to the intervention team any partial or complete failure of 2 3 R1
equipment (disconnection of batteries, insufficient charge, uninterruptible supply system shutdown etc.)?
03A01-05 Are energy regulation systems checked frequently (battery capacities in particular) in comparison to system requirements 2 3 C2
(autonomy needed to ensure a proper shutdown)?
03A01-06 Is the regular replacement of intermediate batteries effected in accordance to the manufacturers' specifications? 2 2 E2
03A02 Continuity of energy supply
03A02-01 Has it been established a documented policy relative to the requirements about power supply continuity (and all fluids in 1 2 E1 9.2.2
general)?
03A02-02 Is there a backup energy supply capable of guaranteeing service continuity of critical equipment (making use a generator and 4 2 E1 9.2.2
sufficient independent supply of fuel or independent energy feed)?
03A02-03 Is the backup system tested regularly in order to define the appropriate load required (retaining only critical equipment load 4 C1
levels)?
03A02-04 Is the start-up routine for the backup system tested regularly and its compatibility with the requirements of service continuity (tests 4 2 E2
include system run-down and eventual reconfiguration needed)?
03A02-05 Is the backup energy supply system equipped with an alarm which signals to the intervention team any partial unavailability or 2 3 R1
failure of equipment (failure of the backup system, low fuel, shutdown of detection or switching system etc.)?
03A03 Air conditioning security

03A03-01 Is there an air conditioning system which regulates air quality (temperature, pressure, water content, dust) corresponding to the 4 E2 9.2.2
specifications of builders of installed equipment?
03A03-02 Is the air conditioning system regularly tested to ensure that it will continue to function even in the worst climatic conditions 4 C1
possible?
03A03-03 Will the air conditioning system continue to function within the specifications despite a simple component failure (sufficient 2 E3 9.2.2
equipment redundancy, backup air conditioning system etc.)?
03A03-04 Is the capacity of the air conditioning system tested regularly in spite of a simple equipment failure and under the worst possible 1 3 C2
climatic conditions?
03A03-05 Is there a redundancy system for the most critical air conditioning equipments? 4 E2
03A03-06 Is the accidental or deliberately caused failure (shutdown) of the air conditioning system detected and signaled to an intervention 2 2 R1
team able to react swiftly?
03A03-07 Is the security of the air-conditioning system (detection of failure, shutdown, intervention procedures) subject to a regular audit? 2 3 C1
03A04 Quality of cabling

03A04-01 Is a file maintained detailing all cable paths and bays (with a backup copy) and associated cabling cabinets and their 4 E1 9.2.3
characteristics?
Mise jour : janvier 2010 351061430.xls ! 03 Pre page 72

03A04-02 Are the cables individually labeled at each end? 2 E2 9.2.3
03A04-03 Is cabling protected from accident risk (protected conduit ends)? 4 E2 9.2.3
03A04-04 Are high and low voltage circuits properly separated? 2 E1 9.2.3
03A04-05 Is cabling quality and protection checked regularly? 2 3 C1
03A04-06 Is the update of the cabling map regularly audited? 2 2 C1
03A05 Lightning protection
03A05-01 Is the building protected by a lightning conductor? 4 E1
03A05-02 Are electrical circuits and cabling protected against surges and against lightning by specialized equipment? 4 E1
03A05-03 Is circuit protection equipment checked regularly? 2 3 C1
03A06 Dependability of service equipment
03A06-01 Is there a complete and accurate list of all the service equipment required by the IT and communications systems (cold water, air, 4 E2 9.2.2
specific supplies, etc)?
03A06-02 Is each equipment covered by a maintenance contract tailored to the requirements of the expected service? 4 C1
03A06-03 For the most critical services, is there system redundancy or a rapid replacement capability? 4 E2
03A06-04 Are all outages, whether unplanned (breakdown) or planned (stoppage), of service equipment detected and flagged to an 2 2 R1
intervention team for rapid reaction?
03A06-05 Is the dependability of service equipment (detection of breakdown or outage, intervention procedures, etc) audited regularly? 2 3 C1
03B Control of access to sensitive locations (other than office zones)

03B01 Access rights management to sensitive locations
03B01-01 Are permanent or semi permanent (for a specific length of time) access rights to sensitive locations defined in relation to standard 4 2 2 E1 9.1.2
profiles accounting for the function and status of staff?
These profiles should consider technical, telecom, general maintenance or security staff, fire brigade, service providers, students
or visitors, etc.
03B01-02 Have an inventory and a classification of all the types of sensitive locations been taken? 4 E2
03B01-03 Has, for each sensitive location or type of location, a manager been named to maintain up-to-date security access rights 4 E1
attributed to each category of personnel and has each of the managers taken up their post?
03B01-04 Do these persons in charge actually assuming this function and do they provide reports to the CISO about it? 4 2 E2
03B01-05 Do the profiles also allow definition of working time limits (daily hours and periods in the working calendar, weekends, holidays 4 E2
etc.)?
03B01-06 Are these rights and profiles as defined above protected against alteration or falsification during their storage or when 1 3 R1
transferred between decision makers and the personnel in charge of implementing the rights?
03B01-07 Is there a regular audit or inspection, at least once a year, of all rights given to the various categories of personnel and of the 1 3 C1 9.1.2
management processes for these rights as well?
03B02 Management of access authorizations granted to sensitive locations
03B02-01 Does the procedure of granting permanent or temporary access authorizations require the formal authorization of line 4 2 E1
management or of the unit managing external contractors (at a sufficiently senior level)?

03B02-02 Is the procedure for granting (or modification or revocation) of access authorizations, for each type of sensitive location, 4 2 E2
documented and strictly controlled?
the profile attributed to users is highly secure and that each operation is recorded (mentioning the date of issue of the badge and
its length of validity) that there be a reinforced access control over the modification of such records and that all record
modifications be logged and audited.
03B02-03 Are access authorizations granted to named individuals as a function of profile and materialized by a badge or a card or a key? 4 E2
03B02-04 Are badges or cards which represent access authorizations personalized using the name of the holder and his or her 4 E2
photograph?
03B02-05 Can the list of access authorizations and corresponding profile be reviewed at any time? 4 2 E3
03B02-06 Is there a rapid and systematic process of attribution and revocation of access authorizations (with invalidation of the badge in 2 2 E2
automatic control systems) and the return of the badge or corresponding card at time of change of site (if access rights depend
on the site), departure from the company or at the end of a contract and applied both to internal and external staff?
03B02-07 Are keys or badges stored in a locked secure box or cupboard resistant to break in? 4 2 E2
For example: certified safes
03B02-08 Is it prohibited to enter the sensible premises with means of photo, video, or audio taping? 1 E3 9.1.5
03B02-09 Is there a regular audit, at least once a year, of all the badges attributed to all categories of staff and of the pertinence of the 1 2 C1
corresponding authorizations?
03B02-10 Is there a procedure enabling the subsequent detection of irregularities in the management of access authorizations (badge or 4 C2
03B03 Access control to sensitive locations
03B03-01 Is use made of an automatic system controlling access to sensitive locations? 4 E1 9.1.2; 9.1.5
03B03-02 Does authentication employ user related data that cannot be falsified (smart cards or biometric data for example)? 4 3 E3
For example :(smart cards, biometric data, digital key, ...
03B03-03 Does the access control system guarantee that all personnel entering the location are verified? 4 3 E2
For example: double door limiting the number of people entering to one-at-a-time or a process which prohibits the usage of a
badge by more than one person etc.
03B03-04 Is control assured of all entry and exit points including both normal exits and others such as windows accessible from outside, 4 3 E2
emergency exits, potential access via raised flooring and false ceilings?
03B03-05 Are the automatic access control systems under 24 hr surveillance enabling the detection of a failure, a system deactivation or 2 2 R1
the usage of emergency exits in real time?
03B03-06 Is there a procedure or automatic alert enabling the immediate intervention of security personnel in the case of a shutdown alarm 2 2 R2
of the access control system (or usage of emergency exit)?
03B03-07 Is there an audit procedure enabling the detection of irregularities in the access control procedures (audit of procedures and 2 3 C1
03B04 Intruder detection in sensitive locations
03B04-01 Is there an operational on site intrusion detection system for sensitive locations linked to a 24 hr monitoring center? 4 2 E1
03B04-02 Does this system detect all attempts to force open locked exits (windows and doors), all opening of emergency exits and all 4 2 E2
normal exits abnormally kept open?
03B04-03 Does this system detect the presence of personnel outside of normal working hours? 4 2 E2

03B04-04 Is this system backed up by a video and audio control system which allows the security team to make a first analysis or dismiss 4 3 E3
uncertainty from a distance?
03B04-05 Is the surveillance team dedicated to its task, having only security responsibilities and are any alarms immediately detected 4 3 E3
03B04-06 In the case of an intrusion detection alarm, does the surveillance team have the possibility of sending out an intervention team 4 2 E2
03B04-07 Has the security team sufficient resources to cover the eventuality of multiple alarms set off intentionally? 4 3 E3
03B04-08 Is there an advisory document clearly stating exactly what action to take in the case of each alarm envisaged? 2 E2
03B04-09 Is the intrusion detection system itself under surveillance (alarm in the case of shutdown, auto-surveillance by camera etc.)? 2 3 R1
03B04-10 Are intrusion control points and procedures for reaction to intrusions audited regularly? 2 3 C1
03B05 Perimeter monitoring (surveillance of entry points and surroundings of sensitive locations)
03B05-01 Is the perimeter or surroundings of sensitive locations under complete and coherent surveillance by video or direct visual means? 4 E2
03B05-02 Is the surveillance team dedicated to its task, having only security responsibilities and are any alarms immediately detected and 4 3 E3
03B05-03 In the case of an alarm, does the surveillance team have the possibility of sending out an intervention team without delay to verify 4 E2
03B05-05 Is there an advisory document clearly stating exactly what action to take in the case of each alarm envisaged? 2 E2
03B05-06 Is video surveillance material recorded and kept for a long period? 1 E3
03B05-08 Are surveillance and intervention procedures audited regularly? 2 3 C1

03B06 Surveillance of sensitive locations
03B06-01 For sensitive locations, is there an additional, complete and coherent, video surveillance system which detects movement inside 4 3 E2 9.1.5
the sensitive location and able to detect abnormal behavior?
03B06-02 Is the surveillance team dedicated to its task, having only security responsibilities and are any alarms detected immediately 4 3 E3
03B06-03 In the case of an alarm, does the surveillance team have the possibility of sending out an intervention team without delay to verify 2 2 E2
03B06-05 Is the security surveillance team also on duty at times when cleaning of sensitive locations is done? 4 2 E2
03B06-06 Is video surveillance material recorded and kept for a long period? 1 E3
03B06-08 Are procedures for surveillance and intervention in the case of abnormal behavior audited regularly? 2 3 C1
03B07 Cabling access control
03B07-01 Is physical access to cabling protected (specific conduits difficult to access or kept locked)? 2 2 E2
03B07-02 Are all cable paths kept under video surveillance with alerts in the case of abnormal presence (to signal to staff which screen to 4 3 E3
pay particular attention to)?

03B07-03 Are locations where it would be possible to place a parasitic device on a LAN or WAN under reinforced security (named 2 2 E2
personnel with badge access, biometric security)?
03B07-04 Are locations where it would be possible to place a parasitic device on a LAN or WAN under video surveillance as soon as 2 3 E2
accessed (with an alert to surveillance personnel)?
03B07-05 Are there regular security audits of cabling? 2 3 C1
including effective control of access to conducts, audit of access rights attributed and the intervention procedures on violation of
rights, inspection of locations where parasitic devices could be placed.
03B08 Location of sensible premises.
03B08-01 Are the sensible premises located in areas not accessible to the public? 1 E2 9.1.3
03B08-02 Are the data processing premises exempt of all exterior indication of their content? 1 E2 9.1.3
03B08-03 Is the location of sensible premises not displayed in telephone directories? 1 E2 9.1.3
03C Security against water damage
03C01 Prevention of risk of water damage
03C01-01 Has there been a systematic and exhaustive analysis of all the possible points at which water might enter? 4 2 E2 9.1.4
For example: position of locations relative to natural overflows in the case of flood or violent storms, flooding from floors above,
rupture of hidden or exposed pipes, usage of fire extinguisher systems, overflow of water evacuation conduits, untimely start of
humidifier systems etc.
03C01-02 Have each of the possible water entry points been determined as low risk or have measures been taken to ensure that the risk of 4 E3
flooding is very low?
For example: pre-emptive fire extinguisher systems, one way valves on exhaust pipes, independent measurement of humidity,
etc.
03C01-03 Are each of the various systems to avoid water damage protected from shutdown and under constant monitoring? 2 3 R2
03C01-04 Is there a regular audit of the proper implementation of the measures to prevent water damage and methods to ensure that they 2 3 C2
remain pertinent (verification of risk analysis)?
03C02 Detection of water damage
03C02-01 Are there humidity detectors near to sensitive equipment (in particular in raised flooring) linked to a 24 hr monitoring center? 4 E2 9.1.4
03C02-02 Are there water detectors nearby sensitive equipment (in particular in raised flooring) linked to a 24 hr monitoring center? 4 E2 9.1.4
03C02-03 Is there a water leakage detection system on the floor above the location of sensitive equipment linked to a 24 hr monitoring 4 E3 9.1.4
center?
03C02-04 Does the security desk have the possibility of sending in a rapid intervention team which has sufficient means to act? 2 2 E2
For example: knowledge of the location of water cut off points and protected shunts, computers with up-to-date piping plans and
cut off points, plastic covers in order to protect equipment etc.
03C02-05 Has the security team sufficient resources to cover the eventuality of multiple alarms set off intentionally? 4 3 E3
03C02-06 Is there an advisory document clearly stating exactly what action to take in the case of each alarm envisaged? 2 3 E2
03C02-07 In any shutdown of detection systems systematically signaled to a 24 hr monitoring center? 2 R1
03C02-08 Is the detection equipment regularly tested and are procedures and intervention capabilities regularly audited? 2 3 C1
03C02-09 Are procedures and intervention capabilities regularly audited? 2 C1
03C03 Water evacuation
03C03-01 Are there permanent means for evacuating water (pumps, natural drain-ways etc.) and a team able to use them effectively? 2 E2

03C03-02 Is the shutdown of any water evacuation system signaled immediately to a 24 hr monitoring center? 2 2 3 E2
03C03-03 Are water evacuation systems regularly tested? 2 3 E2
03C03-04 Are procedures and intervention capabilities regularly audited? 2 3 C2
03D Fire security
03D01 Fire risk prevention
03D01-01 Has an in-depth and systematic analysis been carried out of all fire risks? 4 2 E2 9.1.4
For example: short circuits in cables, the effect of lightning, staff smoking areas, normal electrical equipment, heating equipment,
fire spread from outside, spread via technical conduits or via the air conditioning system etc.
03D01-02 Has it been possible to evaluate each risk as highly improbable or taken action to render the risk of fire starting or spreading 4 E3
highly improbable?
For example: protection of cables in specially adapted conduits, separation of transmission cables from energy supply cables,
protection of sensitive equipment from lightning strikes, smoking ban, fire resistant bins, non-inflammable materials, protection of
electrical circuits by differential circuit breakers, fire detection equipment in nearby locations and in risers etc.
03D01-03 Are the different fire protection systems protected from shutdown and under continual monitoring? 2 3 R2
03D01-04 Is there a regular audit of the electric cabling due to changes of the power supply configurations? 4 C2
For example : control of possible hot points using an infrared camera
03D01-05 Is there a regular audit of the proper implementation of fire prevention measures and methods to ensure that they remain 2 3 C2
pertinent?
verification of risk analysis
03D02 Fire detection
03D02-01 Is there an automatic fire detection system for sensitive locations (raised floors and false ceilings if they exist)? 2 E1 9.1.4
03D02-02 Does the fire detection system have at least two types of detector (for example ionic and optical smoke detector)? 4 2 E2
03D02-03 Are the automatic detectors linked to a 24 hr monitoring center, equipped with a system which clearly identifies the location of the 2 E2
alarms which have been set off?
03D02-04 Is any shutdown of fire detection systems systematically signaled to a 24 hr monitoring center? 4 2 R1
03D02-05 Is the detection equipment regularly tested? and are procedures and intervention capabilities regularly audited? 2 3 C1
03D02-06 Are procedures and intervention capabilities regularly audited? 2 3 C1
03D03 Fire extinguishing
03D03-01 Is the monitoring center able to rapidly send in a team which has sufficient means to act (precise diagnosis of the situation, 2 1 E1
manual extinguishers, triggering of automatic extinguishers, emergency call)?
03D03-02 Has the security team sufficient resources to cover the eventuality of multiple alarms? 2 3 E2
03D03-03 Is there an advisory document clearly stating exactly what action to take in the case of each alarm envisaged? 2 3 E2
03D03-04 Is there specific and regular training of intervention personnel? 4 E2
03D03-05 Are all mobile fire extinguishers regularly controlled by a competent authority (filling, usage manuals, risk reduction, location 1 E2
etc.)?
03D03-06 Are sensitive locations protected by an automatic extinguishing system (air, raised floors, false ceilings)? 4 2 E2 9.1.4
03D03-07 Are automatic extinguishing systems regularly maintained and tested by approved specialists? 2 E2
03D03-08 Is the shutdown of an automatic fire extinguisher system immediately signaled to a 24 hr monitoring center? 4 2 R1
03D03-09 Is there an installation of armed fire taps near to computer rooms and is this installation periodically and regularly verified and 4 E1
maintained?

03D03-10 Is the intervention time of the fire brigade under 15 minutes? 2 E2
03D03-11 Are regular tests of fire extinguishing equipment and procedures carried out and intervention capabilities regularly audited? 2 3 C1

Comments

Comments

Comments

Comments

Comments

Comments

Comments

0
0
0
0
0

0
0
0
0
0
0
0
0
0
0
0
0
0
0

0
0
0
0
0
0
0

0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0

0
0
0
0
0
0
0
0
0
0
0
0

0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0

0

Audit Questionnaire: Extended Network (intersite) 1 variant
The extended network is seen here as the network linking separate sites. It is the network architecture between independent units, each
managing their own network (LAN). Connections of mobile machines are assumed to be managed through the local network.
04A Security of the extended network architecture and service continuity
04A01 Functional security of the extended network architecture
04A01-01 Have the requirements of service continuity of the extended network been analyzed and, if necessary, has a redundant 4 2 E2
architecture been determined for network connection points, equipment and network meshing?
04A01-02 Has a systematic search for single points of failure been carried out and has it been ensured that subsidiary equipment (power 4 2 E3
supply and air conditioning etc.) does not introduce or eliminate the redundancy expected in the equipment or network
architecture?
04A01-03 Has a verification of the average and peak load been carried out for each segment of the extended network and has the 4 2 E2
compatibility of the network and associated equipment at this load level been verified and is this verification regularly repeated?
04A01-04 Has this analysis been complemented by a study of network capacity to ensure reliability of communications in all cases of failure 4 2 E3
of a single link or piece of equipment?
04A01-05 Is there a dynamic measurement of network load and are load balancing tools available? 4 E2
04A01-06 Do network monitoring and configuration tools allow real time corrective action compatible with the needs of the users? 4 2 E2
04A01-07 Are overload detection and load balancing tools accessible only by administrators and are they protected by strengthened access 2 2 R2
control?
04A01-08 Is any failure or shutdown of network overload detection and equilibrating equipment signaled immediately to the monitoring 2 3 R1
center and to network administrators?
04A01-09 Are regular performance tests of load detection equipment and reconfiguration mechanisms carried out? 2 3 C1
04A01-10 Are regular audits carried out of equipment parameters and procedures associated with the load detection and reconfiguration 1 3 C1
systems?
04A01-11 Are regular audits carried out of the procedures associated to the load detection and reconfiguration systems? 1 3 C1
04A02 Management of extended network equipment maintenance
04A02-01 Is all equipment covered by a maintenance contract? 2 E1 9.2.4
04A02-02 Has all critical production equipment been identified, has their performance capability been controlled and have the acceptable 4 E2
and maximum downtime limits been documented?
04A02-03 Have specifically adapted clauses related to these requirements been set down within maintenance contracts? 4 2 E2
04A02-04 Are the penalties of non-compliance with these clauses sufficiently persuasive for the contract holder? 4 2 E3
04A02-05 Have escalation procedures been detailed in the case of non-compliance or difficulties in maintenance and do they anticipate the 2 3 R1
intervention of specialists within a short delay commensurate with the criticality of the equipment?
04A02-06 Has the number and proximity of specialists been detailed and do they guarantee a sufficiently good level of maintenance within 4 R2
an acceptable delay?
04A02-07 Do the maintenance contracts anticipate a complete replacement of equipment in the case of significant damage which would not 4 E3
normally be taken into account by curative maintenance?
04A02-08 Are maintenance contracts and procedures regularly audited? 2 3 C1
04A03 Procedures and Business Contingency Planning following incidents on the extended network
04A03-01 Has a list been established of incidents which could affect the proper functioning of the extended network and analyzed the 2 E2
seriousness level, for each of them?
Mise jour : janvier 2010 351061430.xls ! 04 Wan page 93

04A03-02 Has it been established, for each critical incident, the solution to implement and the action to execute by operational personnel? 2 E2
04A03-03 Have sufficient means of intervention (reconfiguration) on the extended network been put in place which cover satisfactorily all of 2 2 E2
the scenarios identified and do they allow for the actions decided to be implemented within the specified delays?
04A03-04 For each possible critical incident on the extended network has an expected resolution time and escalation procedure been 4 E3
determined in the case of failure or delay of the specified corrective actions?
04A03-05 Are the diagnostic, management and reconfiguration tools of the extended network protected against all possible untimely or 4 3 R1
malicious action?
04A03-06 Do incident recovery plans and procedures cover the eventual loss of data (especially e-mail messages)? 4 E3
04A03-07 Are diagnostic and reconfiguration facilities regularly audited in order to assure a satisfactory minimum functioning of the 2 3 C1
extended network in the case of an incident?
04A04 Backup plan of extended network configurations
04A04-01 Has a backup plan been established encompassing all network configurations, defining all objects to save and the frequency of 4 E1 10.5.1
backups?
04A04-02 Has this plan been translated into automatic operational routines? 2 2 E2 10.5.1
04A04-03 Has the backup of programs, (source and executables), documentation and parameters been regularly tested in order to be able 4 2 E1 10.5.1
to reconstitute the production environment at any time?
04A04-04 Are operational automatic routines protected by a high level of protection against illicit or unintentional modification? 4 3 R1 10.5.1
Such a mechanism may be a digital seal or any equivalent protection system.
04A04-05 Are all configuration backups and files which enable the restoration of the extended network production environment also saved 4 2 E3 10.5.1
at a location off premises (recourse backup) ?
04A04-06 Are recourse backup copies stored in a secure location and protected against accidental risk or theft? 4 E3 10.5.1
Such a location must be protected by strict access control as well as protected against fire or water damage risk.
04A04-07 Are regular tests carried out to read backups and recourse backups? 2 3 C1 10.5.1
04A04-08 Are all procedures and plans for backup of configuration files regularly audited? 2 3 C1
04A05 Business Contingency Planning (BCP) of the Extended Network
04A05-01 Is there an operational recovery solution to make up for the unavailability of any critical equipment or link on the extended 4 2 E1 14.1.3
network?
04A05-02 Is this recovery solution satisfactorily operational? 4 2 E2 14.1.3
04A05-03 Are these alternative solutions described in detail in one (or several) Disaster Recovery Plan formal and complete? 4 E1 14.1.3
A complete recovery plan must include the conditions for triggering, the actions to execute, the priorities, the actors to mobilize
and their contact details as well as the conditions for considering the return to the normal state.
04A05-04 Are these plans tested in operational conditions at least once a year? 4 2 C1 14.1.5
04A05-05 Is there a formal guarantee that the capacity and compatibility of these recovery solutions will support a sufficient operational load 4 2 E2 14.1.5
which has been approved by all connected entities?
04A05-06 If the recovery solutions include delivery of hardware components which cannot be triggered during tests, is there a contractual 4 2 E2
engagement within the recovery plan for the delivery of the replacement hardware within fixed and anticipated time limits
guaranteed by the manufacturer or other third party (leaser, broker, other)?
04A05-07 If the recovery facility (hot site, equipment etc.) is subscribed through a service provider, is the number of other subscribers 2 2 E3
known and limited?
04A05-08 Has the possible unavailability or failure of the recovery facility been considered and has a second level backup been organized? 2 3 R1
04A05-09 Is the backup solution usable for an unlimited duration and, if not, has a follow on backup solution been established? 2 E3

04A05-10 Are the existence, the pertinence and the updates of the Disaster Recovery Plans regularly audited? 2 3 C1
04A06 Management of critical suppliers as regards a permanent maintenance service
04A06-01 Have the consequences of the disappearance of a supplier of equipment, network service or software been analyzed (in the case 2 E2
of failure, a bug or change requirement) and has a list of critical points been established?
04A06-02 For each critical point is there a corrective solution to cope with the failure or disappearance of a supplier (consignment of 2 E2
maintenance documentation with a trusted third party, replacement of equipment or of software by available market solutions
etc.)?
04A06-03 Is it certain that this corrective solution could be made operational to enable company activity to restart within a time delay 2 2 E3
sufficiently short to be acceptable to the users ?
04A06-04 Have variants to the primary solution been considered in case the latter might encounter unforeseen difficulties? 2 3 E3
04A06-05 Is there a regular review of critical points and corrective solutions envisaged? 2 3 C1
04B Control of connections on the extended network
04B01 Security profiles for entities connected to the extended network
04B01-01 Has a set of rules been defined such that an entity can be connected to the extended network (which is considered to be a 4 E1
domain of confidence)?
04B01-02 Do these rules cover the necessary organization for each entity connected to the network? 2 2 E3
04B01-03 Within each entity connected, are managers designed and known responsible of security in various domains (such as physical 4 2 E3
security, operating systems security, etc.)?
04B01-04 Do the rules establishing the connection criteria to the extended network define the physical security measures required to 4 2 E2
protect the network equipment and cabling?
04B01-05 Do these rules establishing the connection criteria to the extended network define the logical security measures required to 2 E2 11.4.6
protect the network equipment and cabling?
04B01-06 Do these rules detail the filtering rules required for the control of incoming as well as outgoing accesses? 4 2 E2 11.4.6
04B01-07 Do these rules detail controls to effect on the network equipment configurations? 4 3 E2
04B01-08 Do these rules detail controls to effect on the configurations of users stations? 4 3 E2
04B01-09 Do these rules define the required management methods to cover anomalies and incidents? 2 2 E3
04B01-10 Do these rules impose to send a report to a central authority for any anomaly and incident challenging the security of the 4 2 E3
extended network?
04B01-11 Is there a management procedure covering the authorization requests for the binding of any entity to the extended network and a 4 2 E2
structure empowered to analyze these requests and provide the corresponding authorization?
04B01-12 Is there a structure empowered to audit the application of the rules and to remove specific rights which are no longer needed or 4 2 E3
when the conditions are no longer met?
04B01-13 Is there a regular audit of the required conditions and application of the rules in each entity authorized to be part of the extended 4 3 C1
network?
04B01-14 Are reviews of the authorized connections (standard and non-standard) and of their relevance regularly conducted? 4 3 C1 11.4.7
04B02 Authentication of the entity for an incoming access from the extended network
04B02-01 Is there, for any access arriving from the extended network to the local area network, a mechanism controlling the authentication 4 1 E1
and access control rights of the accessing entity prior to any action?
04B02-02 Does the authentication mechanism provide a recognized "strong" level of security? 4 2 E2
Notably the usage of a simple password will always be a weakness. The only methods recognized as "strong", that is to say
observable without divulging information, are those based on cryptographic algorithms.

04B02-03 Does the security equipment that retains and uses reference data (secret elements) to support access authentication use 4 3 E2
mechanisms which guarantee inviolability and authenticity?
In the case of authentication using cryptographic procedures, the mechanisms used for the creation, modification and storage of
reference elements (public keys in particular) must guarantee a level of security comparable to the authentication protocol itself.
04B02-04 Does the transmission between systems and security equipments of reference data (secret elements, secret or public keys, etc.) 4 3 E3
use mechanisms which guarantee inviolability and authenticity?
In the case of authentication using cryptographic procedures, the mechanisms used for the transmission of reference elements
(public keys in particular) must guarantee a level of security comparable to the authentication protocol itself.
04B02-05 Does the management procedure of revoked keys systematically test that the keys have not been revoked? 4 2 E2
04B02-06 Does the management procedure of revoked keys guarantee that the control systems take in consideration in real time any 4 2 E3
revocation?
04B02-07 Are the processes that guarantee authentication under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there
is an audit at least once a year of the authentication procedures and processes.
04B03 Authentication of the entity accessed for an outgoing access across the extended network
04B03-01 Is there a mechanism for the authentication of the called entity before any outgoing access from the internal network across the 4 1 E1
extended network?
04B03-02 Is the authentication mechanism recognized as "strong"? 4 2 E2
The only methods recognized as "strong", that is to say observable without divulging information, are those based on
cryptographic algorithms.
04B03-03 Does the security equipment that retains and uses reference data (secret elements) to support authentication use mechanisms 4 3 E2
which guarantee inviolability and authenticity?
In the case of authentication using cryptographic procedures, the mechanisms of modification, storage and transmission of
reference elements (public keys in particular) must use a level of security comparable to the authentication protocol itself.
04B03-04 Does the transmission between equipments of reference data (secret elements) to support authentication use mechanisms which 4 3 E3
guarantee inviolability and authenticity?
In the case of authentication using cryptographic procedures, the mechanisms of transmission of reference elements (secret
elements, public keys, etc.) must guarantee a level of security comparable to the authentication protocol itself.
04B03-05 Does the revoked keys management procedure guarantee that the control systems systematically test that the keys used have 4 2 E2
not been revoked?
04B03-06 Does the revoked keys management procedure guarantee that the control systems take into consideration in real time any 4 2 E3
revocation of keys?
04B03-07 Are the processes that guarantee authentication under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that an
audit is performed at least once a year of authentication procedures and processes.
04C Security during data exchanges and communication

04C01 Encryption of exchanges on the extended network
Encryption can be effected at layer 2 (encrypting modem ), 3 (IPSEC VPN) or at level 4-5 (SSL) or directly effected by the
application (level 6-7, for example encryption before or during transmission), case really treated by domain 09
It could be systematically on the "pipeline" (physical or logical) or limited only to certain data flows (as a function of address or
type, etc.) it can also be performed on intermediate systems (VPN boxes) or end systems (stations, server) or both.
04C01-01 Have the permanent links and data exchanges which must be protected by encryption solutions been defined and such solutions 4 E2 12.3.1
been implemented on the extended network?
04C01-02 Does the encryption solution offer valid and solid guarantees and has it been approved by the Information Security Officer? 4 2 E2
The sufficient length of the key is one of among many parameters to take into consideration (as a function of the algorithm) . The
recommendation of an official organization can be a confidence factor.
04C01-03 Do the procedure and mechanisms of storage, distribution and exchange of keys and more generally the management of the 4 3 E3 12.3.2
keys offer solid guarantees which merit confidence and are they approved by the Information Security Officer?
04C01-04 Are the encryption mechanisms embodied in electronic components which are strictly protected at a physical level against 4 3 3 R2
intrusion or change?
Encryption mechanisms should be contained within protected enclosures to which it should be impossible to gain a
04C01-05 Is shutdown or by-pass of the encryption solution immediately detected and signaled to a team available 24 hrs a day capable of 4 2 R1
triggering an immediate reaction?
04C01-06 In the case of inhibition or bypass of the encryption solution or the activation of an unprotected fail-over link of the network, is 4 2 R1
there a procedure to immediately alert all users?
For example by a warning requiring the user to acknowledge its receipt.
04C01-07 Is there a regular audit, at least once a year, of all data exchange, encryption systems and associated procedures? 4 3 C1
04C02 Integrity control of exchanges on the extended network
04C02-01 Have all data exchanges and permanent links which must be protected by sealing solutions been defined and implemented on 4 E2
the extended network?
04C02-02 Does the sealing solution offer valid and solid guarantees and has it been approved by the Information Security Officer? 4 2 E2
The sufficient length of the key is one of among many parameters to take into consideration (as a function of the algorithm) . The
04C02-03 Do the procedure and mechanisms for storage, distribution and exchange of keys and more generally the management of keys 4 3 E3
offer a sufficient level of confidence and have they been approved by the Information Security Officer?
04C02-04 Are the sealing mechanisms embodied in electronic components which are in turn strictly protected at a physical level against 4 3 3 R2
Sealing mechanisms should be contained within protected enclosures to which it should be impossible to gain access. The
algorithm is contained within the microprocessor or a microprocessor card which is protected physically and logically.
04C02-05 Is shutdown or by-pass of the sealing solution immediately detected and signaled to a team available 24 hrs a day capable of 4 2 R1

04C02-06 In the case of inhibition or bypass of the sealing solution or the activation of an unprotected fail-over link, is there a procedure to 4 2 R1
immediately alert all users?
For example by a warning requiring the user to actively validate its receipt.
04C02-07 Is there a regular audit, at least once a year, of all systems of sealing of the data exchanged and associated procedures? 4 3 C1
04D Control, Detection and Handling of incidents on the extended network

04D01 Real-time monitoring of the extended network
04D01-01 Have events or successions of events which might reveal abnormal behavior or illicit action on the extended network been 4 E2 10.10.2
analyzed and, as a consequence, have specific monitoring points and indicators been established?
04D01-02 Is the system equipped with an automatic real time monitoring system in the case of an accumulation of abnormal events (for 4 E3 10.10.2
example unsuccessful connection attempts on non-open ports)?
04D01-03 Is use made of a system capable of detecting intrusion and anomalies on the extended network? 4 E2 10.10.2
04D01-04 Are there one or more applications capable of analyzing the individual anomaly diagnostic data on the extended network and of 4 E3
triggering an alert to operational personnel?
04D01-05 Is there within operational personnel a permanent dedicated team or group capable of reacting in the case of a monitoring alert 4 2 E3
on the extended network?
04D01-06 For each case of alert has the expected response from the intervention team been defined and is the availability of the 4 3 E3
intervention team sufficient to face this expectation?
04D01-07 Are the parameters defining alarms strictly protected (restricted access rights and strict authentication ) against illicit 4 R1
modification?
04D01-08 Does the inhibition of an alert system on the extended network, trigger an alarm with the surveillance team? 4 3 R1 10.10.2
04D01-09 Are the elements which enable the detection of an anomaly or incident archived (on disk, cassette or optical disk etc.)? 2 E2 10.10.3
04D01-10 Are the procedures for monitoring the extended network, for the detection of the anomalies and the reactivity of the surveillance 2 3 C1
team subject to regular audit?
04D02 Offline analysis of traces, log files and event journals on the extended network
04D02-01 Has detailed analysis been carried out of the events or succession of events on the extended network which may have had an 2 E1 10.10.1
impact on security (refused connections, re-routings, reconfigurations, changes in performance, access to sensitive data or tools
etc.)?
04D02-02 Are these events recorded as well as the parameters used for their subsequent analysis? 4 E1 10.10.1
04D02-03 Is there an application capable of analyzing these records as well as performance measures, of establishing statistics, a 4 2 3 E2
dashboard and anomaly diagnostics for examination by a competent team of specialists?
04D02-04 Is the structure empowered to analyze these summaries (or incidents logs and security related events) required to do so within a 4 E2
fixed and determined period and does it have sufficient availability?
04D02-05 Has the expected response from the surveillance team been defined for each case of alert and are its availability and staffing 4 E3
level sufficient to meet these expectations?
04D02-06 Are the parameters defining the elements to record and the analyses to effect strictly protected against unauthorized change 4 R1 10.10.3
(limited rights and strong authentication)?
04D02-07 Is any inhibition of the recording and processing system immediately signaled to the surveillance team? 4 R1
04D02-08 Are the records and summary analyses protected against any destruction or modification? 2 E2 10.10.3
04D02-09 Are the records and summary analyses kept for a long period? 2 E2 10.10.3
04D02-10 Are the procedures for recording, processing and analyzing of the records and summaries as well as the availability of the 2 C1
analysis and corrective team subject to regular audit?
04D03 Management of incidents on the extended network

04D03-01 Is there a hot-line charged with taking and recording calls related to the extended network and to escalate all incidents? 2 E1 10.10.5
04D03-02 Is this hot-line team available 24 hours a day? 2 E2 10.10.5

04D03-03 Is there a system to support incident management? 2 2 E2 10.10.5
04D03-04 Does this system centralize incidents detected both by operational personnel and by users? 2 E2 10.10.5
04D03-05 Does the system cater for a systematic follow-up of necessary actions? 4 E3 10.10.5
04D03-06 Does this system incorporate a categorization of incidents including statistics and dashboards generation destined for use by the 4 E3
Information Security Officer?
04D03-07 Is the incident management system strictly controlled with regard to unauthorized or illicit modification? 4 3 R1
A strict control requires a reinforced protection in order to modify records and an audit trail or protection by electronic seal of all
modifications of records.
04D03-08 Is each major incident on the network subject to a specific follow-up (nature and description, priority, technical solution, progress 4 E2 13.2.1
analysis, expected resolution lead time etc.)?

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Audit questionnaire: Local Area Network (LAN) 1 variant
The LAN is seen, here, as the network linking the various servers and user workstations of the site. The remote connexions from nomadic stations are
also included in this questionnaire.
Number Questions R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
05A Security of the architecture of the local area network
05A01 Partitioning of the local area network into security domains
05A01-01 Has a partitioning of the local area network been effected in order to separate what is strictly the internal network from the areas which 4 E1
communicate externally (DMZ)?
A DMZ, or demilitarized zone, is an exchange zone to the outside, isolated from the internal network (e.g. using a firewall).
05A01-02 Has the local area network been partitioned into security domains, each requiring a consistent set of security rules, and into zones of 4 2 E1 11.4.5
confidence within which controls may be specifically adapted?
05A01-03 In particular, has any wireless network (WLAN) been considered as a distinct domain, strictly isolated from the rest of the network (by 4 2 E1 11.4.5
firewall or filtering router, etc.)?
05A01-04 Have these partitions been documented and is the documentation kept up to date? 2 E2 11.4.5
05A01-05 Is there a complete description of the links and communication equipment in place? 2 E2 11.4.5
05A01-06 Is each domain isolated from the others domains, by using specific security means (filtering router, firewall, etc)? 4 2 E2 11.4.5; 11.4.6
05A01-07 Is the security proper to this filtering equipment subject to active maintenance and follow-up by an appropriate expert? 4 3 E3
05A01-08 For each of the domains, has a strictly limited list of authorized inter-domain links, communications and protocols been defined and, by 4 2 E2 11.4.6
default, are all other protocols shut off ("nothing except" policy)?
05A01-09 Is there a procedure for the management of inter-domain connection requests and a group in charge of the analysis of these requests, of 4 2 E3
their authorization and the definition of filtering rules which will be put in place (firewall, service requests, protocols etc.)?
05A01-10 Is there a group in charge of controlling the application of the defined rules and the removal of specific rights when the requirement is no 4 2 E3
longer needed or the conditions are no longer met?
05A01-11 Are any addition to the authorized connection list for a domain and any modification of its parameters logged and audited? 4 3 C1
05A01-12 Is there a regular review of all authorized connections (standard and non-standard) and of their pertinence? 4 3 C1 11.4.7
05A02 Security of the functioning of the local area network architecture
05A02-01 Has each security domain been analyzed to determine the requirements of continuity of service and, if necessary, has redundancy been 4 2 E2
incorporated into interconnection points, networking equipment and meshed links?
05A02-02 Has a systematic analysis of potential single points of failure been carried out in order to ensure that service equipments (such as 4 2 E3
energy supply, air conditioning, etc.) do not affect the redundancy planned for network equipment or architecture?
05A02-03 Has a control of the average and peak load been carried out for each element of the network and of the compatibility of the network and 4 2 E2
associated equipment at this load level and is this control regularly repeated?
05A02-04 Has this analysis been complemented by a study of network capacity to ensure reliability of communications even in the case of failure 4 2 E3
of a single link or piece of equipment?
05A02-05 Is there a dynamic measurement of network load and of the load balancing tools? 4 E2
05A02-06 Do network monitoring and reconfiguration tools allow real time corrective action compatible with the requirements of the users? 4 2 E2
05A02-07 Does the architecture of network equipment allow easy adaptation to changes of load levels (clusters, load balancing etc.)? 2 E2
Mise jour : janvier 2010 351061430.xls ! 05 Lan page 114

05A02-08 Are overload detection and load balancing appliances and devices accessible only by administrators and is their access protected by 2 2 R1
strengthened access control?
05A02-09 Is any inhibition or shutdown of network overload detection and load balancing equipment signaled immediately to the monitoring center 2 3 R1
or to network administrators?
05A02-10 Are regular performance tests of detection and reconfiguration mechanisms carried out? 2 3 C1
05A02-11 Are regular audits of the parameterization of detection and reconfiguration systems carried out? 1 3 C1
05A02-12 Are regular audits carried out of procedures associated with the detection and reconfiguration systems? 1 3 C1
05A03 Organization of the maintenance of local area network equipment
05A03-01 Are all local area network equipments covered by a maintenance contract? 2 E1 9.2.4
05A03-02 Have all equipment, critical to the provision of expected operation and performance of the network, been identified and, for each of 4 E2
them, have the required acceptable and maximum downtime delays been published?
05A03-03 Have specifically adapted clauses related to these requirements been specified within maintenance contracts? 4 2 E2
05A03-04 Are the penalties of non-compliance with these causes sufficiently persuasive for the contract holder? 4 2 E3
05A03-05 Have escalation procedures been detailed in the case of non-compliance or difficulties in maintenance and do they anticipate the 2 3 R1
intervention of specialists within a short delay commensurate with the criticality of the equipment?
05A03-06 Have the number and proximity of specialists been detailed and do they guarantee a sufficiently good level of maintenance within an 4 R1
acceptable delay?
05A03-07 Do the maintenance contracts anticipate a complete replacement of equipment in the case of significant damage which would not 4 E3
normally be taken into account by curative maintenance?
05A03-08 Are maintenance contracts and procedures regularly audited? 2 3 C1
05A04 Procedures and Recovery Plans following incidents on the local area network
05A04-01 Has a list been established of incidents which could affect the proper functioning of the local area network and, for each of them, the 2 E1
seriousness level?
05A04-02 Has it been established, for each serious incident, the solutions to implement and the actions to execute by operational personnel? 2 E1
05A04-03 Are the means of intervention over the LAN (for diagnostic as well as for reconfiguration) able to cover satisfactorily all of the scenarios 2 2 E2
identified and do they ensure that the actions can be implemented within the specified time delays?
05A04-04 For each serious incident on the local area network, have an expected resolution time and escalation procedure been determined in the 4 E3
case of failure or delay of the anticipated corrective actions?
05A04-05 Are the diagnostic, management and reconfiguration tools of the local area network protected against all possible untimely or malicious 4 3 R1
action?
05A04-06 Do incident recovery plans and procedures cover the eventual loss of data (especially loss of requests and messages)? 4 E3
05A04-07 Are diagnostic and reconfiguration means regularly audited in order to assure a satisfactory minimum functioning of the local area 2 3 C1
network in the case of an incident?
05A05 Save and Restore plans of local area network configurations
05A05-01 Has a backup plan been established, encompassing all local area network configurations, defining all objects to save and the frequency 4 E1 10.5.1
of backups?
05A05-02 Has this plan been translated into automatic operational routines? 2 2 E2 10.5.1
05A05-03 Has the backup of programs (source and executables, documentation and parameters) been regularly tested in order to be able to 4 2 E1 10.5.1
reconstitute the production environment at any time?

05A05-04 Are automatic operational backup routines protected by a high level of security against illicit or unintentional modification? 4 3 R1 10.5.1
Such a mechanism may be a digital seal or any equivalent modification detection system.
05A05-05 Are all configuration and file backups, necessary for the restoration of the local area network production environment, also saved at a 4 2 E3 10.5.1
location off premises (recourse backup)?
05A05-06 Are recourse backup copies stored in a secure location and protected against accidental or human risks? 4 E3 10.5.1
Such a location must be protected by strict access control as well as protected against fire or water damage risk.
05A05-07 Are regular tests carried out to read backups and recourse backups? 2 3 R2 10.5.1
05A05-08 Are all procedures and plans for backup of configuration files regularly audited? 2 3 C1
05A06 Disaster Recovery Plan (DRP) of the local area network
05A06-01 Is there a recovery solution to make up for the unavailability of any equipment or critical link in the local area network? 4 2 E1 14.1.3
05A06-02 Is this recovery solution fully operational? 4 2 E2 14.1.3
05A06-03 Are these solutions described in detail in one (or several) Disaster Recovery Plan? 4 E1 14.1.3
A complete Disaster Recovery plan must describe the rules for triggering, the actions to execute, the priorities, the actors to mobilize and
their contact details, as well as the conditions for return to normal operating conditions.
05A06-04 Are these plans tested operationally at least once a year? 4 2 C1 14.1.5
05A06-05 Is there a formal guarantee of compatibility and capacity that these recovery solutions will support a sufficient operational load which has 4 2 E2 14.1.5
been approved by all concerned parties?
05A06-06 If the recovery solutions include delivery of hardware components, which cannot be triggered during tests, is there a contractual 4 2 E2
engagement within the recovery plan for the delivery of hardware within fixed and anticipated time limits, guaranteed by the
manufacturer or other third party (leaser, broker, other)?
05A06-07 If the recovery equipment and/or solution are pooled, is the number of other subscribers known and limited? 2 2 E3
05A06-08 Has the unavailability or failure of the recovery facility been considered and has a second level backup been organized? 2 3 R1
05A06-09 Is the backup solution usable for an unlimited duration and if not, has a follow on solution been established? 2 E3
05A06-10 Are the existence, the pertinence and the updates of the Disaster Recovery Plans regularly audited? 2 3 C1
05A07-01 Have the consequences of the disappearance of a supplier of equipment, network service or software been analyzed (in the case of 2 E2
failure, of a bug or change requirement) and has a list of critical points been established?
05A07-02 For each critical point, is there a corrective solution to cope with the failure or disappearance of a supplier (maintenance documentation 2 E2
lodged with a trusted third party, replacement of equipment or of software by widely available market solutions etc.)?
05A07-03 Is it certain that this corrective solution could be made operational within a sufficiently short time to enable the business activity to restart 2 2 E3
and which is acceptable to the users ?
05A07-04 Have alternate options to the basic solution been considered for the case where the latter might encounter unforeseen difficulties? 2 3 E3
05A07-05 Is there a regular review of critical points and of the corrective solutions envisaged? 2 3 C1
05B Access control to the local area network
05B01 Management of access profiles on the local area network
05B01-01 Has a management policy for access rights to the local network been established according to an analysis of the security requirements 2 E1 11.1.1
as per the business stakes?

05B01-02 Is this policy documented, regularly revised and approved by the concerned managers in charge? 2 E2 11.2.2
05B01-03 Is access to the local area network and to the various parts of this network defined in terms of job profiles which regroup roles or 4 2 E1
functions within the organization (profiles define access rights which are available to the holders of the profile)?
Note: in certain circumstances, the notion of "profile" may be replaced by a notion of "group". In addition, access rights which may be
attributed to partners must also be considered.
Access profiles must comprise the access rights towards each partition of the network, for a station connected directly to the network as
well as for connections from outside the LAN (mobile users, teleworking, partners, etc.).
05B01-04 Have various variable parameters been introduced into the access rights definition rules (which determine the rights that are attributed to 4 2 E2
profiles) as a function of context, in particular, the location of the requesting station (direct LAN access, extended network (WAN),
external), the nature of the connection used (LAN, Leased line, Internet, type of protocol etc.) or the classification of the sub-network
requested?
05B01-05 Do the profiles also allow definition of working time limits (daily working hours) and calendars (weekends, holidays, etc.)? 2 E3
05B01-06 Have these profiles and the access rights attributed to the different profiles, as a function of context, been approved by the information 4 2 E2
owners and the Information Security Officer?
05B01-07 Is the process of definition and management of rights attributed to profiles under strict control? 4 3 R1
A strict control requires that the list of people allowed to change rights attributed to profiles be strictly limited, that the implementation of
these rights into tables be strictly secure at the time of transmission and storage and that there exists a reinforced access control in
order to be able to modify these rights and that any modification of these rights be logged and audited.
05B01-08 Is there a regular audit, at least once a year, of the access rights attributed to each profile and of the profile management procedures? 4 2 C1 11.2.4
05B02 Management of privileges and access authorizations (granting, delegation, revocation)

05B02-01 Does the procedure of granting access authorizations to the local area network require the formal authorization of line management or of 4 2 E1
the unit managing external contractors (at a sufficiently senior level)?
05B02-02 Are access authorizations granted to named individuals and only as a function of their profile? 2 E2
05B02-03 Is the procedure for granting (or modification or revocation) of access authorizations to the local area network (directly or via a profile) 4 2 E3 11.2.2
strictly controlled?
A strict control requires a formal recognition of the signature (electronic or otherwise) of the requestor, that the
implementation of the profile attributed to users in the form of tables is highly secure during transmission and storage
and that there be a reinforced access control over the modification of such records and that any modification of records
be logged and audited.
05B02-04 Is there a systematic process of updating the table of access authorizations at the time of departure of in house personnel? 2 E2 11.2.4
05B02-05 Is there a systematic process of updating the table of access authorizations at the time of change of function (at the end of contract for 2 E3 11.2.4
external personnel or internal change of function)?
05B02-06 Is there a list of all personnel who have access to the local area network? 1 C1
05B02-07 Is there a regular audit, at least once a year, of all access authorizations granted to the personnel to the local area network and all those 1 2 C1 11.2.4
granted to partners?
05B03 User or entity authentication for access requests to the local area network from an internal access point
This mechanism corresponds, for example, to the authentication implemented in a Windows domain controller.

05B03-01 Is there a mechanism of authentication of each user before any access to a local area network resource? 4 1 E1
05B03-02 Does the process of modification or definition of a user credential respect a set of rules which ensures its robustness? 4 2 E2 11.2.3
In the case of passwords: sufficient length (8 characters or more), obligatory mixture of types of characters, frequent change (less than
once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard systems", first
names, anagrams of username, dates etc.
In the case of certificates or authentication based on cryptographic mechanisms, a generation process evaluated or publicly recognized,
encryption keys of a sufficient length etc.
05B03-03 Does the process of providing user credentials guarantee its inviolability? 4 2 E3
The usage of a typed password will always be a weak point. the only process which does not divulge observable information consists
either of introducing an object containing a secret code (smart card), or using a code which changes at every moment (token card ) or
using a means which contains some biometric characteristic.
05B03-04 Do the security equipment that retain and use reference data (passwords, calling number, etc.) in support of authentication use 4 3 E2
mechanisms which guarantee inviolability and authenticity?
Passwords must be stored encrypted and a preliminary control of the user must be made before usage.
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a recognized
organization.
05B03-05 Does the transmission of reference data in support of authentication (password, calling number, etc.) between the user equipment and 4 3 E3
security systems, use mechanisms which guarantee inviolability and authenticity?
Transmission of a password must be encrypted or use an algorithm which introduces a variable at each transmission.
organization.
05B03-06 Is there an automatic process of invalidation of the calling station or the user account in the case of multiple incorrect attempts, so as to 4 2 E2
require the intervention of an administrator to reinstate the station or the user?
05B03-07 Does the procedure for the replacement of a lost or mislaid user credential (e.g. password, token card) lead to the instant deactivation of 4 2 E2
this credential?
05B03-08 Does the procedure for the replacement of a lost or mislaid user credential (e.g. password, token card) impose an effective control of the 4 2 E3
requestor's identity?
05B03-09 Are authentication parameters under strict control? 4 2 C1
A strict control requires that people allowed to change the definition rules of identifiers, the identifiers themselves, rules of surveillance of
connection attempts etc., be strictly limited and that there exists a reinforced access control to effect these modifications, that these
modifications be logged and audited and that there exists a regular general audit at least once a year of all authentication parameters.
05B03-10 Are the processes that ensure authentication under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there is an
audit, at least once a year, of authentication procedures and processes.
05B04 User or requestor authentication before access to the local area network from a remote site via the extended network
05B04-01 Do membership rules of the extended network impose that all users are authenticated prior to any outgoing access using the extended 4 1 E1
network?
05B04-02 Do membership rules to the extended network and the controls effected mean that the same level of confidence can be attributed to 4 2 E2
users of the extended network as those of the local area network?

05B04-03 Is the pertinence of the rules of membership to the extended network regularly audited? 4 3 C1
05B04-04 Is a regular audit carried out to ensure that the rules of membership to the extended network are applied by all the entities which are 4 3 C1
authorized to connect to it?
05B05 User or requestor authentication for outside access to the local area network
(e.g. from the switched telephone network (POTS), X25, ISDN, broadband, Internet, etc.)
05B05-01 Is there a mechanism of authentication of all users connecting to the local area network from the outside? 4 2 E1 11.4.2
05B05-02 Does the process of modification or definition of a user credential in support of access control respect a set of rules which ensures its 4 2 E2 11.4.2
intrinsic validity?
In the case of certificates or authentication based on cryptographic mechanisms, a generation process evaluated or publicly recognized,
encryption keys of a sufficient length etc.
05B05-03 Does the process of using a credential guarantee its impregnability? 4 2 E3 11.4.2
The usage of a password will always be a weak point. the only process which does not divulge observable information consists either of
introducing an object containing a secret (smart card), or using a code which changes at every moment (token card type SecureId) or
using a means which contains some biometric characteristic.
05B05-04 Do the security equipment that retain reference data (e.g. passwords, calling number, etc.) to support access authentication use 4 3 E2
mechanisms which guarantee impregnability and authenticity?
organization.
05B05-05 Does the transmission of reference data in support of authentication (e.g. passwords, calling address, etc.) between user equipment and 4 3 E3
security systems use mechanisms which guarantee impregnability and authenticity?
organization.
05B05-06 Is there an automatic process of invalidation of the calling station or the user account in the case of multiple incorrect attempts, so as to 4 2 E2
this credential?
05B05-09 Are authentication parameters under strict control? 4 2 C1
A strict control requires that people allowed to change the definition rules of identifiers, the identifiers themselves, rules of surveillance of
connection attempts etc., be strictly limited and that there exists a reinforced access control to effect these modifications, that these
05B05-10 Are the processes that ensure authentication under strict control? 4 3 C1
audit, at least once a year, of authentication procedures and processes.

05B06 User or requestor authentication for access requests to the local area network from a WiFi sub-network
05B06-01 Are all WiFi networks isolated from the local area network by a firewall? 4 2 E1
05B06-02 Is there a method of authentication of all users connecting to the local area network from a WiFi sub-network? 4 2 E1
05B06-03 Does the process of definition or modification of user credential for access control from a WiFi sub network respect a set of rules which 4 2 E2
ensures its intrinsic validity?
In the case of certificates or authentication based on cryptographic mechanisms, the generation process must be evaluated or publicly
recognized, encryption keys of a sufficient length etc.
In the case of simple access identifiers (e.g. calling phone number), a call back procedure is recommended.
05B06-04 Does the authentication system guarantee the impregnability of the user's credential? 4 2 E3
05B06-05 Do the security equipment that retain reference data (e.g. passwords, calling address, etc.) to support access authentication use 4 3 E2
mechanisms which guarantee impregnability and authenticity?
organization.
05B06-06 Does the transmission of reference data in support of authentication (e.g. passwords, calling address, etc.) between calling user 4 3 E3
equipment and authentication systems use mechanisms which guarantee impregnability and authenticity?
organization.
05B06-07 Is there an automatic process of invalidation of the user account and/or workstation in the case of multiple incorrect attempts so as to 4 2 E2
this credential?
05B06-10 Are authentication parameters for the access from a WiFi sub-network under strict control? 4 2 C1
A strict control requires that people able to change the definition rules of identifiers, the identifiers themselves, rules of monitoring
connection attempts etc., be strictly limited and that there exist a reinforced access control to effect these modifications, that these
05B06-11 Are the processes that guarantee authentication from a WiFi sub network under strict control? 4 3 C1
audit, audit, at least once a year, of authentication procedures and processes.
05B07 General filtering of access to the local area network
05B07-01 Do all access to the local area network require the use of an identifier recognized by the system? 2 E1
05B07-02 Is there a one to one correspondence between an identifier and a real physical person? 4 2 E2
05B07-03 Have all generic or by-default accounts and passwords been changed or deleted? 4 2 E2

05B07-04 Is the identifier provided for access to the local area network systematically subject to authentication? 4 2 E1
Systematic authentication requires that the control process be in place for all possible access paths (internal access, all types of access
from the outside including reserved ports such as an those used for remote maintenance).
05B07-05 Is there a systematic control of the context of the access requestor (local area network, extended network, external link, nature of the 4 2 E3
link and protocols used )?
05B07-06 Is there a systematic control of the profile and the context of the connection of the requestor and the appropriateness of that profile and 4 2 E3
context with the access requested?
05B07-07 Is there an automatic invalidation of the user identifier in the absence of traffic after a defined delay, which requires user re-identification 4 E2
and re-authentication?
05B07-08 For connections requiring it, is there an identification for the calling equipment (MAC address, IP address, etc.) as per the access control 3 E3 11.4.3
rules?
05B07-09 Are the processes of definition and management of access filtering rules under strict control? 4 2 R1
A strict control requires that the list of persons allowed to change the filtering security parameters be extremely limited, and that there be
a reinforced access control in order to be able to effect such modification and that any modification be logged and audited.
05B07-10 Are there regular penetration tests into the network carried out in addition to detailed technical audits? 2 3 C1 15.2.2
05B08 Routing control of outgoing access
05B08-01 Do all outgoing accesses require the use of an identifier recognized by the system? 2 E1 11.4.2
05B08-02 Does this identifier correspond to a unique and directly or indirectly identifiable physical person? 1 E2 11.4.2
05B08-03 Is the identifier used in outgoing access control systematically subject to authentication? 4 2 E2 11.4.2
Systematic authentication requires that there is a process in place for all access paths and all outgoing ports.
05B08-04 Has it been defined, in a security policy relatively to outgoing accesses, rules specifying the connections authorized (type of external 4 2 E2
network, authorized links and protocols) function of the internal sub-networks considered?
05B08-05 Is there, before authorizing any outgoing access, a control of the rules defined in the security policy? 4 2 E2
05B08-06 Is there an automatic invalidation of the user identifier in the absence of traffic after a defined delay which requires user re-identification 4 E2
and re-authentication?
05B08-07 Are the processes of definition and management of outgoing access filtering rules under strict control? 4 2 R1
A strict control requires that the list of persons allowed to change the filtering security parameters be extremely limited, and that there be
a reinforced access control in order to be able to effect such modification and that any modification be logged and audited.
05B08-08 Are there regular penetration tests of the network carried out and regular specialized technical audits effected? 2 3 C1
05B09 Authentication of the external entity accessed for outgoing access to sensitive sites
05B09-01 Is there a possibility to declare sites or remote access points as sensitive and, as such, requiring an authentication of the entity 4 1 E2
accessed?
05B09-02 Is there a mechanism of authentication of the entity called before access to sensitive sites from the internal network? 4 1 E2
05B09-03 Does the authentication mechanism of the accessed entity provide a recognized "strong" level of security? 4 2 E3
Notably the usage of a simple password will always be a weakness. The only methods recognized as "strong", that is observable without
divulging information, are those based on cryptographic algorithms.

05B09-04 Do the security equipment that retain credentials (e.g. passwords, calling number, etc.) use mechanisms which guarantee their 4 3 E2
impregnability and authenticity?
organization.
05B09-05 Does the transmission of credentials (e.g. passwords, calling address, etc.) between calling user equipment and authentication systems 4 3 E3
use mechanisms which guarantee their impregnability and authenticity?
organization.
05B09-06 Does the revoked keys management procedure guarantee that the control systems take into consideration in real time any revocation of 4 2 E2
keys?
05B09-07 Does the revoked keys management procedure guarantee that the control systems systematically test that the keys used have not been 4 2 E3
revoked?
05B09-08 Are the processes that guarantee the authentication of the accessed entities under strict control? 4 3 R1
audit at least once a year of the authentication procedures and processes.
05C Security of data exchange and communication on the local network

05C01 Encryption of exchanges on the local area network
Encryption can be effected at layer 3 (IPSEC VPN) or at level 4-5 (SSL) or directly effected by the application (level 6-7, for example
encryption before or during transmission), case really treated by domain 09.
It could be systematic on the "pipeline" (physical or logical) or limited only to certain data flows (as a function of address or type, etc.) it
can also be performed on intermediate systems (VPN boxes) or end systems (stations, server) or both.
05C01-01 Have the permanent links and data exchanges which must be protected by encryption solutions been defined and such solutions been 4 E1 12.3.1
implemented on the local area network?
The sufficient length of the keys is one of among many parameters to take into consideration (as a function of the algorithm) . The
05C01-03 Do the procedures and mechanisms for storage, distribution and exchange of keys and more generally the management of keys offer a 4 3 E2 12.3.2
sufficient level of confidence and have they been approved by the Information Security Officer?
05C01-04 Are the encryption mechanisms embodied in electronic components which are strictly protected at a physical level against intrusion or 4 3 3 R2
change?
Encryption mechanisms should be contained within protected enclosures to which it should be impossible to gain access, i.e. within a
microprocessor or smart cards and protected physically and logically.
05C01-05 Is shutdown or by-pass of the encryption solution immediately detected and signaled to a team available 24 hrs a day capable of 4 2 R1
05C01-06 In the case of inhibition or bypass of the encryption solution or the activation of an unprotected fail-over link of the network, is there a 4 2 R1
procedure to immediately alert all users?
For example by a warning requiring the user to acknowledge its receipt.
05C01-07 Is there a regular audit, at least once a year, of all data exchange, encryption systems and associated procedures? 4 3 C1
05C02 Integrity control of exchanges on the local area network

05C02-01 Have the permanent links and data exchanges which must be protected by sealing solutions been defined and implemented on the 4 E1
local area network?
The sufficient length of the keys is one of among many parameters to take into consideration (as a function of the algorithm). The
05C02-03 Do the procedure and mechanisms of storage, distribution and exchange of keys and more generally the management of the keys offer 4 3 E2
solid guarantees which merit confidence and have they been approved by the Information Security Officer?
05C02-04 Are the sealing mechanisms embodied in electronic components which are in turn strictly protected at a physical level against intrusion 4 3 3 R2
or change?
Sealing mechanisms should be contained within protected appliances to which it should be impossible to gain access, i.e. within a
microprocessor or smart card, and protected physically and logically.
05C02-05 Is shutdown or by-pass of the sealing solution immediately detected and signaled to a team available 24 hrs a day capable of triggering 4 2 R1
an immediate reaction?
05C02-06 In the case of inhibition or bypass of the sealing solution or the activation of an unprotected fail-over link, is there a procedure to 4 2 R1
immediately alert all users?
For example by a warning requiring the user to actively validate its receipt.
05C02-07 Is there a regular audit, at least once a year, of all systems of data integrity protection and of associated procedures? 4 3 C1
05C03 Encryption of exchanges in the case of remote access to the local area network
05C03-01 Have encryption solutions been defined and implemented for exchanges with users connecting from outside (mobile staff, authorized 4 E1 12.3.1
service providers etc.) ?
05C03-03 Do the procedure and mechanisms of storage, distribution and exchange of keys, and more generally the management of the keys, offer 4 3 E2 12.3.2
solid guarantees which merit confidence and are they approved by the Information Security Officer?
05C03-04 Are the encryption mechanisms embodied in physical electronic components which are strictly protected at a physical level against 4 3 3 R1
Encryption mechanisms should be contained within protected enclosures to which it should be impossible to gain access, i.e. within a
microprocessor or smart card and protected physically and logically.
05C03-05 Is access to the network from the outside impossible without using encryption 4 2 R1
05C04 Protection of the integrity of exchanges in the case of remote access to the local area network
05C04-01 Have solutions for sealing or integrity control of exchanges with users connecting from the outside (mobile staff, authorized service 4 E2
providers etc.) been defined and implemented?
05C04-03 Do the procedures and mechanisms of storage, distribution and exchange of keys and more generally the management of keys offer 4 3 E3
solid guarantees which merit confidence and have they been approved by the Information Security Officer?

05C04-04 Are the sealing mechanisms embodied in electronic components which are in turn strictly protected at a physical level against intrusion 4 3 3 R2
or change?
Sealing mechanisms should be contained within protected enclosures to which it should be impossible to gain access, i.e. within a
microprocessor or smart card and protected physically and logically.
05C04-05 Is access to the network from the outside impossible without using integrity control? 4 2 R1
05D Control, detection and resolution of incidents on the local network
05D01 Real-time monitoring of the local area network
05D01-01 Have events or successions of events been analyzed which might reveal abnormal behavior or illicit action on the local area network 4 E2 10.10.2
and as a consequence have specific monitoring indicators or control points been identified?
05D01-02 Is the system equipped with an automatic real time monitoring system in the case of an accumulation of abnormal events (for example 4 E3 10.10.2
unsuccessful connection attempts on non-open ports)?
05D01-03 Is use made of an intrusion detection system or capable of detecting anomalies on the local area network? 4 E2 10.10.2
05D01-04 Are there one or more applications capable of analyzing the individual anomaly diagnostic data on the local area network and of 4 E3
triggering an alert to operational personnel?
05D01-05 Is there within operational personnel a team available 24 hrs a day or group capable of reacting in the case of a monitoring alert on the 4 2 E3
network?
05D01-06 For each case of alert has the expected response from the intervention team been defined and is the availability of the intervention team 4 3 E3
sufficient to face this expectation?
05D01-07 Are the parameters defining alarms strictly protected (restricted access rights and strict authentication) against illicit modification? 4 R1
05D01-08 Does any stoppage of the alarm system, linked to the local area network, trigger an alarm towards the surveillance team? 4 3 R1 10.10.2
05D01-09 Are the elements enabling the detection of an anomaly or incident archived (on disk, cassette or optical disk etc.)? 2 E2 10.10.3
05D01-10 Are the monitoring procedures of the local area network, the detection of the anomalies and the availability of the surveillance team 2 3 C1
subject to regular audit?
05D02 Offline analysis of traces, log files and event journals on the local area network
05D02-01 Has detailed analysis been carried out of the events or succession of events on the local area network which may have an impact on 2 E1 10.10.1
security (refused connections, re-routings, reconfigurations, changes in performance, access to sensitive data or tools etc.)?
05D02-02 Are these events recorded as well as the parameters used for their subsequent analysis? 4 E1 10.10.1
05D02-03 Is there an application capable of analyzing these records as well as performance measures, of establishing statistics, a dashboard and 4 2 3 E2
anomaly diagnostics for examination by a competent team of specialists?
05D02-04 Is the structure, empowered to analyze these summaries (or incidents logs) and security related events, required to do so within a fixed 4 E2
and determined period and does it have sufficient availability?
05D02-05 Has the expected reaction from the surveillance team been defined for each case of alert and are its availability and staffing level 4 E3
sufficient to meet these expectations?
05D02-06 Are the parameters defining the elements to record and the analyses to effect strictly protected against unauthorized change (limited 4 R1 10.10.3
rights and strong authentication)?
05D02-07 Is any inhibition of this recording and processing system immediately signaled to the surveillance team? 4 R1
05D02-08 Are the records and summary analyses protected against any alteration or destruction?? 2 E2 10.10.3
05D02-09 Are the records and summary analyses kept for a long period? 2 E2 10.10.3

05D02-10 Are the procedures for recording, processing and analysis of the records and summaries as well as the availability of the analysis and 2 C1
corrective team subject to regular audit?
05D03 Management of incidents on the local area network
05D03-01 Is there a hot-line charged with taking, recording and escalating all calls related to the local area network incidents? 2 E1 10.10.5
05D03-02 Is this hot-line available 24 hours a day? 2 E2 10.10.5
05D03-03 Is there a system to support incident management? 2 2 E2 10.10.5
05D03-04 Does this system centralize incidents detected both by operational personnel and by users? 2 E2 10.10.5
05D03-05 Does this system cater for a systematic follow-up of necessary actions? 4 E3 10.10.5
05D03-06 Does this system incorporate a categorization of incidents including statistics and dashboards generation destined for use by the 4 E3
05D03-07 Is the incident management system strictly controlled with regard to unauthorized or illicit modification? 4 3 R1
A strict control requires a reinforced protection in order to modify records and an audit trail or protection by electronic seal of all
modifications of records.
05D03-08 Is each major incident on the network subject to a specific follow-up (nature and description, priority, technical solution, analysis in 4 E2 13.2.1
progress, expected resolution lead time etc.)?

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Audit Questionnaire: Network Operations 1 variant
06A Security of operations procedures
06A01 Security in the relationship with operational personnel (employees, suppliers or service providers)
06A01-01 Is there a security policy specifically aimed at operational network personnel covering all the aspects of information security 4 1 E1
(confidentiality of information, service and information availability, integrity of information and configurations, trace ability, etc. )?
06A01-02 Is operational network personnel required to sign contract clauses of adherence to that security policy (no matter their status: 4 E2
permanent or temporary staff, students, etc.)?
06A01-03 Do these clauses make clear that the obligation to respect security applies to all information no matter what the medium is (paper, 2 2 E3
magnetic, optical, etc.)?
06A01-04 Do these clauses make clear, if necessary and legally possible, that the obligation to respect the security policy applies without 4 2 E3
limitation in time?
This applies, in particular, to the clauses concerning confidentiality, they may (and often must) continue after the end of the
contract linking (directly or indirectly) the employee or service provider or partner to the company
06A01-05 Do these clauses make clear that the personnel has an obligation not to tolerate any action contrary to security from other 4 3 E3
people?
06A01-06 Does the signature of these clauses represent a formal commitment? 4 3 E2
In order to achieve a formal commitment, the personnel should explicitly state that his/her signature implies having understood
and accepted the security policy
06A01-07 Are these same clauses obligatory for contractors working on network operations? 4 2 E2
Practically, the contractors should ensure that their personnel sign individually and explicitly under the same conditions than
internal staff.
06A01-08 Is there a mandatory and well adapted training course aimed at network operations personnel? 2 E2
06A01-09 Are the confidentiality agreements, signed by personnel, securely kept (at least in a locked cupboard )? 2 3 R1
06A01-10 Are the confidentiality agreements, signed by external contractors, securely kept (at least in a locked cupboard )? 2 3 R1
06A01-11 Is there a regular audit, at least once a year, of the effective application of the signature procedure by operational personnel 2 3 C1
(directly employed by the company or indirectly through a service company) ?
06A02 Control of the implementation or upgrade of software or hardware
06A02-01 Is there a control procedure for change decisions, equipment and system evolutions (registration, planning, formal approbation, 2 2 E1 10.1.2
communication to all concerned individuals, etc.)?
06A02-02 Are the change decisions based on an analysis of the capacity of the new equipment and systems in ensuring the required load 2 E2 10.3.1
taking into account the evolution of foreseeable requests?
06A02-03 Do the installations take into account physical protection (protected access, no direct external view to equipments, absence of 2 E2 9.2.1
physical threats, climate conditions, protection against thunderbolts, protection against dust, etc.)?
06A02-04 Is there a definite review, involving Information Security Office personnel, of the potential risks related to functional changes 2 E2 12.4.1; 10.3.2
associated to each new or revised network software or equipment?
06A02-05 Does this review contain an analysis of the risks that may arise from these functional changes? 2 2 E2 12.4.1; 10.3.2
06A02-06 Has operational staff received specific formal training in risk analysis? 1 E3
06A02-07 Does operational staff obtain appropriate advice when needed? 4 E3
06A02-08 Are security measures, to be implemented to counter any new risks identified, subject to formal review and control before start of 4 E2 10.3.2
production?
Mise jour : janvier 2010 351061430.xls ! 06 Nop page 150

06A02-09 Are security parameters and configuration rules (removal of all generic accounts, changing of generic passwords, closure of all 4 E2 11.4.4; 10.3.2
ports not specifically requested and authorized, access control and authentication parameters, control of routing tables etc.)
detailed and kept up to date and are they reviewed before any start of production of a new version?
06A02-10 Are the security parameters and configuration rules controlled before any new version is installed and operated? 4 E2 11.4.4; 10.3.2
06A02-11 Is it considered the possible impact over the continuity plans due the system changes? 2 E2 10.3.2
06A02-12 Are any dispensations from the prior risk analysis and control of security parameters subject to strict procedures requiring the 4 R1
signature of a senior manager?
06A02-13 Is the start of production of new equipment or software only possible by operational staff? 4 2 E2 12.4.1; 6.1.4
06A02-14 Is the start of production of new equipment or software only possible following a defined validation and authorization process? 2 3 E3 12.4.1; 6.1.4
06A02-15 Are all the control procedures related to start of production subject to regular audit? 2 3 C1
06A03 Control of maintenance operations
06A03-01 Is it kept a trace of all maintenance operations? 1 E2 9.2.4
06A03-02 Are all maintenance operations required to terminate with a systematic verification of all security parameters (as defined at the 4 2 E2
start of production)?
06A03-03 Are all maintenance operations required to terminate with a systematic verification of security log files parameters (events to be 4 3 E3
recorded, context of events to be recorded, duration of retention, etc.)?
06A03-04 Are all maintenance operations required to terminate with a systematic verification of administration control parameters 4 3 E3
(necessary profile, authentication type, removal of standard logins, etc.)?
06A03-05 Is a formal dispensation, signed by a responsible manager, required if the above mentioned procedures are not observed? 4 E3
06A03-06 Is the totality of start of production (after maintenance) control procedures regularly audited? 2 3 C1
06A04 Control of Remote Maintenance
06A04-01 In the case of remote maintenance, is there a secure authentication procedure of the remote maintenance center? 2 E2 11.4.4
06A04-02 In the case of remote maintenance is there a secure authentication procedure for maintenance personnel? 4 2 E2 11.4.4
06A04-03 Is there a set of procedures covering the attribution of access rights for a new maintenance operative, the revocation of rights and 2 E3 11.4.4
the attribution of rights in emergency situations?
06A04-04 Have the procedures and protocols for the exchange and storage of secret data etc., been approved by the Information Security 4 E3
Officer or a specialized organization?
06A04-05 Does the usage of the remote maintenance line require the prior agreement (for each usage) of operational personnel (following 4 E2 11.4.4
the provider's request specifying the nature, date and time of the intervention )?
06A04-06 Is the equipment allocated for remote maintenance protected against inhibition or modification of access conditions, resulting in 2 2 R1
the triggering of an alarm?
06A04-07 Are all the control procedures for remote maintenance regularly audited? 2 3 C1
06A05 Management of Operating Procedures for Network Operation
06A05-01 Do the network operating procedure result from the study of the overall cases to be covered by said procedure (normal operating 4 E2 10.1.1
cases and incidents)?
06A05-02 Are the operating procedures documented and kept up to date? 4 E2 10.1.1
06A05-03 Are these operating procedures readily available upon request by any accredited individual? 4 E2 10.1.1
06A05-04 Does the Management approve changes to procedures ? 2 E2 10.1.1

06A05-05 Are these procedures protected from unauthorized alterations? 2 R1
06A05-06 Are the operating procedures audited regularly for authenticity and relevance? 2 C1
06A06 Management of service providers relating to networks
06A06-01 Is it ensured regularly that the network security services allocated to suppliers or service providers are efficiently implemented 4 C1 10.2.1
and maintained by them?
06A06-02 Is it ensured that the above suppliers have efficiently prepared the appropriate arrangements to ensure that the services are 2 E2 10.2.1
provided as agreed?
06A06-03 Is the respect of the security provisions by the suppliers or service providers under control and regularly reviewed? 4 E1 10.2.2
06A06-04 Is it ensured that the suppliers report and document any security incident concerning information or networks? 4 E2 10.2.2
06A06-05 Is there a regular review of these incidents or malfunctions with the concerned suppliers? 2 E2 10.2.2
06A06-06 Are any changes in the contract relationship (e.g. Mandatory duties, service levels) analyzed for impact on resulting potential 2 E3 10.2.3
risks?
06A07 Taking into account the confidentiality during maintenance operations on network equipment.
06A07-01 Is there a procedure describing in detail the operations to execute before conducting maintenance thus avoiding their access to 4 E2 9.2.6; 9.2.4
critical data (encryption keys, network protection, equipment security configuration, etc.)?
06A07-02 Is there a procedure or a contractual provision regarding the maintenance personnel (internal and external) specifying that any 4 E2 9.2.4
support containing sensitive information must be wiped out before its disposal?
06A07-03 Is there a systems' integrity verification procedure after a maintenance is conducted (no spyware, no Trojan horse, etc.)? 2 E2
06A07-05 Are the above procedures regularly audited? 2 3 C1

06A08 Contract Management of Network Services
06A08-01 Have service levels been identified for each network service? 4 E1 10.6.2
Service levels apply not only to the services rendered to users, but also the security features required and the commitments of
each party involved.
06A08-02 Have these service levels been included in a contractual agreement (whatever the services are ensured internally or by an 4 E2 10.6.2
external provider)?
06A08-03 Does Management control the application of corresponding measures? 2 C1 10.6.2
06B Parameters setting and control of hardware and software configurations
06B01 Network equipment customizing and compliance control of configurations
06B01-01 Is there a document or set of documents or an operational procedure detailing all security parameters for network equipment? 4 2 E1
which is derived from the network protection policy and determined filtering rules?
Such a document must result from the network protection policy and describe the filtering rules decided. It should also state the
reference versions of the systems so it is possible to check the status of the updates;
06B01-02 Does this document (or documents) require the removal of all generic or by default accounts and does it detail the list of such 4 2 E2
accounts?
06B01-03 Does this document or procedure impose a synchronization feature, based on a reliable time reference? 4 E2 10.10.6
06B01-04 Are these parameters set and updated regularly in line with latest information and in cooperation with expert authorities 2 3 E3
(specialized audits, subscription to a service center, regular consultation with CERTs, etc.)?
CERT : Computer Emergency Response Team.

06B01-05 Are these referenced documents (or copies of installed parameters considered as references) protected, by secure sealing 2 3 R1
methods, against untimely or illicit alteration?
06B01-06 Is the integrity of system configurations regularly tested against the configuration theoretically expected (at least weekly if not 4 2 E3 15.2.2
each time systems are activated)?
06B01-07 Are regular audits carried out of the list of security parameters specified? 2 R1 10.1.4; 15.2.2
06B01-08 Are regular audits carried out of the exception or escalation procedures in case of difficulties? 2 C1 10.1.4; 15.2.2
06B01-09 Are the development and test systems separated from the operational systems? 1 E2 10.1.4
06B02 Control of the network access configurations of user equipment
06B02-01 Is there a document detailing all parameters to check on user workstations related to external connections capability (modem, 4 2 E2
WiFi, etc.)?
06B02-02 Is this document regularly updated in line with the latest information and in cooperation with expert authorities (specialized audits, 4 2 E2
subscription to a service center, regular consultation with CERTs, etc.)?
06B02-03 Is this reference document protected against all undue or illicit modification by strong security methods (electronic sealing )? 4 3 R1
06B02-04 Is the configuration of network equipment of user workstations checked systematically for compliance against this reference 2 3 E2
document?
06B02-05 Is this control effected systematically, at each connection to the network? 4 E3
06B02-06 Are there automatic routines which systematically analyze the use of the telephone network for data transmission? 4 E3
06B02-07 Are there automatic routines which test for the presence of non declared wireless network (WiFi) access points? 4 E3
06B02-08 Are user workstations protected against the possibility of installing systems software and of modifying configurations? 4 E3
06B02-09 Is there a regular audit of the user configuration reference document and is the configuration control procedure regularly 2 3 C1
executed?
06C Control of administrative rights
06C01 Control of special access rights to network equipment
06C01-01 Has a management policy for privileged access rights on the network equipment been established, based on a pre-analysis of 2 E1 11.1.1
the security requirements and business stakes?
06C01-02 Is this policy documented, regularly reviewed, and approved by the affected managers? 2 E2
06C01-03 Have profiles been defined, as part of network operations, corresponding to each type of activity (equipment administration, the 1 E1 10.1.3; 10.6.1;
administration of security equipment, network management, management of backup medias and contents etc.)? 11.2.2
06C01-04 For each profile have the necessary administrative rights been defined? 4 2 E1 10.1.3; 10.6.1
06C01-05 Does the process of attribution of administrative rights require the formal authorization of management (or the manager 4 2 E2 10.1.3
responsible for external service providers) at a sufficiently high level?
06C01-06 Does the process of attribution of administrative rights effected uniquely in relation to the profile of the holder? 4 2 E2 10.1.3
06C01-07 Is the process of granting (modification or retraction) of special rights to an individual strictly controlled? 4 2 3 R1 11.2.2
A strict control requires a formal recognition of the signature (electronic or not) of the requestor, that there be an access control in
order to attribute or modify such rights and that any modification of special rights be logged and audited.
06C01-08 Is there a systematic process of removal of administrative rights at the time of departure or role change of staff? 4 3 E2 11.2.4
06C01-09 Is there a regular audit, at least once a year, of all administrative rights attributed ? 1 2 C1 11.2.4

06C02 Authentication of administrators and operational personnel
06C02-01 Is the process of authentication of network administrators or holders of administrative rights considered to be secure? 4 2 E2
An authentication protocol is considered secure if it is not susceptible to being broken by a listening device on the network or
rendered inoperable by specialists tools (in particular password crack tools ). Such security usually uses cryptographic methods.
06C02-02 Are the rules, for instance in the case of passwords, considered to be very strict? 2 2 E2
Strict rules impose the use of tested non-trivial passwords and the use of a mixture of different types of character of a reasonable
length (ten or more characters). It is desirable that such rules be decided or agreed upon by the CISO.
06C02-03 Is a strong authentication used for the connection of administrators to the supervision system as well as for the connection of the 4 2 E2
supervision system to network equipments?
If the administrator connects to a hypervisor (such as HP OpenView, IBM TIVOLI, CA Unicenter, BMC Patrol or Bull OpenMaster)
with secure authentication and effective access control, an equivalent level of security is needed for the objects that are managed
(avoiding for example visible passwords, default public and community groups, access via telnet or simple SQL) in order to avoid
malicious direct action on the equipment.
06C02-04 Is there a consistent control of the administrator's rights, of its context, and of the suitability of this context with the requested 4 E2
access, as per formal rules of access control?
06C02-05 Are authentication parameters under strict control? 4 2 R1
A strict control requires that the list of people able to change authentication rules, the identifiers themselves and the rules for
monitoring connection attempts be strictly limited, that there be a reinforced access control in order to be able to modify these
rights and that any modification of these rights be logged and audited and that there be a general audit at least once a year of all
authentication parameters.
06C02-06 Are the processes that guarantee authentication under strict control? 4 3 R1
06C02-07 Is there a regular audit of existing profiles having administrative rights? 4 3 C1 11.2.4
06C02-08 Is there a regular audit of the procedures for granting profiles and the security parameters protecting the profiles and the rights? 4 3 C1
06C03 Surveillance of administrative actions on the network

06C03-01 Has a detailed analysis been carried out of the operations performed with administrative rights which may potentially have an 2 E2 10.10.4; 10.6.1
impact on network security (configuration of security systems, access to sensitive information, usage of sensitive tools, download
or modification of administrative tools etc.)?
06C03-02 Are all these events recorded on a log file as well as all parameters required for their subsequent analysis? 4 E2 10.10.4; 10.6.1
06C03-03 Is there a system which enables the detection of the modification or deletion of a past record and to immediately trigger an alarm 4 2 E3 10.10.4
to a manager?
06C03-04 Is there a summary of these records which enables management to detect abnormal behavior? 4 3 E3 10.10.4
06C03-05 Is there a system which enables the detection of any modification of recording parameters and to immediately trigger an alarm to 4 2 R1 10.10.4
a manager?
06C03-06 Does any inhibition of the recording system and processing of logged events trigger an alarm to a manager? 4 3 E3 10.10.4
06C03-07 Are all records or summary analyses protected against destruction or modification? 2 R1 10.10.4
06C03-08 Are all records or summary analyses kept for a long period? 2 R1 10.10.4

06C03-09 Are the procedures for recording and analyzing operations executed with administrative rights regularly audited? 2 3 C1
06C04 Control of networking operational tools and utilities
06C04-01 Is there an exhaustive inventory of the sensitive networking tools or utilities (administration of rights, configuration management, 4 E1
backups, copies, hot system restarts etc.) allowed for each type of operational staff profile?
06C04-02 Can the tools or sensitive utilities only be used by the holders of the corresponding profiles following a secure and individual 2 2 E2
authentication (authentication token, smart card etc.)?
06C04-03 Is it forbidden to add or create tools or utilities without formal authorization? 2 2 E2
06C04-04 Is this forbidding rule regularly enforced by an automatic procedure which may trigger an alert to a manager? 2 2 E3
06C04-05 Do the rights attributed to operational teams prohibit them from modifying operational tools and utilities or at the very least is 4 2 E3
there a control of any such modification with triggering of an alert to a manager?
06C04-06 Are the attribution of profiles and the implementation of the security measures mentioned above regularly audited? 2 2 C1
06D Audit and Network Control Procedures
06D01 Audit Control Operation
06D01-01 Has the management established the requirements and procedures to follow during the audits conducted on the networks? 4 E2 15.3.1
06D01-02 Are the rules related to network audits, relevant procedures and associated responsibilities defined and documented? 3 E2 15.3.1
The limits to be determined concern the type of access to the equipment, the controls and authorized processing, the deletion of
sensitive data obtained, the flagging of certain operations, ... and the empowerment of the individuals conducting the audits.
06D01-03 Are the auditors independent of the concerned activities? 2 E2 15.3.1

06D01-04 Are the audit operations conducted for critical data recorded? 2 E3 15.3.1
06D01-05 Are the possible actions of the auditors well delimited? 2 E2 15.3.2
Such limitations are recommended in the case of external auditors.
06D02 Protection of Tools and Audit Results
06D02-01 Are the audit tools protected to avoid any unauthorized or abusive use? 3 E2 15.3.2
This applies particularly to intrusion testing and vulnerability assessments.
06D02-02 Are the audit results protected against any modification or disclosure? 3 E2 15.3.2
06D02-03 Is the use of audit tools and results strictly limited? 2 E2 15.3.2
Such limitations are recommended in the case of external auditors.

Comments

Comments

Comments

Comments

Comments

Comments

Audit Questionnaire: Security and Architecture of Systems 1 variant
07A Control of access to systems

07A01 Management of access profiles (rights and privileges granted by functional profile)
07A01-01 Has a management policy for access rights to the systems been established, built from an analysis of the security requirements 2 E1 11.1.1
based on the business stakes?
07A01-02 Is access to the various parts of the information system (applications, data bases, systems, equipments, etc) defined in terms of 4 2 E1 11.2.2
job profiles which regroup roles or functions within the organization (profiles define access rights which are available to holders of
the profile)?
Note: in certain circumstances the notion of "profile" may be replaced by the notion of "group".
07A01-03 Is it possible to adjust the access rights attributed to a given profile, based on the nature of the connection and equipment used 4 E2
(location, link, network, protocol, encryption, etc) and on the classification of the resources accessed?
07A01-04 Do the profiles also allow definition of working time limits (daily hours and periods in the working calendar, weekends, holidays 2 E3 11.5.6
etc.)?
07A01-05 Have these profiles and the access rights attributed to the different profiles, as a function of context, been approved by the 4 2 E2 11.5.6
information owners and the Information Security Officer?
07A01-06 Is the process of definition and management of rights attributed to profiles under strict control? 4 3 R1
A strict control requires that the list of people able to change rights attributed to profiles be strictly limited and that the
implementation of these rights into tables be strictly secure during transmission and storage and that there exists a reinforced
access control in order to be able to modify these rights and that any modification of these rights be logged and audited.
07A01-07 Is it possible to review at any time, the complete list of profiles and of the rights attributed to each profile? 2 2 C1
07A01-08 Is there a regular audit at least once a year of all rights attributed to each profile and the profile management procedures? 4 2 C1 11.2.4
07A02 Management of access authorizations and privileges (granting, delegation, revocation)

07A02-01 Does the procedure of granting access authorization require the formal approval of line management (at a sufficiently high level)? 4 2 E1
07A02-02 Are authorizations granted to named individuals only as a function of their profile? 2 E1
07A02-03 Is the procedure for granting (or changing or revoking) authorization to an individual (either directly or via his profile) strictly 4 2 3 E2 11.2.2
controlled?
the profile attributed to users in the form of tables is highly secure during transmission and storage and that there be a reinforced
access control over the modification of such records and that any modification of records be logged and audited.
07A02-04 Is there a systematic process of updating the table of access authorizations at the time of departure of personnel (either internal 4 3 E2 11.2.4
or external)?
07A02-05 Is there a systematic process of updating the table of access authorizations at the time of change of function? 4 E3 11.2.4
07A02-06 Is there a strictly controlled process (as above) which allows to delegate his/her own authorizations, in part or in whole, to a 4 E3
person of choice for a determined period (in case of absence)?
In this case, the delegated rights must no longer be authorized to the person who has delegated them during this time. The owner
however, must have the possibility of taking them back, by which process he or she effectively ends the delegation.
07A02-07 Is it possible to control at any time, for all users, the rights, authorizations and privileges in force? 2 C1
Mise jour : janvier 2010 351061430.xls ! 07 Sys page 168

07A02-08 Is there a regular audit, at least once a year, of the profiles and authorizations granted to all users and of the procedures for 1 2 C1 11.2.4
management of attributed profiles?
07A03 Authentication of the access requestor (user or entity)
07A03-01 Does the process of distribution or modification of the user credentials guarantee that only the holder of the identifier can have 2 1 E1 11.5.3
access to them (initial communication is confidential, password change is under the exclusive control of the user, etc.)?
07A03-02 Does the process of definition or modification of user credentials respect a set of rules which ensures their intrinsic validity? 4 2 E2 11.2.3; 11.5.3
In the case of passwords: sufficient length (8 characters or more), obligatory mixture of types of characters, frequent change (less
than once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard
systems", first names, anagrams of username, dates etc. In the case of certificates and authentications based on cryptographic
mechanisms: generation process evaluated or publicly recognized, keys of a sufficient length etc.
07A03-03 Does the process of presenting a user password guarantee its inviolability? 4 2 E3 11.5.1; 11.5.3
The usage of a password will always be a weak point. The only process which does not divulge observable information consists
of either introducing an object containing a secret (smart card), or entering a code which changes at every moment (token card
type SecureId) or using a biometric characteristic.
07A03-04 Is the logon process secured? 1 E3 11.5.1; 11.5.3

A secure logon should not give any information before the process is satisfactorily executed, not display the authenticators'
password, display date and time of last connection, display eventual connection attempts that have failed, etc.
07A03-05 Do the mechanisms for retention and usage of credentials by the user (or by the equipment representing the user) or by the 2 2 3 E2 11.5.1; 11.5.3
target systems guarantee inviolability and authenticity of these credentials?
Passwords must be stored encrypted and a preliminary access control must be made before being accessible to the user.
In the case of authentication using cryptographic procedures, the mechanism must propose solid guarantees validated by a
recognized organization.
07A03-06 Do the mechanisms used for the transmission of the credentials between the user and target equipments guarantee inviolability 2 2 3 E3 11.5.1; 11.5.3
and authenticity of these credentials?
In the case of authentication using cryptographic procedures, the mechanism must propose solid guarantees validated by a
07A03-07 In the case of multiple incorrect authentication attempts, is there an automatic process which temporarily invalidates the identifier 4 2 E2 11.5.1; 11.5.3
used or, possibly, the user workstation itself, or which slows down the authentication process so as to inhibit any automatic
routine from connecting?
07A03-08 Does the procedure for the replacement of a lost or mislaid user credential (password, token card) allow the instant deactivation 2 2 E2 11.5.3
of the old credential?
07A03-09 Does the procedure for the replacement of a lost or mislaid user credential (password, token card) allow an effective control of 2 2 E3 11.5.3
the requestor's identity?

07A03-10 Are authentication parameters under strict control? 4 2 R1

A strict control requires that the list of people allowed to change the definition rules of credentials, the credentials themselves, the
rules of surveillance of connection attempts etc., be strictly limited and that there exists a reinforced access control to effect these
modifications, that these modifications be logged and audited and that there exists a regular general audit at least once a year of
all authentication parameters.
07A03-11 Are the processes that ensure authentication under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (close with a seal)
and that there be an audit at least once a year of authentication procedures and processes (including the processes which aim to
detect intrusion attempts and the processes which respond to these intrusion attempts).
07A04 Access filtering and management of associations

07A04-01 Does any access to a system require the use of an identifier recognized by the system? 1 2 E1 11.5.2
07A04-02 Is there a direct or indirect correspondence between any identifier and a real physical person? 4 2 E1 11.5.2
In the case where an application calls another or executes a system call, it may be that the application does not transfer to the
target system the identifier which originally made the request. The link between the call, the identifier and the user himself must
remain traceable after the fact.
07A04-03 Have all generic or by-default accounts been deleted? 4 2 E2 11.5.2

07A04-04 Is the acceptance of the identifier by the system systematically subject to authentication? 2 2 E2 11.5.2
Systematic authentication requires that the process be implemented for all subsystems (Remote process monitors, database
management systems, batch processes, etc.), for all application requests and for all access routes, including ports reserved for
remote maintenance.
07A04-05 May the authentication process be renewed during an open session for those transactions considered to be sensitive? 4 E3
07A04-06 Is there an automatic invalidation of the user session in the absence of traffic after a defined duration, thus requiring user re- 4 E3 11.5.5
identification and re-authentication?
07A04-07 Is there a systematic control, based upon definite access rules, of the profile of the requestor, of the association context and of 4 2 E3
the appropriateness of that profile and context for the access requested?
07A04-08 Are the parameters for the definition and management of access filtering rules under strict control? 4 2 R1
A strict control requires that the list of persons allowed to change the security parameters for access filtering be extremely limited,
and that there be a reinforced access control in order to be able to effect such modification and that any modification be logged
and audited.
07A04-09 Are the processes that guarantee access filtering under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (close with a seal)
and that there be an audit at least once a year of access filtering procedures and processes (including the processes which aim
to detect intrusion attempts and the processes which respond to these intrusion attempts).
07A04-10 Are regular tests carried out to attempt to break into the information system and are there detailed technical audits run by 2 3 R2
specialists?
07A05 Authentication of the server for access to sensitive servers
07A05-01 Is there a possibility to declare servers as sensitive and, as such, requiring an authentication of the server accessed? 4 1 E2

07A05-02 Is there a mechanism of authentication of the server called before access to a sensitive server from the internal network? 4 1 E2
07A05-03 Does the authentication mechanism of the accessed servers provide a recognized "strong" level of security? 4 2 E3
Notably the usage of a simple password will always be a weakness. The only methods recognized as "strong", that is observable
without divulging information, are those based on cryptographic algorithms.
07A05-04 Do the security equipment that retain credentials (e.g. passwords, calling number, etc.) use mechanisms which guarantee their 4 3 E2
In the case of authentication using cryptographic procedures, the mechanism must provide solid guarantees validated by a
07A05-05 Does the transmission of credentials (e.g. passwords, calling address, etc.) between calling user equipment and authentication 4 3 E3
systems use mechanisms which guarantee their impregnability and authenticity?
07A05-06 Does the revoked keys management procedure guarantee that the control systems take into consideration in real time any 4 2 E2
revocation of keys?
07A05-07 Does the revoked keys management procedure guarantee that the control systems systematically test that the keys used have 4 2 E3
not been revoked?
07A05-08 Are the processes that guarantee the authentication of the accessed entities under strict control? 4 3 R1
07B Containment of environments

07B01 Control of access to residual data
07B01-01 Has a detailed analysis been carried out for each type of system to identify residual data files, their storage areas and access 4 E2
paths to such files and storage areas?
07B01-02 Have storage systems (and medias) been identified which once stored sensitive information and which have been re-affected to 4 E1
other usages?
07B01-03 Does the system use an access rights control mechanism which prohibits user access to the contents of resources which have 4 E2
been freed up by another process (areas of memory, temporary resources )?
07B01-04 Are the tools which enable access to sensitive remnant data or temporary files reserved only for the use of systems operators 4 E3
and does access to those tools require a secure authentication?
07B01-05 Are there procedures of physical erasure of residual files (in main memory or for storage media)? 4 E3
07B01-06 Are these procedures implemented systematically and automatically by the relevant systems each time a logical resource is 4 3 E2
freed?
07B01-07 Is the invalidation of such procedures alerted to an operational IT manager? 4 3 R1
07B01-08 Is there a procedure which guarantees that sensitive information contained on discarded media will be protected until the 4 E2 10.7.2
destruction of the supporting media?
07B01-09 Are all security procedures and parameters protecting access to residual data subject to regular audit? 4 3 C1
07C Management and saving of logs
07C01 Recording access to sensitive resources

07C01-01 Has a specific analysis been carried out to determine which access requests and related parameters will be logged? 4 E2 10.10.2
07C01-02 Is a tool or control application used which is able to log accesses to sensitive resources (applications, files, databases, etc.)? 4 E2 10.10.2
07C01-03 Are the rules, specifying which accesses to log and retain, formalized? 2 E2
07C01-04 Have the rules, specifying which accesses to log and retain, been approved by the information owners or the Information Security 4 E3
Officer?
07C01-05 Do the rules which specify which accesses will be logged include the necessary elements to carry out a subsequent investigation 2 E2 10.10.1
in the case of anomaly?
These rules should specify for each type of access (system, database management system, etc. ) the fundamental elements to
record; for example user ID, the service or application requested, date and time, the point from where the access was requested
if known etc.
07C01-06 Have these rules been validated by Legal Department (particularly for logs containing personal data)? 2 2 E3 10.10.1
07C01-07 Are all these records archived (on disk, cassettes, optical disk, etc.) and conserved for a long period in such a way as to be un- 2 E2 10.10.1; 10.10.3
modifiable?
07C01-08 Are the parameters for definition and management of recording connections (login) and called applications under strict control? 4 2 R1 10.10.3
A strict control requires that the list of persons allowed to change the definition parameters and the management of the recording
rules for the logins and called applications be strictly limited and that there exist a reinforced access control to effect these
modifications and that these modifications be logged and audited.
07C01-09 Are the processes which ensure the recording of connections and called applications under strict control? 4 3 C1
A strict control requires that the software used for recording has been validated and undergoes a regular test for integrity (closed
with seal) and that there be an audit at least once a year of recording procedures and processes (including the processes which
aim to detect modification attempts and the processes which respond to these modification attempts).
07C02 Recording privileged system calls

07C02-01 Has a specific analysis been carried out of privileged system calls to log and of parameters related to these calls which should be 4 E2 10.10.2
recorded?
07C02-02 Is use made of a tool or control application which is able to record privileged system calls (tools which require special access 4 E2 10.10.2
rights, access to security files, administration of security parameters etc.)?
07C02-03 Have the rules specifying the privileged system calls to be logged been formalized? 2 E2
07C02-04 Have the rules specifying the privileged system calls to be logged been approved by the information owners or the Information 4 E3
Security Officer?
07C02-05 Do the rules specifying the accesses to privileged system calls to be logged include the relevant elements needed for subsequent 2 E2 10.10.1
investigation in the case of anomaly?
The rules must specify for each type of system call (create, read, update or delete) the basic elements to record, for example, the
nature of the event, the user identifier, the systems services required, date and time etc.
07C02-06 Have these rules been validated by Legal Department (particularly for logs containing personal data)? 2 2 E3 10.10.1
07C02-07 Are all these records archived (on disk, cassettes, optical disk, etc.) and conserved for a long period in such a way as to be un- 2 E2 10.10.3; 10.10.1
falsifiable?

07C02-08 Are the parameters for definition and management of the rules for recording privileged system calls under strict control? 4 2 R1 10.10.3
A strict control requires that the list of persons allowed to change the recording parameters be strictly limited and that there exists
a reinforced access control to effect these modifications and that these modifications be logged and audited.
07C02-09 Are the processes which ensure the recording of privileged system calls under strict control? 4 3 C1
A strict control requires that the software used for recording has been validated and undergoes a regular test for integrity (closed
with seal) and that there be an audit at least once a year of recording procedures and processes (including the processes which
aim to detect modification attempts and the processes which respond to these modification attempts).
07D Security of the architecture

07D01 Service continuity of the architecture and of its components
07D01-01 Has an analysis been carried out of the various shared equipment and systems (apart from the architecture of the applications 4 2 E2
but including general peripheral systems such as backup systems and robots, print servers and centralized printing equipment) in
order to highlight the needs of service continuity?
An in depth analysis assumes that a list of failure scenarios has been established and that the consequences of such events
have been analyzed.
07D01-02 Has this analysis allowed to detail the minimum performance levels that must be maintained for each system and have these 4 2 E2
performance levels been accepted by users or information owners?
07D01-03 Has the appropriate level of architectural redundancy been determined (e.g. clusters or disk replication ) for the servers or 4 2 E2
equipment concerned?
07D01-04 Does the architecture and its implementation guarantee that the minimum performance levels will be exceeded in the case of an 4 2 E2
incident of failure?
Such a guarantee supposes that either failsafe systems are entirely automatic or that sufficient detection systems and staff are in
place so as to manually reconfigure them.
07D01-05 Is there an assurance in this case that secondary equipment (power supply, air-conditioning, etc. ) does not introduce any 2 E3
additional risk and does not eliminate redundancy envisaged for the systems architecture or equipment?
07D01-06 Does any shutdown or inhibition of redundant equipment or system devoted to detecting the need for human intervention or for 2 R1
automatic reconfiguration trigger an alarm to an operational manager?
07D01-07 Are regular tests made to demonstrate that security equipment is able to guarantee minimum performance levels required in the 2 3 C1
case of an incident or failure?
07D02 Isolation of Sensitive Systems
07D02-01 Has the systems' sensitivity been analyzed (based on the applications and data processed) including peripheral systems or 3 E2 11.6.2
robots used for storage or archiving, print servers or central printing equipment, etc.) to highlight their security requirements?
A thorough analysis implies the establishment of a list of incident scenarios (A, I, C), for which all foreseeable consequences
were analyzed.
07D02-02 Did this analysis allow to formalize minimum requirements for each system and were these minimum requirements accepted by 3 E2 11.6.2
the users (information owner)?
07D02-03 Have appropriate isolation measures (physical and logical) been determined for these servers and equipment? 3 E2 11.6.2
These measures may impose to use different data centers for sensitive servers or applications from other servers.

Commentaires

Commentaires

Commentaires

Commentaires

Commentaires

Commentaires

Audit Questionnaire: IT Production Environment 1 variant
08A Security of operational procedures
08A01 Consideration of security in relation with operational personnel (permanent and temporary staff)
08A01-01 Is there a security policy, specifically aimed at operations personnel, related to information systems? 4 E1 9.2.1
This policy should cover the requirements for the protection of information as well as the protection of physical assets and
processes and mention the forbidden behaviors
08A01-02 Is information systems operations personnel required to sign contract clauses of adherence to that security policy (no matter their 4 E2
status: permanent or temporary staff, students, etc.)?
08A01-03 Do these clauses make clear that the obligation to respect that security policy applies to information at large (whichever the 2 2 E2
support : paper, magnetic, optical, etc.)?
08A01-04 Do these clauses make clear, if necessary and legally possible, that the obligation to respect the security policy applies without 4 2 E3
limitation in time?
This applies, in particular, to the clauses concerning confidentiality, they may (and often must) continue after the end of the contract
linking (directly or indirectly) the employee or service provider or partner to the company
08A01-05 Do these clauses make clear that the personnel has an obligation not to tolerate any action contrary to security from other people? 4 3 E3

In order to achieve a formal commitment, the personnel should explicitly state that his/her signature implies having understood and
accepted the security policy
08A01-07 Are these same clauses obligatory for contractors working on systems operations? 4 2 E2
internal staff.
08A01-08 Is there a mandatory and well adapted training course aimed at systems operation personnel? 2 E2
08A01-09 Are the security policy compliance agreements, signed by personnel, securely kept (at least in a locked cupboard )? 2 3 R1
08A01-10 Are the security policy compliance agreements, signed by external contractors, securely kept (at least in a locked cupboard )? 2 3 R1
08A02 Control of the operational tools and utilities
08A02-01 Have different profiles been defined for the systems operation staff (administration and management of configurations, 4 E1
administration of security equipment, monitoring, audit and investigation)?
08A02-02 Are all members of systems operation staff attributed with one of these profiles? 4 E2
08A02-03 Have all the sensitive system tools and utilities (rights administration, configuration management, backups, copies, hot restarts, 4 E2 11.5.4
etc.) been exhaustively audited and listed for each profile?
08A02-04 Is it possible only for holders of a certain profile to use the corresponding tools and utilities subsequent to proper strong 2 2 E3 11.5.4
authentication (smart card or token card)?
08A02-05 Is it forbidden to create or add sensitive tools or utilities without formal authorization? 2 2 E2 11.5.4
08A02-06 Is there a regular automated check to enforce this rule which triggers an alert to an appropriate manager? 2 2 E3 11.5.4
08A02-07 Does the segregation of rights of systems operation staff prevent undue modification of sensitive tools or utilities or at least, is 4 2 E3 11.5.4
there an automatic routine which checks that no modification has been made and which may trigger an alert to a manager if so?
08A02-08 Are the granting of administrative profiles and the implementation of the aforementioned security measures subject to regular 2 2 C1
audit?
Mise jour : janvier 2010 351061430.xls ! 08 Sop page 186

08A03 Acceptance control of systems introduction or modification
Systems here include operating systems, applications and associated middleware
08A03-01 Are the decisions to change or update equipment and systems significantly subject to a control procedure (registration, planning, 4 E1 10.1.2
formal approval, communication to all concerned individuals, etc.)?
08A03-02 Are the change decisions based on an analysis of the capacity of the new equipment and systems to ensure the required load and 2 E2 10.3.1
take into account the evolution of foreseeable requests?
08A03-03 Do the installations take into account physical protection (protected access, no direct external view on equipments, no multiple 2 E2 9.2.1; 12.5.1
physical threats, weather conditions, protection against thunderbolts, protection against dust, etc.)?
08A03-04 Is any new or modified functionality linked to a new system or new version of a system, systematically documented before moving 4 2 E2 12.4.1; 12.5.1
into production?
08A03-05 Is such new functionality (or change in functionality), linked to a new system or new version of a system, formally and 2 E2 12.4.1; 10.3.2
systematically reviewed in conjunction with the IT security function?
08A03-06 Does this review include an analysis of the risks that may result from the changes? 2 2 E2 12.4.1; 10.3.2
08A03-07 Have system operations staff received formal appropriate training in risk analysis? 1 E3
08A03-08 May the operation staff obtain an appropriate support specially competent on risk analysis? 4 E3
08A03-09 Are the security measures, determined to counter the new identified risks, formally reviewed before implementation? 4 2 E3 10.3.2
08A03-10 Are security parameters and configuration rules (deletion of generic accounts, changing of any default passwords, blocking of 4 E3 11.4.4; 10.3.2
unauthorized communications ports, setting of access rights and authentication parameters, etc.) listed in detail and regularly
updated?
08A03-11 Are the security parameters and configuration rules controlled prior to any start of production of a new version? 4 E3 11.4.4; 10.3.2
08A03-12 Has the eventual impact of the systems' changes regarding the continuity plans been considered? 2 E2 10.3.2
08A03-13 Are any derogations from the prerequisite risk analysis and control of security parameters subject to strict procedures, including a 4 R1 12.4.1
signature from senior management?
08A03-14 Can the start of production of new systems and applications be only carried out by operations personnel? 2 2 E3 12.4.1; 6.1.4
08A03-15 Is the start of production of new versions of systems or applications possible by the use of a defined validation and authorization 2 2 E3 12.4.1; 6.1.4
process?
08A03-16 Are the start of production control procedures regularly audited? 2 3 C1
08A04-02 Are all maintenance operations required to terminate with a systematic control of security parameters (as defined at time of start of 4 2 E2
production)?
08A04-03 Are all maintenance operations required to terminate with a systematic control of the recording parameters for security events and 4 3 E3
the life span of records?
08A04-04 Are all maintenance operations required to terminate with a systematic control of system administration parameters (required 4 3 E3
profile, authentication type, removal of standard logins etc.)?
08A04-06 Is the effective implementation of these controls regularly audited? 2 3 C1

08A05 Confidentiality considerations during maintenance of the production systems
08A05-01 Is there a procedure describing, in detail, all the operations to execute before contacting maintenance in order to prevent 4 E1 9.2.4; 9.2.6
maintenance staff gaining access to operational production data (disconnection of disk arrays and cartridges, deletion of
operational data etc.)?

08A05-02 Is there a binding clause in maintenance personnel contracts stipulating that any storage media which contained sensitive data be 4 E2 9.2.4; 9.2.6
destroyed before disposal?
08A05-03 Is there a procedure of checking for system integrity after maintenance intervention (absence of spyware, or trojans etc.)? 2 E2
08A05-04 Is a formal dispensation, signed by a responsible manager, required if the above mentioned procedures are not observed? 2 3 E3
08A05-05 Are the above procedures subject to regular audit? 2 3 C1

08A06 Control of remote maintenance
08A06-01 In the case of remote maintenance, is the remote maintenance desk's access subject to a secure authentication procedure? 2 2 E2 11.4.4
08A06-02 In the case of remote maintenance, are maintenance staff subject to a secure authentication procedure? 4 2 E2 11.4.4
08A06-03 Is there a set of procedures covering the granting and revocation of access rights for remote maintenance operatives and the 2 E3 11.4.4
granting of rights in urgent situations?
08A06-04 Have the procedures and protocols for transmission and retention of secret conventions (in the case of remote maintenance) been 4 E3
approved by the Information Security Officer or a qualified specialist?
08A06-05 Does the usage of the remote maintenance line require the prior agreement (for each usage) of system operations personnel 4 3 E3 11.4.4
(upon request by the manufacturer or editor specifying the nature, date and time of the intervention)?
08A06-06 Are data or command exchanges during remote maintenance protected by encryption? 4 2 E3
08A06-07 Are data or command exchanges during remote maintenance protected by integrity control (sealing)? 4 2 E3
08A06-08 Is the usage of the remote maintenance line under strict control ? 4 3 E2
A strict control supposes that each use of the line, the name of the maintenance operative and the actions carried out is registered,
and that there be a subsequent audit of the appropriateness of the actions and their conformity with the rules laid down by
maintenance managers.
08A06-09 Are the equipment accessible for remote maintenance protected against inhibition or modification of the access conditions for 2 2 R1
remote maintenance (e.g. by the triggering of an alarm)?
08A06-10 Are control procedures for remote maintenance regularly audited? 2 3 C1
08A07 Protection of sensitive printed documents and reports
08A07-01 Are all sensitive documents and reports printed in secure premises? 4 E1
08A07-02 Are all sensitive documents and reports protected against diversion while being produced? 4 3 E1
08A07-03 Are all sensitive documents and reports protected against diversion while waiting for distribution? 4 3 E1
08A07-04 Does the distribution system for printouts and reports ensure protection against theft (locked cabinets and carrying cases during 4 3 E2
transportation)?
08A07-05 Does the distribution system for printouts and reports ensure protection against prying consultation? 4 3 E2
08A07-06 Does the distribution system for printouts and reports require the addressee to be authenticated prior to their delivery? 4 3 E3
08A07-07 Are printed documents and reports labeled anonymously without showing any particular classification? 4 E2
08A07-08 Are these measures adapted to the maximum security level of the information within (temporary storage in locked strong boxes 4 E2
and hand delivery for very sensitive information)?
08A07-09 Are sensitive printed documents and reports put on the scrap destroyed in a secure way so that they cannot be exploited? 4 3 E2
08A07-10 Are the security procedures for distribution of printed material regularly audited? 2 3 C1
08A08 Management of Operating Procedures for IT production

08A08-01 Do the operating procedures result from the study of the overall cases to be covered by said procedure (normal operating cases 4 E2 10.1.1
and incidents)?
08A08-03 Are the operating procedures readily available upon request by any accredited individual? 4 E2 10.1.1
08A08-04 Is the IT operation Management required to approve changes to procedures ? 4 E2 10.1.1
08A09 Management of service suppliers and providers relating to IT operations
08A09-01 Is it regularly ensured that the security services allocated to suppliers or providers are efficiently implemented and maintained by 4 E1 10.2.1
them?
08A09-02 Is it ensured that the service suppliers or providers have efficiently prepared the appropriate arrangements to ensure that the 2 E2 10.2.1
services are provided as agreed?
08A09-03 Is the respect of the security provisions by the suppliers or providers regularly reviewed? 4 C1 10.2.2
08A09-04 Is it ensured that the suppliers and providers report and document any security incident concerning information or systems? 4 E2 10.2.2
08A09-05 Is there a regular review of these incidents or malfunctions with the concerned suppliers and providers? 2 E2 10.2.2
08A09-06 Are any changes in the contract relationship (obligations, service levels, etc.) analyzed for resulting potential risks? 2 E3 10.2.3
08B Control of hardware and software configurations
08B01 Conformity control of systems parameters and configurations
08B01-01 Is there a document (or a set of documents ) or an operational procedure which describes all security parameters for the systems? 4 2 E1
Such a document should be derived from the security policy and describe all the filtering rules decided. It should also mention the
reference to the system versions so as to check the status of the updates.
08B01-02 Does this document require that all generic or by default accounts be deleted and their list established? 4 2 E2 11.4.4
08B01-03 Are the system versions, fixes and parameters updated regularly in line with latest information? 2 3 E2 10.7.4; 12.6.1
This should be done in cooperation with expert authorities (specialized audits, subscription to a service center, regular consultation
with CERTs, etc.)
08B01-04 Does the resulting document or procedure impose a synchronization feature, based on a reliable time reference? 4 E3 10.10.6
08B01-05 Are these reference documents protected, by secure methods, against untimely or illicit alteration (sealing)? 2 3 R1 10.7.4
08B01-06 Is the integrity of system configurations checked, regularly (at least weekly) if not at each system start-up, against the configuration 4 2 E3 15.2.2
theoretically expected?
08B01-07 Are regular audits carried out of the compliance to the specifications for security parameters? 2 R1 15.2.2
08B01-08 Are regular audits carried out of the exception and escalation procedures in the case of difficulty or installation problems? 2 R1 15.2.2
08B01-09 Are the development and test environments separated from the operational environments? 1 C1
08B02 Conformity control of operational software configurations (including packages)
08B02-01 Is there a document (or a set of documents ) or an operational procedure which describes the security parameters for all 4 2 E1
applications?
These parameters should result from the security architecture retained for the applications
08B02-02 Is this document updated for each change of version? 2 2 E2
08B02-03 Does this document require that all generic or by default accounts be deleted and their list established? 4 2 E2

08B02-04 Are the application software versions, fixes and parameters updated regularly in line with latest information? 2 3 E2 10.7.4; 12.6.1
with CERTs, etc.)
08B02-06 Is the integrity of application configurations regularly checked against the configuration theoretically expected (weekly)? 4 2 E3 10.7.4; 15.2.2
08B02-07 Are regular audits carried out of possible differences between the security parameters expected and effectively implemented? 2 R1 15.2.2
08B03 Conformity control of reference programs (source code and executables)

08B03-01 Do IT operations manage a reference version for each product installed in production (source code and executables)? 4 2 E1 12.4.1
08B03-02 Is this reference version protected against all possible illicit or untimely modification (signed media kept by a senior manager, 2 R1
electronic sealing, etc.)?
08B03-03 Is this protection considered to be inviolable (sealing by cryptographic algorithm approved by the Information Security Officer)? 4 R2
08B03-04 Is the protective seal controlled automatically (otherwise it may be an authoritative signature) at each new installation? 4 R2
08B03-05 Is a check made of the proof of origin and integrity of received maintenance module or a new version, from the editor or the 4 E2
manufacturer (for operating systems)?
08B03-06 Are the sealing and sealing control tools protected against any unauthorized usage? 4 R2
08B03-07 Does the inhibition of the automatic control of seals trigger an alarm to a manager? 4 E3
08B03-08 Are there regular audits of protection procedures for reference programs? 4 C1
08C Management of storage media for data and programs
08C01 Management of storage media
08C01-01 Are all media removals from the media library controlled by a dedicated person or department responsible for the media handling? 4 E1 10.7.1
08C01-02 Are media returns after use by the operations controlled by the same person or department? 4 E2 10.7.1
08C01-03 Is the removal of storage media systematically registered (date and time, individual responsible for media, etc.) ? 4 E2 10.7.1
08C01-04 Is the disposal of storage media systematically registered (date and time, individual responsible for media, etc.) ? 4 E2 10.7.1; 10.7.2
08C01-05 Is there a procedure to erase data on media before exit or disposal? 1 E3 10.7.1; 9.2.6
08C01-06 Are any missing items systematically subject to a search procedure and a follow-on form included in the overall operational 4 E2
dashboard?
08C01-07 Are all movements of storage media into or out of the library strictly controlled with respect to production systems planning? 4 E3
08C01-08 Are the files related to storage media management under strict control? 4 2 R1
A strict control requires that people authorized to access the files be registered and in limited number, that there be a reinforced
access control to be able to modify the files and that any modification be logged and audited.
08C01-09 Are the processes which ensure the management of storage media under strict control? 4 3 C1
A strict control requires to control that the software has been effectively, that a regular data integrity test (seal) be performed and
that there is an audit, at least once a year, of media management procedures and processes (including handling the anomalies
detected in the course of storage media management).
08C02 Labeling of storage media (live, backups and archives)

08C02-01 Are magnetic media marked neutrally without any mention of their classification level? 4 E1
08C02-02 Are the files accompanying the marking system (files which make the link between the label of the media and its contents) under 4 2 E2
strict control?
access control to be able to modify them and that any modification be logged and audited.
08C02-03 Are the processes which ensure the management of storage media marking under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there is
an audit at least once a year of support media marking procedures and processes (including a management of anomalies detected
in the course of support media marking).
This presupposes that there be a document which details all of the requirements of support media marking.
08C03 Physical security of media kept on site

08C03-01 Is there an automatic and systematic access control to the location used for on site storage of operation media? 4 E1
08C03-02 Does authentication, for access control to the storage rooms of production media, employ user related data that cannot be falsified 4 3 E2
(smart cards or biometric data for example)?
08C03-03 Does the access control system guarantee that all personnel entering the location are verified (double door limiting the number of 4 3 E2
people entering to one-at-a-time, process which prohibits the usage of a badge by more than one person etc.)?
08C03-04 In addition to access control for the normal exits, is there a specific control for non authorized exits (windows accessible from 4 3 E3
outside, emergency exits, potential access via false panels, flooring and ceilings, etc)?
08C03-05 Are the automatic access control systems under 24 hr surveillance enabling to detect in real time the failure or deactivation of the 2 2 R1
system or the usage of emergency exits?
08C03-06 Is there an audit procedure enabling later to uncover irregularities in the access control procedures (audit of procedures and 2 3 C1
08C03-07 Is there an operational intrusion detection system for the storage locations, linked to a 24 hr monitoring center? 4 2 R2
08C03-08 Are the on site locations for production storage media placed under 24 hours surveillance (video surveillance of the location itself)? 4 3 R2
08C03-09 Is the transfer of production media, between the production and on site storage locations, under strict control (specific moving 2 E2
procedures, secured containers etc.)?
08C03-10 Is the storage location of production storage media protected against accidental risk (fire detection and extinguisher equipment, 4 E2
protection from water damage, etc.)?
08C03-11 Is the storage location for production storage media regulated and supervised for temperature and humidity? 4 E2 10.7.1
08C03-12 Are the automatic fire, flood and humidity detection systems, under 24 hour operational control enabling to detect in real time a 2 2 R1
failure, a deactivation or an alarm?
08C03-13 Is there a procedure or automatic routine which triggers the immediate intervention of specialized personnel in the case of an 2 2 C1
alarm (of the access control system or the incident detection system)?
08C04 Physical security of storage media (kept in an external site)
08C04-01 Is use made of a specialized company, which offers contractual guarantees of security, for the storage of archives outside the 4 E1
production site?
08C04-02 Does the contract signed with the outside media storage company ensure a high level of security (strong access authentication, 4 3 E2
control of access points and emergency exits, intrusion detection, video surveillance, protection against natural risk, intervention
team, etc.)?
08C04-03 Does the procedure used for the transfer of sensitive media to the external storage location require a high level of security (like 4 E2 10.8.3
secure containers and transporters accredited by the company)?

08C04-04 Are there contractual clauses or annex clauses, which stipulate the conditions of restitution of storage media, guaranteeing that the 4 E3
person to whom to the media is returned has the correct authorization even in the case of an emergency procedure?
08C04-05 Is there a regular audit of the security measures used by the company ensuring the external storage of archives and backups? 2 3 C2
08C04-06 Is there a regular audit of the management procedures related to storage media (transport and return )? 2 3 C1
08C04-07 Is there a regular audit of the contractual clauses specifying relations with the company ensuring the external storage of archives 2 3 C1
and backups?
08C05 Verification and turnover of archive storage media
08C05-01 Are the storage media which retain data for long periods (archives) regularly verified (as a function of the frequency of updates and 4 E2
the classification of the information)?
08C05-02 Are the storage media which retain data for long periods (archives) periodically copied to new storage media with the maintenance 4 E2
of an inventory and redundancy of media?
08C05-03 Is there a regular verification of the technical compatibility between the storage media and the operational solution used to effect 2 E3
restoration of data?
08C05-04 Are regular tests carried out of archived media readability? 4 E2
08C05-05 Do the reread tests contain controls of the authenticity of the information stored? 4 E3
08C05-06 Are the files used for the management of storage media rotation and sampling under strict control? 4 3 R2
access control to be able to modify them and that any modification be logged and audited.
08C05-07 Are the procedures concerning the verification of archived storage media regularly audited? 2 3
08C06 Security of storage networks (SAN : Storage Area Network and NAS)
08C06-01 Are the storage networks physically or logically isolated from other data networks? 4 E1
08C06-02 Are the storage networks protected by a firewall which only allows data and administrative flows related to storage? 4 2 E1
08C06-03 Is access to storage bays subject to strong authentication, for authorized elements (servers and administration stations)? 4 3 E2
08C06-04 Do the data storage protocols contain a protection against replay? 2 E3

08C06-05 Is data stored using a storage network encrypted before transmission to the network? 4 3 E3 12.3.1
08C06-06 Do the solutions, protecting access to data stored on the storage network, offer valid and solid guarantees? 2 2 E2
A cryptographic solution with keys of sufficient length is one of among many parameters to take into consideration (as a function of
the algorithm) .
The recommendation of an official organization can be a confidence factor. At least the solution should have been approved b the
CISO.
08C06-07 Are the security mechanisms for access to data protected against infraction or alteration? 4 3 R1
08C06-08 Is the switching off or bypass of security mechanisms immediately detected and signaled to a responsible team? 4 2 R1
08C06-09 Is this team available 24 hrs a day and capable of intervening immediately? 4 2 R1
08C06-10 Is there a procedure detailing the actions to carry out in the case of error or alert? 3 C1
08C07 Physical Security of Transiting Medias
08C07-01 Are the transfer of medias between sites (internal or external) strictly controlled (specific procedures, follow-up or secured 2 E1 10.8.3
containers, etc.) ?
08C07-02 Are the medias marked anonymously, without reference to any classification, while in transit? 4 E2

08C07-03 Is any abnormality or media loss immediately reported? 2 E2
08C07-04 Is any abnormality or media loss followed by an investigation? 2 E2
08C07-05 Are the media transfers regularly audited? 2 3 C1
08D Service continuity
08D01 Organization of hardware maintenance (for operational equipment)
08D01-01 Is all equipment covered by a maintenance contract? 2 E1 9.2.4
08D01-02 Are there specific maintenance contracts for all hardware which require a high availability and for which the replacement must be 4 E2
made within limited delays?
08D01-03 Do the contracts stipulate maximum delays before intervention and compatible with the requirements of availability? 4 2 E2
08D01-04 Do the contracts detail the required time slots and days of intervention (24h/7d for example) compatible with the requirements of 4 2 E3
availability?
08D01-05 Do the contracts stipulate the conditions of escalation in case of difficulty? 4 3 R1
08D01-06 Do the contracts detail specific clauses for when the hardware downtime exceeds the specific times stipulated (penalties, hardware 4 3 E3
replacement, etc.)?
It is desirable that these clauses be general and apply to all cases no matter what the reasons (technical difficulty, staff strikes,
etc.)
08D01-07 Do the maintenance contracts anticipate the complete replacement of equipment in the case of important damage which might not 4 E3
be taken into consideration by reparative maintenance?
08D01-08 Are the maintenance contracts, the choice of subcontractors and associated maintenance procedures subject to regular audit? 2 3 C1
08D02 Organization of software maintenance (systems, middleware and applications)

08D02-01 Are there maintenance contracts for all acquired software products (systems software, middleware and applications)? 4 E1
08D02-02 Do the suppliers provide a technical software support center which guarantees a quick and competent telephone assistance? 2 E2
08D02-03 Do the software maintenance contracts anticipate the regular release of new versions taking into account all applicable fixes to the 4 E2
product?
08D02-04 Are there specific maintenance contracts for software products (systems, middleware and applications) which require corrective 4 E2
delays that standard maintenance cannot cover?
08D02-05 Do these contracts detail specific maximum intervention delays, compatible with the availability requirements? 4 2 E2
08D02-06 Do the contracts detail the required time slots and days of intervention (24h/7d for example) compatible with the requirements of 4 2 E3
availability?
08D02-07 Do the contracts stipulate the conditions of escalation in case of difficulty? 4 3 R1
08D02-08 Do the contracts specify specific clauses when system downtime exceeds specific durations stipulated (penalties, replacement of 4 3 E3
hardware, etc.)?
etc.)
08D02-09 Are the maintenance contracts, the choice of subcontractors and associated maintenance procedures subject to regular audit? 2 3 C1
08D03 Application recovery procedures and plans following incidents during operation

08D03-01 Has a list been established, for all applications, of incidents which could occur during production and, for each of these, the 4 E1
seriousness of possible consequences?
Critical consequences may relate to data consistency and continuity of service
08D03-02 For each incident during operation have the corresponding diagnostic means been identified? 4 E2
08D03-03 For each incident during operation, has a solution been established as well as the operations to carry out by system operation 4 E2
personnel?
08D03-04 For each possible incident during operation, have an acceptable resolution delay and an escalation procedure been determined in 2 E3
the case of failure or lateness of the anticipated corrective actions?
08D03-05 Are the diagnostic means, needed by system operation personnel, protected against any possible inhibition or unauthorized 2 3 R1
modification?
08D03-06 Are the corrective means, needed by system operation personnel, to solve a critical operation incident protected against any 2 3 R2
possible inhibition or unauthorized modification?
08D03-07 Are there regular tests concerning the efficiency of the procedures and facilities which survey and diagnose the applications' 2 C1
operation?
08D03-08 Are there regular checks concerning the update of the corresponding documentation? 2 C2
08D03-09 Are regular tests made of the effective capacity to restore data and restart the application after an incident during operation? 2 3 C1
08D03-10 For encrypted data retrieval, does the Key Management provide the recovery for lost or altered keys? 2 E3 12.3.2
08D04 Backup of software configurations (system, applications and configuration parameters)
08D04-01 Has a backup plan been established which covers all programs and defines all objects to save and the frequency of backups? 4 E1 10.5.1
08D04-02 Does the plan also cover system and middleware configuration parameters to save? 4 3 E2 10.5.1
08D04-03 Does the plan also cover application parameters to save? 4 3 E2 10.5.1
08D04-04 Is the plan implemented by automatic production routines? 2 3 E2 10.5.1
08D04-05 Are there regular tests that the backup copies of programs (source code and/or executables) enable the effective restoration of the 4 2 E2 10.5.1; 14.1.5
production environment at any time?
These tests should consider all the backups (including documentation and parameters files) of legitimate elements.
08D04-06 Are the production routines which ensure backups protected, against illicit or undue modification, by secure mechanisms? 4 3 R1 10.5.1
Such mechanisms might be electronic seal or any equivalent modification detection system.
08D04-07 Are regular tests made of the readability of backups? 2 3 R2 10.5.1

08D04-08 Are all software backup plans and procedures subject to regular audit? 2 3 C1
08D05 Backup of application data
08D05-01 Has a preliminary study been made, in conjunction with the users, to identify the scenarios which backups must be able to cover? 1 E1 10.5.1
08D05-02 Has an analysis been carried out with the users in order to define for each file the maximum acceptable time between two 2 E1 10.5.1
backups?
These studies are to be based on the capacity to rebuild lost information and permit to define the required backup cycle
08D05-03 Have studies been made of the necessary synchronization between bound backups for all platforms in order to ensure the proper 2 E1 10.5.1
functioning of the resumed applications and the coherence of the data necessary for this resumption?

08D05-04 From above studies, have the various procedures been recorded in a backup plan comprising, for each class of files, the 4 2 E2 10.5.1
frequency, the details of constitution and the necessary synchronizations?
08D05-05 Does the backup plan integrate a control plan pointing out the various control points (size of files, duration, reread, etc.) and their 2 E3 10.5.1
frequency?
08D05-06 Does the control plan mention the actions to effect in the case of incident or anomaly? 2 E3 10.5.1
08D05-07 Is the backup plan updated each time the operation's environment is changed? 2 E2 10.5.1
Updates should occur in particular at the time of addition or modification of applications
08D05-08 Has the backup plan been translated to automatic operational routines? 2 E2 10.5.1
08D05-09 Are regular controls carried out to ensure that a restart or start up is possible from the backups made (i.e. a complete test which 4 2 E2 10.5.1; 14.1.5
verifies all functionality and the absence of synchronization or coherence problems)?
08D05-10 Are production routines which effect backups under strict control with regard to illicit or undue modification? 4 3 R1 10.5.1
A strict control requires a reinforced access control to modify these routines, a logging and an audit of all modification and/or an
integrity control by electronic sealing of the automatic operational routines.
08D05-11 Do the data saving and retention procedures offer guarantees of compliance to regulations and commitments from the organization 1 E3 10.5.1
regarding confidentiality and integrity?
08D05-12 Are there regular tests to reread backups of application data? 2 3 E2 10.5.1
08D05-13 Are several generations of files systematically kept in order to guard against any losses or illegibility by organizing, for example, the 4 E3 10.5.1
rotation of backup storage media?
08D05-14 Are all data backup plans and procedures regularly audited? 2 3 C1
08D06 Disaster Recovery Planning for IT operations
08D06-01 Have all the scenarios which may impact the IT infrastructure and services been considered and, for each scenario, the 4 E1 14.1.3
consequences in terms of service unavailability for users?
08D06-02 For each scenario, and in agreement with the users, have a list and schedule of IT service resume been defined? 4 2 E2 14.1.3
Loss of information, means to reconstruct them and temporary operational procedures must be considered.
08D06-03 Has an activity recovery solution been defined and implemented to resolve each scenario identified above, in accordance with user 4 2 E1 14.1.3
requirements?
08D06-04 Are the technical, organizational and human resources sufficient to address the organization's requirements for IT continuity? 4 E2 14.1.3
This means being able to correct personnel deficiencies
08D06-05 Are the technical, organizational and human resources educated to address the organization's requirements for IT continuity? 4 E2 14.1.3
This implies to train appropriately all concerned staff.
08D06-06 Are all these solutions described in detail in Disaster Recovery Plans including the conditions for triggering the plan, the actions to 4 E1 14.1.3
execute, the priorities, the actors to mobilize and their contact details?
08D06-07 Are these plans tested at least once a year? 4 2 E2 14.1.5
08D06-08 Are above tests able to guarantee that the staff capacity and the recovery systems can cope, under full operational load, the 4 3 E2 14.1.5
minimum IT services required by users?
The tests required to obtain this guarantee are preferably full scale tests of each variant of scenario, involving all users. The results
of the tests have to be registered and analyzed in order to improve the capability of the organization to answer to the situations
considered.

08D06-09 If the recovery solutions include delivery of hardware components (which cannot be triggered during tests), is there a contractual 4 2 E2
commitment by the manufacturer or any relevant third party (leaser, broker, distributor) to deliver the replacement hardware within
fixed and anticipated time limits as stated in the recovery plan?
08D06-10 Has the unavailability or failure of the recovery facility been considered and has a replacement solution been defined and validated 2 3 E2
(second level recovery)?
08D06-11 Has this (second level recovery) solution been validated? 2 3 E3
08D06-12 Is the recovery solution usable for an unlimited duration and, if not, has a follow on replacement solution been established? 2 3 E3
08D06-13 Are the existence, the pertinence and the updates of the IT services Recovery Plans regularly controlled? 2 3 C1
08D06-14 Is the updating of the above procedures within the recovery plan subject to regular audit? 2 3 C1
08D07 Anti virus protection for production servers
08D07-01 Have the measures to be taken by the IT staff been defined so as to prevent, detect and correct any attacks by malevolent code 2 3 E2 10.4.1
(virus, spyware, other)?
08D07-02 Are production servers (including office and mail servers) protected by anti virus or malevolent code software? 4 E1 10.4.1
08D07-03 Are several antivirus software (from different editors) simultaneously operating for the protection of the operation servers? 4 E2
08D07-04 Are antivirus software products regularly and automatically updated (daily)? 4 2 E2
08D07-05 Is a subscription held with an emergency response center able to warn and anticipate large scale virus attacks for which the 4 3 E3
installed antivirus software is not yet up to date?
08D07-06 Is there an emergency committee which can be implemented quickly in the case of alert or detection of viral infection? 4 3 E2
08D07-07 Is the activation and the update of antivirus software on servers subject to regular audit? 2 3 C1
08D08 Management of critical systems (regarding maintenance continuity)
08D08-01 Have the consequences of the disappearance of a supplier been analyzed (in the case of failure, a bug or change requirement) 2 E2
and has a list of critical systems been established?
This is valid for hardware, software or service providers
08D08-02 For all critical systems, has a corrective solution been analyzed to cope with the failure or disappearance of a supplier 2 E2
(consignment of maintenance documentation or source code with a trusted third party, hardware replacement by standard market
solutions etc.)?
08D08-03 Is there a guarantee that the corrective solutions could be made operational within time delays compatible with the continuity of the 2 2 E2
business and accepted by the users?
08D08-04 Have variants to the primary solution been considered in case it might encounter unforeseen difficulties? 2 3 E3
08D08-05 Is there a regular review of critical systems and corrective solutions envisaged? 2 3 C1
08D09 Off site emergency (recourse) backups
08D09-01 Are all software backups and configuration files, which enable the restoration of the production environment, also saved at a 4 3 E1
location off premises (recourse backup)?
08D09-02 Are all data saved for backup also saved at a location off premises (recourse backup)? 4 2 E1
08D09-03 Are regular tests carried out that these emergency backups can be read? 2 3 E2
08D10 Maintaining user accounts
08D10-01 Has it been defined with the users the maximum acceptable delay for reinstating their rights following the accidental or deliberate 4 E1
blocking of their accounts (application, system, or network?
08D10-02 Is the procedure to follow if an account is blocked defined? 4 E2

08D10-03 Is this procedure known to users? 2 E2
08D10-04 Does this procedure respect the maximum acceptable delay in the case of isolated blockage of several accounts (denial of service 2 2 E2
attack)?
08D10-05 Is the possibility of simultaneous blockage of many accounts allowed for? 4 3 E3
08D10-06 Has the procedure to follow if many accounts are simultaneously blocked been defined with users? 4 3 E3
08D10-07 Are user account preservation procedures audited regularly? 2 2 C1
08E Management and handling of incidents

08E01 Online detection and treatment of IT related abnormal events and incidents
08E01-01 Has a detailed analysis been carried out of the events or succession of events which may reveal abnormal behaviors or illicit 4 E2
actions and, as a consequence, have specific monitoring indicators or control points been identified?
08E01-02 Is the system equipped with an automatic real time monitoring system in the case of an accumulation of abnormal events (for 4 E3
example unsuccessful connection attempts on non-open ports)?
08E01-03 Is there one application able to analyze the individual anomaly diagnostic data and trigger an alert to operational personnel? 4 E3
08E01-04 Is there, within operational personnel, a team or individual available 24 hrs a day and capable of reacting in the case of an alert 4 2 E3
after this application has detected an anomaly?
08E01-05 Has the expected response time from the surveillance team been defined for each case of alert and are its availability and staffing 4 E3
level sufficient to meet these expectations?
08E01-06 Are the alarm definition parameters strictly protected (restricted access rights and strong authentication ) against illicit 4 3 R1
modification?
08E01-07 Does the shutdown of the alarm system trigger an alert with the surveillance team? 4 3 R1
08E01-08 Are all the elements which enabled the detection of an anomaly or incident archived (on disk, cassette or DON etc.)? 2 E2
08E01-09 Are the procedures of detection of the anomalies and the availability of the surveillance team subject to regular audit? 2 3 C1
08E02 Offline management of traces, logs and event journals
08E02-01 Has a detailed analysis been carried out of the events or succession of events which may have an impact on security (refused 2 E1
connections, reconfigurations, changes in performance, access to sensitive data or tools etc.)?
08E02-02 Are these events recorded as well as the parameters useful for their subsequent analysis? 4 E1
08E02-03 Is there an application able to analyze these records as well as performance measurements and to infer statistics, a dashboard, 4 2 3 E2
anomaly diagnostics, etc. for examination by a competent team?
08E02-04 Is the structure in charge of the analysis of these summaries (or incident logs and security related events) obliged to do so at 4 E2
regular intervals and does it have sufficient availability?
08E02-05 Has the expected reaction from the surveillance team been defined for each case of alert and is its availability level sufficient to 4 E3
meet these expectations?
08E02-06 Are the parameters defining the elements to record and the summaries effected on these elements strictly protected against 4 R1
unauthorized change (limited rights and strong authentication)?
08E02-07 Is any inhibition of the recording and processing system immediately signaled to the surveillance team? 4 R1
08E02-08 Are the records and summary analyses kept for a long period? 2 E2
08E02-09 Are the procedures for recording, processing and analysis of the records and summaries as well as the availability of the analysis 2 C1
and corrective team subject to regular audit?
08E03 Management of system and application incidents

08E03-01 Is there a hot-line charged with taking and recording calls and to log and escalate all incidents? 2 E1
08E03-02 Is this hot-line team available 24 hours a day? 2 E2
08E03-03 Is there a system to support incident management? 1 E2
08E03-04 Does this system centralize incidents detected both by operational personnel and by users? 4 2 E2
08E03-05 Does the system cater for a systematic follow-up of necessary actions? 4 E3
08E03-06 Does this system incorporate a categorization of incidents with statistics generation and dashboards destined for use by the 4 E3
08E03-07 Is the incident management system strictly controlled with regard to unauthorized or inadvertent modification? 4 3 R1
A strict control requires a reinforced protection in order to modify records and an audit trail of all modifications of records or
protection by electronic seal on all records modification.
08E03-08 Is each a major incident on systems or applications subject to a specific follow-up (nature and description, priority, technical 4 E2
solution, progress analysis, expected resolution lead time etc.)?
08F Control of administrative rights
08F01 Control of administrative access rights granted on systems
08F01-01 Have profiles been defined, within IT operations staff, corresponding to each type of activity (system administration, administration 1 E1 10.1.3; 11.2.2
of security equipment, system monitoring, management of data storage and backup functions etc.)?
08F01-02 For each profile have the necessary rights and privileges been defined? 4 2 E1 10.1.3
08F01-03 Does the process of attributing special rights require the formal authorization of management (or the manager responsible for 4 2 E2 10.1.3
external service providers) at a sufficiently high level?
08F01-04 Is the process of attributing special rights allocated only in relation to the profile of the holder? 4 2 E2 10.1.3
08F01-05 Is the process of granting (modification or revocation) of special rights to an individual strictly controlled? 4 2 3 R1 11.2.2
A strict control requires a formal recognition of the signature (electronic or not) of the requestor, that there be a tight control of
access in order to attribute or modify such rights and that any modification of special rights be logged and audited.
08F01-06 Is there a systematic process of removal of special rights at the time of departure or role change of IT operations staff? 2 E2 11.2.4
08F01-07 Is there a regular audit, at least once a year, of all special rights attributed ? 1 2 C1 11.2.4
08F02 Authentication of administrators and operational personnel
08F02-01 Is the authentication protocol used for administrators or holders of special rights considered to be secure? 4 4 E2
08F02-02 Are the rules, for instance in the case of passwords, considered to be very strict? 2 E2
Strict rules impose the use of tested non-trivial passwords, using a mixture of different types of characters and of a reasonable
length (ten characters). It is desirable that these rules have been approved by the Information Security Officer
08F02-03 Is there a consistent control of the administrator's rights, of its context, and of the suitability of this context with the requested 4 E2

08F02-04 Are authentication parameters under strict control? 4 2 R1
A strict control requires that the list of people able to change authentication rules, the credentials themselves and the surveillance
rules of connection attempts be strictly limited, that there be a reinforced access control in order to be able to modify these rights
and that any modification of these rights be logged and audited and that there be a general audit at least once a year of all
08F02-05 Are the processes that guarantee authentication under strict control? 4 3 R1
an audit at least once a year of the authentication procedures and processes.
08F02-06 Is there a regular audit of the privileged profiles effectively granted? 4 3 C1 11.2.4
08F02-07 Is there a regular audit of the procedures of granting privileged rights and the security parameters attached to protecting profiles 4 3 C1
and rights?
08F03 Surveillance of system administrators' actions
08F03-01 Has a detailed analysis been carried out of the events and operations carried out with administrative rights which may potentially 2 E2 10.10.4; 10.6.1
have an impact on system security (configuration of security systems, access to sensitive information, usage of sensitive tools,
download or modification of administrative tools etc.)?
08F03-02 Are these events recorded as well as all parameters which may be useful for their subsequent analysis? 4 E2 10.10.4; 10.6.1
08F03-03 Is there a system able to detect any modification or deletion of a past record and to immediately trigger an alarm to a manager? 4 2 E3 10.10.4
08F03-04 Is there a summary of these records enabling management to detect abnormal behavior? 4 3 E3 10.10.4
08F03-05 Is there a system enabling the detection of any modification of recording parameters and to immediately trigger an alarm to a 4 2 E3 10.10.4
manager?
08F03-06 Does any inhibition of the recording and processing of the logged events system trigger an alarm to a manager? 4 E3 10.10.4
08F03-07 Are all records or summary analyses protected against any falsification or destruction? 2 E2 10.10.4
08F03-08 Are all records or summary analyses kept for a long period? 2 E2 10.10.4
08F03-09 Are the procedures, which record and process privileged operations, regularly audited? 2 C1 10.10.4
08G Audit and control Procedures relative to Information Systems
08G01 Operation of Audit Control
08G01-01 Have requirements and enforced procedures for the audit of IT systems been enacted by Management? 4 E2 15.3.1
08G01-02 Are the rules related to Information System audits, relevant procedures and associated responsibilities defined and documented? 3 E2 15.3.1
The restrictions concern the type of access to data and applications, the authorized controls and processing, the deletion of
sensitive data obtained, the flagging of certain operations, ... and the empowerment of the individuals conducting the audits.
08G01-03 Are the auditors independent of the concerned activities? 2 E2 15.3.1

08G01-04 Are audit operations conducted for critical data recorded? 2 E3 15.3.1
08G02 Protection of Tools and Audit Results
08G02-01 Are the audit tools protected to avoid any unauthorized or malevolent use? 3 E2 15.3.2
This applies particularly to intrusion testing and vulnerability assessments.
08G02-02 Are the audit results protected against any modification or disclosure? 3 E2 15.3.2
08G02-03 Are the auditors' activities delimited? 2 E2 15.3.2
Such a delimitation is especially recommended regarding external auditors

08H Management of IT related archives
08H01 Organization of the management for IT archives
08H01-01 Is there an organization in charge of archiving IT files that require to be kept over a long period? 4 E2
08H01-02 Is there a procedure forcing users to use this archiving service for all the files that require to be kept over a long period? 4 E2
08H01-03 Has a list of conditions been established and updated by each owner of data requiring to be archived concerning the archiving 4 1 E1
rules?
08H01-04 Are the requirements for external (legal and regulatory) and internal archiving defined and tackled by the entity owning the data 4 E1 13.2.3; 15.1.3
and accepted by the top management at the highest level?
The consequences (legal, financial, image) of non compliance (partial or total) of the archiving requirements must be endorsed by
the board of managers.
08H01-05 Are service agreements negotiated with the IT department, considered as agents only for the data? 4 1 E2 15.1.3
Each agreement must state the requirements: content of the archives, retention duration, durability, capacity to trace, imputability,
non disclosure, procedures and delay for disposal, administrative constraints, etc.
A clear separation must be stated between the content of the archives, under responsibility of the owner of data, and the container
(media, disks, tapes, cartridges) under the responsibility of the IT department.
08H01-06 Are the resources necessary for archiving the data known and financed over the longer term? 2 1 E2 15.1.3
08H01-07 Are there regular readability tests of the archives? 4 C1
08H01-08 Are the possible modifications resulting from technological or regulatory evolutions, that may modify the content or the containers 4 2 E2
of the archives, taken into account, documented and accepted by the management?
These evolutions cannot be avoided on the long term and all the external regulations must be respected in order to guarantee the
conformity of the data to the original ones.
08H01-09 Is the existence of the hardware and software tools for the processing of the archives regularly controlled? 2 C1
08H01-10 Is there a regular control of the procedures stated for the archiving and any deviation related to the data owners? 4 2 C1
The controls must also look for eliminating the possibilities of fraud involving the persons in charge of the operations as well as
those who may have an access to the contents or the containers.
08H01-11 Are all the procedures concerning the archiving policy audited regularly? 4 3
08H02 IT Archives access management
08H02-01 Have the requirements and procedures to be followed to access the archives been specified by management? 2 E2 15.3.1
08H02-02 Does each archive or set of archives have a designated owner? 4 E2
08H02-03 Are requests for extracts from the archives accepted only from the designated owner? 4 2 E2
08H02-04 Is a request from the owner subject to authentication? 4 2 E2
08H02-05 Is this authentication check considered to be strong? 4 3 E3
08H02-06 Given that users do not have access to the archives, does the archival department always keep the original version? 4 3 E3
08H02-07 Is access to the archives by archival personnel subject to strong authentication? 4 3 E3
08H02-08 Is each access recorded in a secure manner? E3
4 3
08H02-09 Is transfer of an archive or of a copy to the requester carried out in a secure manner? 4 3 E3
08H02-10 Are the conditions of access to the archives and the associated security systems audited regularly 3 2 C1
08H03 Management of IT archive safety

08H03-01 Are the archive storage locations equipped with suitable fire detection and extinction systems and water leakage detection and 3 2 E2
evacuation?
08H03-02 Are the archive storage locations equipped with an access control system backed up with intruder detectors? 3 E2
08H03-03 Are the archive storage locations under video surveillance when not occupied? 2 3 E2
08H03-04 Are the archive storage locations under permanent video surveillance? 2 3 E2
08H03-05 Are archive media labeled without reference to the content? 3 E2

08H03-06 Are the index tables used to associate content to an archive media number inaccessible to the staff managing the archive media? 3 3 E2
08H03-07 Are these index tables backed up? 3 3 E2

08H03-08 Does stopping or interrupting the safety systems (fire, water, access control, intrusion detection) cause an alarm at a monitoring 3 3 R1
center for rapid intervention?
08H03-09 Are the storage conditions for archives and the associated safety systems audited regularly? 3 2 C1

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Audit Questionnaire: Application Security 1 variant
Quest. Nr Question R-V1 R-V2 R-V3 R-V4 P Max Min Typ ISO 27002
09A Application access control
09A01 Management of application data access profiles
09A01-01 Has a management policy for access rights to data and information been established, built from an analysis of the security 2 E1 11.1.1
requirements based on the business stakes?
09A01-02 Is access to applications and associated data defined in terms of job profiles which regroup roles or functions within the 4 2 E1 11.2.2; 11.6.1
organization (a profile defines access rights available to holders of the profile)?
Note: in certain circumstances the notion of "profile" may be replaced by the notion of "group".
09A01-03 Is it possible to adjust the access rights (that establish rights attributed to a given profile), variable parameters based on the 4 E2
connection context such as the origin of the request or network paths used, or depending on protection means used (protocol,
encryption, etc) and on the classification of the resources accessed?
09A01-04 Do the access profiles also allow definition of working time limits and periods in the working calendar (daily hours, weekends, 2 E3 11.5.6
holidays etc.)?
09A01-05 Have these profiles and the access rights attributed to the different profiles been approved by the information owners and/or the 4 E2
09A01-06 Are the processes of definition and management of rights attributed to profiles under strict control? 4 2 R1
A strict control requires that the list of people allowed to change rights attributed to profiles be strictly limited and that the
implementation of these rights (e.g. into tables) be strictly secure and that there exist a reinforced access control for any
modification of these rights and that any modification be logged and audited.
09A01-07 Is it possible to review at any time the list of profiles and the rights attributed to each profile? 2 2 C1
09A01-08 Is there a regular audit, at least once a year, of the totality of rights attributed to each profile and the profile management 4 2 C1 11.2.4
procedures?
09A02 Management of access authorizations to application data (granting, delegation, revocation)
09A02-01 Does the procedure of granting access authorization to applications require the formal authorization of line management (at a 4 2 E1 11.6.1
sufficiently senior level)?
09A02-02 Are authorizations granted to named individuals and only as a function of their profile? 2 E1 11.6.1
09A02-03 Is the procedure for granting (or modification or revocation) of access rights (directly or via a profile) strictly controlled? 4 2 3 E2 11.2.2
the profile attributed to users in the form of tables is highly secure and that there be a reinforced access control over the
modification of such records and that any modification of records be logged and audited.
09A02-04 Is there a systematic process of updating the table of access rights at the time of departure of personnel (internal or external 4 E2 11.2.4
personnel)?
09A02-05 Is there a systematic process of updating the table of access rights at the time of change of function? 4 E3 11.2.4
09A02-06 Is there a strictly controlled process (see below) which allows rights to be delegated, in part or in whole, to a person of choice for a 4 E3
determined period (in case of absence )?
In this case, the delegated rights must no longer be available to the person who has delegated them during this time. The latter
however, must have the possibility of taking them back, by which process he or she effectively ends the delegation.
09A02-07 Is it possible to control at any time, for all users, the rights, authorizations and privileges in force? 2 C1
09A02-08 Is there a regular audit, at least once a year, of the profiles and authorizations granted to all personnel and the procedures for 1 2 C1 11.2.4
management of attributed profiles?
09A03 Authentication of the access requestor
Mise jour : janvier 2010 351061430.xls ! 09 App page 234

09A03-01 Does the process of distribution or modification of the user credentials guarantee that only the holder of the identifier has access 2 1 E1 11.5.3
(initial communication is confidential, password change is under the exclusive control of the user, etc.)?
09A03-02 Does the process of creation or modification of a user credentials respect a set of rules which ensures its intrinsic validity? 4 2 E2 11.2.3; 11.5.3
In the case of passwords: sufficient length (8 characters or more), obligatory mixture of types of characters, frequent change (less
than once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard
systems", first names, anagrams of username, dates etc.
In the case of certificates or use made of cryptographic mechanisms for authentication: a generation process evaluated or publicly
recognized, encryption keys of a sufficient length etc.
09A03-03 Does the presentation of his credentials by the user guarantee their inviolability? 4 2 E3 11.5.3
Typing a password will always be a weak point. The only processes whose observation does not divulge information consist either
of introducing an object containing a secret (smart card), or using a code which changes at every moment (token card) or using a
means of which contains some biometric characteristic.
09A03-04 Is there a guarantee that the credentials, used for authentication, will remain inviolable and authentic while kept or presented by 2 2 3 E2 11.5.3
the user or by the user agent?
Passwords must be stored encrypted and a preliminary access control must be made before usage.
In the case of authentication using cryptographic processing, the mechanism must provide solid guarantees validated by a
reference organization.
09A03-05 Is there a guarantee that the credentials, used for authentication, will remain inviolable and authentic while transmitted between the 2 2 3 E3 11.5.3
user and the target systems?
In the case of authentication using cryptographic processing, the mechanism must provide solid guarantees validated by a
reference organization.
09A03-06 In the case of multiple incorrect authentication attempts, is there a process which automatically invalidates the user identifier, even 4 2 E2 11.5.3
the user workstation itself, or a slowing of the authentication process (aimed at preventing connection from an automatic routine)?
09A03-07 Does the procedure for the replacement of lost or mislaid user authentication means (password, token card) allow for the instant 2 2 E2 11.5.3
deactivation of the user account?
09A03-08 Does the procedure for the replacement of lost or mislaid user authentication means (password, token card) allow for an effective 2 2 E3 11.5.3
control of the requestor's identity?
09A03-09 Are authentication parameters under strict control? 4 2 R1
A strict control requires that people able to change the definition rules of credentials, the credentials themselves, rules of
surveillance of connection attempts etc., be strictly limited and that there exists a reinforced access control to effect these
modifications, that these modifications be logged and audited and that a general audit be run at least once a year of all
09A03-10 Are the processes that guarantee authentication under strict control? 4 3 C1
A strict control requires that the software used has been validated and undergoes a regular test for integrity (seal) and that there be
an audit at least once a year of authentication procedures and processes (including the processes which aim to detect violations
attempts and the processes which respond to these violation attempts).

09A04-01 Does any access to the system require the use of an identifier recognized by the system? 1 2 E1 11.5.2; 11.6.1

09A04-02 Is there a direct or indirect correspondence between any identifier and a real physical person? 4 2 E1 11.5.2; 11.6.1
In the case where an application calls another one or calls a system, it may be that the application does not transfer to the target
system the identifier which originally made the request. However, the link between that call and the original user identifier must
remain traceable after the fact.
09A04-03 Have all generic or by-default accounts and passwords been changed or deleted? 4 2 E2 11.5.2
09A04-04 Is the acceptance of the account identified by the system systematically followed by authentication control? 2 2 E2 11.5.2
Systematic authentication requires that the process be implemented for all subsystems (remote processing monitor, database
management system, batch processes, etc. ), for all application requests, for all access routes and for all ports, including ports
reserved for remote maintenance.
09A04-05 May the authentication process be repeated during an open session for transactions considered to be sensitive? 4 E3 11.5.6
09A04-06 Is there an automatic invalidation of the user identifier in the absence of traffic after a defined delay, which requires user re- 4 E3 11.5.5
identification and re-authentication?
09A04-07 Are there application access controls which limit the view and access to very sensitive information? 4 E3 11.6.1
09A04-08 Is there a systematic control of the profile and connection context of the requestor and of their appropriateness for the access 4 2 R1
requested?
09A04-09 Is the process of definition and management of access filtering rules under strict control? 4 2 C1
A strict control requires that the list of persons able to change the filtering security parameters be extremely limited, and that there
be a reinforced access control in order to be able to effect such modification and that any modification be logged an audited.
09A04-10 Are the processes that guarantee access filtering under strict control? 4 3 R2
an audit at least once a year of access control procedures and processes (including the processes which aim to detect change
attempts and the processes which respond to these change attempts).
09A05 Authentication of the application for access to sensitive applications

09A05-01 Is there a possibility to declare applications as sensitive and, as such, requiring an authentication of the application accessed? 4 1 E2
09A05-02 Is there a mechanism of authentication of the application called before access to a sensitive application from the internal network? 4 1 E2
09A05-03 Does the authentication mechanism of the accessed sensitive applications provide a recognized "strong" level of security? 4 2 E3
Notably the usage of a simple password will always be a weakness. The only methods recognized as "strong", that is observable
without divulging information, are those based on cryptographic algorithms.
09A05-04 Do the security equipment that retain credentials (e.g. passwords, calling number, etc.) use mechanisms which guarantee their 4 3 E2
09A05-05 Does the transmission of credentials (e.g. passwords, calling address, etc.) between calling user equipment and authentication 4 3 E3
systems use mechanisms which guarantee their impregnability and authenticity?

09A05-06 Does the revoked keys management procedure guarantee that the control systems take into consideration in real time any 4 2 E2
revocation of keys?
09A05-07 Does the revoked keys management procedure guarantee that the control systems systematically test that the keys used have not 4 2 E3
been revoked?
09A05-08 Are the processes that guarantee the authentication of the accessed entities under strict control? 4 3 R1
09B Control of data integrity

09B01 Sealing of sensitive data
09B01-01 Have integrity sensitive files been identified which must be protected by sealing solutions and have such solutions been 4 E2
implemented at the application level?
09B01-02 Are the seals controlled automatically by the corresponding applications? 4 2 E3
09B01-03 Does the sealing solution offer valid and solid guarantees and has it been approved by the Information Security Officer? 4 2 E3
The sufficient length of the key is one of the parameters to take into consideration. The recommendation of an official organization
can be a confidence factor.
09B01-04 Do the procedures and mechanisms for storage, distribution and exchange of keys and more generally the management of keys 4 3 R1
09B01-05 Are the sealing mechanisms strictly protected against violation or change? 4 3 3 R2
In the case of hardware sealing and appliances, they should be physical protected against access to the sealing mechanisms. If a
software solution is used, it must itself contain an integrity control.
09B01-06 Is shutdown or by-pass of the sealing solution immediately detected and signaled to a team available 24 hrs a day and capable of 4 2 R2
09B01-07 Is there a procedure detailing the actions to carry out in the case of error or alert? 3 2 R2
09B01-08 Are sealing mechanisms, their parameters and associated procedures subject to regular audit? 4 3 C1
09B02 Protection of integrity of exchanged data
09B02-01 Have all data exchanges which must be protected by sealing solutions been defined and have such solutions been implemented at 4 E2 12.2.3
the application level?
09B02-02 Are the seals controlled automatically by the corresponding applications? 4 2 E3 12.2.3
09B02-03 Does the sealing solution offer valid and solid guarantees and has it been approved by the Information Security Officer? 4 2 E2 12.2.3
The sufficient length of the key is one of the parameters to take into consideration (as a function of the algorithm). The
09B02-04 Do the procedures and mechanisms for storage, distribution and exchange of keys and more generally the management of keys 4 3 R1
09B02-05 Are the sealing mechanisms strictly protected against violation or change? 4 3 3 R2
In the case of hardware sealing and appliances, they should be physical protected against access to the sealing mechanisms. If a
09B02-06 Is shutdown or by-pass of the sealing solution immediately detected and signaled to a team available 24 hrs a day or by direct call 4 2 R2
and capable of triggering an immediate reaction?

09B02-07 Is there a procedure detailing the actions to carry out in the case of error or alert? 3 2 R2
09B02-08 Are sealing mechanisms, their parameters and associated procedures subject to regular audit? 4 3 C1
09B03 Control of data entry
09B03-01 Are sensitive data strictly controlled by the person entering them (auto-control)? 2 E1 12.2.1
09B03-02 Are sensitive data subject to data entry control by an other person? 4 2 E1 12.2.1
09B03-03 Are sensitive data subject to means allowing to ascribe their entry or modification to their author? 4 E3 12.2.1
09B03-04 Are there incentives for data entry without error (individual bonuses, departmental bonuses, penalties in the case of too many 2 E2 12.2.1
errors etc.)?
09B03-05 Is there an overall control of series of data items entered (sum, range, min, max, etc.)? 4 E2 12.2.1
09B03-06 Is data entry subject to coherence checks incorporated into the data entry process? 4 E2 12.2.1
09B03-07 Are these additional checks (range, coherence, etc.) strongly protected against any illicit alteration ? 4 R1
09B03-08 Have the procedures to correct data entry errors been defined? 4 R1 12.2.1
09B03-09 Is the checking process subject to regular audit? 2 3 C1
09B04 Permanent checks (accuracy, etc) relating to data
09B04-01 Has a review been carried out with users to determine suitable controls of the pertinence of data entered or modified (correction in 4 E1 12.2.1; 12.2.4
relation to data ranges, ratios between data entered independently, coherence checks, evolution and comparison with statistics)
and have the corresponding controls been implemented in applications?
09B04-02 Have control parameters (values of data ranges, etc.) been stored in tables separate from the application and which may be easily 4 E2
checked?
09B04-03 Are the processes that guarantee these permanent controls under strict control themselves? 4 3 R1
an audit at least once a year of the control procedures and processes.
09B04-04 Are the parameters of permanent controls under strict control? 4 2 R1
A strict control requires that the list of people able to change control parameters be strictly limited and that there be a reinforced
access control in order to be able to modify these parameters and that any modification of these parameters be logged and
audited.
09B04-05 When these controls exist, are they the integrated into an operational process for alert and processing of errors? 4 E2
09B05 Continuous (plausibility, ) checks on data processing
09B05-01 Have the checks that should be made to verify consistency of the data after processing by the application been analyzed with the 4 E1 12.2.1; 12.2.4
users (test variables, ratios, evolution and comparison before and after processing, etc.), and have the corresponding checks been
implemented in the applications?
09B05-02 Are the parameters for these checks recorded in tables separated from the application code and easily verifiable? 4 E2
09B05-03 Are the processes insuring continuous checking of the data processing under strict control? 4 3 R1
Strict control requires that the corresponding software is validated and is subject to a regular integrity check (sealing) and that
there is an audit at least once a year of the control process and procedures (including procedures for detecting attempts at
modification and for reacting to these attempts).
09B05-04 Are the check parameters under strict control? 4 2 R1

Strict control requires that the list of people authorized to change the control parameters is very limited, that strong access control
is applied to all modifications, and that the modifications are logged and audited.
09B05-05 Are the checks that exist integrated into an operational procedure that signals and handles any errors? 4 E2
09C Control of data confidentiality

09C01 Encryption of data exchanges
Here we consider the encryption effected directly by the application (ISO layers 6-7, prior to or during transmission).
09C01-01 Have the messages which must be protected by encryption solutions been defined and such solutions been implemented at the 4 E1 12.3.1
application level?
The sufficient length of the key is one of among many parameters to take into consideration (as a function of the algorithm). The
09C01-03 Does the procedure and mechanisms of storage, distribution and exchange of keys and more generally the management of the 4 3 E2 12.3.2
keys offer solid guarantees which merit confidence and are they approved by the Information Security Officer?
09C01-04 Are the encryption mechanisms strictly protected against violation or change? 4 3 3 R2
In the case of hardware encryption and appliances, they should be physical protected against access to the encryption
mechanisms. If a software solution is used, it must itself contain an integrity control.
09C01-05 Is shutdown or by-pass of the encryption solution immediately detected and signaled to a team available 24 hrs a day or by direct 4 2 R1
call and capable of triggering an immediate reaction?
09C01-06 Are encryption mechanisms, their parameters and associated procedures subject to regular audit? 4 3 C1
09C02 Encryption of stored data
09C02-01 Have the files or storage zones which must be protected by encryption solutions been defined and have such solutions been 4 E1 12.3.1
implemented in the application architecture?
09C02-02 Is this encryption systematically applied (as a function of information classification ) and/or automatic (as a function of storage 2 3 E2
media) each time data is written to the storage media or each time the application session closes?
09C02-03 Is this encryption systematically applied each time files are transferred or remotely-loaded by the relevant applications? 2 3 E2
09C02-05 Do the procedures and mechanisms for storage, distribution and, more generally, management of keys offer a sufficient level of 4 3 E2 12.3.2
confidence and have they been approved by the Information Security Officer?
The possibility of having to recover these data on another hardware system or another version of the operating system needs to be
anticipated.
09C02-06 Are the encryption mechanisms strictly protected against intrusion or change? 4 3 3 E3
In the case of hardware encryption and appliances, they should be physical protected against access to the encryption
mechanisms. If a software solution is used, it must itself contain an integrity control.
09C02-07 Is shutdown or by-pass of the encryption solution immediately detected and signaled to a team available 24 hrs a day or by direct 4 2 R1
09C02-08 Are encryption mechanisms for stored data, their parameters and associated procedures (in particular the management and 4 3 C1
protection of keys) subject to regular audit?
09C03 Anti electromagnetic radiation protection
09C03-01 Are means used to prevent radiation from equipment hosting very sensitive applications (Tempest, cable shielding, faradizations of 2 E2
the offices)?
09C03-02 Are radiation levels regularly controlled for equipment hosting these sensitive applications? 2 2 E3

09D Data availability
09D01 Very high security recording
09D01-01 Are specific procedures applied to verify that all data recorded can be reread? 4 2 E2
09D01-02 Are there procedures or an architecture of a very high security level which records all data with redundancy (RAID disks, mirroring, 4 3 E2
etc.)?
09D01-03 Do these very high security procedures enable the reconstitution of data in the case of an error or readability issue for a few 4 E3
sectors?
09D01-04 Have scenarios been defined for which very high security recording is to be used and has the physical protection of storage media 4 E2
been tested to ensure that it is suited to meet the requirements of these scenarios?
09D02 Management of access to data files
09D02-01 Is the list of data file formats that must be readable verified and maintained? 4 3 E1
09D02-02 Are the hardware and software required for reading all these types of data files available or easily made available? 4 3 E1
09D02-03 Do the procedures for allocating and customizing the mechanisms for encryption and protection of files guarantee that the files can 4 3 E2
be accessed, even in the event of the absence or departure of the file owners?
09D02-04 Are the means of recovering access keys or encryption keys protected against accidental or malicious loss? 4 3 E2
09D02-05 Are there regular audits of these means and procedures to guarantee permanent access to the data files? 2 3 E2
09E Service continuity
09E01 Hardware reconfiguration
09E01-01 Has a fail-safe architecture been established, including redundancy and system mirroring for critical equipment or servers? 4 2 E2 14.1.4
09E01-02 Does the implementation of this architecture guarantee the minimum performance levels required in the case of incident or failure? 4 2 E2
Such a guarantee supposes either that failsafe systems features are entirely automatic or that systems will detect failures and staff
will have the specifications and capability to manually reconfigure failed systems.
09E01-03 Is there some assurance in this case that ancillary equipment (power supply, air-conditioning, etc. ) do not introduce any additional 2 E3
risk and do not ruin the redundancy expected from the equipment or network architecture?
09E01-04 Does the shutdown or invalidation of any redundant equipment or failure dtection system (requiring human intervention) trigger an 2 R1
alarm to an operational manager?
09E01-05 Are regular tests made to demonstrate that security equipment is able to guarantee minimum performance levels required in the 2 2 C1
case of an incident or failure?
09E02 Application service continuity plans
09E02-01 Have application service continuity plans been established for each business application, based on its criticality classification 3 E1 14.1.3
level?
09E02-02 Are these continuity plans compatible with the Disaster Recovery Plans for the hardware and systems used by the process or 3 2 E1 14.1.3
application?
09E02-03 Do these continuity plans detail all the actions necessary to ensure service continuity between the time of an alert and the effective 3 2 E2 14.1.3
implementation of solutions prescribed by the Disaster Recovery Plans?
09E02-04 Do these plans treat all the organizational aspects related to a manual emergency solution (personnel, logistic, management etc.)? 3 E2 14.1.3
09E02-05 Have the appropriate instructions and training been given to staff in order to deal with a "manual" emergency solution? 2 E2 14.1.3
09E02-06 Have the application service continuity plans anticipated all the procedures required for a return to normal service? 4 2 E2 14.1.3

09E02-07 Is there a plan which regroups all emergency solutions designed to overcome critical process and application shutdowns? 4 E2 14.1.3
09E02-08 Is the crisis plan initiation compliant with the above application service continuity plan? 4 E2
09E02-09 Are these plans regularly tested under full scale conditions (with operational data volumes) and updated at least once a year? 3 2 C1 14.1.5
09E02-10 Are the updates of these plans regularly audited (at least once a year)? 3 2 C1
09E03 Management of critical applications (with regard to maintenance continuity)
09E03-01 Have the consequences of the disappearance of an application or package editor been analyzed (in the case of failure of a bug or 2 E2
the need for evolution) and has a list of critical applications been deduced?
09E03-02 For each critical application, is there a corrective solution to cope with the failure or disappearance of a supplier (consignment of 2 E2
maintenance documentation and source code with a trusted third party, replacement of equipment or of software by standard
package etc.)?
09E03-03 Is it certain that this corrective solution could be made operational to enable company activity to restart within a time delay 2 2 E2
sufficiently short to be acceptable to users?
09E03-04 Have variants to the primary solution been considered in case the latter might encounter unforeseen difficulties? 2 3 E3
09E03-05 Is there a regular review of critical applications and corrective solutions envisaged? 2 3 C1
09F Control of origin and receipt of data
09F01 Proof of origin, electronic signature
09F01-01 Have sensitive transactions been identified which must be protected by electronic signature solutions implemented at the 4 E2 12.3.1
application level?
09F01-02 Is the conformity of signatures controlled automatically by the application? 4 2 E2
09F01-03 Does the electronic signature solution offer valid and solid guarantees and has it been approved by the Information Security 4 2 E2
Officer?
09F01-04 Do the procedure and mechanisms of storage, distribution and exchange of keys and more generally the management of the keys 4 3 E2 12.3.2
offer solid guarantees which merit confidence and are they approved by the Information Security Officer?
09F01-05 Are the electronic signature mechanisms strictly protected against violation or change? 4 3 3 R2
In the case of hardware solution or appliance, it should be physical protected against access to the signature mechanisms. If a
09F01-06 Is shutdown or by-pass of the signature solution immediately detected and signaled to a team available 24 hrs a day or by direct 4 2 R1
09F01-07 Is there a procedure which details the operations to carry out in the case of error or alert? 3 2 R1
09F01-08 Are electronic signature mechanisms, their parameters and associated procedures subject to regular audit? 4 3 C1
09F02 Prevention of message duplication and replay (numbering, sequencing)
09F02-01 Have sensitive transactions been identified which must be protected by sequencing control solutions implemented at the 4 E2
application level (or at the network level)?
09F02-02 Is the coherence of the numbers and sequences controlled automatically by the application or by the middleware used? 4 2 E2
09F02-03 Does the numbering and sequencing solution offer valid and solid guarantees and has it been approved by the Information 4 2 E2
Security Officer?
The recommendation of an official organization can be a confidence factor.

09F02-04 Are the numbering and numbering control mechanisms strictly protected against violation or change? 4 3 3 R2
In the case of hardware solution or appliance, it should be physical protected against access to the sequencing mechanisms. If a
09F02-05 Is shutdown or by-pass of the numbering system immediately detected and signaled to a team available 24 hrs a day or by direct 4 2 R1
09F02-07 Are numbering mechanisms, their parameters and associated control procedures subject to regular audit? 4 3 C1
09F03 Acknowledgements of receipt
09F03-01 Is there a procedure which requires an acknowledgement of receipt to be sent for all sensitive messages? 4 E1
Note: in certain cases, checks may be based on the signature.
09F03-02 Is an alert triggered when an acknowledgement of receipt is not sent (or received) for sensitive messages? 4 2 E2
09F03-03 Is the acknowledgement of receipt emitted only after the message has been effectively considered by the target application? 4 3 E3
No acknowledgement should be sent for a message still waiting for treatment
09F03-04 Is the acknowledgement of receipt mechanism protected against all undesirable intervention? 2 3 R1
09F03-06 Is the acknowledgement of receipt system subject to regular audit? 3 2 C1
09G Detection and management of application incident and anomalies
09G01 Detection of application anomalies
09G01-01 Have events or successions of events been analyzed which might reveal abnormal behavior or illicit action and, as a consequence, 4 E2
have specific monitoring points been identified?
09G01-02 Are features, detecting and recording sensitive events, installed in applications (with type of event, user identifier, date and time, 4 3 E2
etc.)?
09G01-03 Is there an audit trail within certain sensitive processes which records the events which would enable later diagnosis of 4 3 E3
anomalies?
09G01-04 Are sensitive applications provided with an automatic monitoring function dealing in real time with large numbers of abnormal 4 3 E3
events (for example many unsuccessful connection attempts on user workstations or unsuccessful attempts to use sensitive
transactions)?
09G01-05 Are all these diagnostic elements registered? 2 E2
09G01-06 Are there one or more applications capable of analyzing the individual anomaly diagnostic data and triggering an alert to 4 2 E3
operational personnel?
09G01-07 Does the anomaly diagnostic system trigger an alarm in real time to a permanent surveillance team able or by direct call and able 4 3 E3
to react without delay?
09G01-08 For each case of alert has the expected response from the intervention team been defined and is the availability of the intervention 4 E3
team sufficient to face this expectation?
09G01-09 Are the parameters defining the elements to record and the diagnostic analyses effected on these elements strictly protected 4 R2
(restricted access rights and strict authentication ) against illicit modification?
09G01-10 Does the stopping of the recording and record processing system trigger an alarm with the surveillance team? 4 R1
09G01-11 Are the procedures for recording, processing and diagnostic analysis and the availability of the intervention team regularly audited? 2 C1
09H E-commerce
09H01 Security of the e-commerce Sites

09H01-01 Have the security requirements specific to e-commerce been analyzed and thus defined the necessary protections? 2 E2 10.9.1
09H01-02 Have the security requirements specific to on-line trades been analyzed and thus defined the necessary protections? 2 E2 10.9.2
09H01-03 Have the security requirements specific to making information available to the public been analyzed and thus defined the 2 E2 10.9.3
necessary protections?

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Audit Questionnaire: Security of Application Projects and Developments 1 variant
Number Question R-V1 R-V2 R-V3 R-V4 P Max Min Type ISO 27002
Domain 10 of MEHARI represents a particular point of view that can be summarized as follows: the challenge of security in application
development and maintenance is to protect against the introduction of weaknesses. Quality insurance for the developments, which aims to ensure
that needs are well specified, developments are effected in conformity to a recognized method, that specifications are properly applied and that the
application functions correctly, etc. is not considered within this security domain.
10A Security of application projects and developments
10A01 Consideration of security in application development
10A01-01 Is there a systematic analysis, from the start of project specification, of the dysfunctions which could be induced by the application 4 E1 12.1.1
or applications following the project or during one of the components of the project?
Notes : A project may consist simply of the installation of a software package or of a full internal development.
Possible dysfunctions must be analyzed on two levels: at the level of company activity and its operational processes (do new or
deleted functions represent an additional risk?) and at the IT architecture level (do new or changed infrastructure, operating
system, middleware, applications, data represent additional risk?).
10A01-02 Is an analysis carried out with user managers of the level of impact and probability of possible dysfunction taking into consideration 4 E2 12.1.1
the security measures already in place and the additional or specific measures envisaged in the specifications of the project?
10A01-03 Are there project reviews during which these risks are presented, decisions are taken about their acceptability or not and about 4 2 E1 12.1.1
any additional security measures needed?
10A01-04 Has the possibility of information leaks through hidden canals been considered within risk studies and have adapted controls been 4 2 E3 12.5.4
implemented?
10A01-05 Is the implementation of security measures, specific to the project, formally tracked during the project lifecycle? 4 C1
The tracking may consist of an obligatory review point at each project phase, followed up by documentation detailing the choice of
solutions and the status of their implementation.
10A01-06 Is there a support group, specialized in project risk analysis, assisting the management of the project with the risk analysis 4 E2
process?
10A01-07 Is the Information Security Office implicated, directly or indirectly, in security related decisions in the projects? 10A08 has been 4 E2
deleted
10A02 Change management
10A02-01 Are all change requests for an application subject to a formal review procedure (requestor, rationale, decision process)? 2 E2 12.5.1
10A02-02 Are all automatic software changes or updates made impossible? 2 R2 12.5.1
10A02-03 Are the versions of all software kept up? 2 E2 12.5.1
10A02-04 Are the versions of all associated documentation kept up? 2 E2
10A02-05 When changes are made to the operating systems, is there a review and test of their impact on the applications? 4 E2 12.5.2
10A02-06 Does the change management procedure impose non regression tests to be run? 4 E2 12.5.2
Non regression tests check that the modifications do not change the characteristics nor the performances of the other functions of
the application.
10A02-07 Is the impact on the continuity plans of the changes introduced into the applications taken into account? 2 E2 12.5.2; 14.1.5
10A03 Externalization of software development
10A03-01 When the software development is subcontracted, have the issues regarding license agreement and intellectual property of the 2 E2 12.5.5
code developed been handled?
10A03-02 Were requirements regarding the quality and the security level of the code formally integrated in the contracts? 2 2 E2 12.5.5
10A03-03 Have access rights allowing to audit the quality of the work effected by subcontractors been agreed upon? 2 2 E2 12.5.5
Mise jour : janvier 2010 351061430.xls ! 10 Dev page 264

10A03-04 Have pre-installation tests of new applications been anticipated in order to detect eventual malevolent code? 2 E2 12.5.5
10A03-05 Have security measures regarding code custody, including all accompanying documents, been taken in case of default by a third 2 2 E2 12.5.5
party?
10A04 Organization of application maintenance
10A04-01 Does application maintenance have at its disposal a technical software support center which guarantees rapid, competent 2 E1
assistance in case of difficulty or bug?
10A04-02 Is there a special service agreement for all in-house software requiring high availability and for which standard maintenance would E2
not be provided within acceptable delays? 4 2
10A04-03 Does this special service agreement anticipate the conditions of escalation in the case of intervention difficulty and the possibilities E2
and conditions for calling in the most qualified specialists? 4 3
10A04-04 Is there a guarantee that the competence and availability of the maintenance staff enable them to respond in a satisfactory manner E2
to the maintenance requests of users ?
This agreement should consider weekend and holiday periods as well. 4 2
10A04-05 Is the respect of the maintenance service agreement subject to regular audit? 2 3 C1
10A05 Modification of software packages
10A05-01 Is it avoided, as far as possible, to modify software packages? 2 E2 12.5.3
10A05-02 Is it applied a strict control of changes when obligated to modify software packages? 2 E2 12.5.3
10A05-03 Specifically, has the editor's consent to proceed with said changes been obtained? 2 E2 12.5.3
10A05-04 Have the consequences of those changes on the maintenance provided by the editor been examined? 2 2 E2 12.5.3
10B Ensuring security in the development and maintenance processes
10B01 Ensuring security in the organization of application developments
10B01-01 Do application development procedures impose a strict separation between detailed specification, design, unit test and integration, 4 E1
with the attribution of specific profiles to the various members of the development team specific to the task involved?
10B01-02 Is the attribution of profiles and tasks to application development personnel done on an individual and nominative basis? 2 2 E2
10B01-03 Is a trace kept of the tasks effected by each member of development staff? 2 E2
10B01-04 Are the application development, test and integration environments strictly separated? 4 E1 12.4.1
10B01-05 Have strict and separated access rights been defined for these environments, based on profile and project? 4 E2
A strict access control supposes that it is necessary to get the right profile in order to access to a given environment
10B01-06 Is the authentication protocol for development personnel holding privileged rights considered as strong? 4 4 E3
10B01-07 In the particular case of passwords, can the imposed rules be considered as very strict? 2 E2
Very strict rules impose the use of tested non-trivial passwords, using a mixture of different types of characters and of a reasonable
length (ten characters or more). It is desirable that these rules have been approved by the Information Security Officer.
10B01-08 Do application development procedures require that a person never have sole responsibility for a task? 2 R1
10B01-09 Do application development procedures require that, for sensitive functions, a verification of code is made by an independent 4 3 R2
team?
10B01-10 Do application development procedures require a formal validation, by users, of the coverage of functional tests? 4 E2

10B01-11 Do application development procedures require that the security function provide a formal validation of the coverage of tests 4 3 E3
related to security functions or mechanisms?
10B01-12 In the case of software packages or developments conferred on IT service companies are the above conditions contractually 2 E1
imposed on the editor, partner or subcontractor?
10B01-13 Are the management control parameters of rights attributed to development personnel under strict control? 4 C2
A strict control requires that the list of people able to change per project rights attributed to development staff, the access control
parameters to development environments and objects be strictly limited and that there be a reinforced access control in order to be
able to modify these rights and that any modification of these rights be logged and audited.
10B01-14 Are the organization of tasks within development teams and the application of clear segregation and control rules regularly 2 C1
audited?
10B02 Ensuring confidentiality in application developments
10B02-01 Do the development procedures impose an analysis of the confidentiality of applications developed and a classification of objects 4 E1
implemented in the course of developments (documentation, source code, executable code, study notes, etc.)?
10B02-02 In the case of development of a confidential application, are their special procedures for management of documentation? 4 E1
10B02-03 In the case of development of a confidential application, are profiles put in place which enable the distribution of confidential 4 2 E1
information to be limited only to people who have a real need?
10B02-04 Are source code, executable code and documentation protected by a strict access control procedure which details, as a function of 4 2 E2 12.4.3
development phase, the authorized profiles having access to these objects as well as the storage conditions and corresponding
access control rules?
An access control procedure using strict access conditions should guarantee that all code or documentation modification is made
by an authorized person under authorized conditions.
10B02-05 Are the control parameters related to the management of rights attributed to development personnel under strict control? 2 3 R2
A strict control requires that the list of people able to change rights attributed to development personnel by project and the access
control parameters to development environment and objects be strictly limited and that there be a reinforced access control in
order to modify these rights and that any modification of these rights be logged and audited.
10B02-06 Are the processes which ensure the filtering of access to development objects (documentation and code ) under strict control ? 2 3 R3
an audit at least once a year of the procedures and processes of access filtering (including the process aiming to detect
modification attempts and the processes which respond to these modification attempts).
10B02-07 In the case of developments of packages or conferred on IT service companies are the above conditions contractually imposed on 2 2 E1
the editor, partner or subcontractor?
10B02-08 Is the management of access rights to development objects, protection procedures and mechanisms subject to a regular audit? 2 3 C1
10B03 Security within Internal Processing of Applications

10B03-01 During the design or implementation of applications, is it conducted a detailed study of the processing failures that could result in 4 E2 12.2.2
an integrity loss?

10B03-02 Specifically, is it made sure that the use of the functions "Add", "Modify", "Delete" could not result in a loss of integrity (referential 2 E2 12.2.2
integrity, etc)?
10B03-03 Has the processing sequence of execution been validated and has the restart sequence after failure of a previous processing 2 E2 12.2.2
been anticipated?
10B03-04 Have prevention controls against buffer overflow attacks been anticipated? 2 E2 12.2.2
10B04 Protection of Data during tests
10B04-01 For testing, is the use of functional databases containing personal information or any other sensitive information avoided? 4 E1 12.4.2
10B04-02 If sensible or personal data have to be used, is it ensured deleting sensitive details and contents before using them (or make them 2 2 E2 12.4.2
anonymous)?
10B04-03 When using operations data, do the access control procedure that apply to the running applications also apply to the test 2 2 E2 12.4.2
applications?
10B04-04 Is the operating information used by a test application deleted immediately after the test is completed? 2 E2 12.4.2
10B04-05 Is there a log of all copy or use of operating data during tests to create a audit trail? 2 C1 12.4.2
10B05 Security of application maintenance
10B05-01 Do application maintenance procedures impose a strict separation between detailed specification, design, unit test and integration 4 E1
tasks, with the attribution of specific profiles to the various members of the maintenance staff?
10B05-02 Is the attribution of profiles and tasks to maintenance personnel done on an individual and named basis? 2 2 E2
10B05-03 Is a trace kept of the tasks effected by each member of the maintenance staff? 2 2 E2
10B05-04 Are the application maintenance, test and integration environments strictly separated? 4
10B05-05 Have strict and separated access rights been defined for these environments, based on profile and project? 4 E2
A strict access control supposes that it is necessary to get the right profile in order to access to a given environment
10B05-06 Is the authentication protocol for development personnel holding privileged rights considered as strong? 4 4 E3
10B05-07 In the particular case of passwords, can the imposed rules be considered as very strict? 2 E2
Very strict rules impose the use of tested non-trivial passwords, using a mixture of different types of characters and of a reasonable
length (ten characters or more). It is desirable that these rules have been approved by the Information Security Officer.
10B05-08 Do application maintenance procedures require that a person never be the only person responsible for a task? 2 E2
10B05-09 Do application maintenance procedures require that, for sensitive functions, a verification of code is a made by an independent 4 3 E2
team?
10B05-10 Do application maintenance procedures require a formal validation, by users, of the coverage of functional tests? 4 E2
10B05-11 Do application maintenance procedures require that a formal validation be run by the security function of the coverage of tests 4 3 E3
related to security functions or mechanisms?
10B05-12 In the case of application maintenance conferred on outside contractors, are the above conditions contractually imposed on the 2 E1
partner or subcontractor?
Note: when the maintenance is assured by a software editor and/or in a another country, separated by considerable distance, the
guarantees made in respect of maintenance conditions must be reviewed with great care.

10B05-13 Are the control parameters related to the management of rights attributed to application maintenance personnel under strict 4 C2
control?
A strict control requires that the list of people able to change profiles by project attributed to application maintenance personnel and
the access control parameters to maintenance environments and objects be strictly limited and that there be a reinforced access
control in order to be able to modify these rights and that any modification of these rights be logged and audited.
10B05-14 Are the organization of tasks within application maintenance and the application of clear segregation and control rules regularly 2 C1
audited?
10B06 Hot Maintenance
10B06-01 Is real-time (hot) maintenance, when done directly in the production environment, subject to the triggering of a formal procedure 4 2 E1
including, in particular, the formal agreement of the operational director and the manager responsible for the application domain (or
data owner) concerned?
10B06-02 Is a full backup of the production environment (systems and applications) made before any real time maintenance, which would 4 2 E2
enable a return to the previous situation in case of a problem?
10B06-03 Is a full backup of operational data (synchronized) made before any real time maintenance so as to enable a return to the prior 4 2 E2
situation in case of a problem?
10B06-04 Is a trace kept of all operations effected and commands launched during any real time maintenance in order to be able to 4 E2
investigate afterwards, or even to cancel them, if the sequence of operations finished improperly?
10B06-05 Are the procedures of real time maintenance and their application subject to regular audit? 4 3 C1

Comments

Comments

Comments

Comments

Comments

Audit questionnaire: Protection of users' work equipment 1 variant
Number Question P Max Min Typ ISO 27002
R-V1 R-V2 R-V3 R-V4
11A Security of the operational procedures for the whole set of users' equipment
11A01 Control of the installation of new software or system versions on the users' equipment
11A01-01 Are the decisions to change or update users' software versions subject to a control procedure (registration, planning, formal 4 E1 10.1.2; 10.3.1
approval, communication to all concerned individuals, etc.)?
11A01-02 Are the new versions validated on pilot equipment before general installation throughout the user stations? 2 E2
11A01-03 Is the remotely ordered validation of new installations on users' equipment reserved to a limited list of administrators in charge of 2 E2
users work equipment?
11A01-04 Are security parameters and configuration rules of user equipment listed in detail and regularly updated? 4 E3 10.3.2
11A01-05 Are security parameters and configuration rules controlled following any configuration evolution of user equipment? 4 E3 10.3.2
11A01-06 Has the eventual impact of the user equipment configuration changes regarding the continuity plans been considered? 2 E2 10.3.2
11A01-07 Are all the control procedures related to user configurations subject to regular audit? 2 3 C1
11A02 Control of the compliance of user configurations
11A02-01 Has a list of authorized software for the user equipment been established? 4 E2
This list should state the reference versions authorized and the possible parameterization options accepted.
11A02-02 Has a list of additional equipment authorized on the user work stations been established? 4 E2
This list should contain the authorized reference versions and possibly the parameter options used
11A02-03 Are these lists protected against untimely or illicit alteration by a robust sealing process? 2 R2
11A02-04 Are the rights provided to users preventing them to modify the system configurations of their equipment (addition of hardware or 4 E2
software)?
11A02-05 Is the conformity of the hardware configurations for user workstations regularly controlled relatively to the authorized options? 4 2 E3 15.2.2
11A02-06 Is the conformity of the software configurations for user workstations regularly controlled relatively to the authorized options? 4 2 E3 15.2.2
11A02-07 Does the inhibition of the control process trigger an alarm to a manager? 4 3 E3
11A02-08 Is it also controlled that the users do not possess the access rights required for the installation of additional hardware or software? 2 3 E3
11A02-09 Are the processes of control themselves subject to regular audits? 4 C1

11A03 Control of software and software package licenses
11A03-01 Does the security policy state that it is strictly forbidden to load any piece of software on the workstation without a proper license? 4 E1 15.1.2
11A03-02 Is a permanent inventory held up to date of the software officially installed and declared on each work station? 2 E2 15.1.2
11A03-03 Is there a regular control of the conformity of the software installed to those declared or that they possess an authorized license? 4 2 E2 15.1.2
11A03-04 Are these controls covering the equipment base? 2 3 E3

11A03-05 Is the application of these controls subject to a regular audit? 2 3 C1
11A04 Conformity control of the reference programs (source and executable) for user software
11A04-01 Does the IT operation manage a reference for each software product installed on the user workstations (source code and 4 2 E1 12.4.1
executable)?
11A04-02 Is this reference version protected against untimely or illicit alteration (media signed and kept by a responsible person of high rank, 2 R1
Mise jour : janvier 2010 351061430.xls ! 11 Mic page 279

R-V1 R-V2 R-V3 R-V4
11A04-03 Is this protection considered as inviolable (cryptographic sealing approved by the CISO)? 4 R2
11A04-04 Is there an automatic control of the sealing (or, at least, a deposited signature) for each new installation of a user workstation? 4 R2
11A04-05 Is a check made of the proof of origin and integrity of received maintenance module or a new version, from the editor or the 4 E2
11A04-06 Are there regular audits of protection procedures for reference programs? 4 C1
11A05 Management of service suppliers and providers relating to the operation and handling of the user workstations base
11A05-01 Is it regularly ensured that the security services allocated to suppliers or providers for the operation and handling of the user 4 C1 10.2.1
workstations are efficiently implemented and maintained by them?
11A05-02 Is it ensured that the service suppliers or providers for the operation and handling of the user workstations have efficiently 2 E2 10.2.1
prepared the appropriate arrangements to ensure that the services are provided as agreed?
11A05-03 Is the respect of the security provisions by the suppliers or providers regularly reviewed? 4 E1 10.2.2
11A05-04 Is it ensured that the suppliers and providers report and document any security incident concerning operation and handling of the 4 E2 10.2.2
user workstations?
11B Protection of workstations
11B01 Control of access to workstations
11B01-01 Is access to the workstation itself (even for local use) protected by a password or authentication system? 4 E1
11B01-02 Does the process of creation or modification of user authentication means respect a set of rules which ensures its intrinsic validity? 4 E1 11.2.3
In the case of passwords: sufficient length (8 characters or more), mandatory mixture of types of characters, frequent change
(less than once a month), impossibility of reusing an old password, non-trivial word test using a dictionary, banning of "standard
systems", first names, anagrams of username, dates etc. In the case of authentication based on cryptographic mechanisms and of
certificates: a generation process evaluated or publicly recognized, encryption keys of a sufficient length etc.
11B01-03 Does the process of providing credentials for authentication (like user password) guarantee its inviolability? 4 E2
The usage of a password will always be a weak point. The only process which does not divulge observable information consists
either of introducing an object containing a secret (smart card), or using a code which changes at every moment (token card type
SecureId) or providing some biometric character.
11B01-04 Is the authentication process permanent (smart card)? 2 E2

11B01-05 If the authentication process is not permanent, must it be reinitialized after a short period of inactivity? 2 E2
11B01-06 Is the workstation protected against the installation of software by anyone apart from workstation administrators? 2 E1
11B01-07 Is there a procedure allowing an authorized administrator to access to the workstation in the event of departure or of 2 E2
disappearance of its holder?
11B01-08 Are the workstations protected against any use by individuals other than the incumbent (particularly if the post is left temporarily, 3 E2 11.3.2
for more than 10 min for example)?
11B01-09 Is the shutdown of the access control system detected dynamically at the time of connection to the enterprise network? 2 R1
11B01-10 Are the procedures and services for access control subject to regular audit? 3 C1

R-V1 R-V2 R-V3 R-V4
11B02 Work effected off company premises
11B02-01 Have a security policy and associated recommendations relative to working off premises been established? 4 E1 9.2.5; 11.7.1;
The recommendations and directives should cover the precautions to take working at home, when on business travel, on public 11.7.2
transport and should cover the protection of mobile computers, the usage of firewalls and up to date antivirus software,
connections to public or third party networks, precautions to take concerning written documents, instant message services,
telephone and conversations.
11B02-02 Has it been established a security policy and recommendations relative to teleworking using remote connections to the office 4 E1 11.7.2
network)?
The recommendations and instructions should cover the precautions and means to implement and cover the security of the
connection to the company network (reinforced authentication, VPN, etc.), possible restriction of access authorizations,
precautions concerning the use of personal workstations by individuals other than the incumbent (family, friends, etc.).
11B02-03 Does the security policy formally forbid to carry out of the premises documents classified or carrying a value of proof? 4 E2 9.2.5; 11.71
11B02-04 Are personnel likely to work off site made aware of and receive training on the measures to be applied in order to protect 4 E2 9.2.5; 11.71
documents, systems and the data they contain?
These measures cover physical and logical protection against theft as well as disclosure or unauthorized access by family
members as well as by other persons.
11B02-05 Are the computing systems used off site only those belonging to the company and configured specifically for that purpose (in 2 E2 11.7.2
particular if they permit an access to the internal network)?
11B02-06 Is the configuration of computing systems used for work outside company buildings (portable computers) regularly checked? 3 C1
11B03 Use of personal equipment or external equipment (not owned by the organization)
11B03-01 Has an exhaustive analysis of all the work situations or professional exchanges using equipments that do not belong to the 4 E2
organization?
11B03-02 Has an exhaustive analysis of all the external peripheral connection possibilities to the Information Systems of the organization 4 E2
(USB ports, bluetooth, etc...) ?
11B03-03 Are these analyses regularly updated ? 2 C2
A technological survey should be effected so as to improve knowledge of new types of devices and new vulnerabilities.
11B03-04 Has it been deduced from them a security policy regarding the use of personal equipment for work purposes? 2 E2 6.1.4; 11.7.2
The instructions should consider the introduction and use of personal equipment such as laptops, PDAs, external disks, optical
supports, USB keys, etc.
11B03-05 Have means of control regarding the use of personal equipment been defined and implemented? 2 E2 6.1.4
Such as specific parameters of the operating systems, filtering capabilities, etc.
11B03-06 Are the means of control protected against untimely or illicit alteration? 2 R1
11B03-07 Is there a regular audit of the procedures and means of control? 2 C1
11C Protection of data on the workstation
11C01 Protection of the confidentiality of data on the workstation or on a data server (logical disk for the workstation)
11C01-01 Is confidential data stored encrypted, whether on the user workstation or hosted on a data server (logical disk)? 4 E2 11.7.1; 12.3.1

R-V1 R-V2 R-V3 R-V4
11C01-02 Are all elements of the encryption process securely protected against any alteration, modification or inhibition? 3 E3
11C01-03 Are workstations equipped with an effective file erasing system which ensures that any file deleted (whether from a local or shared 4 E2
disk) cannot be subsequently reread?
11C01-04 Are workstations equipped with a true and efficient system which erases temporary files after their use (whether on a local or a 4 E2
shared disk)?
11C01-05 Is the process or the directives concerning file encryption extended to messages and message attachments? 4 E2
11C01-06 Does the process or the directives concerning file encryption extended to information residing on the address book? 2 E3
11C01-07 Have users received an appropriate training on file encryption and erasing systems, indicating in particular the rules to follow to 2 E3
ensure that encryption is not circumvented?
11C01-08 Are regular audits carried out on the usage of file encryption and erasing facilities by users? 3 C1
11C02 Protection of the confidentiality of data stored on removable media
11C02-01 Is confidential data stored encrypted on removable media? 4 E2
11C02-02 Are the elements used for the encryption process protected strongly against any illicit alteration, modification or blocking ? 4 E3
11C02-03 Is the encryption process applied whichever media type (external disk, USB key, PDA, etc.)? 4 E2
11C03 Confidentiality considerations during maintenance operations on user workstations
11C03-01 Is there a procedure which details the actions to carry out before calling maintenance to ensure that unauthorized staff do not gain 4 E2 9.2.6
access to sensitive information which may be stored on the workstation (physical erasing of sensitive data and of temporary files,
retaining of disks etc.)?
11C03-02 Is there a written procedure and a binding clause in personnel maintenance contracts stipulating that any storage media which 2 E2
contained sensitive data be destroyed before disposal?
11C03-03 Is there a procedure of checking for system integrity after maintenance intervention (absence of spyware, or trojans etc.)? 3 E2
11C03-04 Are the procedures described above obligatory in all circumstances and do any derogations require the signature of senior 3 R2
management?
11C03-05 Are the above procedures subject to regular audit? 3 C2
11C04 Protection of the integrity of files stored on workstations or on data servers (logical disk for workstations)
11C04-01 Are integrity sensitive files (whether stored on workstations or hosted on a data server) write-protected and is there an integrity 4 E2
control mechanism?
Such a mechanism may authorize the creation of modifiable working copies while guaranteeing the integrity of the original
11C04-02 Are the components of the integrity control process security protected against any alteration, modification or inhibition? 3 R2
11C04-03 Is the process or the directives concerning integrity control extended to messages and message attachments? 4 E2
11C04-04 Is the process or the directives concerning integrity control extended to information contained in address books 4 E3
11C04-05 Have users undergone training on integrity control means indicating in particular the rules to respect such that integrity control 2 E2
cannot be circumvented?
11C04-06 Are regular audits carried out on the usage of means of integrity control by users? 3 C2
11C05 Security of Email and Electronic Information Exchanges
11C05-01 Is there a security policy specific to emails defining precautions for use and security measures to implement? 2 E1 10.8.4

R-V1 R-V2 R-V3 R-V4
11C05-02 Does this policy state the rules concerning the use of email address out of the internal space (internet site, forum, etc...)? 2 E2
It is advisable to use aliases rather than professional email address
11C05-03 Does this policy impose that message sent with a high importance be systematically requesting an acknowledgement of receipt 3 E2
controlled by the sender?
11C05-04 Is there also a security policy attached to various other electronic exchange of information (telephonic or video conference, 2 E1 10.8.5
cooprative work, document sharing, FTP services, instant messaging, etc.) defining the security measure and precautions to
implement?
11C05-05 Has it been implemented an encrypted electronic messaging service? 3 E2 10.8.4
11C05-06 Has it been implemented a digital signature service? 3 E3 10.8.4
11C05-07 Is a service in charge of collection and treatment of undesirable messages? 3 E3
Undesirable messages (spams, virus, false virus alerts, etc...) must be immediately sent to this service, which will estimate the
threat and put in place counter measures: specific filtering, internal warning, etc...
11C05-08 Are regular audits carried out on the procedures and instructions concerning email and electronic exchanges security? 2 C1
11C06 Protection of documents printed on shared printers

11C06-01 Are the shared printers located in rooms with controlled access? 2
11C06-02 Is the access control system considered as sufficiently strong? 4
11C06-03 Is the access to the printer's room reserved to persons of the same service sharing the same rights? 4
11C06-04 Is it possible for this personnel to cancel, if necessary, a printout in the waiting list? 4
11C06-05 Is it possible for this personnel to destroy printed documents put on scrap in a secure way? 4
11C06-06 Are regular audits conducted on the protective measures for printouts from a shared printer? 2
11D Service continuity of the work environment
11D01 Organization of user hardware maintenance
11D01-01 Is all computing hardware covered by a maintenance contract (personal computers, peripherals, etc.)? 2 E1 9.2.4
11D01-02 Are there specific maintenance contracts for all hardware requiring a high availability and for which repair or swap is required 2 E1
swiftly?
11D01-03 Do these maintenance contracts include specific obligation to provide an equivalent equipment? 3 E1
11D01-04 Do the maintenance contracts include specific obligations stipulating maximum intervention and reparation times which are 2 E1
compatible with availability requirements?
11D01-05 Are maintenance contracts, selection of service providers and the associated maintenance procedures regularly audited? 3 C1
11D02 Organization of user software maintenance (system, middleware and application)

11D02-01 Are there maintenance contracts for all software installed on user workstations? 2 E1
11D02-02 Is a technical support center available for each software supplier which guarantees rapid and qualified telephone support? 2 E1
11D02-03 Are there specific maintenance contracts for all software requiring high availability and for which standard repair times are not 2 E1
acceptable?
11D02-04 Are maintenance contracts, selection of service providers and the associated procedures regularly audited? 3 C1
11D03 Users' configurations backup plans

R-V1 R-V2 R-V3 R-V4
11D03-01 Has it been established a backup plan including all the configuration parameters of the user workstations? 4 E1 10.5.1
11D03-02 Is this backup plan included into automated operational processes? 2 3 E2 10.5.1
11D03-03 Is there a regular test that the backup of the configuration parameters of the user workstations allow the effective rebuild of the 4 2 E2 10.5.1; 14.1.5
user working environment upon a new station or a complete restoring, within time limits compatible to the business requirements?
11D03-04 Are the production routines which ensure backups of user configurations protected, against illicit or undue modification, by secure 4 3 R1 10.5.1
mechanisms?
11D03-05 Are user configuration backup plans and procedures subject to regular audit? 2 3 C1
11D04 Backup plans for user data stored on data servers
11D04-01 Is all user data stored on data servers systematically backed up? 4 3 E1 10.5.1
11D04-02 Has the frequency of backups been communicated to users? 2 E1 10.5.1
11D04-03 Are several generations of save files available in order to guard against missing or unreadable files, by organizing, for example a 2 E2 10.5.1
rotation of backup media?
11D04-04 Is a complete quarterly or six-monthly backup set kept to serve as an emergency archive? 2 E2 10.5.1
11D04-05 Are the backup procedures, for office data stored on servers, subject to a regular audit? 3 C1
11D05 Backup plan for data stored on user workstations.
11D05-01 Are the users made aware and trained to backup operations for sensitive data possibly stored in their workstation? 3 E1 10.5.1
11D05-02 Is all user data (stored on workstations) systematically backed up (by users, at a fixed frequency or when connecting to the internal 4 E1 10.5.1; 11.7.1
network)?
11D05-03 Do users also have the possibility to effect a backup themselves if necessary? 4 E1 10.5.1
11D05-04 Are several generations of saved files available in order to guard against missing or unreadable files, by organizing, for example a 2 E2 10.5.1
rotation of backup media?
11D05-05 Is a complete quarterly or six-monthly backup set kept to serve as an emergency archive? 2 E2 10.5.1
11D05-06 Are the backup procedures for user data subject to a regular audit? 3 C1
11D06 Anti virus (malware, unauthorized executable code, etc.) protection for user workstations.
11D06-01 Has it been defined a policy to prevent risks of attack from malevolent codes (virus, Trojan Horse, worms, etc.) like prohibit the use 2 E1 10.4.1
of unauthorized software, protection measures during file retrieval via external networks and reviews of installed software?
11D06-02 Are user workstations equipped with a means to protect from viruses and malware? 4 E1
11D06-03 Is the anti virus product regularly updated? 2 E1
With internet, new threats are instantaneous thus forcing to control at least every day of the existence of a corrective update
11D06-04 Is there a regular and automatic analysis of all the files on the workstations? 2 E2
11D06-05 Have actions to be taken by users' support team in case of an attack by malevolent code (alert, confinement measures, triggering 3 E2 10.4.1
of a crisis management process, etc.) been defined?
11D06-06 Is it possible for the users' support team to make, at any time, a complete check of the users' workstation base? 2 E2

R-V1 R-V2 R-V3 R-V4
11D06-07 Has it been defined a policy and protection measures to fight against unauthorized executable codes (applets, ActiveX controls, 3 E2 10.4.2
etc.) (blocking or environment control where the codes execute, control of accessible resources by mobile codes, issuer
authentication, etc.)?
11D06-08 Is the activation and update of anti-virus systems on workstations regularly audited? 3 C1
11D07 Recovery Plans for the users' workstations
11D07-01 Have all the scenarios which may impact the users' workstation base been considered and, for each scenario, the consequences 4 E1 14.1.3
in terms of service unavailability for users?
11D07-02 Has it been defined, to resolve each scenario identified above, a sequence of minimal services recovery in accordance with user 4 2 E2 14.1.3
requirements?
The user services need to be considered qualitatively and quantitatively (percentage of the base to be reinstalled)
11D07-03 Has an activity recovery solution been defined and implemented to resolve each scenario identified above, in accordance with 4 2 E1 14.1.3
user requirements?
11D07-04 Are the technical, organizational and human resources sufficient to address the organization's requirements? 4 E2 14.1.3
11D07-05 Are the technical, organizational and human resources educated to address the organization's requirements? 4 E2 14.1.3
11D07-06 Are all these solutions for the continuity of users' services related to the workstations base described in detail in Disaster Recovery 4 E1 14.1.3
Plans including the conditions for triggering the plan, the actions to execute, the priorities, the actors to mobilize and their contact
details?
11D07-07 Are these plans tested at least once a year? 4 2 E2 14.1.5
11D07-08 Are above tests able to guarantee the capacity of the recovery solution to cope, under full operational load, the minimum services 4 3 E2 14.1.5
required by users?
The tests required to obtain this guarantee are preferably full scale tests of each variant of scenario, involving all users. The
results of the tests have to be registered and analyzed in order to improve the capability of the organization to answer to the
situations considered.
11D07-09 If the recovery solutions include delivery of hardware components (which cannot be triggered during tests), is there a contractual 4 2 E2
commitment by the manufacturer or any relevant third party (distributor) to deliver the replacement hardware within fixed and
anticipated time limits as stated in the recovery plan?
11D07-10 Are the existence, the pertinence and the updates of the users' workstations Recovery Plans regularly controlled? 2 3 C1
11D07-11 Is the updating of the above procedures within the recovery plan subject to regular audit? 2 3 C1
11D08 Access management to office data and files
11D08-01 Is the list of office file formats, that are required to be accessible, kept up to date? 4 3 E1
11D08-02 Are the necessary hardware and software elements required for the access to all the types of office files put in archive available or 4 3 E1
easily made available?
11D08-03 Do the procedures of allocation and personalization of office files encryption and protection capabilities guarantee possibilities to 4 3 E2
access the files, even if their owners are absent or have left the organization?
11D08-04 Are the recovery capabilities of the access or encryption keys protected against accidental or malevolent unavailability? 4 3 E2
11D08-05 Are there regular audits of the mechanisms and procedures that guarantee the continuity of access to office files? 2 3 E2
11E Control of administrative rights
11E01 Management of privileged access rights granted on user workstations (administrative rights)

R-V1 R-V2 R-V3 R-V4
11E01-01 Have profiles been defined, within users workstation operations staff, corresponding to each type of activity (assistance, 1 E1 10.1.3; 11.2.2
installation, maintenance, etc.)?
11E01-02 For each profile have the necessary rights and privileges been defined? 4 2 E1 10.1.3
11E01-03 Does the process of attributing special rights require the formal authorization of management (or the manager responsible for 4 2 E2 10.1.3
11E01-04 Is the process of attributing special rights allocated only in relation to the profile of the holder? 4 2 E2 10.1.3
11E01-05 Is the process of granting (modification or revocation) of special rights to an individual strictly controlled? 4 2 3 R1 11.2.2
11E01-06 Is there a systematic process of removal of special rights at the time of departure or role change of user support operations staff? 2 E2 11.2.4
11E01-07 Is there a regular audit, at least once a year, of all special rights attributed ? 1 2 C1 11.2.4
11E02 Authentication and control of the access rights of administrators and operational personnel
11E02-01 Is the authentication of the administrator required before taking control of a user workstation? 4 4 E2
11E02-02 Is the authentication protocol used for administrators or holders of special rights considered to be secure? 4 4 E2
11E02-03 Are the rules, for instance in the case of passwords, considered to be very strict? 2 E2
11E02-04 Is there a consistent control of the administrator's rights, of its context, and of the suitability of this context with the requested 4 E2
11E02-05 Are authentication parameters under strict control? 4 2 R1
11E02-06 Are the processes that guarantee authentication under strict control? 4 3 R1
11E02-07 Is there a regular audit of the procedures of the security parameters attached to protecting profiles and rights? 4 3 C1
11E03 Surveillance of system administrators' actions over the users' workstations
11E03-01 Has a detailed analysis been carried out of the events and operations carried out with administrative rights on the users' 2 E2 10.10.4
workstations which may potentially have an impact on system security?
11E03-02 Are these events recorded as well as all parameters which may be useful for their subsequent analysis? 4 E2 10.10.4
11E03-03 Is there a system able to detect any modification or deletion of a past record and to immediately trigger an alarm to a manager? 4 2 E3 10.10.4
11E03-04 Is there a summary of these records enabling management to detect abnormal behavior? 4 3 E3 10.10.4

R-V1 R-V2 R-V3 R-V4
11E03-05 Is there a system enabling the detection of any modification of recording parameters and to immediately trigger an alarm to a 4 2 E3 10.10.4
manager?
11E03-06 Does any inhibition of the recording and processing of the logged events system trigger an alarm to a manager? 4 E3 10.10.4
11E03-07 Are all records or summary analyses protected against any falsification or destruction? 2 E2 10.10.4
11E03-08 Are all records or summary analyses kept for a long period? 2 E2 10.10.4
11E03-09 Are the procedures, which record and process privileged operations, regularly audited? 2 C1 10.10.4

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Audit questionnaire: Telecommunications operations 1 variant
The architecture and operations concerning voice are often effected by a different entity than data networks
12A01-01 Is there a security policy, specifically aimed at operations personnel, related to telecommunications? 4 E1 9.2.1
This policy should cover the requirements for the protection of information as well as the protection of physical assets and
processes and mention the forbidden behaviors
12A01-02 Is telecommunication operations personnel required to sign contract clauses of adherence to that security policy (no matter their 4 E2
status: permanent or temporary staff, students, etc.)?
12A01-03 Do these clauses make clear that the personnel has an obligation not to tolerate any action contrary to security from other people? 4 3 E3

In order to achieve a formal commitment, the personnel should explicitly state that his/her signature implies having understood and
accepted the security policy
12A01-05 Are these same clauses obligatory for contractors working on systems operations? 4 2 E2
internal staff.
12A01-06 Is there a mandatory and well adapted training course aimed at systems operation personnel? 2 E2
12A01-07 Are the security policy compliance agreements, signed by personnel, securely kept (at least in a locked cupboard )? 2 3 R1
12A01-08 Are the security policy compliance agreements, signed by external contractors, securely kept (at least in a locked cupboard )? 2 3 R1
12A02 Control of the implementation of new equipments or upgrade of existing systems
Equipments for classical telephony : PABX, ...
With ToIP : call server, gateway converter to classical telephony, routers, switches
Equipments dedicated to users: telephone terminal, fax machines (often combined with printing, scanning and photocopy
capabilities , ...), tele and videoconferencing, ...
These systems may provide configuration, management, directory, billing and storage (answering machine, voice mail) services,
12A02-01 Are the decisions to change or update equipment and systems significantly subject to a control procedure (registration, planning, 4 E1 10.1.2; 10.3.1
formal approval, communication to all concerned individuals, etc.)?
The possible separation (physical or logical, using VLAN) of data and voice flows shall be analyzed when moving to ToIP and
revised based on the observed load changes, the same applies to interconnection capabilities between the two networks
12A02-02 Are the change decisions based on an analysis of the capacity of the new equipment and systems to ensure the required load and 2 E2 10.3.1
take into account the evolution of foreseeable requests?
12A02-03 Do the installations take into account physical protection? 2 E2 9.2.1
Protected access, no direct external view on equipments, no multiple physical threats, continuity of power supply, weather
conditions, protection against thunderbolts, protection against dust, etc.
12A02-04 Is any new or modified functionality linked to a new system or new version of a system, systematically documented before moving 4 2 E2
into production?
12A02-05 Is such new functionality (or change in functionality), linked to a new system or new version of a system, formally and 2 E2 10.3.2
systematically reviewed in conjunction with the IT security function?
Mise jour : janvier 2010 351061430.xls ! 12 Top page 306

12A02-06 Does this review include an analysis of the risks that may result from the changes? 2 2 E2 10.3.2
12A02-07 Have telecommunication operations staff received formal appropriate training in risk analysis? 1 E3
This should include service continuity as well as confidentiality and integrity of the data and the transmissions
12A02-08 May the operation staff obtain an appropriate support specially competent on risk analysis? 4 E3
12A02-09 Are the security measures, determined to counter the new identified risks, formally reviewed before implementation? 4 2 E3 10.3.2
12A02-10 Are security parameters and configuration rules (deletion of generic accounts, changing of any default passwords, blocking of 4 E3 10.3.2; 11.4.4
unauthorized communications ports, setting of access rights and authentication parameters, etc.) listed in detail and regularly
updated?
12A02-11 Are the security parameters and configuration rules controlled prior to any start of production of a new version? 4 E3 10.3.2; 11.4.4
12A02-12 Has the eventual impact of the systems' changes regarding the continuity plans been considered? 2 E2 10.3.2
12A02-13 Are any derogations from the prerequisite risk analysis and control of security parameters subject to strict procedures, including a 4 R1
signature from senior management?
12A02-14 Can the start of production of new systems and applications be only carried out by operations personnel? 2 2 E3 6.1.4; 12.4.1
12A02-15 Is the start of production of new versions of systems or applications possible by the use of a defined validation and authorization 2 2 E3 6.1.4; 12.4.1
process?
12A02-16 Are the start of production control procedures regularly audited? 2 3 C1
12A03-02 Are all maintenance operations required to terminate with a systematic control of physical or recorded configurations and security 4 2 E2
parameters (as defined at time of start of production)?
12A03-03 Are all maintenance operations required to terminate with a systematic control of the recording parameters for security events and 4 3 E3
the life span of records?
12A03-04 Are all maintenance operations required to terminate with a systematic control of system administration parameters (required 4 3 E3
profile, authentication type, removal of standard logins etc.)?
12A03-06 Is the effective implementation of these controls regularly audited? 2 3 C1

12A04-01 In the case of remote maintenance, is the remote maintenance desk's access subject to a secure authentication procedure? 2 2 E2 11.4.4
12A04-02 In the case of remote maintenance, are maintenance staff subject to a secure authentication procedure? 4 2 E2 11.4.4
12A04-03 Is there a set of procedures covering the granting and revocation of access rights for remote maintenance operatives and the 2 E3 11.4.4
granting of rights in urgent situations?
12A04-04 Does the usage of the remote maintenance line require the prior agreement (for each usage) of telecommunication operations 4 3 E3 11.4.4
personnel (upon request by the manufacturer or editor specifying the nature, date and time of the intervention)?
12A04-05 Is the usage of the remote maintenance line under strict control ? 4 3 E2
A strict control supposes that each use of the line, the name of the maintenance operative and the actions carried out is registered,
and that there be a subsequent audit of the appropriateness of the actions and their conformity with the rules laid down by
maintenance managers.

12A04-06 Are control procedures for remote maintenance regularly audited? 2 3 C1
12A05 Management of Operating Procedures for Telecommunication Operation
12A05-01 Do the operating procedures result from the study of the overall cases to be covered by said procedure (normal operating cases 4 E2 10.1.1
and incidents)?
12A05-03 Are the operating procedures readily available upon request by any accredited individual? 4 E2 10.1.1
12A05-04 Is the telecommunications operation Management required to approve changes to procedures ? 4 E2 10.1.1
12A06 Management of service providers relating to telecommunication
12A06-01 Is it regularly ensured that the security services allocated to suppliers or providers are efficiently implemented and maintained by 4 C1 10.2.1
them?
12A06-02 Is it ensured that the telecommunications service suppliers or providers have efficiently prepared the appropriate arrangements to 2 E2 10.2.1
ensure that the services are provided as agreed?
12A06-03 Is the respect of the security provisions by the suppliers or providers regularly reviewed? 4 E1 10.2.2
12A06-04 Is it ensured that the suppliers and providers report and document any security incident concerning information or networks? 4 E2 10.2.2
12B01-01 Is an exact inventory of the equipments kept up to date by the concerned responsible persons? 2 E2
Of key importance with ToIP for the move of terminal equipments and their configuration (including configured emergency call
numbers)
12B01-02 Is there a document (or a set of documents ) or an operational procedure which describes all security parameters for the 4 2 E1
equipments and systems?
Such a document should be derived from the security policy and describe all the filtering rules decided. It should also mention the
reference to the system versions so as to check the status of the updates.
12B01-03 Does this document require that all generic or by default accounts be deleted and their list established? 4 2 E2 11.4.4
12B01-04 Are the system versions, fixes and parameters updated regularly in line with latest information? 2 3 E2 10.7.4; 12.6.1
with CERTs, etc.)
12B01-05 Does the resulting document or procedure impose a synchronization feature, based on a reliable time reference? 4 E3 10.10.6
12B01-07 Is the integrity of system configurations checked, regularly (at least weekly) if not at each system start-up, against the configuration 4 2 E3 15.2.2
theoretically expected?
12B01-08 Are regular audits carried out of the compliance to the specifications for security parameters? 2 R1 15.2.2
12B01-10 Are the development and test environments separated from the operational environments? 1 C1

12B01-11 Is it possible to control, each time it is needed, the compliance of the architecture and of the configurations of the equipments ? 2 2 R2
12B02 Conformity control of operational software to a reference version

12B02-01 Do the telecommunications operations manage a reference version for each equipment or system in operation (source and 4 2 E1
executable code)?
12B02-02 Is this reference version protected against all possible illicit or untimely modification (signed media kept by a senior manager, 2 R1
12B02-03 Is this protection considered to be inviolable (sealing by cryptographic algorithm approved by the Information Security Officer)? 4 R2
12B02-04 Is the protective seal controlled automatically (otherwise it may be an authoritative signature) at each new installation? 4 R2
12B02-05 Is a check made of the proof of origin and integrity of received maintenance module or a new version, from the editor or the 4 E2
12B02-06 Are the sealing and sealing control tools protected against any unauthorized usage? 4 R2
12B02-07 Does the inhibition of the automatic control of seals trigger an alarm to a manager? 4 E3
12B02-08 Are there regular audits of protection procedures for reference programs? 4 C1
12C Service continuity
12C01 Organization of operational equipment maintenance
12C01-01 Is all equipment covered by a maintenance contract? 2 E1 9.2.4
12C01-02 Are there specific maintenance contracts for all hardware which require a high availability and for which the replacement must be 4 E2
made within limited delays?
12C01-03 Do the contracts stipulate maximum delays before intervention and compatible with the requirements of availability? 4 2 E2
12C01-04 Do the contracts detail the required time slots and days of intervention (24h/7d for example) compatible with the requirements of 4 2 E3
availability?
12C01-05 Do the contracts stipulate the conditions of escalation in case of difficulty? 4 3 R1
12C01-06 Do the contracts detail specific clauses for when the hardware downtime exceeds the specific times stipulated (penalties, hardware 4 3 E3
replacement, etc.)?
etc.)
12C01-07 Do the maintenance contracts anticipate the complete replacement of equipment in the case of important damage which might not 4 E3
be taken into consideration by reparative maintenance?
A special attention should be born on the confidentiality of data stored on the disk of the replaced equipments
12C01-08 Are the maintenance contracts, the choice of subcontractors and associated maintenance procedures subject to regular audit? 2 3 C1
12C02 Organization of software maintenance (systems and attached services)

12C02-01 Are there maintenance contracts for all acquired software products (systems software, middleware and applications)? 4 E1
12C02-02 Do the suppliers provide a technical software support center which guarantees a quick and competent telephone assistance? 2 E2
12C02-03 Are there specific maintenance contracts for software products (systems, middleware and applications) which require corrective 4 E2
delays that standard maintenance cannot cover?

12C02-04 Do these contracts detail specific maximum intervention delays, compatible with the availability requirements? 4 2 E2
12C02-05 Do the contracts detail the required time slots and days of intervention (24h/7d for example) compatible with the requirements of 4 2 E3
availability?
12C02-06 Do the contracts stipulate the conditions of escalation in case of difficulty? 4 3 R1
12C02-07 Do the contracts specify specific clauses when hardware downtime exceeds specific durations stipulated (penalties, replacement 4 3 E3
of hardware, etc.)?
etc.)
12C02-08 Are the maintenance contracts, the choice of subcontractors and associated maintenance procedures subject to regular audit? 2 3 C1
12C03 Backup of software configurations (system, services and configuration parameters)

12C03-01 Has a backup plan been established which covers all programs and defines all objects to save and the frequency of backups? 4 E1 10.5.1
12C03-02 Does the plan also cover configuration parameters of the telecommunication equipments to save? 4 3 E2 10.5.1
12C03-03 Is the plan implemented by automatic production routines? 2 3 E2 10.5.1
12C03-04 Are there regular tests that the backup copies of configurations enable the effective restoration of the production environment at 4 2 E2 10.5.1; 14.1.5
any time?
These tests should consider all the backups (including documentation and parameters files) of legitimate elements.
12C03-05 Are the production routines which ensure backups protected, against illicit or undue modification, by secure mechanisms? 4 3 R1 10.5.1
12C03-06 Are regular tests made of the readability of backups? 2 3 R2 10.5.1

12C03-07 Are all software backup plans and procedures subject to regular audit? 2 3 C1
12C04 Disaster Recovery Plans
12C04-01 Have all the scenarios which may impact the telecommunications infrastructure and services been considered and, for each 4 E1 14.1.3
scenario, the consequences in terms of service unavailability for users?
ToIP creates additional requirements for power supply continuity and ability to reconfigure of terminal equipments
12C04-02 For each scenario, and in agreement with the users, have a list and schedule of service resume been defined? 4 2 E2 14.1.3
Loss of information, means to reconstruct them and temporary operational procedures must be considered.
12C04-03 Has an activity recovery solution been defined and implemented to resolve each scenario identified above, in accordance with user 4 2 E1 14.1.3
requirements?
12C04-04 Are the technical, organizational and human resources sufficient to address the organization's requirements for IT continuity? 4 E2 14.1.3
12C04-05 Are the technical, organizational and human resources educated to address the organization's requirements for continuity? 4 E2 14.1.3
12C04-06 Are all these solutions described in detail in Disaster Recovery Plans including the conditions for triggering the plan, the actions to 4 E1 14.1.3
execute, the priorities, the actors to mobilize and their contact details?
12C04-07 Are these plans tested at least once a year? 4 2 E2 14.1.5

12C04-08 Are above tests able to guarantee that the staff capacity and the recovery systems can cope, under full operational load, the 4 3 E2 14.1.5
minimum service levels required by users?
The tests required to obtain this guarantee are preferably full scale tests of each variant of scenario, involving all users. The results
of the tests have to be registered and analyzed in order to improve the capability of the organization to answer to the situations
considered.
12C04-09 If the recovery solutions include delivery of hardware components (which cannot be triggered during tests), is there a contractual 4 2 E2
commitment by the manufacturer or any relevant third party (leaser, broker, distributor) to deliver the replacement hardware within
fixed and anticipated time limits as stated in the recovery plan?
12C04-10 Has the unavailability or failure of the recovery facility been considered and has a replacement solution been defined and validated 2 3 E2
(second level recovery)?
12C04-11 Has this (second level recovery) solution been validated? 2 3 E3
12C04-12 Is the recovery solution usable for an unlimited duration and, if not, has a follow on replacement solution been established? 2 3 E3
12C04-13 Are the existence, the pertinence and the updates of the services Recovery Plans regularly controlled? 2 3 C1
12C04-14 Is the updating of the above procedures within the recovery plan subject to regular audit? 2 3 C1
12C05 Management of critical systems (regarding maintenance continuity)
12C05-01 Have the consequences of the disappearance of a supplier been analyzed (in the case of failure, a bug or change requirement) 2 E2
and has a list of critical systems been established?
This is valid for hardware, software or service providers
12C05-02 For all critical systems, has a corrective solution been analyzed to cope with the failure or disappearance of a supplier 2 E2
(consignment of maintenance documentation or source code with a trusted third party, hardware replacement by standard market
solutions etc.)?
12C05-03 Is there a guarantee that the corrective solutions could be made operational within time delays compatible with the continuity of the 2 2 E2
business and accepted by the users?
12C05-04 Have variants to the primary solution been considered in case it might encounter unforeseen difficulties? 2 3 E3
12C05-05 Is there a regular review of critical systems and corrective solutions envisaged? 2 3 C1
12D Use of end-user telecommunication equipment
12D01 Control of the compliance of user configurations
12D01-01 Has a list of the telecommunication software authorized on the users' stations been established? 4 E2
This list should indicate the reference versions authorized and possibly the parameterization options
12D01-02 Are these lists protected against untimely or illicit alteration by a robust sealing process? 2 R2
12D01-03 Are the rights provided to users preventing them to modify the specific telecommunication (telephone, audio or video conferencing, 4 E2
etc. )configurations of their equipment?
12D01-04 Is the conformity of the telecommunication configurations for user workstations regularly controlled relatively to the authorized 4 2 C1
options?
12D01-05 Does the inhibition of the control process trigger an alarm to a manager? 4 3 C2
12D01-06 Are the processes of control themselves subject to regular audits? 4 C1
12D02 Training and awareness setting for users
12D02-01 Are the users made aware of the risks of tapping resulting from the use of telecommunication equipment and services? 4 E1

12D02-02 Are the users informed of risks resulting from the malevolent usage, locally or remotely, of their communication equipment? 4 E2
In addition to the use of their colleagues' equipment without their knowing.
12D02-03 Are the deactivation procedures explained to users at the installation or replacement time of their equipment? 2 E2
12D02-04 Are the control and security procedures documented? 4 E2
12D02-05 Are all the users trained about these procedures? 4 3 E2
12D03 Utilization of cryptographic equipment
12D03-01 Are encryption of exchanges mechanisms settable in accordance to the non-disclosure requirements established? 4 E2
12D03-02 Are the encryption capabilities explained to all the staff? 4 E2
12D03-03 Have the user functions requiring a protection of the telecommunication exchanges been analyzed? 4 3 E2
12D03-04 Have encryption functions been installed on all the corresponding user equipment? 4 3 E2
12E01 Management of privileged access rights granted on equipments and systems (administrative rights)
12E01-01 Have profiles been defined, within telecommunication operations staff, corresponding to each type of activity (system 1 E1 10.1.3; 11.2.2
administration, administration of security equipment, system monitoring, management of data storage and backup functions etc.)?
12E01-02 For each profile have the necessary rights and privileges been defined? 4 2 E1 10.1.3
12E01-03 Does the process of attributing special rights require the formal authorization of management (or the manager responsible for 4 2 E2 10.1.3
12E01-04 Is the process of attributing special rights allocated only in relation to the profile of the holder? 4 2 E2 10.1.3
12E01-05 Is the process of granting (modification or revocation) of special rights to an individual strictly controlled? 4 2 3 R1 11.2.2
12E01-06 Is there a systematic process of removal of special rights at the time of departure of telecommunication operations staff? 2 E2 11.2.4
12E01-07 Is there a systematic process of removal of special rights at the time of rle change of telecommunication operations staff? 2 E2 11.2.4
12E01-08 Is there a regular audit, at least once a year, of all special rights attributed ? 1 2 C1 11.2.4
12E02-01 Is the authentication protocol used for administrators or holders of special rights considered to be secure? 4 4 E2
12E02-02 Are the rules, for instance in the case of passwords, considered to be very strict? 2 E2
12E02-03 Is there a consistent control of the administrator's rights, of its context, and of the suitability of this context with the requested 4 E2

12E02-04 Are authentication parameters under strict control? 4 2 R1
12E02-05 Are the processes that guarantee authentication under strict control? 4 3 R1
12E02-06 Is there a regular audit of the security parameters attached to protecting profiles and rights? 4 3 C1
12E03 Surveillance of system administrators' actions over the equipments and systems
12E03-01 Has a detailed analysis been carried out of the events and operations carried out with administrative rights which may potentially 2 E2 10.10.4
have an impact on system security (configuration of security systems, access to sensitive information, usage of sensitive tools,
download or modification of administrative tools etc.)?
12E03-02 Are these events recorded as well as all parameters which may be useful for their subsequent analysis? 4 E2 10.10.4
12E03-03 Is there a system able to detect any modification or deletion of a past record and to immediately trigger an alarm to a manager? 4 2 E3 10.10.4
12E03-04 Is there a summary of these records enabling management to detect abnormal behavior? 4 3 E3 10.10.4
12E03-05 Is there a system enabling the detection of any modification of recording parameters and to immediately trigger an alarm to a 4 2 E3 10.10.4
manager?
12E03-06 Does any inhibition of the recording and processing of the logged events system trigger an alarm to a manager? 4 E3 10.10.4
12E03-07 Are all records or summary analyses protected against any falsification or destruction? 2 E2 10.10.4
12E03-08 Are all records or summary analyses kept for a long period? 2 E2 10.10.4
12E03-09 Are the procedures, which record and process privileged operations, regularly audited? 2 C1 10.10.4

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Audit Questionnaire: Management Processes 1 variant
13A Protection of personal information (PPI)
13A01 Policy and instructions related to PPI
13A01-01 Is there a set of legal provisions and regulations concerning the protection of personal information (PPI)? 2 E2 15.1.2
13A01-02 Is this set updated annually? 2 E2 15.1.2
13A01-03 Is there a policy and are there directives concerning PPI? 4 E1 15.1.4
13A01-04 Has this policy been approved by the governing bodies? 2 E2 15.1.4
13A01-05 Does the policy indicate that PPI must be taken into consideration in the development of projects related to information 4 E2
technology?
13A01-06 Do the PPI directives cover all legal obligations, including those related to collection, access, communication, use, preservation 4 3 E2
and destruction of such information?
13A01-07 Has the adequacy of the directives with respect to all the relevant laws and regulations been verified by independent audit? 4 3 E2
13A01-08 Has a manager responsible for PPI been appointed? 4 E2

13A01-09 Is the PPI manager known to all members of staff? 2 E2
13A01-10 Does the PPI policy (or the management framework) clearly define the responsibilities of the various stakeholders: the PPI 4 E1
manager, Digital Information Security Manager, internal control, etc.?
13A01-11 Is there a committee related to the governing bodies that is charged with developing PPI policy and with periodically studying any 4 E2
related problems?
13A01-12 If such a committee exists, is it composed of the PPI manager and representatives from senior management, security, audit, IT, 2 E2
legal, document management, and users?
13A01-13 Is the PPI policy revised regularly? 2 3 E2
13A02 PPI training and awareness program
13A02-01 Is there a PPI awareness and training program? 2 E1
13A02-02 Is this program approved by the PPI manager? 2 E2
13A02-03 Is this program offered to the staff who process information covered by the legal provisions related to PPI? 2 E2
13A02-04 Is this program tailored to the tasks performed? 4 E2

13A02-05 Does this program take into account PPI issues relating to the use of IT and telecommunications systems? 4 E2
13A02-06 Does this program include training or awareness of the consequences of not respecting the legal provisions relating to PPI? 4 E2
13A02-07 Is the level of knowledge of members of staff concerning PPI periodically evaluated by survey or other mechanism? 4 3 E3
13A02-08 Are members of staff periodically reminded of the existence of this program by poster, or other communication? 2 E2
13A02-09 Is this program revised at least every five years? 2 3 R1
13A02-10 Is the enforcement of this program subject to a periodic audit? 2 3 C1
13A03 Applicability of the PPI policy
13A03-01 Have the conditions necessary for implementing the PPI policy been analyzed? 2 C1
13A03-02 Have the corresponding resources (technical and human) been put in place? 4 3 E2
13A03-03 Is the level of resource necessary for the application of PPI audited regularly? 1 3 E2
13A04 Monitoring the implementation of the PPI policy
Mise jour : janvier 2010 351061430.xls ! 13 Man page 330

13A04-01 Is the implementation of the PPI policy audited regularly? 4 3 C1
13A04-02 Are sanctions defined in case of nonconformity or failure to apply the policy? 4 3 E2
13A04-03 Have these sanctions been communicated to staff? 2 3 E2
13B Communication of financial data
For example, the Financial Security Law (loi Mer) in France and the Sarbanes Oxley Act in the United States
13B01 Policy and instructions related to Communication of financial data
13B01-01 Is there a reference document stating the set of rules related to the collection, treatment and presentation of results leading to 4 E3
Communication of financial data?
13B01-02 Is this reference document updated annually? 2 E2
13B01-03 Is there a policy and are there precise directives concerning Communication of financial data? 4 E1
13B01-04 Has this policy been approved by the governing bodies? 2 E2
13B01-05 Does the policy concerning Communication of financial data encompass all the legal requirements in that matter? 4 3 E2
13B01-06 Has the upper management conducted an evaluation of the effectiveness of internal control regarding the procedures and controls 4 E2
ensuring that financial statements are produced in line with external regulations?
13B01-07 Has the quality evaluation document been evaluated and approved by financial auditors? 2 2 E2
This approval implies that the auditors must obtain all the necessary elements in time for them to control
13B01-08 Has the upper management certified the efficiency of the procedures and controls implemented to ensure the veracity of financial 2 E2
statements?
13B01-09 Is there an audit commission charged with choosing external auditors, fixing their remuneration levels and supervising their 4 E2
activities?
13B01-10 Are the members of the audit commission totally independent? 2 2 E3
i.e. they do not exercise any operational authority within the company, are not affiliated to any person exercising authority within
the company and receive no remuneration apart from that related to their function on the audit commission
13B01-11 Does the application of this frame of reference enable all information published to be traced back? 2 2 C1
This includes the capacity to trace back the chain of treatments so as to identify the original data (references to the facts,
accounting data entries, ... ) and the decisions related to the origin of the information
13B01-12 Has a manager responsible for Communication of financial data been appointed? 4 E2
13B01-13 Does the policy concerning Communication of financial data (or its management framework) clearly establish the responsibilities of 4 E1
each of the contributors?
13B01-14 Is there a committee related to the governing bodies that is charged with developing the Communication of financial data policy 4 E2
and with periodically studying any related problems?
13B01-15 Is the Communication of financial data policy revised regularly? 2 3 E2
13B02 Communication of financial data training and awareness program
13B02-01 Is there a Communication of financial data awareness and training program? 2 E1
13B02-02 Is this program approved by the manager responsible or in charge of the Communication of financial data? 2 E2
13B02-03 Is this program available to the staff who process information covered by the legal provisions related to Communication of financial 2 E2
data?
13B02-04 Is this program tailored to the tasks performed? 4 E2

13B02-05 Does this program take into account Communication of financial data issues relating to the use of IT and telecommunications 4 E2
systems?
13B02-06 Does this program include training or awareness of the consequences of not respecting the legal provisions relating to 4 E2
Communication of financial data?
13B02-07 Is the level of knowledge of members of staff concerning the Communication of financial data periodically evaluated by survey or 4 3 E3
other mechanism?
13B02-09 Is this program revised at least every five years? 2 3 R1
13B02-10 Is the enforcement of this program subject to a periodic audit? 2 3 C1
13B03 Applicability of the Communication of financial data policy
13B03-01 Have the conditions necessary for implementing the Communication of financial data policy been analyzed? 2 C1
13B03-02 Have the corresponding resources (technical and human) been put in place? 4 3 E2
13B03-03 Is the level of resource necessary for the application of Communication of financial data audited regularly? 1 3 E2
13B04 Monitoring the implementation of the Communication of financial data policy
13B04-01 Is the implementation of the Communication of financial data policy audited regularly? 4 3 C1
13B04-02 Are sanctions defined in case of nonconformity or failure to apply the policy? 4 3 E2
13B04-03 Have these sanctions been communicated to staff? 2 3 E2
13C Respect of regulations concerning the verification of computerized accounting (VCA)
13C01 Preservation of accounting data and treatments
13C01-01 Is there a list of the types of recordings to preserve and of the procedures and protections to apply until their end of life? E2
This list should consider media like : paper, microfiches, files and their protection during the requested retention durations.
4 1
13C01-02 Are the basic accounting data preserved in compliance with the VCA regulations? 4 E2
The elementary data are individual, not yet aggregated, data considered since their origin, for example: historic files of movements
(orders, bills, stocks...), written evidences, statements, permanent data, operations of files' updates...
13C01-03 Are files which contain long term or reference information (accounting schemas, client files, suppliers, tariffs, 4 E2
products) kept in compliance with the VCA?
13C01-04 Are operational procedures kept in compliance with VCA regulations? 4 E2
13C01-05 Are operational systems which have a direct or indirect link with the accounting system kept in compliance with 4 E2
VCA regulations?
13C01-06 Are all accounting applications and applications which feed the accounting system, via intermediate or interface 4 E2
files, kept?
13C01-07 Are analytical or budgetary applications used to determine expenses and incomes kept? 4 E3
13C01-08 Are constraints related to the migration of systems and applications respected ? 4 C1
In the case of migrations, the company must be able to supply either copies of the history of each data file or the
tools and processes used for converting existing data files towards the new system. It is not therefore necessary to
retain a working version of the old system.
13C02 Documentation of accounting data, procedures and treatments

13C02-01 Is an inventory of applications and documentation likely to be checked as parts of a VCA audit kept up-to-date? 4 E2

13C02-02 Is a complete documentation maintained which lists all IT accounting systems required? 4 E2
The documentation must contain evidence elements such as: an analysis of the information systems organization,
an inventory and description of hardware used, the overall architectural concept, functional specifications,
computerized applications and treatments (description of processing chains, of data and transactions, of source
code used), maintenance, configuration, user documentation, operation documentation, internal control
procedures, archiving plans.
13C02-03 Is this documentation preserved as required by the regulation (either on paper or electronically)? 1 E2
13C02-04 Is this documentation updated using a precise system of follow up of documents version numbers? 4 E2
13C02-05 Is the source code of programs related to VCA accessible? 4 E2
13C02-06 Are all documents, data and transactions, subject to legal control, preserved and accessible in the host country 1 E2
13C02-07 itself?
Is the retention plan for data and information, including documentation, compliant with the rules in force (duration 1 E2
and nature of support media)?
13C02-08 Do IT contracts with third parties contain a specific legal clause taking into account VCA regulations such as the availability of 1 E2
source code, documentation and technical assistance in the case of a VCA audit?
Such third parties include outsourcing, software editors, suppliers, etc.
13C02-09 Does the documentation, issued from application developments and updates, comply to VCA regulation (for all 1 E2
applications within the scope of VCA regulations)?
13C02-10 In the case of company acquisitions is there a clause which guarantees the respect of obligations related to VCA? 1 E2
13C02-11 Is there a control procedure related to VCA elements covering backup plan, operations technical documents, data, 1 C1
processing, version of the saved elements, etc. ?
13C03 Verification of computerized accounting data training and awareness program
13C03-01 Is there a VCA awareness and training program? 2 E1
13C03-02 Is this program approved by the VCA manager? 2 E2
13C03-03 Is this program offered to the staff who process information covered by the legal provisions related to VCA? 2 E2
13C03-04 Is this program tailored to the tasks performed? 4 E2

13C03-05 Does this program take into account VCA issues relating to the use of IT and telecommunications systems? 4 E2
13C03-06 Does this program include training or awareness of the consequences of not respecting the legal provisions relating to VCA? 4 E2
13C03-07 Is the level of knowledge of members of staff concerning VCA periodically evaluated by survey or other mechanism? 4 3 E3
13C03-09 Is this program revised at least every five years? 2 3 R1
13C03-10 Is the enforcement of this program subject to a periodic audit? 2 3 C1
13C04 Applicability of the VCA policy
13C04-01 Have the conditions necessary for implementing the VCA policy been analyzed? 2 C1
13C04-02 Have the corresponding resources (technical and human) been put in place? 4 3 E2
13C04-03 Is the level of resource necessary for the application of VCA audited regularly? 1 3 E2
13C05 Monitoring the implementation of the VCA policy
13C05-01 Is the implementation of the VCA policy audited regularly? 4 3 C1
13C05-02 Are sanctions defined in case of nonconformity or failure to apply the policy? 4 3 E2

13C05-03 Have these sanctions been communicated to staff? 2 3 E2
13D Protection of intellectual property rights (IPR)
13D01 Policy and instructions relative to the Protection of intellectual property rights
13D01-01 Is there a collection of all applicable legal and regulatory rules and measures regarding the protection of intellectual property 2 E2
rights?
13D01-02 Is this collection revised every year? 2 E2
13D01-03 Is there a policy and are there precise directives concerning intellectual property rights? 4 E1
13D01-04 Are these directives explicitly forbidding the use of software without a proper license and limitation of copies of software, 2 2 E2
commercial recordings (video, audio) and documents ?
13D01-05 Has this policy been approved by the governing bodies? 2 E2
13D01-06 Does the policy concerning the protection of intellectual property rights encompass all the legal requirements in that matter? 4 3 E2
13D01-07 Has the adequacy of the directives with respect to all the relevant laws and regulations been verified by independent audit? 4 3 E2
13D01-08 Has a manager responsible for IPR been appointed? 4 E2

13D01-09 Is the IPR responsible manager known to all members of staff? 2 E2
13D01-10 Does the IPR policy (or the management framework) clearly define the responsibilities of the various stakeholders? 4 E1
13D01-11 Is there a committee related to the governing bodies that is charged with developing IPR directions and with periodically studying 4 E2
any related problems?
13D01-12 Is the IPR policy revised regularly? 2 3 E2
13D02 Intellectual property rights training and awareness program
13D02-01 Is there an IPR awareness and training program? 2 E1
13D02-02 Is this program approved by the IPR manager or respondent? 2 E2
13D02-03 Is this program offered to the staff concerned? 2 E2
13D02-04 Does this program take into account IPR issues relating to the use of IT and telecommunications systems? 4 E2
13D02-05 Does this program include training or awareness of the consequences of not respecting the legal provisions relating to IPR? 4 E2
13D02-06 Is the level of knowledge of members of staff concerning IPR periodically evaluated by survey or other mechanism? 4 3 E3
13D02-07 Is this program revised at least every five years? 2 3 R1
13D02-08 Is the enforcement of this program subject to a periodic audit? 2 3 C1
13D03 Applicability of the intellectual property rights policy
13D03-01 Have the conditions necessary for implementing the IPR policy been analyzed? 2 C1
13D03-02 Have the corresponding resources (technical and human) been put in place? 4 3 E2
13D03-03 Is the level of resource necessary for the application of IPR audited regularly? 1 3 E2
13D04 Monitoring the implementation of the intellectual property rights policy
13D04-01 Is the implementation of the IPR policy audited regularly? 4 3 C1
13D04-02 Are sanctions defined in case of nonconformity or failure to apply the policy? 4 3 E2
13D04-03 Have these sanctions been communicated to staff? 2 3 E2
13E Protection of computerized systems

13E01 Policy and instructions relative to the Protection of computerized systems
13E01-01 Is there a collection of all applicable legal and regulatory rules and measures regarding the protection of computerized systems? 2 E2
13E01-02 Is this collection revised every year? 2 E2

13E01-03 Is there a policy and are there precise directives concerning the protection of computerized systems? 4 E1
13E01-04 Has this policy been approved by the governing bodies? 2 E2
13E01-05 Does the policy concerning the protection of computerized systems encompass all the legal requirements in that matter? 4 3 E2
13E01-06 Has the adequacy of the directives with respect to all the relevant laws and regulations been verified by independent audit? 4 3 E2
13E01-07 Has a manager responsible for the protection of computerized systems been appointed? 4 E2
13E01-08 Is the protection of computerized systems responsible manager known to all members of staff? 2 E2
13E01-09 Does the protection of computerized systems policy (or the management framework) clearly define the responsibilities of the 4 E1
various stakeholders?
13E01-10 Is there a committee related to the governing bodies that is charged with developing directions for the protection of computerized 4 E2
systems and with periodically studying any related problems?
13E01-11 Is the protection of computerized systems policy revised regularly? 2 3 E2
13E02 Protection of computerized systems training and awareness program
13E02-01 Is there a protection of computerized systems awareness and training program? 2 E1
13E02-02 Is this program approved by the protection of computerized systems manager or respondent? 2 E2
13E02-03 Is this program offered to the staff concerned? 2 E2
13E02-04 Does this program include training or awareness of the consequences of not respecting the legal provisions relating to the 4 E2
protection of computerized systems?
13E02-05 Is the level of knowledge of members of staff concerning the protection of computerized systems periodically evaluated by survey 4 3 E3
or other mechanism?
13E02-06 Is this program revised at least every five years? 2 3 R1
13E02-07 Is the enforcement of this program subject to a periodic audit? 2 3 C1
13E03 Applicability of the protection of computerized systems policy
13E03-01 Have the conditions necessary for implementing the protection of computerized systems policy been analyzed? 2 C1
13E03-02 Have the corresponding resources (technical and human) been put in place? 4 3 E2
13E03-03 Is the level of resource necessary for the application of the protection of computerized systems audited regularly? 1 3 E2
13E04 Monitoring the implementation of the protection of computerized systems policy
13E04-01 Is the implementation of the protection of computerized systems policy audited regularly? 4 3 C1
13E04-02 Are sanctions defined in case of nonconformity or failure to apply the policy? 4 3 E2
13E04-03 Have these sanctions been communicated to staff? 2 3 E2
13F Human safety and protection of the environment
13F01 Policy and instructions relative to Human safety and protection of the environment
13F01-01 Is there a collection of all applicable legal and regulatory rules and measures relative to the human safety and protection of the 2 E2
environment?
13F01-02 Is this collection revised every year? 2 E2

13F01-03 Is there a policy and are there precise directives relative to the human safety and protection of the environment? 4 E1
13F01-05 Has this policy been approved by the governing bodies? 2 E2
13F01-06 Does the policy relative to the human safety and protection of the environment encompass all the legal requirements in that 4 3 E2
matter?
13F01-07 Has the adequacy of the directives with respect to all the relevant laws and regulations been verified by independent audit? 4 3 E2
13F01-08 Has a manager responsible for human safety and protection of the environment been appointed? 4 E2
13F01-09 Is the responsible manager relative to the human safety and protection of the environment known to all members of staff? 2 E2
13F01-10 Does the policy (or the management framework) relative to human safety and protection of the environment clearly define the 4 E1
responsibilities of the various stakeholders?
13F01-11 Is there a committee related to the governing bodies that is charged with developing directions for relative to the human safety and 4 E2
protection of the environment and with periodically studying any related problems?
13F01-12 Is the policy relative to the human safety and protection of the environment revised regularly? 2 3 E2
13F02 Human safety and protection of the environment training and awareness program
13F02-01 Is there a Human safety and protection of the environment awareness and training program? 2 E1
13F02-02 Is this program approved by the Human safety and protection of the environment manager or respondent? 2 E2
13F02-03 Is this program offered to the staff concerned? 2 E2
13F02-04 Does this program include training or awareness of the consequences of not respecting the legal provisions relating to the Human 4 E2
safety and protection of the environment?
13F02-05 Is the level of knowledge of members of staff concerning the Human safety and protection of the environment periodically 4 3 E3
evaluated by survey or other mechanism?
13F02-06 Is this program revised at least every five years? 2 3 R1
13F02-07 Is the enforcement of this program subject to a periodic audit? 2 3 C1
13F03 Applicability of the Human safety and protection of the environment policy
13F03-01 Have the conditions necessary for implementing the Human safety and protection of the environment policy been analyzed? 2 C1
13F03-02 Have the corresponding resources (technical and human) been put in place? 4 3 E2
13F03-03 Is the level of resource necessary for the application of the Human safety and protection of the environment audited regularly? 1 3 E2
13F04 Monitoring the implementation of the Human safety and protection of the environment policy
13F04-01 Is the implementation of the Human safety and protection of the environment policy audited regularly? 4 3 C1
13F04-02 Are sanctions defined in case of nonconformity or failure to apply the policy? 4 3 E2
13F04-03 Have these sanctions been communicated to staff? 2 3 E2
13G Rules related to the use of encryption
13G01 Policy and instructions relative to the use of encryption
13G01-01 Is there a collection of all applicable legal and regulatory rules and measures regarding the use of encryption? 2 E2
13G01-02 Is this collection revised every year? 2 E2
13G01-03 Is there a policy and are there precise directives concerning the use of encryption? 4 E1
13G01-04 Has this policy been approved by the governing bodies? 2 E2

13G01-05 Does the policy concerning the use of encryption encompass all the legal requirements in that matter? 4 3 E2
13G01-06 Has the adequacy of the directives with respect to all the relevant laws and regulations been verified by independent audit? 4 3 E2
13G02 Use of encryption training and awareness program

13G02-01 Is there a use of encryption awareness and training program? 2 E1
13G02-02 Is this program offered to the staff concerned? 2 E2
13G03 Monitoring the implementation of the use of encryption policy
13G03-01 Is the implementation of the use of encryption policy audited regularly? 4 3 C1
13G03-02 Are sanctions defined in case of nonconformity or failure to apply the policy? 4 3 E2
13G03-03 Have these sanctions been communicated to staff? 2 3 E2

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Audit questionnaire : Information Security management 1 variant
This questionnaire controls whether the organisation realises effectively a continuous process of management and reduction of the
risks also called ISMS .
It is recommanded to integrate this questionnaire into MEHARI complete process of risk treatment, preferrably associated
together with domain 01 (Organisation), which corresponds to the management responsibility and audits parts of the standard.
Number Question R-V1 R-V2 R-V3 R-V4 P Max Min Comments
14A Establish the management system

14A01 Define the boundaries of the ISMS
14A01-01 Are the boundaries and scope of the ISMS resulting from a preliminary study of the expectations of the top management and the 4
stakeholders?
14A01-02 Do the boundaries contain the processes and assets of vital value for the organization? 2
They should specify the sites, organizational units and business activities as well as external interfaces.
Any exclusions from the scope must be documented and justified.
14A02 Define the ISMS policy
14A02-01 Does the ISMS policy result from a preliminary study of the expectations of the stakeholders? 4
14A02-02 Does this policy state clearly and precisely the commitments of the management relative to information security? 1
14A02-03 Does this policy take into account the requirements of the organization towards criteria such as Availability, Integrity and non 2
disclosure?
14A02-04 Does this policy take into account legal and regulatory requirements? 2
14A02-05 Does this policy take into account the commitment to use precise evaluation of risks? 2
14A02-06 Have clear risk reduction and management objectives been established? 4
14A02-07 Has this policy been approved by the top management of the organization? 2 2
14A02-08 Has the management of the organization reserved the necessary resources and funding over the long term? 1
14A03 Define the risk assessment approach and associated metrics
14A03-01 Has a risk assessment method that fits to the requirements of the organization been selected? 4
14A03-02 Does the method permit to analyze the information security requirements for each asset in accordance to the business, laws and 2 2
regulations?
14A03-03 Does the method permit to classify the feared dysfunctions on a scale applicable to the entire organization? 1
14A03-04 Does the method provide precise metrics allowing a rational and reproducible risk assessment? 1
The seriousness of each risk being classified within a previously defined scale.
14A04 Identification of the risks
14A04-01 Does this risk analysis method used allow to identify the supporting assets attached to each operational process and to each 4
primary asset?
14A04-02 Does the method permit to identify the threats and their consequences relative to the security objectives ( e.g. Availability, integrity, 4
Confidentiality)?
14A04-03 Does the method permit to identify, in a precise way, the vulnerabilities according to the security measures in place? 2
14A04-04 Does the method permit to describe finely the scenarios that may exploit the threats and vulnerabilities? 2
14A04-05 Does the method permit to identify the impacts on the activity for each scenario (through a precise criteria and asset)? 4
14A04-06 Does the method permit to identify the links between each asset and the owners of data and processes? 2
14A05 Analysis and evaluation of the risks
Mise jour : janvier 2010 351061430.xls ! 14 ISM page 354

14A05-01 Does the risk analysis method permit to assess the levels of risk reduction resulting from the security measures in place or 2
planned?
14A05-02 Does the method provide the elements allowing to assess the likelihood of each risk scenario? 4
14A05-03 Does the method permit to reduce the likelihood of the scenarios resulting from the current (and planned) security measures (or 2
controls)?
14A05-04 Is it possible to adapt the likelihood levels resulting from changes in the organization? 2
14A05-05 Is the risk seriousness level clearly related to the impact and likelihood values for each scenario ? 1
14A05-06 Does the method provide the elements allowing to classify the seriousness level for each risk scenario? 4
His level should be used to determine whether each risk is acceptable or require further treatment
14A06 Selection of risk treatment options
14A06-01 Does the method permit to figure out the risk treatment options appropriate for the organization ? 2
Based on the possible options (Accept, Avoid, Transfer or Reduce lye risk) and the criteria of acceptance already established.
14A06-02 Does the method permit to analyze the risk acceptance criteria for each scenario? 2
14A07 Selection of the measures (controls) for risk reduction
14A07-01 Does the organization have at its disposal the elements allowing to select the most efficient security measures required? 4 1
The method used must permit to propose improvement directions for each risk situation and to optimize the selection based on the
objectives and constraints of the organization.
14A07-02 Does the method permit to identify the residual risks after treatment of these risks? 3 2
14A07-03 Are the residual risks, either after treatment or acceptance, presented to the management for validation? 2 2
14A08 Selection of the security measures in accordance to the statement of applicability (SOA)
14A08-01 Is a list of decisions and security measures applicable to the organization formally established? 4
14A08-02 Does the statement of applicability describe the security measures already in place? 2 2
14A08-03 Are the security measures excluded or differed documented and justified? 2 2
14B Implement the management system
14B01 Formulation of a risk treatment plan
14B01-01 Has a risk treatment plan been established? 4 1
14B01-02 Does this plan identify the actions to be taken including the appropriate resources, responsibilities, deadlines, and priorities? 2
14B01-03 Has this plan been validated by senior management? 2 2

14B02 Implementation of the risk treatment plan
14B02-01 Has this risk treatment plan been put in place? 4 1
14B02-02 Does the implementation cover the entire risk treatment plan? 2
14B02-03 Does the implementation effectively cover all the goals and security measures that were defined during the establishment phase 2 2
(risk assessment) of the Information Security Management System (ISMS)?
14B02-04 Does this plan define goals for achieving the measures decided (dates, level of risk reduction achieved)? 2
14B02-05 Is this plan monitored regularly by senior management? 2 2
14B03 Selection and implementation of ISMS indicators
14B03-01 Have evaluation methods been defined for effectiveness of the selected measures (indicator, audit, etc)? 4
14B03-02 Has the manner in which the results of these evaluations will be interpreted been defined (scale, maximum or minimum 2 2
thresholds, quality of service objective, etc)?
14B03-03 Are these evaluations comparable and reproducible? 2

14B03-04 Have the evaluation methods been validated by senior management? 2 2
14B03-05 Have these evaluations been implemented? 2 2
14B03-06 Are these evaluations monitored regularly by senior management? 2 2
14B04 Implementation of training and awareness plan
14B04-01 Has a program of training and awareness raising been implemented for the various security staff within the organization? 4
14B04-02 Is this program based on an analysis of the security skills and competences required by the various actors of the organization? 3
14B05-03 Has this program been effectively implemented? 2 2
14B04-04 Is the effectiveness of the program evaluated through an analysis of its results? 2 3
14B04-05 Is the documentation associated with this program stored and used? 2 3
For example, yearly programs, attendance records and participant evaluations, course content, skills acquired, etc.
14B05 Incident detection and response
14B05-01 Have procedures and measures been implemented to enable rapid detection and response to security incidents? 4
14C Monitor the management system
14C01 Monitoring execution of the security procedures and measures
14C01-01 Has the organization put in place procedures for review and monitoring of the ISMS? 4
14C01-02 Are these procedures intended to rapidly detect anomalies in the output of data processing? 2 3
14C01-03 Do these procedures enable rapid identification of security failures and incidents? 2
14C01-04 Do these procedures enable the responsible managers to determine whether the procedures or delegated security measures have 2 2
been carried out in conformance with the system?
14C01-05 Are there indicators in place that enable detection or prevention of security incidents? 2
14C01-06 Are reviews of the efficiency and application of the ISMS regularly planned and carried out? 2
14C01-07 Do the conclusions of these reviews take into account the experiences and suggestions of the parties concerned? 1
14C02 Steering the audit program
14C02-01 Do the implementation of the organization requirements of the ISMS, and the implementation of various action plans, fall within the 4
scope of the Audit program?
For example, concerning organization requirements: risk enumeration from a risk analysis, Information Security Policy or
documented ISMS plan, etc.
Concerning the various action plans: the actions agreed upon following a risk analysis, the implementation of an Information
Security Policy, or other audits.
14C02-02 Are all audits findings presented to management for review? 2 2
14C02-03 Are all audit findings the subject of a proposal for risk reduction presented to management? 2 3
14C02-04 Is the audit program monitored by a set of indicators presented during management reviews? 2 3
14C03 Review of risks and security measures
14C03-01 Are risk evaluation reviews regularly conducted? 4
14C03-02 Do these risk evaluation reviews enable validation of the effectiveness of the security measures put in place? 2
Such measures may be organizational or technical.
14C03-03 Do these reviews lead to revision of the security plans whenever this is necessary? 2
14C03-04 Are the boundaries and goals of the security management policy reviewed regularly? 2
14C03-05 Does the planning for these reviews take account of changes in the information security environment? 2
For example, changes in the organization, technology, threats, procedures, requirements of activities, and regulations.
14C03-06 Is a structured record kept of observations and of significant security incidents? 2
14C03-07 At least once year, is there a management review of the ISMS, covering all aspects of ISMS steering (results of risk analysis, 2 2
dashboards, audit results, etc.), enabling management to make decisions about the ISMS implementation policy (evolution of the
Information Security Policy, ISMS scope, audit program, requirements to be taken into account, resources assigned, etc.)?

14D Improve the management system
14D01 Continuous improvement
14D01-01 Have already identified improvements to the ISMS been implemented? 4
14D01-02 Does senior management review these actions? 4 2
14D01-03 Are the results of these actions recorded in a log? 2
14D01-04 Has an analysis been carried out to confirm that the actions lead to an improvement in the effectiveness of the ISMS? 1
14D02 Actions to correct nonconformities
14D02-01 Are nonconformities in the application of the ISMS identified regularly? 4
Concerning the security policies, the processes and procedures
14D02-02 Are the necessary corrective actions planned? 2
14D02-03 Have the causes of the nonconformities been identified? 1
14D02-04 Has a plan covering all the corrective actions been formulated? 2
14D02-05 Have the corrective actions been implemented? 2
14D02-06 Have measures been taken to prevent non-conformities from reoccurring? 1
14D02-07 Have the results of the corrective actions been recorded for later review? 2
14D02-08 Has an analysis been made to confirm that the corrective actions effectively reduce the nonconformities? 1
14D03 Actions to prevent nonconformities
14D03-01 Have potential nonconformities been identified? 2
14D03-02 Have the causes of the potential nonconformities been identified? 2
14D03-03 Have preventative actions been determined? 2
14D03-04 Have these preventative actions been implemented? 2
14D03-05 Have the results of the implemented preventative actions been recorded in a log? 2
14D03-06 Has an analysis been carried out to confirm that the preventative actions avoided nonconformities? 1
14D04 Communication to stakeholders
14D04-01 Are the corrective actions and improvements communicated to all the parties concerned? 2
The communication must be sufficiently precise and detailed..
14D04-02 Is agreement obtained from all relevant parties concerning the improvement actions? 2
14E Documentation
14E01 Documentation management
14E01-01 Is there a procedure describing how System Management documentation must be managed? 4 2
14E01-02 Is a named person responsible for application of this procedure? 2 2
14E01-03 Does the procedure indicate that every document must have an owner? 2
14E01-04 Is this procedure distributed widely to all the relevant services? 2
14E02 Document approval
14E02-01 Is the approval procedure for each document defined? 4
14E02-02 Is the physical location of the approved documents clearly defined? 2
For example, a shared folder on a server.
14E03 Updates
14E03-01 Are the people authorized to update the documents clearly identified? 4
14E03-02 Is it clearly stated that all updates must be approved? 2
14E04 Document naming and versioning management

14E04-01 Is there a consistent numbering scheme for the documents that takes into account various versions? 2
14E04-02 Are all modifications summarized in a document history section? 2
14E05 Documentation disposal
14E05-01 Is there a document classification scheme that defines the level of access rights for different users? 4 2
14E05-02 Is there a mechanism in place for publishing information according to the users' access rights? 2
14E06 Withdrawing of obsolete documents
14E06-01 Is the procedure for withdrawing obsolete documents described? 2
14E06-02 Is the implementation of this procedure regularly checked by the responsible managers? 2

SECURITY SERVICES & SUB-SERVICES
DOMAINS Objective values to be handled (if 1): 1
SERVICES
SUB-SERVICES Theme Min Obj Fin
01 Organization of security V1 V2 V3 V4
01A01 Organization and piloting of general security A1
1.0 1.0
01A02 Organization and piloting of Information Systems security A1
1.0 1.0
01A03 General reporting system and incident management system A1
1.0 1.0
01A04 Organization of audits and audit program A1
1.0 1.0
01A05 Crisis management related to information security A1
1.0 1.0
01B01 Obligations and responsibilities of personnel and management A2
1.0 1.0
01B02 General directives related to information protection A2
1.0 1.0
01B03 Classification of resources A2
1.0 1.0
01B04 Asset management A2
1.0 1.0
01B05 Protection of assets having value of evidence A2
1.0 1.0
01C01 Staff involvement, contractual clauses A2
1.0 1.0
01C02 Management of strategic personnel, partners and providers A2
1.0 1.0
01C03 Staff screening procedure A2
1.0 1.0
01C04 Awareness and training in security A2
1.0 1.0
01C05 Third Parties Management (partners, suppliers, clients, public, etc.) A2
1.0 1.0
01C06 People Registration A2
1.0 1.0
01D Insurance
01D01 Insurance against property (or material) damages A1
1.0 1.0
01D02 Insurance of consequential losses (non-material damages) A1
1.0 1.0
01D03 Personal Liability Insurance (PLI) A1
1.0 1.0
01D04 Insurance against loss of Key Personnel A1
1.0 1.0
01D05 Management of insurance contracts A1
1.0 1.0
01E01 Taking into account the need for business continuity F1 1.0 1.0
01E02 Business continuity Plans F1 1.0 1.0
01E03 Workplace Recovery Plans (WRP) F1 1.0 1.0
02 Sites security V1 V2 V3 V4
02A01 Management of access rights to the site or building B1
1.0 1.0
02A02 Management of access authorizations granted to the site or the building B1
1.0 1.0
02A03 Access control to the site or the building B1
1.0 1.0
02A04 Intrusion detection to the site or the building B1
1.0 1.0
02A05 Access to the loading and unloading areas (goods receipt and consignment) or to areas open to B1
public 1.0 1.0
02B Protection Against Miscellaneous Environmental Risks
02B01 Analysis of Miscellaneous Environmental Risks B2
1.0 1.0
02C01 Partitioning of office areas into protected zones B1
1.0 1.0
02C02 Physical access control to the protected office zones B1
1.0 1.0
02C03 Management of access authorizations to protected office area B1
1.0 1.0
02C04 Detection of intrusions into protected office areas B1
1.0 1.0
02C05 Monitoring of protected office areas B1
1.0 1.0
02C06 Control of movement of visitors and occasional service providers required to work in the offices B1
1.0 1.0
02D01 Conservation and protection of important commonly used documents E3
1.0 1.0
02D02 Protection of documents and removable support media E3
1.0 1.0
02D03 Paper-bin collection and destruction of documents E3
1.0 1.0
02D04 Security of post mail E3
1.0 1.0
02D05 Security of faxes (traditional) E3
1.0 1.0
02D06 Conservation and protection of important documents (to be preserved during a long period) E3
1.0 1.0
02D07 Management of archived documents E3
1.0 1.0
03 Security of Premises V1 V2 V3 V4
03A01 Quality of energy supply B2
1.0 1.0
03A02 Continuity of energy supply B2
1.0 1.0
03A03 Air conditioning security B2
1.0 1.0
03A04 Quality of cabling B2
1.0 1.0
03A05 Lightning protection B2
1.0 1.0
03A06 Dependability of service equipment B2
1.0 1.0
03B01 Access rights management to sensitive locations B1 1.0 1.0
03B02 Management of access authorizations granted to sensitive locations B1 1.0 1.0
03B03 Access control to sensitive locations B1 1.0 1.0
03B04 Intruder detection in sensitive locations B1 1.0 1.0
03B05 Perimeter monitoring (surveillance of entry points and surroundings of sensitive locations) B1
1.0 1.0
03B06 Surveillance of sensitive locations B1 1.0 1.0
03B07 Cabling access control B1 1.0 1.0
03B08 Location of sensible premises. B1 1.0 1.0
03C01 Prevention of risk of water damage B2 1.0 1.0
03C02 Detection of water damage B2 1.0 1.0
03C03 Water evacuation B2 1.0 1.0
03D Fire security
03D01 Fire risk prevention B2
1.0 1.0
03D02 Fire detection B2
1.0 1.0
03D03 Fire extinguishing B2
1.0 1.0
04 Extended Network (intersite) V1 V2 V3 V4
04A01 Functional security of the extended network architecture C1
1.0 1.0
04A02 Management of extended network equipment maintenance F3
1.0 1.0
04A03 Procedures and Business Contingency Planning following incidents on the extended network E1
1.0 1.0
04A04 Backup plan of extended network configurations F2
1.0 1.0
04A05 Business Contingency Planning (BCP) of the Extended Network F1
1.0 1.0
04A06 Management of critical suppliers as regards a permanent maintenance service F3
1.0 1.0
04B01 Security profiles for entities connected to the extended network D1
1.0 1.0
04B02 Authentication of the entity for an incoming access from the extended network D1
1.0 1.0
04B03 Authentication of the entity accessed for an outgoing access across the extended network D1
1.0 1.0
04C01 Encryption of exchanges on the extended network C2
1.0 1.0
04C02 Integrity control of exchanges on the extended network C2
1.0 1.0
04D01 Real-time monitoring of the extended network H1
1.0 1.0
04D02 Offline analysis of traces, log files and event journals on the extended network H1
1.0 1.0
04D03 Management of incidents on the extended network H1
1.0 1.0
05 Local Area Network (LAN) V1 V2 V3 V4
05A01 Partitioning of the local area network into security domains C1
1.0 1.0
05A02 Security of the functioning of the local area network architecture C1
1.0 1.0
05A03 Organization of the maintenance of local area network equipment F3
1.0 1.0
05A04 Procedures and Recovery Plans following incidents on the local area network E1
1.0 1.0
05A05 Save and Restore plans of local area network configurations F2
1.0 1.0
05A06 Save and Restore plans of local area network configurations F1
1.0 1.0
05A07 Management of critical suppliers as regards a permanent maintenance service F3
1.0 1.0
05B01 Management of access profiles on the local area network D1
1.0 1.0
05B02 Management of privileges and access authorizations (granting, delegation, revocation) D1
1.0 1.0
05B03 User or entity authentication for access requests to the local area network from an internal access D1
point
This mechanism corresponds, for example, to the authentication implemented in a Windows
domain controller.
1.0 1.0
05B04 User or requestor authentication before access to the local area network from a remote site via D1
the extended network 1.0 1.0
05B05 User or requestor authentication for outside access to the local area network D1
(e.g. from the switched telephone network (POTS), X25, ISDN, broadband, Internet, etc.) 1.0 1.0
05B06 User or requestor authentication for access requests to the local area network from a WiFi sub- D1
network 1.0 1.0
05B07 General filtering of access to the local area network D1
1.0 1.0
05B08 Routing control of outgoing access D1
1.0 1.0
05B09 Authentication of the external entity accessed for outgoing access to sensitive sites D1
1.0 1.0
05C01 Encryption of exchanges on the local area network C2
Encryption can be effected at layer 3 (IPSEC VPN) or at level 4-5 (SSL) or directly effected by the
application (level 6-7, for example encryption before or during transmission), case really treated
by domain 09.
It could be systematic on the "pipeline" (physical or logical) or limited only to certain data flows (as
a function of address or type, etc.) it can also be performed on intermediate systems (VPN boxes)
or end systems (stations, server) or both.
1.0 1.0
05C02 Integrity control of exchanges on the local area network C2
1.0 1.0
05C03 Encryption of exchanges in the case of remote access to the local area network C2
1.0 1.0
05C04 Protection of the integrity of exchanges in the case of remote access to the local area network C2
1.0 1.0
05D01 Real-time monitoring of the local area network H1
1.0 1.0
05D02 Offline analysis of traces, log files and event journals on the local area network H1
1.0 1.0
05D03 Management of incidents on the local area network H1
1.0 1.0
06 Network operations V1 V2 V3 V4
06A01 Security in the relationship with operational personnel (employees, suppliers or service providers) E1
1.0 1.0
06A02 Control of the implementation or upgrade of software or hardware E1
1.0 1.0
06A03 Control of maintenance operations E1
1.0 1.0
06A04 Control of Remote Maintenance E1
1.0 1.0
06A05 Management of Operating Procedures for Network Operation E1
1.0 1.0
06A06 Management of service providers relating to networks E1
1.0 1.0
06A07 Taking into account the confidentiality during maintenance operations on network equipment. E1
1.0 1.0
06A08 Contract Management of Network Services E1
1.0 1.0
06B01 Network equipment customizing and compliance control of configurations E1
1.0 1.0
06B02 Control of the network access configurations of user equipment E1
1.0 1.0
06C01 Control of special access rights to network equipment D1
1.0 1.0
06C02 Authentication of administrators and operational personnel D1
1.0 1.0
06C03 Surveillance of administrative actions on the network H1
1.0 1.0
06C04 Control of networking operational tools and utilities E1
1.0 1.0
I1 1.0 1.0
I1 1.0 1.0
07 Security and architecture of systems V1 V2 V3 V4
07A01 Management of access profiles (rights and privileges granted by functional profile) D1
1.0 1.0
07A02 Management of access authorizations and privileges (granting, delegation, revocation) D1
1.0 1.0
07A03 Authentication of the access requestor (user or entity) D1
1.0 1.0
07A04 Access filtering and management of associations D1
1.0 1.0
07A05 Authentication of the server for access to sensitive servers D1
1.0 1.0
07B01 Control of access to residual data D1
1.0 1.0
O7C Management and saving of logs
07C01 Recording access to sensitive resources H1
1.0 1.0
07C02 Recording privileged system calls H1
1.0 1.0
07D01 Service continuity of the architecture and of its components C1
1.0 1.0
07D02 Isolation of Sensitive Systems C1
1.0 1.0
08 IT Production environment V1 V2 V3 V4
08A01 Consideration of security in relation with operational personnel (permanent and temporary staff) E1
1.0 1.0
08A02 Control of the operational tools and utilities E1
1.0 1.0
08A03 Acceptance control of systems introduction or modification E1
Systems here include operating systems, applications and associated middleware 1.0 1.0
1.0 1.0
08A05 Confidentiality considerations during maintenance of the production systems D2
1.0 1.0
08A06 Control of remote maintenance E1
1.0 1.0
08A07 Protection of sensitive printed documents and reports E3
1.0 1.0
08A08 Management of Operating Procedures for IT production E1
1.0 1.0
08A09 Management of service suppliers and providers relating to IT operations E1
1.0 1.0
08B01 Conformity control of systems parameters and configurations E1
1.0 1.0
08B02 Conformity control of operational software configurations (including packages) E1
1.0 1.0
08B03 Conformity control of reference programs (source code and executables) E1
1.0 1.0
08C01 Management of storage media E2
1.0 1.0
08C02 Labeling of storage media (live, backups and archives) E2
1.0 1.0
08C03 Physical security of media kept on site E2
1.0 1.0
08C04 Physical security of storage media (kept in an external site) E2
1.0 1.0
08C05 Verification and turnover of archive storage media E2
1.0 1.0
08C06 Security of storage networks (SAN : Storage Area Network and NAS) E2
1.0 1.0
08C07 Physical Security of Transiting Medias E2
1.0 1.0
08D01 Organization of hardware maintenance (for operational equipment) F3
1.0 1.0
08D02 Organization of software maintenance (systems, middleware and applications) F3
1.0 1.0
08D03 Application recovery procedures and plans following incidents during operation E1
1.0 1.0
08D04 Backup of software configurations (system, applications and configuration parameters) F2
1.0 1.0
08D05 Backup of application data F2
1.0 3.0 3.0
08D06 Disaster Recovery Planning for IT operations F1
1.0 1.0
08D07 Anti virus protection for production servers D2
1.0 1.0
08D08 Management of critical systems (regarding maintenance continuity) F3
1.0 1.0
08D09 Off site emergency (recourse) backups F2
1.0 3.0 3.0
08D10 Maintaining user accounts E1
1.0 1.0
08E01 Online detection and treatment of IT related abnormal events and incidents H1 1.0 1.0
08E02 Offline management of traces, logs and event journals H1 1.0 1.0
08E03 Management of system and application incidents H1 1.0 1.0
08F01 Control of administrative access rights granted on systems D1 1.0 1.0
08F02 Authentication of administrators and operational personnel D1 1.0 1.0
08F03 Surveillance of system administrators' actions H1 1.0 1.0
I1 1.0 1.0
I1 1.0 1.0
08H01 Organization of the management for IT archives E2
1.0 1.0
08H02 IT Archives access management E2
1.0 1.0
08H03 Management of IT archive safety E2
1.0 1.0
09 Application security V1 V2 V3 V4
09A01 Management of application data access profiles D1 1.0 1.0

09A02 Management of access authorizations to application data (granting, delegation, revocation) D1 1.0 1.0
09A03 Authentication of the access requestor D1 1.0 1.0
09A04 Access filtering and management of associations D1 1.0 1.0
09A05 Authentication of the application for access to sensitive applications D1 1.0 1.0
09B01 Sealing of sensitive data D2 1.0 1.0

09B02 Protection of integrity of exchanged data D2 1.0 1.0
09B03 Control of data entry D2 1.0 1.0
09B04 Permanent checks (accuracy, etc) relating to data D2 1.0 1.0
09B05 Continuous (plausibility, ) checks on data processing D2 1.0 1.0
09C01 Encryption of data exchanges D2 1.0 1.0

09C02 Encryption of stored data D2 1.0 1.0
09C03 Anti electromagnetic radiation protection D2 1.0 1.0
09D01 Very high security recording D2 1.0 1.0

09D02 Management of access to data files D2 1.0 3.0 3.0
09E01 Hardware reconfiguration C1 1.0 1.0
09E02 Application service continuity plans F1 1.0 1.0
09E03 Management of critical applications (with regard to maintenance continuity) F3 1.0 1.0
09F01 Proof of origin, electronic signature D2 1.0 1.0

09F02 Prevention of message duplication and replay (numbering, sequencing) D2 1.0 1.0
09F03 Acknowledgements of receipt D2 1.0 1.0
09G01 Detection of application anomalies H1 1.0 1.0

09H Security of the e-commerce Sites
09H01 Security of the e-commerce Sites D2 1.0 1.0
10 Security of application projects and developments V1 V2 V3 V4
10A01 Consideration of security in application development G1 1.0 1.0
10A02 Change management G1 1.0 1.0
10A03 Externalization of software development G1 1.0 1.0
10A04 Organization of application maintenance G1 1.0 1.0
10A05 Modification of software packages G1 1.0 1.0
10B01 Ensuring security in the organization of application developments G1 1.0 1.0
10B02 Ensuring confidentiality in application developments G1 1.0 1.0
10B03 Security within Internal Processing of Applications G1 1.0 1.0
10B04 Protection of Data during tests G1 1.0 1.0
10B05 Security of application maintenance G1 1.0 1.0
10B06 Hot Maintenance G1 1.0 1.0
11 Protection of users' work equipment V1 V2 V3 V4
11A01 Control of the installation of new software or system versions on the users' equipment E1
1.0 1.0
11A02 Control of the compliance of user configurations E1
1.0 1.0
11A03 Control of software and software package licenses E1
1.0 1.0
11A04 Conformity control of the reference programs (source and executable) for user software E1
1.0 1.0
11A05 Management of service suppliers and providers relating to the operation and handling of the user E1
workstations base 1.0 1.0
11B01 Control of access to workstations D2
1.0 1.0
11B02 Work effected off company premises D2
1.0 1.0
11B03 Use of personal equipment or external equipment (not owned by the organization) D2
1.0 1.0
11C01 Protection of the confidentiality of data on the workstation or on a data server (logical disk for the D2
workstation) 1.0 1.0
11C02 Protection of the confidentiality of data stored on removable media D2
1.0 1.0
11C03 Confidentiality considerations during maintenance operations on user workstations D2
1.0 1.0
11C04 Protection of the integrity of files stored on workstations or on data servers (logical disk for D2
workstations) 1.0 1.0
11C05 Security of Email and Electronic Information Exchanges D2
1.0 1.0
11C06 Protection of documents printed on shared printers D2
1.0 1.0
11D01 Organization of user hardware maintenance F3
1.0 1.0
11D02 Organization of user software maintenance (system, middleware and application) F3
1.0 1.0
11D03 Users' configurations backup plans F2
1.0 1.0
11D04 Backup plans for user data stored on data servers F2
1.0 1.0
11D05 Backup plan for data stored on user workstations. F2
1.0 1.0
11D06 Anti virus (malware, unauthorized executable code, etc.) protection for user workstations. D2
1.0 1.0
11D07 Recovery Plans for the users' workstations F2
1.0 1.0
11D08 Access management to office data and files F2
1.0 1.0
11E01 Management of privileged access rights granted on user workstations (administrative rights) D1
1.0 1.0
11E02 Authentication and control of the access rights of administrators and operational personnel D1
1.0 1.0
11E03 Surveillance of system administrators' actions over the users' workstations H1 1.0 1.0
12 Telecommunications operations V1 V2 V3 V4
12A01 Consideration of security in relation with operational personnel (permanent and temporary staff) E1
1.0 1.0
12A02 Control of the implementation of new equipments or upgrade of existing systems E1
Equipments for classical telephony : PABX, ...
Equipments dedicated to users: telephone terminal, fax machines (often combined with printing,
scanning and photocopy capabilities , ...), tele and videoconferencing, ...
These systems may provide configuration, management, directory, billing and storage (answering
machine, voice mail) services,
1.0 1.0
1.0 1.0
12A04 Control of Remote Maintenance E1
1.0 1.0
12A05 Management of Operating Procedures for Telecommunication Operation E1
1.0 1.0
12A06 Management of service providers relating to telecommunication E1
1.0 1.0
12B01 Network equipment customizing and compliance control of configurations E1
1.0 1.0
12B02 Conformity control of operational software to a reference version E1
1.0 1.0
F3 1.0 1.0
F3 1.0 1.0
12C03 Backup of software configurations (system, services and configuration parameters) F2 1.0
1.0
12C04 Disaster Recovery Plans F1
1.0 1.0
F3 1.0 1.0
E1
1.0 1.0
A2
1.0 1.0
C2
1.0 1.0
12E01 Management of privileged access rights granted on equipments and systems (administrative D1
rights) 1.0 1.0
12E02 Authentication and control of the access rights of administrators and operational personnel D1
1.0 1.0
12E03 Surveillance of system administrators' actions over the equipments and systems H1 1.0 1.0
13 Management processes V1 V2 V3 V4
13A01 Policy and instructions related to PPI A2
1.0 1.0
13A02 PPI training and awareness program A2
1.0 1.0
13A03 Applicability of the PPI policy A1
1.0 1.0
13A04 Monitoring the implementation of the PPI policy A1
1.0 1.0
For example, the Financial Security Law (loi Mer) in France and the Sarbanes Oxley Act in the United States
13B01 Policy and instructions related to Communication of financial data A2
1.0 1.0
13B02 Communication of financial data training and awareness program A2
1.0 1.0
13B03 Applicability of the Communication of financial data policy A1
1.0 1.0
13B04 Monitoring the implementation of the Communication of financial data policy A1
1.0 1.0
13C01 Preservation of accounting data and treatments A2
1.0 1.0
13C02 Documentation of accounting data, procedures and treatments A2
1.0 1.0
13C03 Verification of computerized accounting data training and awareness program A2
1.0 1.0
13C04 Applicability of the VCA policy A1
1.0 1.0
13C05 Monitoring the implementation of the VCA policy A1
1.0 1.0
13D Protection of intellectual property rights (IPR) 1.0
13D01 Policy and instructions relative to the Protection of intellectual property rights A2
1.0 1.0
13D02 Intellectual property rights training and awareness program A2
1.0 1.0
13D03 Applicability of the intellectual property rights policy A1
1.0 1.0
13D04 Monitoring the implementation of the intellectual property rights policy A1
1.0 1.0
13E01 Policy and instructions relative to the Protection of computerized systems A2 1.0 1.0
13E02 Protection of computerized systems training and awareness program A2 1.0 1.0
13E03 Applicability of the protection of computerized systems policy A1 1.0 1.0
13E04 Monitoring the implementation of the protection of computerized systems policy A1 1.0 1.0
13F01 Policy and instructions relative to Human safety and protection of the environment A2 1.0 1.0
13F02 Human safety and protection of the environment training and awareness program A2 1.0 1.0
13F03 Applicability of the Human safety and protection of the environment policy A1 1.0 1.0
13F04 Monitoring the implementation of the Human safety and protection of the environment policy A1
1.0 1.0
13G01 Policy and instructions relative to the use of encryption A2
1.0 1.0
13G02 Use of encryption training and awareness program A2
1.0 1.0
13G03 Monitoring the implementation of the use of encryption policy A1
1.0 1.0
14 Information security management V1 V2 V3 V4
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
1.0 1.0
14E Documentation
14E01 Documentation management 1.0 1.0
14E02 Document approval 1.0 1.0
14E03 Updates 1.0 1.0
14E04 Document naming and versioning management 1.0 1.0
14E05 Documentation disposal 1.0 1.0
14E06 Withdrawing of obsolete documents 1.0 1.0
MEHARI Security themes
N Name Referenced Services

A1 Roles and organization 01A, 01D
A2 Security awareness and training, 01B, 01C, 12D02
Human resources management
B1 Physical access control (sites, 02A, 02C, 03B
buildings and premises)
B2 Miscellaneous Risks 02B, 03A, 03C, 03D
C1 Networks and Systems Architecture 04A01, 05A01, 05A02, 07D, 09E01
C2 Control of the exchanges 04C, 05C, 12D03
D1 Logical access control 04B, 05B, 06C01, 06C02, 07A, 07B, 08F01, 08F02, 09A, 11E01, 11E02,
12E01, 12E02
D2 Security of data 08A05, 08D07, 09B, 09C, 09D, 09F, 09H, 11B, 11C, 11D06
E1 Operational procedures 04A02, 04A03, 05A03, 05A04, 06A, 06B, 06C04, 08A01 08A04, 08A06,
O8A08, 08A09, 08B, 08D03, 08D10, 11A, 12A, 12B, 12D01
E2 Management of data containers 08C, 08H
E3 Protection of documents and written 02D, 08A07
information
F1 Recovery Plans 01E, 04A05, 05A06, 08D06, 09E02, 09E04, 12C04
F2 Backups 04A04, 05A05, 08D04, 08D05, 08D09, 11D03, 11D04, 11D05, 11D07, 12C03
F3 Maintenance 04A02, 04A06, 05A03, 05A07, 08D01, 08D02, 08D08, 09E03, 11D01, 11D02,
12C01, 12C02, 12C05
G1 Projects and developments 10A, 10B
H1 Incident management 04D, 05D, 06C03, 07C, 08E, 08F03, 09G, 11E03, 12E03
I1 Audit management 06D, 08G
J1 Compliance management 13
K1 Information security management 14
system
351061430.xls ! Themes 383 Dcembre 2006

ISO 27002
ISO 27002 : 2005 Correspondance and scoring
Questions or services used for scoring Score

5 Security policy
5.1 Information security policy
5.1.1 Information security policy document 01A02-01 0.0
5.1.2 Review of the information security policy 01A02-02 0.0
6 Organizing information security
6.1 Internal organization
6.1.1 Management committment to information security 01A02-09 0.0
6.1.2 Information security co-ordination 01A02-03:05 0.0
6.1.3 Allocation of information security responsibilities 01A02-06:07 0.0
6.1.4 Authorization process for information processing facilities 06A02-13:14;08A03-14:15;11B03-04:05;12A02-14:15 0.0
6.1.5 Confidentiality agreements 01C01-01:05 0.0
6.1.6 Contact with authorities 01A02-10 0.0
6.1.7 Contact with special interest groups 01A02-11 0.0
6.1.8 Independent review of information security 01A02-13 0.0
6.2 External parties
6.2.1 Identification of risks related to external parties 01C05-01 0.0
6.2.2 Addressing security when dealing with customers 01C05-02 0.0
6.2.3 Addressing security in third party agreements 01C05-04:05 0.0
7 Asset management
7.1 Responsibility for asset
7.1.1 Inventory of assets 01B04-01:02 0.0
7.1.2 Ownership of assets 01B04-03 0.0
7.1.3 Acceptable use of assets 01B04-04 0.0
7.2 Information classification
7.2.1 Classification guidelines 01B03-03;01B03-10 0.0
7.2.2 Information labeling and handling 01B02-04;01B03-02 0.0
8 Human resources security
8.1 Prior to employement
8.1.1 Roles and responsibilities 01C03-01 0.0
8.1.2 Screening 01C03-02:04 0.0
8.1.3 Terms and conditions of employment 01C01-01:02 0.0
8.2 During employement
351061430.xls ! ISO 27002 384 Dcembre 2006

ISO 27002
8.2.1 Management responsiblities 01C01-06 0.0

8.2.2 Information security awareness, education and training 01C04-01:05 0.0
8.2.3 Disciplinary process 01B01-07 0.0
8.3 Termination or change of employment
8.3.1 Termination responsibilities 01B01-09 0.0
8.3.2 Return of assets 01B04-05 0.0
8.3.3 Removal of access rights 01B01-10 0.0
9 Physical and environmental security
9.1 Secure areas
9.1.1 Physical security perimeter 02A03-01:02;02A03-06;02A04-01 0.0
9.1.2 Physical entry controls 02C06-01:04;03B01-01;03B01-07;03B03-01 0.0
9.1.3 Securing offices, rooms and facilities 03B08-01:03 0.0
9.1.4 Protecting against external and environmental threats 02B01-01:04;03C01-01;03C02-01:03;03D01-01;03D02-01;03D03-
06 0.0
9.1.5 Working in secure areas 03B02-08;03B03-01;03B06-01 0.0
9.1.6 Public access, delivery and loading areas 02A05-01:03 0.0
9.2 Equipment security
9.2.1 Equipment siting and protection 06A02-03;08A01-01;08A03-03;12A01-01;12A02-03 0.0
9.2.2 Supporting utilities 03A01-01:03;03A02-01:02;03A03-01;03A03-03 0.0
9.2.3 Cabling security 03A04-01:04 0.0
9.2.4 Equipment maintenance 04A02-01;05A03-01;06A03-01;06A07-01:02;08A04-01;08A05-
01:02;08D01-01;11D01-01;12A03-01;12C01-01 0.0
9.2.5 Security of equipment off-premises 11B02-01;11B02-03 0.0
9.2.6 Secure disposal or re-use of equipment 06A07-01;08A05-01:02;08C01-05;11C03-01 0.0
9.2.7 Removal of property 01B04-06 0.0
10 Communications and operations management
10.1 Operational procedures and responsibilities
10.1.1 Documented operating procedures 06A05-01:04;08A08-01:04;12A05-01:04 0.0
10.1.2 Change management 06A02-01;08A03-01;11A01-01;12A02-01 0.0
10.1.3 Segregation of duties 06C01-03:06;08F01-01:04;11E01-01:04;12E01-01:04 0.0
10.1.4 Separation of development, test, and operational facilities 06B01-07:09 0.0
10.2 Third party service delivery agreement
10.2.1 Service delivery 06A06-01:02;08A09-01:02;11A05-01:02;12A06-01:02 0.0
10.2.2 Monitoring and review of third party services 06A06-03:05;08A09-03:05;11A05-03:05;12A06-03:05 0.0
10.2.3 Managing changes to third party services 06A06-06;08A09-06;11A05-06;12A06-06 0.0
10.3 System planning and acceptance
351061430.xls ! ISO 27002 385 Dcembre 2006

ISO 27002
10.3.1 Capacity management 06A02-02;08A03-02;11A01-01;12A02-01:02 0.0

10.3.2 System acceptance 06A02-04:05;06A02-08:11;08A03-05:06;08A03-09:12;11A01-
04:06;12A02-05:06;12A02-09:12 0.0
10.4 Protection against malicious and mobile code
10.4.1 Controls against malicious code 08D07-01:02;11D06-01;11D06-05 0.0
10.4.2 Controls against mobile code 11D06-07 0.0
10.5 Back-up
10.5.1 Information back-up 04A04-01:07;05A05-01:07;08D04-01:07;08D05-01:13;11D03-
01:04;11D04-01:04;11D05-01:05;12C03-01:06 0.0
10.6 Network security management
10.6.1 Network controls 06C01-03:04;06C03-01:02 0.0
10.6.2 Security of network services 06A08-01:03 0.0
10.7 Media handling
10.7.1 Management of removable media 02D02-01;08C01-01:05;08C03-11 0.0
10.7.2 Disposal of media 07B01-08;08C01-04 0.0
10.7.3 Information handling procedures 01B02-03:07 0.0
10.7.4 Security of system documentation 08B01-03;08B01-05;08B02-04:05;12B01-04;12B01-06 0.0
10.8 Exchange of information
10.8.1 Information exchange policies and procedures 01B02-03:05;01B02-07:08 0.0
10.8.2 Exchange agreements 01C05-03 0.0
10.8.3 Physical media in transit 08C04-03;08C07-01 0.0
10.8.4 Electronic messaging 11C05-01;11C05-05:06 0.0
10.8.5 Business information systems 11C05-04 0.0
10.9 Electronic commerce services
10.9.1 Electronic commerce 09H01-01 0.0
10.9.2 On-line transactions 09H01-02 0.0
10.9.3 Publicly available information 09H01-03 0.0
10.10 Monitoring
10.10.1 Audit logging 04D02-01:02;05D02-01:02;07C01-05:07;07C02-05:07 0.0
10.10.2 Monitoring system use 04D01-01:03;04D01-08;05D01-01:03;05D01-08;07C01-
01:02;07C02-01:02 0.0
10.10.3 Protection of log information 04D01-09;04D02-06;04D02-08:09;05D01-09;05D02-06;05D02-
08:09;07C01-07:08;07C02-07:08 0.0
10.10.4 Administrator and operator logs 06C03-01:07;08F03-01:07;11E03-01:09;12E03-01:09 0.0
10.10.5 Fault logging 04D03-01:05;05D03-01:05 0.0
351061430.xls ! ISO 27002 386 Dcembre 2006

ISO 27002
10.10.6 CPrek synchronization 06B01-03;08B01-04;12B01-05 0.0

11 Access control
11.1 Business requirement for access control
11.1.1 Access control policy 02C01-01;05B01-01;06C01-01;07A01-01;09A01-01 0.0
11.2 User access management
11.2.1 User registration 01C06-01:06 0.0
11.2.2 Privilege management 05B01-02;05B02-03;06C01-03;06C01-07;07A01-02;07A02-
03;08F01-01;08F01-05;09A01-02;09A02-03;11E01-01;11E01-
05;12E01-01;12E01-05 0.0
11.2.3 User password management 05B03-02;07A03-02;09A03-02;11B01-02 0.0
11.2.4 Review of user access rights 05B01-08;05B02-04:05;05B02-07;06C01-08:09;06C02-07;07A01-
08;07A02-04:05;07A02-08;08F01-06:07;08F02-06;09A01-
08;09A02-04:05;09A02-08;11E01-06:07;12E01-06:08 0.0
11.3 User responsibilities
11.3.1 Password use 01B01-02 0.0
11.3.2 Unattended user equipment 01B01-03;11B01-08 0.0
11.3.3 Clear desk and clear screen policy 01B02-07 0.0
11.4 Network access control
11.4.1 Policy on use of network services 01B02-05 0.0
11.4.2 User authentication for external connections 01B02-01:02;05B05-01:03;05B08-01:03 0.0
11.4.3 Equipment identification in networks 05B07-08 0.0
11.4.4 Remote diagnostic and configuration port protection 06A02-09:10;06A04-01:03;06A04-05;08A06-01:03;08A06-
05;08B01-02;12A02-10:11;12A04-01:04;12B01-03 0.0
11.4.5 Segregation in networks 01B02-02;05A01-02:06 0.0
11.4.6 Network connection control 04B01-05:06;05A01-06;05A01-08 0.0
11.4.7 Network routing control 04B01-14;05A01-12 0.0
11.5 Operating system access control
11.5.1 Secure log-on procedures 07A03-03:07 0.0
11.5.2 User identification and authentication 07A04-01:04;09A04-01:04 0.0
11.5.3 Password management system 07A03-01:09;09A03-01:08 0.0
11.5.4 Use of system utilities 08A02-03:07 0.0
11.5.5 Session time-out 07A04-06;09A04-06 0.0
11.5.6 Limitation of connection time 07A01-04:05;09A01-04;09A04-05 0.0
11.6 Information and application access control
11.6.1 Information access restriction 09A01-02;09A02-01:02;09A04-01:02;09A04-07 0.0
11.6.2 Sensitive system isolation 07D02-01:03 0.0
351061430.xls ! ISO 27002 387 Dcembre 2006

ISO 27002
11.7 Mobile computing and teleworking

11.7.1 Mobile computing and communications 01B02-08;11C01-01;11B02-01;11B02-03;11D05-01 0.0
11.7.2 Teleworking 11B02-01:02;11B02-04;11B03-04 0.0
12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
12.1.1 Security requirements analysis and specification 10A01-01:03 0.0
12.2 Correct Identification of applicable legislation
12.2.1 Input data validation 09B03-01:06;09B03-08;09B04-01;09B05-01 0.0
12.2.2 Control of internal processing 10B03-01:04 0.0
12.2.3 Message integrity 09B02-01:03 0.0
12.2.4 Output data validation 09B04-01;09B05-01 0.0
12.3 Cryptographic controls
12.3.1 Policy on the use of cryptographic controls 04C01-01;05C01-01;05C03-01;08C06-05;09C01-01;09C02-
01;09F01-01;11C01-01 0.0
12.3.2 Key management 04C01-03;05C01-03;05C03-03;08D03-10;09C01-03;09C02-
05;09F01-04 0.0
12.4 Security of system files
12.4.1 Control of operational software 06A02-04:05;06A02-13:14;08A03-04:06;08A03-13:15;08B03-
01;10B01-03;11A04-01;12A02-14:15 0.0
12.4.2 Protection of system test data 10B04-01:05 0.0
12.4.3 Access control to program source code 10B02-04 0.0
12.5 Security in development and support process
12.5.1 Change control procedures 08A03-03:04;10A02-01:03 0.0
12.5.2 Technical review of applications after operating system 10A02-05:07 0.0
12.5.3 changes
Retrictions of changes to software packages 10A05-01:04 0.0
12.5.4 Information leakage 10A01-04 0.0
12.5.5 Outsourced software development 10A03-01:05 0.0
12.6 Technical vulnerability management
12.6.1 Control of technical vulnerabilities 08B01-03;08B02-04;12B01-04 0.0
13 Information security incident management
13.1 Reporting information security events and weaknesses
13.1.1 Reporting information security events 01A02-12;01A03-01:04 0.0
13.1.2 Reporting security weaknesses 01C04-06 0.0
13.2 Management of information security events and improvement
13.2.1 Responsibilities and procedures 01A02-12;01A03-04;04D03-08;05D03-08;08E03-08 0.0
13.2.2 Learning from information security incidents 01A03-05 0.0
351061430.xls ! ISO 27002 388 Dcembre 2006

ISO 27002
13.2.3 Collection of evidences 01A03-06;02D06-01:02;08H01-04 0.0

14 Business continuity management
14.1 Information security aspects of business continuity management
14.1.1 Including information security in the business continuity 01E01-03
management process 0.0
14.1.2 Business continuity and risk assessment 01E01-01:02 0.0
14.1.3 Developing and implementing continuity plans including 01E02-01:05;04A05-01:03;05A06-01:03;08D06-01:06;09E02-
information security 01:07;11D07-01:06;12C04-01:06 0.0
14.1.4 Business continuity planning framework 09E02-07 0.0
14.1.5 Testing, maintaining and re-assessing business continuity 01E02-08:11;04A05-04:05;05A06-04:05;08D04-05;08D05-
plans 09;08D06-07:08;09E02-09;10A02-07;11D03-03;11D07-
07:08;12C03-04;12C04-07:08 0.0
15 Compliance
15.1 Compliance with legal requirements
15.1.1 Identification of applicable legislation 01B02-10 0.0
15.1.2 Intellectual property rights 11A03-01:03;13D01-01:10;13D02-01:04;13D04-01 0.0
15.1.3 Protection of organizational records 01B02-09;08H01-04:06 0.0
15.1.4 Data protection and privacy of personal information 13A01-01:06;13A02-01:04;13A04-01 0.0
15.1.5 Prevention of misuse of information processing facilities 01B01-05;01C05-05;13E01-01:06;13E02-01:03;13E04-01 0.0
15.1.6 Regulation of cryptographic controls 13G01-01:06;13G02-01:02;13G03-01 0.0
15.2 Compliance with security policies and standards and technical compliance
15.2.1 Compliance with security policies and standards 01B01-12 0.0
15.2.2 Technical compliance checking 05B07-10;06B01-06:08;08B01-06:08;08B02-06:08;11A02- 0.0
05:06;12B01-07:09
15.3 Information systems audit considerations
15.3.1 Information systems audit controls 06D01-01:04;08G01-01:04 0.0
15.3.2 Protection of Information systems audit controls 06D01-05;06D02-01:03;08G02-01:03 0.0
351061430.xls ! ISO 27002 389 Dcembre 2006

Table of events : types of events and natural exposure
Code
Family type Event description Code
type
Absence of personnel due to an Absence of personnel from partner AB.P.Pep

AB.P
accident Absence of internal personnel AB.P.Per
Absence of service : Air conditioning AB.S.Cli
Absence of service : Power supply AB.S.Ene
Absence or unavailability of service, Absence of service : Impossibility to have access to the premises AB.S.Loc
AB.S
due to an accident
Absence or impossibility of application software maintenance AB.S.Maa
Absence or impossibility of information system maintenance AB.S.Mas
Lightning AC.E.Fou
Environmental serious accident AC.E Fire AC.E.Inc
Flooding AC.E.Ino
Equipment breakdown AC.M.Equ
Hardware accident AC.M
Accessory equipment breakdown AC.M.Ser
Voluntary absence of personnel AV.P Social conflict with strike AV.P.Gre
Software blocking or malfunction due to a design or programming error (in-house
Conceptual error ER.L ER.L.Lin
software)
Lost or forgotten document or media ER.P.Peo
Hardware error or behavioral error by
ER.P Error of operation or non compliance of a procedure ER.P.Pro
personnel
Typing or data entry error ER.P.Prs
Damage due to ageing (of equipment) IC.E.Age
Water damage IC.E.De
Incident due to environment IC.E
Pollution damage IC.E.Pol
Electrical boosting or over load IC.E.Se
Production incident IF.L.Exp
Software blocking or malfunction (information system or software package) IF.L.Lsp

Logical or functional incident IF.L
Saturation due to an external cause (worm) IF.L.Ver
Virus IF.L.Vir
Deliberate blocking of accounts MA.L.Blo
Deliberate erasure or massive pollution of system configurations MA.L.Cfg
Deliberate erasure of files, data bases or media MA.L.Del
Electromagnetic pick up MA.L.Ele
Malevolent action (logical or Deliberate corruption of data or functions MA.L.Fal

MA.L
functional) Forging of messages or data MA.L.Fau
Fraudulent replay of transaction MA.L.Rej
Deliberate saturation of IT equipments or networks MA.L.Sam
Deliberate total erasure of files and backups MA.L.Tot
Diversion of files or data (tele-load or copy) MA.L.Vol
Tampering or falsification of equipment MA.P.Fal
Terrorism MA.P.Ter
Malevolent action (physical) MA.P
Vandalism or hooliganism MA.P.Van
Theft of physical asset MA.P.Vol
Inadequate procedures PR.N.Api
Procedures not applied due to lack of resource or means PR.N.Naa
Non compliance to procedures PR.N
Procedures not applied due to ignorance PR.N.Nam
Procedures not applied deliberately PR.N.Nav
Natural
Natural Natural
exposure
exposure exposure Selection Comments
(standard
(decided) (resulting)
CLUSIF)
3 3 1
2 2 1
2 2 1
3 3 1
2 2 1
3 3 1
2 2 1
2 2 1
2 2 1
3 3 1
3 3 1
3 3 1
2 2 1
3 3 1
3 3 1
3 3 1
3 3 1
2 2 1
3 3 1
2 2 1
2 2 1
3 3 1
2 2 1
3 3 1
4 4 1
2 2 1
2 2 1
2 2 1
3 3 1
3 3 1
3 3 1
2 2 1
3 3 1
2 2 1
3 3 1
2 2 1
2 2 1
2 2 1
2 2 1
2 2 1
2 2 1
2 2 1
2 2 1
Reference Base of scenarios
ASSET VULNERABILITY THREAT
Supporting Type of Event Circumstances Actor
Scenario Family
Family Code
Code
ASSET Sub
AICE Asset damage Type Place Time Access Process
type Type
D01-A Loss of data used by applications

F01-EA1 D01 A File erasure Fic.eff IF.L Exp Exp
File erasure ER.P Pro Exp Ain Ual

F01-ER1 D01 A Fic.eff
F01-ER1 D01 A File erasure Fic.eff ER.P Pro Exp Ain Uai
F01-ER1 D01 A File erasure Fic.eff ER.P Pro Exp Ain Una
F01-ER1 D01 A File erasure Fic.eff ER.P Pro Exp Ain E
F01-ER1 D01 A File erasure Fic.eff ER.P Pro Exp Ain M
F01-EM1 D01 A File erasure Fic.eff MA.L Del Exp Ain Ual
File erasure MA.L Del Exp Ain Uai

F01-EM1 D01 A Fic.eff
File erasure MA.L Del Exp Ain Una

F01-EM1 D01 A File erasure Fic.eff MA.L Del Exp Ain E
F01-EM1 D01 A File erasure Fic.eff MA.L Del Exp Ain M
File erasure MA.L Del Exp Atm Tie

File erasure MA.L Tot Atm E

F01-PA1 D01 A File Pollution Fic.pol ER.P Pro Mal M
F01-PA1 D01 A File Pollution Fic.pol ER.P Pro Mac M
File Pollution IF.L Exp

F01-PA1 D01 A Fic.pol
File Pollution MA.L Fal Ain Exp Uai

F01-PM1 D01 A Fic.pol
Mise jour : janvier 2010

Scenario Family
Family Code
Code
ASSET Sub
type Type
File Pollution MA.L Fal Ain Exp Una

F01-PM1 D01 A Fic.pol
F01-PM1 D01 A File Pollution Fic.pol MA.L Fal Ain Exp E
F01-PM1 D01 A File Pollution Fic.pol MA.L Fal Ain Exp M
Media Destruction AC.E Inc Exp

F02-AC1 D01 A Med.des
Media Destruction AC.E Ino Exp

F02-AC1 D01 A Media Destruction Med.des AC.E Inc Md.
F02-AC1 D01 A Media Destruction Med.des AC.E Ino Md.
Media disappearance ER.P Peo Md.

F03-AC1 D01 A Med.dis
F03-AC1 D01 A Media disappearance Med.dis ER.P Peo Exp
Media disappearance MA.P Vol Exp Pna

F03-MA1 D01 A Med.dis
F03-MA1 D01 A Media disappearance Med.dis MA.P Vol Exp E
F03-MA1 D01 A Media disappearance Med.dis MA.P Vol Exp Pse
F03-MA1 D01 A Media disappearance Med.dis MA.P Vol Md. Pna
F03-MA1 D01 A Media disappearance Med.dis MA.P Vol Md. E
F03-MA1 D01 A Media disappearance Med.dis MA.P Vol Md. Pse
Media inoperability AC.M Equ Exp

F04-AC1 D01 A Med.ine
Media inoperability IC.E De Exp


Scenario Family
Family Code
Code
ASSET Sub
type Type
Media inoperability IC.E Se Exp

Media inoperability IF.L Exp Exp

Media inoperability IC.E Pol Md.

Media inoperability IC.E De Md.

F05-ER D01 A Access disappearance Cle.dis ER.P Pro

means
Access disappearance MA.P Vol
F05-MA D01 A means Cle.dis
D02-A Loss of shared office data

F01-EA1 D02 A File erasure Fic.eff IF.L Vir Exp
File erasure ER.P Pro Exp Ain Ual
File erasure ER.P Pro Exp Ain Uai

File erasure ER.P Pro Exp Ain M

File erasure MA.L Del Exp Ain Ual

File erasure MA.L Del Exp Ain Uai

File erasure MA.L Del Exp Ain Una

File erasure MA.L Del Exp Ain E

File erasure MA.L Del Exp Ain M


Scenario Family
Family Code
Code
ASSET Sub
type Type
F01-EM3 D02 A File erasure Fic.eff MA.L Tot Ain E



Media disappearance MA.P Vol Exp E

Media disappearance MA.P Vol Exp Pse





Access disappearance ER.P Pro

F05-ER D02 A means Cle.dis

D03-A Loss of personal office data

F01-EA1 D03 A File erasure Fic.eff IF.L Vir Bur
File erasure ER.P Pro Bur Apc Ua

F01-ER1 D03 A File erasure Fic.eff ER.P Pro Bur Ain E

Scenario Family
Family Code
Code
ASSET Sub
type Type
F01-ER1 D03 A File erasure Fic.eff ER.P Pro Bur M
F01-ER1 D03 A File erasure Fic.eff ER.P Pro Exp Abs Apc Una
F01-EM1 D03 A Files erasure Fic.eff MA.L Del Bur Abs Apc Una
F01-EM1 D03 A Files erasure Fic.eff MA.L Del Bur Hho Apc Una
F01-EM1 D03 A Files erasure Fic.eff MA.L Del Bur Ain E
F01-EM1 D03 A Files erasure Fic.eff MA.L Del Bur M
F02-AC1 D03 A Media Destruction Med.des AC.E Inc Bur
F02-AC1 D03 A Media Destruction Med.des AC.E Ino Bur
Media disappearance ER.P Peo Bur

F03-AC1 D03 A Media disappearance Med.dis ER.P Peo Ext
PC disappearance MA.P Vol Bur Per

PC disappearance MA.P Vol Bur Pse

F03-MA1 D03 A PC disappearance Med.dis MA.P Vol Bur Vis
F03-MA1 D03 A PC disappearance Med.dis MA.P Vol Ext
disappearance MA.P Vol Bur Per

F03-MA1 D03 A Media Med.dis
disappearance MA.P Vol Bur Pse

F03-MA1 D03 A Media Med.dis
disappearance Med.dis MA.P Vol Bur Vis

F03-MA1 D03 A Media
Media inoperability AC.M Equ Bur
F04-AC1 D03 A Media inoperability Med.ine IC.E De Bur

Scenario Family
Family Code
Code
ASSET Sub
type Type
Media inoperability IC.E Se Bur

Media inoperability IC.E Age Bur

Access disappearance ER.P Pro

F05-ER D03 A means Cle.dis

D04-A Loss of documents

Document inoperability IC.E De
F08-AC D04 A Med.ine
Document Destruction AC.E Inc

F08-AC D04 A Med.des
Document Destruction AC.E Ino

Document disappearance ER.P Peo

F08-ER D04 A Med.dis
Document disappearance ER.P Peo Ext

F08-ER D04 A Med.dis
Document disappearance MA.P Vol Abs Per

F08-MA D04 A Med.dis
F08-MA D04 A Document disappearance Med.dis MA.P Vol Abs Vis
Document disappearance MA.P Vol Hho Per

Document disappearance MA.P Vol Hho Pse

F08-MA D04 A Document disappearance Med.dis MA.P Vol Ext
D06-A Loss of data during transfers or of messages

Scenario Family
Family Code
Code
ASSET Sub
type Type
Messages loss IF.L Exp

F07-AC1 D06a A Dtr.per
Messages loss AC.M Equ

Messages loss AC.E Inc

Messages loss AC.E Ino

data erasure MA.L Del E

F07-MA1 D06a A Dtr.des
data erasure MA.L Del Pna

F07-MA1 D06a A Dtr.des
D07-A Loss of e-mails (during sending or receipt)

e-mails loss IF.L Exp
F07-AC1 D07 A Dtr.per
e-mails loss AC.M Equ

e-mails loss AC.E Inc

e-mails loss AC.E Ino

e-mails erasure ER.P Pro Tru Ua

F07-ER1 D07 A Dtr.per
e-mails erasure ER.P Pro Exp E

e-mails erasure ER.P Pro Mai M

e-mails erasure MA.L Del E

F07-MA1 D07 A Dtr.per
e-mails erasure MA.L Del Pna


Scenario Family
Family Code
Code
ASSET Sub
type Type
D08-A Loss of documents while transferred (during sending or receipt)

fax Destruction IC.E De Emi
fax Destruction AC.E Inc Emi

fax Destruction AC.E Ino Emi

fax loss AC.M Equ Emi

F07-AC2 D08 A post mail Destruction Dtr.per IC.E De Emi
F07-AC2 D08 A post mail Destruction Dtr.per AC.E Inc Emi
post mail Destruction AC.E Ino Emi

fax loss ER.P Pro Bur Tru

post mail loss ER.P Pro Bur Tru

fax disappearance MA.P Vol Lof Pna

fax disappearance MA.P Vol Dis Per

F07-MA2 D08 A fax Transfer Dtr.per MA.L Fal

post mail disappearance MA.P Vol Loc Pna
post mail disappearance MA.P Vol Dis Per

D09-A Loss or unusability of archived documents

Document inoperability IC.E De Arc
F08-AC D09 A Med.ine

Scenario Family
Family Code
Code
ASSET Sub
type Type
Document Destruction AC.E Inc Arc

Document Destruction AC.E Ino Arc

Document loss of reference ER.P Pro Arc

F08-ER D09 A Med.dIs
Document disappearance MA.P Vol Arc Hou Pa

F08-MA D09 A Med.dIs
Document disappearance MA.P Vol Arc Hho Pse

Document disappearance MA.P Vol Arc Hou Pna

Document disappearance MA.P Vol Arc Hho Pna

Document disappearance MA.P Vol Dis Tran Pna

Document Destruction MA.P Ter Arc Tve

D10-A Loss of digital archives

F01-ER1 D10 A File erasure Fic.eff ER.P Pro Exp Ain Ua

Scenario Family
Family Code
Code
ASSET Sub
type Type
F01-EM1 D10 A File erasure Fic.eff MA.L Del Exp Ain Ual
F01-EM1 D10 A File erasure Fic.eff MA.L Del Exp Ain Uai
F01-EM1 D10 A File erasure Fic.eff MA.L Del Exp Ain Pna
F02-AC1 D10 A Media Destruction Med.des AC.E Inc Md.
F02-AC1 D10 A Media Destruction Med.des AC.E Ino Md.
F03-AC1 D10 A Media disappearance Med.dis ER.P Peo Arc
F03-AC1 D10 A Media disappearance Med.dis ER.P Peo Exp
F03-MA1 D10 A Media disappearance Med.dis MA.P Vol Arc Pa
F03-MA1 D10 A Media disappearance Med.dis MA.P Vol Arc Pna
F03-MA1 D10 A Media disappearance Med.dis MA.P Vol Arc Pse
F03-MA1 D10 A Media disappearance Med.dis MA.P Vol Dis Pna
Media inoperability IC.E Age Arc

F04-AC1 D10 A Media inoperability Med.ine IC.E De Arc
F05-ER D10 A Media loss of reference Cle.dis ER.P Pro Dis

D11-A Unavailability or loss of data published on internal or public web sites

F01-ER1 D11 A File erasure Fic.eff ER.P Pro Exp Ain Ual
F01-ER1 D11 A File erasure Fic.eff ER.P Pro Exp Ain Uai

Scenario Family
Family Code
Code
ASSET Sub
type Type
F01-ER1 D11 A File erasure Fic.eff ER.P Pro Exp M
F01-EM1 D11 A File erasure Fic.eff MA.L Del Exp Ain Una
F01-EM1 D11 A File erasure Fic.eff MA.L Del Exp M
File Pollution ER.P Pro Mal M

File Pollution ER.P Pro Mac M




Media Destruction AC.E Inc Md.

Media Destruction AC.E Ino Md.

Media disappearance ER.P Peo Exp



Scenario Family
Family Code
Code
ASSET Sub
type Type
Media disappearance MA.P Vol Exp E

Media disappearance MA.P Vol Exp Pse





D01-I Distortion (undetected) of data files

F09-AC1 D01 I File tampering Fic.alt ER.P Pro Mal M
File tampering ER.P Pro Mac M

F09-AC1 D01 I Fic.alt
File tampering IF.L Exp

F09-ER D01 I File tampering Fic.alt ER.P Pro Ain Tru Ual
File tampering ER.P Pro Ain Tru Uai

F09-ER D01 I Fic.alt
File tampering ER.P Pro Ain Tru Una

File tampering ER.P Pro Mal M


Scenario Family
Family Code
Code
ASSET Sub
type Type
File tampering MA.L Fal Ain Exp Uai

F09-MA1 D01 I Fic.alt
File tampering MA.L Fal Ain Exp Una

F09-MA1 D01 I File tampering Fic.alt MA.L Fal Ain Exp E
F09-MA1 D01 I File tampering Fic.alt MA.L Fal Exp M
File tampering MA.L Fal Atm Exp Tie

F09-MA1 D01 I Media tampering Fic.alt MA.L Fal Tran Pa
Media swap MA.P Fal Exp Pa

F09-ME1 D01 I Med.ech
Media swap MA.P Fal Exp Pna

Media swap MA.P Fal Tran Pa

D02-I Distortion (undetected) of shared office files

File tampering ER.P Pro Ain Tru Ual




Scenario Family
Family Code
Code
ASSET Sub
type Type

File tampering MA.L Fal Ain Exp E

File tampering MA.L Fal Ain Exp M

Media swap MA.P Fal Ain Exp Pa

Media swap MA.P Fal Ain Exp Pna

D03-I Distortion (undetected) of personal office files

File tampering ER.P Pro Apc Tru Ual
File tampering ER.P Pro Apc Tru Una

File tampering MA.L Fal Ain Stp E

File tampering MA.L Fal Stp M

Media tampering MA.L Fal Stm Pa

File tampering MA.L Fal Abs Apc Act Una

Media swap MA.P Fal Stm Pa


Scenario Family
Family Code
Code
ASSET Sub
type Type
D06-I Distortion (undetected) of data or of transmitted data that are individually sensitive
data tampering ER.P Prs
F10-ER D06b I Fic.alt
data tampering MA.L Fal Ain Exp Ual

F10-MA D06b I Fic.alt
data tampering MA.L Fal Ain Exp Pna

data tampering MA.L Fal Ain Exp Uai

F10-MA D06b I data tampering Fic.alt MA.L Fal Exp E
F10-MA D06b I data tampering Fic.alt MA.L Fal Exp M
data tampering MA.L Fal Ext Are Ere Tie

F10-MA D06c I Dtr.alt
data tampering MA.L Fal Ere E

data tampering MA.L Fal Aerl Are Pna

data tampering MA.L Fal Aerl Are E

data tampering MA.L Fal Erl Pna

data tampering MA.L Fal Erl E

F10-MA D06c I Transaction replay Dtr.alt MA.L Rej Una

Message Usurpation MA.L Fal Una

Scenario Family
Family Code
Code
ASSET Sub
type Type
D07-I Distortion of e-mails during their sending or receipt

e-mail tampering MA.L Fal Tie
F10-MA D07 I Fic.alt
e-mail tampering MA.L Fal E

F10-MA D07 I Fic.alt
F10-FA1 D07 I e-mail tampering Fic.alt MA.L Fau Exp Tie

D08-I Distortion of faxes during their sending or receipt
F10-FA2 D08 I fax tampering Fic.alt MA.L Fal Tie
D10-I Distortion of computerized archives
File tampering MA.L Fal E
File tampering MA.L Fal Ain Pna

Media swap MA.P Fal Ain Pa

Media swap MA.P Fal Ain Pna

Media swap MA.P Fal Ain Tran Tie

D11-I Distortion of data published on internal or public sites

File tampering ER.P Pro Mac M
File tampering IF.L Exp

File tampering ER.P Pro Ain Tru Ual




Scenario Family
Family Code
Code
ASSET Sub
type Type


File tampering MA.L Fal Exp E

File tampering MA.L Fal Exp M

D01-C Disclosure of data files

F11-ER1 D01 C data disclosure Fic.dif ER.P Pro Exp E
F11-ER1 D01 C data disclosure Fic.dif ER.P Pro Mam E
F11-ER1 D01 C data disclosure Fic.dif ER.P Pro Tde D
data disclosure ER.P Pro Mal M

F11-ER1 D01 C Fic.dif
F11-MA1 D01 C File disclosure Fic.dif MA.L Vol Ain Tru Ual
data file disclosure MA.L Vol Ain Tru Uai

F11-MA1 D01 C Fic.dif
data file disclosure MA.L Vol Ain Tru Una

F11-MA1 D01 C data file disclosure Fic.dif MA.L Vol Exp E
data file disclosure MA.L Vol Ain Exp Tie

data file disclosure MA.L Vol Aerl Exp Tie

data file disclosure MA.L Vol Atm Exp Tie


Scenario Family
Family Code
Code
ASSET Sub
type Type
data file disclosure MA.L Vol Asan Exp Tie

F11-MA1 D01 C data file disclosure Fic.dif MA.L Vol Mai M
Media disappearance MA.P Vol Tran Pa

F12-MA1 D01 C Med.dis
Media disappearance MA.P Vol Sti Pa

Media disappearance MA.P Vol Ste Pa


Media disappearance MA.P Vol Tran Pna

Media disappearance MA.P Vol Sti Pna

Media disappearance MA.P Vol Ste Pna

D02-C Disclosure of shared office files

File disclosure ER.P Pro Exp E
File disclosure ER.P Pro Mam E

data file disclosure MA.L Vol Ain Tru Ual

data file disclosure MA.L Vol Ain Tru Uai

data file disclosure MA.L Vol Ain Tru Una


Scenario Family
Family Code
Code
ASSET Sub
type Type
F11-MA1 D02 C data file disclosure Fic.dif MA.L Vol Exp E
data file disclosure MA.L Vol Mai M

data file disclosure MA.L Vol Ain Exp Tie

data file disclosure MA.L Vol Aerl Exp Tie

data file disclosure MA.L Vol Asan Exp Tie

Media disappearance MA.P Vol Exp Pa









Scenario Family
Family Code
Code
ASSET Sub
type Type
D03-C Disclosure of personal office files

File disclosure ER.P Pro Tru

data file disclosure MA.L Vol Abs Apc Pna

data file disclosure MA.L Vol Hho Apc Pna

data file disclosure MA.L Vol Exp E

data file disclosure MA.L Vol Mai M

Media disappearance ER.P Peo Ext

F12-ER D03 C Med-dis
Media disappearance MA.P Vol Bur Abs Per

Media disappearance MA.P Vol Bur Abs Vis

Media disappearance MA.P Vol Bur Hho Per

Media disappearance MA.P Vol Bur Hho Ser

Media disappearance MA.P Vol Ext

PC disappearance MA.P Vol Bur Abs Per


Scenario Family
Family Code
Code
ASSET Sub
type Type
PC disappearance MA.P Vol Bur Abs Vis

PC disappearance MA.P Vol Bur Hho Per

PC disappearance MA.P Vol Bur Hho Ser

PC disappearance MA.P Vol Ext

D04-C Disclosure of documents

Document disappearance ER.P Pro Ext
F14-ER1 D04 C Med.dis
Document disappearance MA.P Vol Bur Hho Per

Document disappearance MA.P Vol Bur Abs Uai

Document disappearance MA.P Vol Bur Ser

Document disappearance MA.P Vol Bur Abs Per

Document disappearance MA.P Vol Bur Abs Vis

F14-MA1 D04 C Document disappearance Med.dis MA.P Vol Ext
Document disappearance MA.P Vol Imp Per

F14-MA1 D04 C Document disappearance Med.dis MA.P Vol Imp Vis
Document disappearance MA.P Vol Dif Per


Scenario Family
Family Code
Code
ASSET Sub
type Type
F14-MA1 D04 C Document disappearance Med.dis MA.P Vol Dif Vis
F14-MA3 D04 C Document disappearance Med.dis MA.P Vol Crc
D05-C Disclosure of listings or printouts

printouts disclosure ER.P Pro Dif E
F14-ER2 D05 C Med.dis
printouts disappearance MA.P Vol Exp Pa

F14-MA2 D05 C printouts disappearance Med.dis MA.P Vol Exp Ser
printouts disappearance MA.P Vol Exp Pna

printouts disappearance MA.P Vol Dif Per

F14-MA2 D05 C printouts disappearance Med.dis MA.P Vol Dif Vis

scrapped disappearance MA.P Vol Exp Crc
printouts
D06-C Disclosure of data after consultation or harnessing
screen disclosure MA.L Vol Bur Ain Uai
F13-MA1 D06 C Dtr.div
screen disclosure MA.L Vol Bur Ain Tie

screen disclosure MA.L Vol Bur Ain E

screen disclosure MA.L Vol Ext Aerl Tie

F13-MA1 D06 C screen harnessing Dtr.div MA.L Ele Ext Aem Tie
Rsidu disclosure MA.L Vol Aru E


Scenario Family
Family Code
Code
ASSET Sub
type Type
data harnessing MA.L Vol Ext Are Pna

F13-MA2 D06 C transferred Dtr.div
data harnessing MA.L Vol Ain Per

data harnessing MA.L Fal Amer Per

data harnessing MA.L Fal Amer E

transferred
data harnessing MA.L Fal Ext Amdertm Tie
data harnessing MA.L Vol Amderuf Main Tie

data disclosure MA.L Vol Ext Auie Tie

data disclosure MA.L Vol Ext Auis E

D07-C Disclosure of e-mails during their sending or receipt

F19-ER1 D07 C e-mails disclosure Dtr.div ER.P Pro Ua
e-mails disclosure MA.L Vol E
F19-MA D07 C Dtr.div
F19-MA D07 C e-mails disclosure Dtr.div MA.L Vol M
F19-MA D07 C e-mails disclosure Dtr.div MA.L Vol Pna
D08-C Disclosure of post mails or faxes during their sending or receipt

F19-ER2 D08 C post mail disclosure Dtr.div ER.P Pro
F19-ER3 D08 C fax disclosure Dtr.div ER.P Pro
F19-MA1 D08 C post mail disappearance

Dtr.div
MA.P Vol Loc Col

Scenario Family
Family Code
Code
ASSET Sub
type Type
F19-MA1 D08 C post mail disappearance

Dtr.div
MA.P Vol Bur Col
fax disappearance MA.P Vol Lof

fax disappearance MA.P Vol Col

fax disclosure MA.L Fal

D09-C Disclosure of printed or written archive

F16-MA D09 C Document disappearance Med.dis MA.P Vol Arc Pa
F16-MA D09 C Document disappearance Med.dis MA.P Vol Arc Pna
Document disappearance MA.P Vol Tran Pna

F16-MA D09 C Med.dis
Document disclosure MA.P Vol Arc Pna

D10-C Disclosure of files or digitalized archives

Media disappearance MA.P Vol Arc Pa
Media disappearance MA.P Vol Arc Pna

Media disappearance MA.P Vol Dis Pna

G01-A Unavailability of the working environment of users

F17-AC G01 A premises unavailability Loc.ina AC.E Inc
premises unavailability AC.E Ino

F17-AC G01 A Loc.ina
premises unavailability AB.S Ene
F17-AC G01 A Loc.ina
F17-AC G01 A premises unavailability Loc.ina AB.S Loc

Scenario Family
Family Code
Code
ASSET Sub
type Type
G02-A Unavailability of telecommunication services (voice, faxes, video conferencing)

File erasure IF.L Exp Exp
F01-EA2 G02 A Cfl.eff
File erasure ER.P Pro Exp M

F01-ER4 G02 A Cfl.eff
File erasure MA.L Del Exp E

F01-EM2 G02 A Cfl.eff
File erasure MA.L Del Exp M

F01-EM2 G02 A Cfl.eff
telecom damaging IC.E De Exp

F06-AC1 G02 A equipment Eq.hs
telecom damaging IC.E Se Exp

telecom Destruction AC.E Fou Exp

equipment
F06-AC2 G02 A Eq.des
telecom Destruction AC.E Inc Exp

F06-AC2 G02 A equipment Eq.des
telecom Destruction AC.E Ino Exp

equipment
F06-AC2 G02 A Eq.des
telecom unavailability AC.M Equ

auxiliary unavailability AC.M Ser

F06-AC3 G02 A elements Eq.hs

Scenario Family
Family Code
Code
ASSET Sub
type Type
auxiliary unavailability AB.S Ene

elements
F06-AC3 G02 A Eq.hs
telecom damaging MA.P Van Exp Pa

equipment
F06-MA1 G02 A Eq.hs
telecom damaging MA.P Van Exp Pna

equipment
F06-MA1 G02 A Eq.hs
telecom damaging MA.P Van Tve

equipment
F06-MA1 G02 A Eq.hs
telecom damaging MA.P Van Tvi

equipment
F06-MA1 G02 A Eq.hs
telecom Destruction MA.P Ter Tve

F06-MA2 G02 A equipment Eq.des
telecom unavailability AB.S Mas

F18-AR G02 A equipment Eq.hs
R01-A Unavailability of the extended network service

software erasure IF.L Exp Exp
F01-EA4 R01 A configuration Cfl.eff
software erasure ER.P Pro Exp E

F01-ER4 R01 A configuration Cfl.eff
software erasure ER.P Pro Exp M

software erasure MA.L Del Exp Una

F01-EM4 R01 A Cfl.eff
configuration

Scenario Family
Family Code
Code
ASSET Sub
type Type
software erasure MA.L Del Exp E

configuration
software erasure MA.L Del Exp M
configuration
software erasure MA.L Tot E
F01-EM5 R01 A configuration Cfl.eff
network damaging IC.E De Exp

F06-AC1 R01 A equipment Eq.hs
network damaging IC.E Se Exp

network Destruction AC.E Fou Exp

F06-AC2 R01 A equipment Eq.des
network Destruction AC.E Inc Exp

network Destruction AC.E Ino Exp

network unavailability AC.M Equ


F06-AC3 R01 A elements Eq.hs

network damaging MA.P Van Exp Pa

F06-MA1 R01 A equipment Eq.hs
network damaging MA.P Van Exp Pna


Scenario Family
Family Code
Code
ASSET Sub
type Type
network damaging MA.P Van Tve

network damaging MA.P Van Tvi

network Destruction MA.P Ter Tve

F06-MA2 R01 A equipment Eq.des
network unavailability MA.L Cfg E

network unavailability MA.L Cfg M

network unavailability AB.S Mas

F18-AR R01 A equipment Eq.hs
network unavailability AV.P Gre

F18-AR R01 A equipment Eq.mo
network unavailability AB.P Per

network unavailability AB.P Pep

F18-AR R01 A network lock Eq.hs IF.L Ver
R02-A Unavailability of the local area network service

F01-EA4 R02 A configuration Cfl.eff



Scenario Family
Family Code
Code
ASSET Sub
type Type
software erasure MA.L Del Exp Una

configuration
software erasure MA.L Del Exp E
configuration
software erasure MA.L Del Exp M
configuration
software erasure MA.L Tot E
F01-EM5 R02 A configuration Cfl.eff
network damaging IC.E De Exp

network damaging IC.E Se Exp

network Destruction AC.E Fou Exp

network Destruction AC.E Inc Exp

network Destruction AC.E Ino Exp

network unavailability AC.M Equ



network damaging MA.P Van Exp Pa


Scenario Family
Family Code
Code
ASSET Sub
type Type
network damaging MA.P Van Exp Pna

network damaging MA.P Van Tve

network damaging MA.P Van Tvi

network Destruction MA.P Ter Tve

F06-MA2 R02 A equipment Eq.des
network unavailability MA.L Cfg E

network unavailability MA.L Cfg M

network unavailability AB.S Mas

F18-AR R02 A equipment Eq.hs
network unavailability AV.P Gre

network unavailability AB.P Per

network unavailability AB.P Pep

network lock IF.L Ver

F18-AR R02 A Eq.hs
S01-A Unavailability of application service

program file erasure IF.L Exp Exp
F01-EA2 S01 A Cfl.eff
program file erasure ER.P Pro Exp Ual

F01-ER2 S01 A Cfl.eff

Scenario Family
Family Code
Code
ASSET Sub
type Type
F01-ER2 S01 A program file erasure Cfl.eff ER.P Pro Exp Uai
F01-ER2 S01 A program file erasure Cfl.eff ER.P Pro Exp Una
F01-ER2 S01 A program file erasure Cfl.eff ER.P Pro Exp E
F01-ER2 S01 A program file erasure Cfl.eff ER.P Pro Exp M
F01-EM2 S01 A program file erasure Cfl.eff MA.L Del Exp Ual
program file erasure MA.L Del Exp Uai

F01-EM2 S01 A Cfl.eff
program file erasure MA.L Del Exp Una

F01-EM2 S01 A program file erasure Cfl.eff MA.L Del Exp E
F01-EM2 S01 A program file erasure Cfl.eff MA.L Del Exp M
program file erasure MA.L Tot E

F01-EM3 S01 A Fic.eff
program file Pollution ER.P Pro Mal M

F01-PA2 S01 A Cfl.pol
F01-PA2 S01 A program file Pollution Cfl.pol ER.P Pro Mac M
program file Pollution IF.L Exp

program file Pollution MA.L Fal Exp Uai

F01-PM2 S01 A Cfl.pol
program file Pollution MA.L Fal Exp Una

F01-PM2 S01 A program file Pollution Cfl.pol MA.L Fal Exp E
F01-PM2 S01 A program file Pollution Cfl.pol MA.L Fal Exp M

Scenario Family
Family Code
Code
ASSET Sub
type Type
media Destruction AC.E Inc Exp

F02-AC2 S01 A storing Med.des
program
media Destruction AC.E Ino Exp
program
media
F02-AC2 S01 A storing Destruction Med.des AC.E Inc Md.
program
media
F02-AC2 S01 A storing Destruction Med.des AC.E Ino Md.
program
media disappearance ER.P Peo Md.
F03-AC2 S01 A storing Med.dis
program
media
disappearance ER.P Peo Exp
program
media
disappearance MA.P Vol Exp Pna
F03-MA2 S01 A storing Med.dis
program
media
disappearance MA.P Vol Exp E
program
media
disappearance MA.P Vol Exp Pse
program
media
F03-MA2 S01 A storing disappearance Med.dis MA.P Vol Md. Pna
program
media disappearance MA.P Vol Md. E
program
media
F03-MA2 S01 A storing disappearance Med.dis MA.P Vol Md. Pse
program
media inoperability AC.M Equ Exp
F04-AC2 S01 A storing Med.ine
program
media inoperability IC.E De Exp
program
media inoperability IC.E Se Exp
program
media inoperability IF.L Exp Exp
program

Scenario Family
Family Code
Code
ASSET Sub
type Type
media inoperability IC.E Pol Md.

program
media inoperability IC.E De Md.
program
media inoperability IC.E Age Md.
program
application damaging IC.E De Exp
F06-AC1 S01 A server Eq.hs
application damaging IC.E Se Exp

application Destruction AC.E Fou Exp

F06-AC2 S01 A server Eq.des
application Destruction AC.E Inc Exp

application Destruction AC.E Ino Exp

application unavailability AC.M Equ


F06-AC3 S01 A elements Eq.hs

auxiliary unavailability AB.S Cli

application damaging MA.P Van Exp Pa

F06-MA1 S01 A server Eq.hs

Scenario Family
Family Code
Code
ASSET Sub
type Type
application damaging MA.P Van Exp Pna

application damaging MA.P Van Tve

application damaging MA.P Van Tvi

application Destruction MA.P Ter Tve

F06-MA2 S01 A server Eq.des
application unavailability MA.L Cfg E

application unavailability MA.L Cfg M

application unavailability AB.S Mas

F18-AR S01 A server Eq.hs
Application lock AB.S Maa Exp

F18-AR S01 A Eq.hs
application unavailability AV.P Gre

F18-AR S01 A server Eq.mo
application unavailability AB.P Per

application unavailability AB.P Pep

F18-BL S01 A application lock Cfl.bug IF.L Lsp Exp
F18-BL S01 A application lock Cfl.bug ER.L Lin Exp
F18-BL S01 A application lock Cfl.bug IF.L Exp Exp

Scenario Family
Family Code
Code
ASSET Sub
type Type
F18-BL S01 A application lock Cfl.bug MA.L Sam Exp
F18-BC S01 A account lock Cpt.blo MA.L Blo
S02-A Unavailability of the common office services

File erasure IF.L Exp Exp
File erasure ER.P Pro Exp Ual

F01-ER2 S02 A File erasure Cfl.eff ER.P Pro Exp Uai
F01-ER2 S02 A File erasure Cfl.eff ER.P Pro Exp Una
F01-ER2 S02 A File erasure Cfl.eff ER.P Pro Exp E
F01-ER2 S02 A File erasure Cfl.eff ER.P Pro Exp M
F01-EM2 S02 A File erasure Cfl.eff MA.L Del Exp Ual
File erasure MA.L Del Exp Uai

File erasure MA.L Del Exp Una

F01-EM2 S02 A File erasure Cfl.eff MA.L Del Exp E
F01-EM2 S02 A File erasure Cfl.eff MA.L Del Exp M
Files erasure MA.L Tot E

F01-PA2 S02 A File Pollution Cfl.pol ER.P Pro Mal M
F01-PA2 S02 A File Pollution Cfl.pol ER.P Pro Mac M


Scenario Family
Family Code
Code
ASSET Sub
type Type
File Pollution MA.L Fal Exp Uai

File Pollution MA.L Fal Exp Una

F01-PM2 S02 A File Pollution Cfl.pol MA.L Fal Exp E
F01-PM2 S02 A File Pollution Cfl.pol MA.L Fal Exp M

program
program
media
program
media
program
program
media
disappearance ER.P Peo Exp
program
media disappearance MA.P Vol Exp Pna
program
media disappearance MA.P Vol Exp E
program
media
disappearance MA.P Vol Exp Pse
program
media
program
program
media
program

Scenario Family
Family Code
Code
ASSET Sub
type Type

program
program
program
program
program
program
program
Server damaging IC.E De Exp
F06-AC1 S02 A Eq.hs
Server damaging IC.E Se Exp

F06-AC1 S02 A Eq.hs
Server Destruction AC.E Fou Exp

F06-AC2 S02 A Eq.des
Server Destruction AC.E Inc Exp

Server Destruction AC.E Ino Exp

Server unavailability AC.M Equ

F06-AC3 S02 A Eq.hs

Scenario Family
Family Code
Code
ASSET Sub
type Type

F06-AC3 S02 A elements Ser.hs

Server damaging MA.P Van Exp Pa

F06-MA1 S02 A Eq.hs
Server damaging MA.P Van Exp Pna

F06-MA1 S02 A Eq.hs
Server damaging MA.P Van Tve

F06-MA1 S02 A Eq.hs
Server damaging MA.P Van Tvi

F06-MA1 S02 A Eq.hs
Server Destruction MA.P Ter Tve

F06-MA2 S02 A Eq.des
Server unavailability MA.L Cfg E

F06-MA4 S02 A Eq.hs
Server unavailability MA.L Cfg M

F06-MA4 S02 A Eq.hs
Server unavailability AB.S Mas

F18-AR S02 A Eq.hs
application lock AB.S Maa Exp

F18-AR S02 A Eq.mo
Server unavailability AV.P Gre

F18-AR S02 A Eq.mo

Scenario Family
Family Code
Code
ASSET Sub
type Type
Server unavailability AB.P Per

F18-AR S02 A Eq.mo
Server unavailability AB.P Pep

F18-AR S02 A Eq.mo
S03-A Unavailability of interface services or terminals for users (PC, local printers, peripherals, specific interfaces, etc.)
F01-EA5 S03 A configuration Cfl.eff

F01-ER5 S03 A configuration Cfl.eff

F01-ER5 S03 A configuration Cfl.eff

F01-EM6 S03 A configuration Cfl.eff
work stations unavailability IF.L Vir Exp

F06-AC4 S03 A Eq.hs
work stations Destruction AC.E Fou Exp

F06-AC4 S03 A Eq.hs
work stations Destruction AC.E Inc Exp

F06-AC4 S03 A Eq.hs
work stations Destruction AC.E Ino Exp

F06-AC4 S03 A Eq.hs
work stations unavailability AB.S Ene

F06-AC4 S03 A Eq.hs

Scenario Family
Family Code
Code
ASSET Sub
type Type
work stations damaging MA.P Van Exp Pa

work stations damaging MA.P Van Exp Tie

shared unavailability AC.M Equ

F06-AC5 S03 A equipment Eq.hs
S04-A Unavailability of common system services: messaging, archiving, printing, editing, etc.

F01-ER2 S04 A program file erasure Cfl.eff ER.P Pro Exp Uai
F01-ER2 S04 A program file erasure Cfl.eff ER.P Pro Exp Una
F01-ER2 S04 A program file erasure Cfl.eff ER.P Pro Exp E
F01-ER2 S04 A program file erasure Cfl.eff ER.P Pro Exp M
F01-EM2 S04 A program file erasure Cfl.eff MA.L Del Exp Ual


F01-EM2 S04 A program file erasure Cfl.eff MA.L Del Exp E
F01-EM2 S04 A program file erasure Cfl.eff MA.L Del Exp M


Scenario Family
Family Code
Code
ASSET Sub
type Type
F01-PA2 S04 A program file Pollution Cfl.pol ER.P Pro Mal M
F01-PA2 S04 A program file Pollution Cfl.pol ER.P Pro Mac M



F01-PM2 S04 A program file Pollution Cfl.pol MA.L Fal Exp E
F01-PM2 S04 A program file Pollution Cfl.pol MA.L Fal Exp M

program
program
media
program
media
program
program
media disappearance ER.P Peo Exp
program
program
program
media
F03-MA2 S04 A storing disappearance Med.dis MA.P Vol Exp Pse
program

Scenario Family
Family Code
Code
ASSET Sub
type Type
media
program
program
media
program
program
program
program
program
program
program
media
inoperability IC.E Age Md.
program
F06-AC1 S04 A Eq.hs

F06-AC1 S04 A Eq.hs



Scenario Family
Family Code
Code
ASSET Sub
type Type


F06-AC3 S04 A Eq.hs


auxiliary unavailability AB.S Cli


F06-MA1 S04 A Eq.hs

F06-MA1 S04 A Eq.hs

F06-MA1 S04 A Eq.hs

F06-MA1 S04 A Eq.hs


F18-AR S04 A Eq.hs

F18-AR S04 A Eq.hs

Scenario Family
Family Code
Code
ASSET Sub
type Type

F18-AR S04 A Eq.mo

F18-AR S04 A Eq.mo

F18-AR S04 A Eq.mo
F18-BL S04 A application lock Cfl.bug ER.L Lin Exp
F18-BL S04 A application lock Cfl.bug IF.L Exp Exp
S05-A Unavailability of the publishing service on a web site (internal or public)


program file erasure ER.P Pro Exp Uai

program file erasure ER.P Pro Exp Una

program file erasure ER.P Pro Exp E

program file erasure ER.P Pro Exp M


Scenario Family
Family Code
Code
ASSET Sub
type Type
program file erasure MA.L Del Exp Ual



program file erasure MA.L Del Exp E

program file erasure MA.L Del Exp M


program file Pollution ER.P Pro Mal M

program file Pollution ER.P Pro Mac M





Scenario Family
Family Code
Code
ASSET Sub
type Type
program file Pollution MA.L Fal Exp E

program file Pollution MA.L Fal Exp M


program
program
media Destruction AC.E Inc Md.
program
media Destruction AC.E Ino Md.
program
program
media disappearance ER.P Peo Exp
program
program
program
media disappearance MA.P Vol Exp Pse
program
media disappearance MA.P Vol Md. Pna
program

Scenario Family
Family Code
Code
ASSET Sub
type Type

program
media disappearance MA.P Vol Md. Pse
program
program
program
program
program
program
program
program
F06-AC1 S05 A Eq.hs

F06-AC1 S05 A Eq.hs


Scenario Family
Family Code
Code
ASSET Sub
type Type



F06-AC3 S05 A Eq.hs



F06-MA1 S05 A Eq.hs

F06-MA1 S05 A Eq.hs

F06-MA1 S05 A Eq.hs

F06-MA1 S05 A Eq.hs
Server unavailability MA.L Cfg E

F06-MA4 S05 A Eq.hs
Server unavailability MA.L Cfg M

F06-MA4 S05 A Eq.hs

Scenario Family
Family Code
Code
ASSET Sub
type Type


F18-AR S05 A Eq.hs

F18-AR S05 A Eq.hs

F18-AR S05 A Eq.mo

F18-AR S05 A Eq.mo

F18-AR S05 A Eq.mo
application lock IF.L Lsp Exp

F18-BL S05 A Cfl.bug
application lock ER.L Lin Exp

application lock IF.L Exp Exp

application lock MA.L Sam Exp

G02-I Altration of the telecommunication functions

equipment tampering ER.P Pro M
F09-ER G02 I configuration Cfl.alt
equipment tampering ER.P Pro E

F09-ER G02 I configuration Cfl.alt

Scenario Family
Family Code
Code
ASSET Sub
type Type
equipment tampering MA.L Fal M

F09-MA4 G02 I configuration Cfl.alt
equipment tampering MA.L Fal E

equipment tampering MA.L Fal Ain Una

equipment tampering MA.L Fal Atm Tie

configuration
F09-MA4 G02 I Cfl.alt
R01-I Alteration of the extended network service

F09-ER R01 I configuration Cfl.alt


F09-MA4 R01 I configuration Cfl.alt

equipment tampering MA.L Fal Una

R02-I Alteration of the local area network service




Scenario Family
Family Code
Code
ASSET Sub
type Type

equipment tampering MA.L Fal Una

S01-I Alteration of the application services

program file tampering ER.P Pro D
F09-AC2 S01 I Cfl.alt
program file tampering ER.P Pro M

program file tampering ER.P Pro E

program file tampering MA.L Fal D

F09-MA2 S01 I Cfl.alt
program file tampering MA.L Fal M

program file tampering MA.L Fal E

program file tampering MA.L Fal Una

media
swap MA.P Fal Exp Pa
F09-ME2 S01 I storing Med.ech
program
media swap MA.P Fal Exp Pna
program
media swap MA.P Fal Tran Pa
program
connection tampering MA.L Fal Con E
F09-FC S01 I process Cfl.alt
connection tampering MA.L Fal Con D


Scenario Family
Family Code
Code
ASSET Sub
type Type
connection tampering MA.L Fal Con M

security tampering ER.P Pro Res E

F09-AC3 S01 I configuration Cfl.alt
security tampering ER.P Pro Res M

security tampering MA.L Fal Res E

F09-MA3 S01 I configuration Cfl.alt
security tampering MA.L Fal Res M

security tampering MA.L Fal Res Pna

S02-I Alteration of the common office services

software tampering ER.P Pro M
F09-ER S02 I configuration Cfl.alt
software tampering ER.P Pro E

software tampering MA.L Fal M

software tampering MA.L Fal E

software tampering MA.L Fal Una


Scenario Family
Family Code
Code
ASSET Sub
type Type




S04-I Alteration of the common system services

software tampering ER.P Pro M
software tampering ER.P Pro E

software tampering MA.L Fal M

software tampering MA.L Fal E

software tampering MA.L Fal Una





Scenario Family
Family Code
Code
ASSET Sub
type Type

S05-I Alteration of the publishing services for web sites, public or internal
program file tampering ER.P Pro D
program file tampering ER.P Pro M

program file tampering ER.P Pro E

program file tampering MA.L Fal D

program file tampering MA.L Fal M

program file tampering MA.L Fal E

program file tampering MA.L Fal Una

media swap MA.P Fal Exp Pa

program
media swap MA.P Fal Exp Pna
program
media swap MA.P Fal Tran Pa
program

Scenario Family
Family Code
Code
ASSET Sub
type Type
connection tampering MA.L Fal Con E

process
F09-FC S05 I Cfl.alt
connection tampering MA.L Fal Con D

process
connection tampering MA.L Fal Con M

process

configuration

configuration

configuration
security tampering MA.L Fal Res M

configuration

configuration
S01-C Disclosure linked to the application service

File disclosure ER.P Pro Exp E
F11-ER2 S01 C Programme Cfl.dif

Scenario Family
Family Code
Code
ASSET Sub
type Type

File disclosure ER.P Pro Tde D

File disclosure ER.P Pro Mal M

File disclosure MA.L Vol Tru Ual

F11-MA2 S01 C Programme Cfl.dif
File disclosure MA.L Vol Tru Uai

File disclosure MA.L Vol Tru Una

File disclosure MA.L Vol Exp E

File disclosure MA.L Vol Mai M


F12-MA1 S01 C Med.dis






Scenario Family
Family Code
Code
ASSET Sub
type Type

C01-E Non compliance of processes attached to the protection of personal information

compliance Non application PR.N Api Exp
F20-NC C01 E of processes Pro.inf
compliance Non application PR.N Naa Exp

compliance Non application PR.N Nam Exp

compliance Non application PR.N Nav Exp

C02-E Non compliance of processes attached to the financial communication




C03-E Non compliance of processes attached to the verification of accounting


Scenario Family
Family Code
Code
ASSET Sub
type Type



C04-E Non compliance of processes attached to the protection of intellectual property




C05-E Non compliance of processes attached to the protection of computing systems





Scenario Family
Family Code
Code
ASSET Sub
type Type
C06-E Non compliance of processes attached to the protection of human beings and environment




Consideration of Security services if 1 : 1
Effect of security measures (formulas)

DESCRIPTION
Intrinsic security decided calculated
Accept (A) or transfer (T)

values measures values values
Seriousness for plans

Direct Selection
Confinability
Dissuasion Prevention Confining
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
EFF-DISS EFF-PREV EFF-CONF
Exposure
Palliation
Impact
Accidental erasure of files of data, due to a production incident 1 A A 3 1 1 1 3 1 3 08A03 08E03
Erasure, due to an error, of files of data, by a user authorized legitimately,

connected from the internal network
1 E A 3 1 1 1 3 0 3
Erasure, due to an error, of files of data, by a user authorized illegitimately, max(07A02;09A02)
1 E A 3 1 1 1 3 0 3
Erasure, due to an error, of files of data, by a user not authorized, connected min(07A03;07A04)
from the internal network
1 E A 3 1 1 1 3 0 3
Erasure, due to an error, of files of data, by a member of the production team,
1 E A 3 1 1 1 3 0 3
Erasure, due to an error, of files of data, by a member of the maintenance
team , connected from the internal network
1 E A 3 1 1 1 3 0 3
Malicious erasure of files and backups of data, by a user authorized min(07C01;08E02)
legitimately, connected from the internal network
1 M A 2 1 1 1 3 0 2
Malicious erasure of files and backups of data, by a user authorized min(07C01;08E02) max(07A02;09A02)
illegitimately, connected from the internal network
1 M A 2 1 1 1 3 0 2
Malicious erasure of files and backups of data, by a user not authorized, min(07A03;07A04)
1 M A 2 1 1 1 3 0 2
Malicious erasure of files and backups of data, by a member of the production min(08F02;08F03)
team, connected from the internal network
1 M A 2 1 1 1 3 0 2
Malicious erasure of files and backups of data, by a member of the max(08A05;08E02)
maintenance team , connected from the internal network
1 M A 2 1 1 1 3 0 2
Malicious erasure of files and backups of data, by an unauthorized third party , 08A06
connected through a remote maintenance port
1 M A 2 1 1 1 3 0 2
Malicious erasure of files and backups of data, by a member of the production min(08F02;08F03)
team, connected through a remote maintenance port
1 M A 2 1 1 1 1 0 2
Pollution, by accident, of files of data due to a procedure error, during a 10B05
software maintenance operation
1 A A 3 1 1 1 3 0 3
Pollution, by accident, of files of data due to a procedure error, during a hot 10B06
maintenance operation
1 A A 3 1 1 1 3 0 3
08D03 08E02
Pollution, by accident, of files of data due to a production incident 1 A A 3 1 1 1 3 0 3
max(min(07A01;07A0
Malicious pollution of files of data, by a user authorized illegitimately, 2;08F01);min(09A01;0
1 M A 3 1 1 1 3 0 3
9A02))


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
max(min(07A03;07A0
Malicious pollution of files of data, by a user not authorized, connected from 4;08F02);min(09A03;0
the internal network
1 M A 3 1 1 1 3 0 3
9A04);09C02)
Malicious pollution of files of data, by a member of the production team, 09C02

1 M A 3 1 1 1 3 0 3
Malicious pollution of files of data, by a member of the maintenance team , max(09C02;10B05)
1 M A 3 1 1 1 3 0 3
03D01
Loss, due to accidental destruction, of media supporting files of data, within the
production premises, due to a fire
1 A A 2 1 1 1 3 0 2
Loss, due to accidental destruction, of media supporting files of data, within the
production premises, due to flooding
1 A A 3 1 1 1 3 0 3
Loss, due to accidental destruction, of media supporting files of data, in the 03D01
media storage premises, due to a fire
1 A A 2 1 1 1 3 0 2
Loss, due to accidental destruction, of media supporting files of data, in the
media storage premises, due to flooding
1 A A 3 1 1 1 3 0 3
Loss, due to accidental disappearance, of media supporting files of data, in the
media storage premises
1 A A 3 1 1 1 3 0 3
Loss, due to accidental disappearance, of media supporting files of data, within
the production premises
1 A A 3 1 1 1 3 0 3
Theft of media supporting files of data, within the production premises, by a
member of the staff not authorized
1 M A 2 1 1 1 3 0 2 03B06 min(03B03;03B04)

member of the production team
1 M A 2 1 1 1 3 0 2 03B06

member of the services team
1 M A 2 1 1 1 3 0 2 03B06
Theft of media supporting files of data, in the media storage premises, by a

1 M A 2 1 1 1 3 0 2 03B06 08C03

1 M A 2 1 1 1 3 0 2 03B06

1 M A 2 1 1 1 3 0 2 03B06
09D01
Impossibility, due to an accident, to use a media supporting files of data, within
the production premises, caused by the breakdown of an equipment
1 A A 3 1 1 1 3 0 3
Impossibility, due to an accident, to use a media supporting files of data, within 03C01
the production premises, due to a liquid (water) damage
1 A A 3 1 1 1 3 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
min(03A01;03A04)
the production premises, due to an electrical over load
1 A A 2 1 1 1 3 0 2
08A03 08E03
the production premises, due to a production incident
1 A A 3 1 1 1 3 0 3
Impossibility, due to an accident, to use a media supporting files of data, in the

media storage premises, due to pollution
1 A A 2 1 1 1 3 0 2
Impossibility, due to an accident, to use a media supporting files of data, in the 08C03
media storage premises, due to a liquid (water) damage
1 A A 3 1 1 1 3 0 3
Disappearance, due to an accident, of means required for accessing files of
data
1 A A 3 1 1 1 3 0 3
Theft or malicious destruction of means required for accessing files of data 1 M A 2 1 1 1 3 0 2
Accidental erasure of files shared for office work, due to a virus 1 A A 4 1 1 1 1 0 4 min(08D07;11D06)
Erasure, due to an error, of files shared for office work, by a user authorized
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of files shared for office work, by a user authorized
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of files shared for office work, by a user not
authorized, connected from the internal network
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of files shared for office work, by a member of the
production team, connected from the internal network
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of files shared for office work, by a member of the
maintenance team , connected from the internal network
1 E A 3 1 1 1 1 0 3
Malicious erasure of files and backups shared for office work, by a user
authorized legitimately, connected from the internal network
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups shared for office work, by a user 07A02
authorized illegitimately, connected from the internal network
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups shared for office work, by a user not min(07A03;07A04)
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups shared for office work, by a member of min(08F02;08F03)
the production team, connected from the internal network
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups shared for office work, by a member of
the maintenance team , connected from the internal network
1 M A 2 1 1 1 1 0 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Malicious erasure of files and backups shared for office work, by a member of min(08F02;08F03)
1 M A 2 1 1 1 1 0 2
03D01
Loss, due to accidental destruction, of media supporting files shared for office
work, within the production premises, due to a fire
1 A A 2 1 1 1 1 0 2
Loss, due to accidental destruction, of media supporting files shared for office
work, within the production premises, due to flooding
1 A A 3 1 1 1 1 0 3
Theft of media supporting files shared for office work, within the production
premises, by a member of the staff not authorized
1 M A 2 1 1 1 1 0 2 03B06 min(03B03;03B04)
premises, by a member of the production team
1 M A 2 1 1 1 1 0 2 03B06
premises, by a member of the services team
1 M A 2 1 1 1 1 0 2 03B06
Impossibility, due to an accident, to use a media supporting files shared for

office work, within the production premises, caused by the breakdown of an 1 A A 3 1 1 1 1 0 3
equipment
Impossibility, due to an accident, to use a media supporting files shared for 03C01
office work, within the production premises, due to a liquid (water) damage
1 A A 3 1 1 1 1 0 3
Impossibility, due to an accident, to use a media supporting files shared for min(03A01;03A04)
office work, within the production premises, due to an electrical over load
1 A A 2 1 1 1 1 0 2
Impossibility, due to an accident, to use a media supporting files shared for 08A03 08E03
office work, within the production premises, due to a production incident
1 A A 3 1 1 1 1 0 3
Disappearance, due to an accident, of means required for accessing files

shared for office work
1 A A 3 1 1 1 1 0 3
Theft or malicious destruction of means required for accessing files shared for
office work
1 M A 2 1 1 1 1 0 2
Accidental erasure of files used for personal office activity, due to a virus 1 A A 4 1 1 1 1 0 4 min(08D07;11D06)
Erasure, due to an error, of files used for personal office activity, by an 1

authorized user, directly connected to the workstation
E A 3 1 1 1 1 0 3
Erasure, due to an error, of files used for personal office activity, by a member 1 E A 3 1 1 1 1 0 3
of the production team, connected from the internal network


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Erasure, due to an error, of files used for personal office activity, by a member 1 E A 3 1 1 1 1 0 3
of the maintenance team
Erasure, due to an error, of files used for personal office activity, by a user not 1
authorized, directly connected to the workstation, while the user is absent
E A 3 1 1 1 1 0 3
Malicious erasure of files and backups used for personal office activity, by a
user not authorized, directly connected to the workstation, while the user is 1 M A 2 1 1 1 1 0 2
11B01
absent
Malicious erasure of files and backups used for personal office activity, by a
user not authorized, directly connected to the workstation, outside working 1 M A 2 1 1 1 1 0 2
11B01
hours
Malicious erasure of files and backups used for personal office activity, by a 1 min(08F02;08F03)
member of the production team, connected from the internal network
M A 2 1 1 1 1 0 2
Malicious erasure of files and backups used for personal office activity, by a 1 M A 2 1 1 1 1 0 2
member of the maintenance team
Loss, due to accidental destruction, of media supporting files used for personal 1 A A 2 1 1 1 1 0 2
office activity, in the offices, due to a fire
Loss, due to accidental destruction, of media supporting files used for personal 1 A A 3 1 1 1 1 0 3
office activity, in the offices, due to flooding
Loss, due to accidental disappearance, of media supporting files used for 1
personal office activity, in the offices
A A 3 1 1 1 1 0 3
Loss, due to accidental disappearance, of media supporting files used for 1
personal office activity, outside the company
A A 3 1 1 1 1 0 3
Vol of PC portable contenant des fichiers used for personal office activity, in the 1 02C05 02D02
offices, by a member of the enterprise staff
M A 2 1 1 1 1 0 2
Vol of PC portable contenant des fichiers used for personal office activity, in the 1 02C05 02D02
offices, by a member of the services team
M A 2 1 1 1 1 0 2
Vol of PC portable contenant des fichiers used for personal office activity, in the 1 02C05 max(02C03;02D02)
offices, by a visitor
M A 2 1 1 1 1 0 2
Vol of PC portable contenant des fichiers used for personal office activity, 1 M A 2 1 1 1 1 0 2
outside the company
Theft of media supporting files used for personal office activity, in the offices, by 1 02C05 02D02
a member of the enterprise staff
M A 2 1 1 1 1 0 2
Theft of media supporting files used for personal office activity, in the offices, by 1 02C05 02D02
a member of the services team
M A 2 1 1 1 1 0 2
Theft of media supporting files used for personal office activity, in the offices, by 1 02C05 max(02C03;02D02)
a visitor
M A 2 1 1 1 1 0 2
Impossibility, due to an accident, to use a media supporting files used for
1
personal office activity, in the offices, caused by the breakdown of an A A 3 1 1 1 1 0 3
equipment
Impossibility, due to an accident, to use a media supporting files used for 1
personal office activity, in the offices, due a liquid (water) damage
A A 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Impossibility, due to an accident, to use a media supporting files used for 1 min(03A01;03A04)
personal office activity, in the offices, due to an electrical over load
A A 2 1 1 1 1 0 2
Impossibility, due to an accident, to use a media supporting files used for 1

personal office activity, in the offices, due to ageing
A A 2 1 1 1 1 0 2
Disappearance, due to an accident, of means required for accessing files used 1

for personal office activity
A A 3 1 1 1 1 0 3
1
Theft or malicious destruction of means required for accessing files used for
personal office activity
M A 2 1 1 1 1 0 2
Accidental disappearance or impossibility to use a document written or printed min(02D01;02D06)

detained by users, due to a liquid (water) damage
1 A A 3 1 1 1 1 3

detained by users, due to a fire
1 A A 2 1 1 1 1 2

detained by users, due to flooding
1 A A 3 1 1 1 1 3
Loss of document written or printed detained by users, due to a loss or min(02D01;02D06)

forgetting
1 E A 3 1 1 1 1 3
Loss of document written or printed detained by users, due to a loss or 11B02

forgetting, outside the company
1 E A 3 1 1 1 1 3
02C05 min(02D01;02D06)
Malevolent disappearance, theft or destruction of document written or printed
detained by users, due to a theft, by a member of the enterprise staff
1 M A 2 1 1 1 1 2
Malevolent disappearance, theft or destruction of document written or printed 02C05 min(02D01;02D06)

detained by users, due to a theft, by a visitor
1 M A 2 1 1 1 1 2
02C05 min(02D01;02D06)
detained by users, due to a theft, by a member of the enterprise staff
1 M A 2 1 1 1 1 2
min(02D01;02D06)
detained by users, due to a theft, by a member of the services team
1 M A 2 1 1 1 1 2
Malevolent disappearance, theft or destruction of document written or printed 11B02

detained by users, outside the company
1 M A 2 1 1 1 1 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Accidental loss of data during a transfer: messages or transactions waiting for 08A03
treatment, due to a production incident
1 A A 3 1 1 1 1 3
Accidental loss of data during a transfer: messages or transactions waiting for

treatment, caused by the breakdown of an equipment
1 A A 3 1 1 1 1 3
Accidental loss of data during a transfer: messages or transactions waiting for 03D01
treatment, due to a fire
1 A A 2 1 1 1 1 2
Accidental loss of data during a transfer: messages or transactions waiting for 03C01
treatment, due to flooding
1 A A 3 1 1 1 1 3
Malicious destruction of data during a transfer: erasure of data by a member of min(08F02;08F03)

the production team
1 M A 2 1 1 1 1 2
min(08F02;07A03;07A
Malicious destruction of data during a transfer: erasure of data by a member of
the staff not authorized
1 M A 2 1 1 1 1 2 04)
Accidental loss of data during a transfer: e-mails during emission or receipt, 08A03
due to a production incident
1 A A 3 1 1 1 1 3
Accidental loss of data during a transfer: e-mails during emission or receipt,

caused by the breakdown of an equipment
1 A A 3 1 1 1 1 3
Accidental loss of data during a transfer: e-mails during emission or receipt, 03D01
due to a fire
1 A A 2 1 1 1 1 2
Accidental loss of data during a transfer: e-mails during emission or receipt, 03C01
due to flooding
1 A A 3 1 1 1 1 3
Loss of data, due to an error, during a transfer: e-mails during emission or

receipt, due to a procedure error, during user treatments
1 E A 3 1 1 1 1 3

receipt, due to a procedure error, during production
1 E A 3 1 1 1 1 3

receipt, due to a procedure error, during a maintenance operation
1 E A 3 1 1 1 1 3
Malicious destruction of data during a transfer: erasure of e-mails by a member min(08F02;08F03)

of the production team
1 M A 2 1 1 1 1 2
min(08F02;07A03;07A
Malicious destruction of data during a transfer: erasure of e-mails by a member
of the staff not authorized
1 M A 2 1 1 1 1 2 04)


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Accidental loss of documents during a transportation: fax during emission or 02D05
receipt, due to a liquid (water) damage
1 A A 3 1 1 1 1 3

receipt, due to a fire
1 A A 2 1 1 1 1 2
receipt, due to flooding
1 A A 3 1 1 1 1 3
Accidental loss of documents during a transportation: fax during emission or
receipt, caused by the breakdown of an equipment
1 A A 3 1 1 1 1 3
Accidental loss of documents during a transportation: post mail during emission 02D04
or receipt, due to a liquid (water) damage
1 A A 3 1 1 1 1 3
or receipt, due to a fire
1 A A 2 1 1 1 1 2
or receipt, due to flooding
1 A A 3 1 1 1 1 3
Loss of documents due to an error, during a transfer: fax, due to a procedure

error, during user treatments
1 E A 3 1 1 1 1 3
Loss of documents due to an error, during a transfer: post mail, due to a

procedure error, during user treatments
1 E A 3 1 1 1 1 3
Malicious destruction of documents during a transfer : theft of fax, in the fax 02D05
office by a member of the staff not authorized
1 M A 2 1 1 1 1 2
Malicious destruction of documents during a transfer : theft of fax, in the 02D05

distribution office by a member of the enterprise staff
1 M A 2 1 1 1 1 2
Malicious destruction of documents during a transfer 1 M A 3 1 1 1 1 3

Malicious destruction of documents during a transfer : theft of post mail, in the 02D04
post mail office by a member of the staff not authorized
1 M A 2 1 1 1 1 2
Malicious destruction of documents during a transfer : theft of post mail, in the 02D04
distribution office by a member of the enterprise staff
1 M A 2 1 1 1 1 2
min(02D06;02D07)
Accidental disappearance or impossibility to use a document of archives
(patrimony or documents) or important documents to preserve for a long period 1 A A 3 1 1 1 1 3
of time, within the archival premises, due to a liquid (water) damage


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Accidental disappearance or impossibility to use a document of archives min(02D06;02D07)
of time, within the archival premises, due to a fire
Accidental disappearance or impossibility to use a document of archives min(02D06;02D07)

of time, within the archival premises, due to flooding
min(02D06;02D07)
Loss of document of archives (patrimony or documents) or important
documents to preserve for a long period of time, due to to a procedure error, 1 E A 3 1 1 1 1 3
within the archival premises
Malevolent disappearance, theft or destruction of document of archives min(02D06;02D07) min(02D06;02D07)

(patrimony or documents) or important documents to preserve for a long period
of time, within the archival premises, by an authorized staff member, during
1 M A 2 1 1 1 1 2
working hours

of time, within the archival premises, by a member of the services team, outside
1 M A 2 1 1 1 1 2
working hours

of time, within the archival premises, by a member of the staff not authorized,
1 M A 2 1 1 1 1 2
during working hours

of time, within the archival premises, by a member of the staff not authorized,
1 M A 2 1 1 1 1 2
outside working hours
min(02D06;02D07) min(02D06;02D07)
Malevolent disappearance, theft or destruction of document of archives
(patrimony or documents) or important documents to preserve for a long period 1 M A 2 1 1 1 1 2
of time, during the transportation between sites
min(02D06;02D07) min(02D06;02D07)
Malevolent disappearance, theft or destruction of document of archives
(patrimony or documents) or important documents to preserve for a long period 1 M A 2 1 1 1 1 2
of time, within the archival premises, by vandals or terrorists acting from outside
Erasure, due to an error, of files of digitalized archives , by an authorized user,

1 E A 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Erasure, due to an error, of files of digitalized archives , by a member of the
1 E A 3 1 1 1 1 0 3
Malicious erasure of files and backups of digitalized archives , by a member of 08H02
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups of digitalized archives , by a user
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups of digitalized archives , by a user 08H02
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups of digitalized archives , by a member of 08H02
the staff not authorized, connected from the internal network
1 M A 2 1 1 1 1 0 2
Loss, due to accidental destruction, of media supporting files of digitalized 08H03
archives , in the media storage premises, due to a fire
1 A A 2 1 1 1 1 0 2
Loss, due to accidental destruction, of media supporting files of digitalized 08H03
archives , in the media storage premises, due to flooding
1 A A 3 1 1 1 1 0 3
Loss, due to accidental disappearance, of media supporting files of digitalized 08H01
archives , within the archival premises
1 A A 3 1 1 1 1 0 3
Loss, due to accidental disappearance, of media supporting files of digitalized
archives , within the production premises
1 A A 3 1 1 1 1 0 3
Theft of media supporting files of digitalized archives , within the archival
premises, by an authorized staff member
1 M A 2 1 1 1 1 0 2 08H03

premises, by a member of the staff not authorized
1 M A 2 1 1 1 1 0 2 08H03

premises, by a member of the services team
1 M A 2 1 1 1 1 0 2 08H03
Theft of media supporting files of digitalized archives , in the distribution office,

by a member of the staff not authorized
1 M A 2 1 1 1 1 0 2 08H02
Impossibility, due to an accident, to use a media supporting files of digitalized 08H03 08C05
archives , within the archival premises, due to ageing
1 A A 2 1 1 1 1 0 2
Impossibility, due to an accident, to use a media supporting files of digitalized 08H03
archives , within the archival premises, due to a liquid (water) damage
1 A A 3 1 1 1 1 0 3
Disappearance, due to an accident, of means required for accessing files of
digitalized archives
1 A A 3 1 1 1 3 3
Theft or malicious destruction of means required for accessing files of

digitalized archives
1 M A 2 1 1 1 3 2
Erasure, due to an error, of files of data posted on public or internal sites , by a

user authorized legitimately, connected from the internal network
1 E A 3 1 1 1 3 0 3
user authorized illegitimately, connected from the internal network
1 E A 3 1 1 1 3 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
user not authorized, connected from the internal network
1 E A 3 1 1 1 3 0 3
member of the production team, connected from the internal network
1 E A 3 1 1 1 3 0 3
1 E A 3 1 1 1 3 0 3
Malicious erasure of files and backups of data posted on public or internal sites min(07A03;07A04)
, by a user not authorized, connected from the internal network
1 M A 2 1 1 1 3 0 2
Malicious erasure of files and backups of data posted on public or internal sites min(08F02;08F03)
, by a member of the production team, connected from the internal network
1 M A 2 1 1 1 3 0 2
Malicious erasure of files and backups of data posted on public or internal sites max(08A05;08E02)
, by a member of the maintenance team
1 M A 2 1 1 1 3 0 2
10B05
Pollution, by accident, of files of data posted on public or internal sites due to
a procedure error, during a software maintenance operation
1 A A 3 1 1 1 3 3
10B06
Pollution, by accident, of files of data posted on public or internal sites due to
a procedure error, during a hot maintenance operation
1 A A 3 1 1 1 3 3
Pollution, by accident, of files of data posted on public or internal sites due a 08D03 08E02
production incident
1 A A 3 1 1 1 3 3
03D01
Loss, due to accidental destruction, of media supporting files of data posted on
public or internal sites , within the production premises, due to a fire
1 A A 2 1 1 1 3 0 2

public or internal sites , within the production premises, due to flooding
1 A A 3 1 1 1 3 0 3
03D01
public or internal sites , in the media storage premises, due to a fire
1 A A 2 1 1 1 3 0 2

public or internal sites , in the media storage premises, due to flooding
1 A A 3 1 1 1 3 0 3
Loss, due to accidental disappearance, of media supporting files of data

posted on public or internal sites , within the production premises
1 A A 3 1 1 1 3 0 3
Theft of media supporting files of data posted on public or internal sites , within
the production premises, by a member of the staff not authorized
1 M A 2 1 1 1 3 0 2 03B06 min(03B03;03B04)


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
the production premises, by a member of the production team
1 M A 2 1 1 1 3 0 2 03B06
the production premises, by a member of the services team
1 M A 2 1 1 1 3 0 2 03B06
Impossibility, due to an accident, to use a media supporting files of data posted

on public or internal sites , within the production premises, caused by the 1 A A 3 1 1 1 3 0 3
breakdown of an equipment
Impossibility, due to an accident, to use a media supporting files of data posted 03C01
on public or internal sites , within the production premises, due to a liquid 1 A A 3 1 1 1 3 0 3
(water) damage
Impossibility, due to an accident, to use a media supporting files of data posted min(03A01;03A04)
on public or internal sites , within the production premises, due to an electrical 1 A A 2 1 1 1 3 0 2
over load
Impossibility, due to an accident, to use a media supporting files of data posted 08A03 08E03
on public or internal sites , within the production premises, due to a production 1 A A 3 1 1 1 3 0 3
incident
Tampering, by accident, (and not detected) of files of data due to a procedure max(09B05;10B05) 09B04
error, during a software maintenance operation
1 A L 3 1 1 1 1 1 3
max(09B05;10B06) 09B04
Tampering, by accident, (and not detected) of files of data due to a procedure
error, during a hot maintenance operation
1 A L 3 1 1 1 1 1 3
Tampering, by accident, (and not detected) of files of data due to a production max(09B05;08D03) 09B04
incident
1 A L 3 1 1 1 1 1 3
Tampering, due to an error of procedure, of configurations of data, by a user 09B05 09B04
1 E L 3 1 1 1 1 1 3
max(09B05;min(07A0 09B04
Tampering, due to an error of procedure, of configurations of data, by a user 1;07A02;08F01);min(0
1 E L 3 1 1 1 1 1 3 9A01;09A02))
max(09B05;min(07A0 09B04
Tampering, due to an error of procedure, of configurations of data, by a user 3;07A04;08F02);min(0
not authorized, connected from the internal network
1 E L 3 1 1 1 1 1 3
9A03;09A04))
Tampering, by accident, (and not detected) of files of data posted on public or max(09B05;10B05) 09B04
internal sites due to a procedure error, during a software maintenance 1 A L 3 1 1 1 1 1 3
operation


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Malicious (and undetected) tampering of files of data, by a user authorized max(09B05;min(07A0 09B04
1 M L 3 1 1 1 1 1 3 1;07A02;08F01);min(0
9A01;09A02))
Malicious (and undetected) tampering of files of data, by a user not authorized, max(09B05;min(07A0 09B04
1 M L 3 1 1 1 1 1 3 3;07A04;08F02);min(0
9A03;09A04);09B01;0
Malicious (and undetected) tampering of files of data, by a member of the max(09B01;09C02)
9C02) 09B04
1 M L 3 1 1 1 1 1 3
Malicious (and undetected) tampering of files of data during production by a max(09B01;09C02) 09B04
1 M L 3 1 1 1 1 1 3
08A06 09B04
Malicious (and undetected) tampering of files of data, by an unauthorized third
party , connected through a remote maintenance port
1 M L 3 1 1 1 1 1 3
Malicious (and undetected) tampering of files of data during the transportation max(09B01;09C02) 09B04
between sites by an authorized staff member
1 M L 3 1 1 1 1 1 3
Malicious (and undetected) swap of media containing files of data during 09B04
production by an authorized staff member
1 M L 2 1 1 1 1 1 2
Malicious (and undetected) swap of media containing files of data during max(03B04;03B05;03 max(min(03B01;03B0 09B04
production by a member of the staff not authorized 1 M L 2 1 1 1 1 1 2 B06) 2;03B03);08C02;09B0
1;09C02)
Malicious (and undetected) swap of media containing files of data during the max(09B01;09C02) 09B04
transportation between sites by an authorized staff member 1 M L 2 1 1 1 1 1 2
Tampering, due to an error of procedure, of configurations shared for office 11C04

work during user treatments, by a user authorized legitimately, connected from 1 E I 3 1 1 1 1 3
min(07A01;07A02;08F
Tampering, due to an error of procedure, of configurations shared for office
01)
work during user treatments, by a user authorized illegitimately, connected from 1 E I 3 1 1 1 1 3
Tampering, due to an error of procedure, of configurations shared for office max(min(08F02;07A0

work during user treatments, by a user not authorized, connected from the 1 E I 3 1 1 1 1 3 3;07A04);11C01;11C0
internal network 4)
Malicious (and undetected) tampering of files shared for office work during min(07A01;07A02;08F
production, by a user authorized illegitimately, connected from the internal 1 M I 3 1 1 1 1 3 01)
network


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
max(min(08F02;07A0
Malicious (and undetected) tampering of files shared for office work during 3;07A04);11C01;11C0
production, by a user not authorized, connected from the internal network
1 M I 3 1 1 1 1 3
4)
Malicious (and undetected) tampering of files shared for office work during max(11C011;11C04)
production, by a member of the production team, connected from the internal 1 M I 3 1 1 1 1 3
network
Malicious (and undetected) tampering of files shared for office work during max(11C01;11C03;11
C04)
production, by a member of the maintenance team , connected from the 1 M I 3 1 1 1 1 3
internal network
Malicious (and undetected) swap of media containing files shared for office max(11C01;11C04)
work during production, by an authorized staff member, connected from the 1 M I 2 1 1 1 1 2
internal network
Malicious (and undetected) swap of media containing files shared for office max(03B04;03B05;03 max(min(03B01;03B0
work during production, by a member of the staff not authorized, connected 1 M I 2 1 1 1 1 2 B06) 2;03B03);08C02;11C0
from the internal network 1;11C04)
Tampering, due to an error of procedure, of configurations used for personal 11C04

office activity during user treatments, by a user authorized legitimately, directly 1 E I 3 1 1 1 1 3
connected to the workstation
Tampering, due to an error of procedure, of configurations used for personal max(11B01;11C04)

office activity during user treatments, by a user not authorized, directly 1 E I 3 1 1 1 1 3
connected to the workstation
Malicious (and undetected) tampering of files used for personal office activity max(11C01;11C04)
stored on the work station, by a member of the production team, connected 1 M I 3 1 1 1 1 3
from the internal network
Malicious (and undetected) tampering of files used for personal office activity max(11C01;11C03;11
stored on the work station by a member of the maintenance team
1 M I 3 1 1 1 1 3 C04)
Malicious (and undetected) tampering of files used for personal office activity 11C02
stored on a removable media by an authorized staff member
1 M I 3 1 1 1 1 3
Malicious (and undetected) tampering of files used for personal office activity max(11B01;11C01;11
open on the workstation, by a user not authorized, directly connected to the 1 M I 3 1 1 1 1 3 C04)
workstation
Malicious (and undetected) swap of media containing files used for personal 11C02
office activity stored on a removable media by an authorized staff member 1 M I 2 1 1 1 1 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
09B03 09B04
Tampering of data individually sensitive due to an error during capture or typing 1 E L 3 1 1 1 1 1 3
09B03 09B03 09B04
Malicious handling of data (individually) sensitive during production, by a user
1 M L 3 1 1 1 1 1 3
max(min(07A03;07A0 09B04
Malicious handling of data (individually) sensitive during production, by a 4;08F02);min(09A03;0
member of the staff not authorized, connected from the internal network
1 M L 3 1 1 1 1 1 3
9A04;08F02);09B01;0
9C02)
max(min(07A01;07A0 09B04
Malicious handling of data (individually) sensitive during production, by a user
1 M L 3 1 1 1 1 1 3 2);min(09A01;09A02))
Malicious handling of data (individually) sensitive, during production, by a max(09B01;09C02) 09B04

1 M L 3 1 1 1 1 1 3
Malicious handling of data (individually) sensitive, during production, by a max(09B01;09C02) 09B04
1 M L 3 1 1 1 1 1 3
max(04C01;04C02;09 09B04
Malicious handling of messages or data during transfers over the extended B02;09C01)
network, by an unauthorized third party , connected on the extended network
1 M L 3 1 1 1 1 1 3
max(04C01;04C02;09 09B04
Malicious handling of messages or data during transfers, over the extended
network, by a member of the production team
1 M L 3 1 1 1 1 1 3 B02;09C01)
max(05C03;05C04) 09B04
Malicious handling of messages or data during transfers, during an access to
the network from outside, by a member of the staff not authorized
1 M L 3 1 1 1 1 1 3
max(05C03;05C04) 09B04
Malicious handling of messages or data during transfers, during an access to
the network from outside, by a member of the production team
1 M L 3 1 1 1 1 1 3
max(05C01;05C02;09 09B04
Malicious handling of messages or data during transfers, during exchanges on B02;09C01)
the local area network, by a member of the staff not authorized
1 M L 3 1 1 1 1 1 3
max(05C01;05C02;09 09B04
Malicious handling of messages or data during transfers, during exchanges on B02;09C01)
the local area network, by a member of the production team
1 M L 3 1 1 1 1 1 3
Replay of transaction 1 M L 2 1 1 1 1 1 2 max(04C01;09C01;09 09F03

F02)
Forged message sent by a member of personnel usurping the identity of an 09F01
authorized person (or server) by using a fallacious signature 1 M I 3 1 1 1 1 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Malicious handling of e-mails during emission or receipt, by an unauthorized 11C05
third party
1 M I 3 1 1 1 1 3
Malicious handling of e-mails during emission or receipt, by a member of the 11C05
production team
1 M I 3 1 1 1 1 3
Sending of a faked email, by using a forged signature 1 M I 3 1 1 1 1 3 11C05
Sending of a faked fax, by using a forged signature 1 M I 3 1 1 1 1 3 02D05
Malicious (and undetected) tampering of files of digitalized archives , by a 08H02

1 M I 3 1 1 1 1 3
Malicious (and undetected) tampering of files of digitalized archives , by a 08H02
member of the staff not authorized, connected from the internal network
1 M I 3 1 1 1 1 3
Malicious (and undetected) swap of media containing files of digitalized 08H03

archives , by an authorized staff member, connected from the internal network
1 M I 2 1 1 1 1 2
archives , by a member of the staff not authorized, connected from the internal 1 M I 2 1 1 1 1 2
network
archives , by an unauthorized third party , connected from the internal network
1 M I 2 1 1 1 1 0 2
max(09B05;10B06) 09B04
Tampering, by accident, (and not detected) of files of data posted on public or
internal sites due to a procedure error, during a hot maintenance operation
1 A L 3 1 1 1 1 1 3
Tampering, by accident, (and not detected) of files of data posted on public or max(09B05;08D03) 09B04
internal sites due a production incident
1 A L 3 1 1 1 1 1 3
Tampering, due to an error of procedure, of configurations of data posted on 09B05 09B04
public or internal sites during user treatments, by a user authorized 1 E L 3 1 1 1 1 1 3
Tampering, due to an error of procedure, of configurations of data posted on max(09B05;min(07A0 09B04

public or internal sites during user treatments, by a user authorized 1 E L 3 1 1 1 1 1 3 1;07A02;08F01);min(0
illegitimately, connected from the internal network 9A01;09A02))
Tampering, due to an error of procedure, of configurations of data posted on max(09B05;min(07A0 09B04

public or internal sites during user treatments, by a user not authorized, 1 E L 3 1 1 1 1 1 3 3;07A04;08F02);min(0
connected from the internal network 9A03;09A04))


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Malicious (and undetected) tampering of files of data posted on public or max(09B05;min(07A0 09B04
internal sites during production, by a user authorized illegitimately, connected 1 M L 3 1 1 1 1 1 3 1;07A02;08F01);min(0
from the internal network 9A01;09A02))
Malicious (and undetected) tampering of files of data posted on public or max(09B05;min(07A0 09B04
internal sites during production, by a user not authorized, connected from the 1 M L 3 1 1 1 1 1 3 3;07A04;08F02);min(0
internal network 9A03;09A04))
max(09B01;09C02) 09B04
Malicious (and undetected) tampering of files of data posted on public or
internal sites during production, by a member of the production team
1 M L 3 1 1 1 1 1 3
max(09B01;09C02) 09B04
Malicious (and undetected) tampering of files of data posted on public or
internal sites during production, by a member of the maintenance team
1 M L 3 1 1 1 1 1 3
Disclosure, due to an error, of files of data due to a procedure error during 09C02
production
1 E C 3 1 1 1 1 3
Disclosure, due to an error, of files of data due to a procedure error during a max(08A05;09C02)
hardware maintenance operation
1 E C 3 1 1 1 1 3
Disclosure, due to an error, of files of data due to a procedure error during max(10B04;09C02)
development tests
1 E C 3 1 1 1 1 3
Disclosure, due to an error, of files of data due to a procedure error during a max(08A05;09C02)
software maintenance operation
1 E C 3 1 1 1 1 3
Diversion of files of data during user treatments, by a user authorized 07C01
1 M C 3 1 1 1 1 3
Diversion of files of data during user treatments, by a user authorized 07C01 max(min(07A01;07A0
1 M C 3 1 1 1 1 3 2);min(09A01;09A02))
Diversion of files of data during user treatments, by a user not authorized, max(min(07A03;07A0
1 M C 3 1 1 1 1 3 4;08F02;08C06);min(0
9A03;09A04))
Diversion of files of data, during production, by a member of the production 09C02
team
1 M C 3 1 1 1 1 3
max(05B03;min(07A0
Diversion of files of data during production, by an unauthorized third party , 3;07A04))
1 M C 3 1 1 1 1 3
Diversion of files of data during production, by an unauthorized third party , max(min(05B04;05B0

connected, from outside, to the local area notwork
1 M C 3 1 1 1 1 3 5;05B06;05B07;06B0
2);min(07A03;07A04))
Diversion of files of data during production, by an unauthorized third party , 08A06
connected through a remote maintenance port
1 M C 3 1 1 1 1 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
min(05B08;05B09)
Diversion of files of data during production, by an unauthorized third party ,
connected on the storage network
1 M C 3 1 1 1 1 3
Diversion of files of data, during a maintenance operation, by a member of the max(min(07B01;08A0

maintenance team
1 M C 3 1 1 1 1 3 5);09C02)
09C02
Disclosure of information, due to a theft, of media containing files of data,
during the transportation between sites, by an authorized staff member
1 M C 2 1 1 1 1 2
08C03 09C02
during a storage in the site, by an authorized staff member
1 M C 2 1 1 1 1 2
08C04 09C02
during an externalized storage , by an authorized staff member
1 M C 2 1 1 1 1 2
03B06 max(min(03B03;03B0
Disclosure of information, due to a theft, of media containing files of data, 4);09C02)
during production, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
max(08C07;09C02)
during the transportation between sites, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
08C03 max(08C03;09C02)
during a storage in the site, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
08C04 max(08C04;09C02)
during an externalized storage , by a member of the staff not authorized
1 M C 2 1 1 1 1 2
Disclosure, due to an error, of files shared for office work due to a procedure 11C01
error during production
1 E C 3 1 1 1 1 3
Disclosure, due to an error, of files shared for office work due to a procedure max(11C01;11C03)
error during a hardware maintenance operation
1 E C 3 1 1 1 1 3
Diversion of files shared for office work during user treatments, by a user
1 M C 3 1 1 1 1 3
Diversion of files shared for office work during user treatments, by a user min(07A01;07A02)
1 M C 3 1 1 1 1 3
Diversion of files shared for office work during user treatments, by a user not max(min(07A03;07A0
1 M C 3 1 1 1 1 3 4;08C06;08F02);11C0
1)


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Diversion of files shared for office work during production, by a member of the 11C01
production team
1 M C 3 1 1 1 1 3
Diversion of files shared for office work during a maintenance operation, by a max(11C01;11C03)
1 M C 3 1 1 1 1 3
max(05B03;min(07A0
Diversion of files shared for office work during production, by an unauthorized 3;07A04);11C01)
third party , connected from the internal network
1 M C 3 1 1 1 1 3
max(min(05B04;05B0
Diversion of files shared for office work during production, by an unauthorized 5;05B06;05B07;06B0
third party , connected, from outside, to the local area notwork
1 M C 3 1 1 1 1 3 2);min(07A03;07A04);
11C01)
max(min(05B08;05B0
Diversion of files shared for office work during production, by an unauthorized 9);11C01)
third party , connected on the storage network
1 M C 3 1 1 1 1 3
02C05 11C01
Disclosure of information, due to a theft, of media containing files shared for
office work, during production, by an authorized staff member
1 M C 2 1 1 1 1 2
Disclosure of information, due to a theft, of media containing files shared for 11C01
office work, during the transportation between sites, by an authorized staff 1 M C 2 1 1 1 1 2
member
08C03 11C01
office work, during a storage in the site, by an authorized staff member
1 M C 2 1 1 1 1 2
08C04 11C01
office work, during an externalized storage , by an authorized staff member
1 M C 2 1 1 1 1 2
max(min(03B03;03B0
office work, during production, by a member of the staff not authorized
1 M C 2 1 1 1 1 2 4);11C01)
Disclosure of information, due to a theft, of media containing files shared for max(08C07;11C01)
office work, during the transportation between sites, by a member of the staff 1 M C 2 1 1 1 1 2
not authorized
08C03 max(08C03;11C01)
office work, during a storage in the site, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
Disclosure of information, due to a theft, of media containing files shared for 08C04 max(08C04;11C01)
office work, during an externalized storage , by a member of the staff not 1 M C 2 1 1 1 1 2
authorized


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Disclosure, due to an error, of files used for personal office activity due to a 11C01
procedure error, during user treatments
1 E C 3 1 1 1 1 3
Disclosure, due to an error, of files used for personal office activity due to a max(11C01;11C03)
procedure error, during a hardware maintenance operation
1 E C 3 1 1 1 1 3
Diversion of files used for personal office activity, by a member of the staff not max(min(11B01;11E0
authorized, directly connected to the workstation, while the user is absent
1 M C 3 1 1 1 1 3 1);11C01)
Diversion of files used for personal office activity, by a member of the staff not max(min(11B01;11E0
authorized, directly connected to the workstation, outside working hours
1 M C 3 1 1 1 1 3 1);11C01)
Diversion of files used for personal office activity, during production, by a 11C01
1 M C 3 1 1 1 1 3 min(11E02;11E03)
Diversion of files used for personal office activity, during a maintenance max(11C01;11C03)
operation, by a member of the maintenance team
1 M C 3 1 1 1 1 3
Disclosure of information, due to an accidental loss, of media containing files 11C01
used for personal office activity, outside the company
1 A C 3 1 1 1 1 0 3
02C05 max(min(02C01;02C0
Disclosure of information, due to a theft, of media containing files used for
2;02C03);11C02)
personal office activity, in the offices, by a member of the enterprise staff, while 1 M C 2 1 1 1 1 2
the user is absent
02C05 max(02C06;11C02)
Disclosure of information, due to a theft, of media containing files used for
personal office activity, in the offices, by a visitor, while the user is absent
1 M C 2 1 1 1 1 2
Disclosure of information, due to a theft, of media containing files used for max(02C04;02C05) max(min(02C01;02C0
2;02C03);11C02)
personal office activity, in the offices, by a member of the enterprise staff, 1 M C 2 1 1 1 1 2
Disclosure of information, due to a theft, of media containing files used for 02C05 11C02
personal office activity, in the offices, by a member of the services team, 1 M C 2 1 1 1 1 2
Disclosure of information, due to a theft, of media containing files used for 11C02
personal office activity, outside the company
1 M C 2 1 1 1 1 2
Disclosure of information, due to a theft, of portable equipment (e.g. PC) 02C05 max(min(02C01;02C0
containing files used for personal office activity, in the offices, by a member of 1 M C 2 1 1 1 1 2 2;02C03;11B01);11C0
the enterprise staff, while the user is absent 1)


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Disclosure of information, due to a theft, of portable equipment (e.g. PC) 02C05 max(02C06;11B01;11
containing files used for personal office activity, in the offices, by a visitor, while 1 M C 2 1 1 1 1 2 C01)
the user is absent
max(02C04;02C05) max(min(02C01;02C0
Disclosure of information, due to a theft, of portable equipment (e.g. PC)
2;02C03;11B01);11C0
containing files used for personal office activity, in the offices, by a member of 1 M C 2 1 1 1 1 2 1)
the enterprise staff, outside working hours
Disclosure of information, due to a theft, of portable equipment (e.g. PC) 02C05 max(11B01;11C01)
containing files used for personal office activity, in the offices, by a member of 1 M C 2 1 1 1 1 2
the services team, outside working hours
Disclosure of information, due to a theft, of portable equipment (e.g. PC) max(11B01;11C01)

containing files used for personal office activity, outside the company
1 M C 2 1 1 1 1 2
Disclosure of documents, due to an error or accidental loss, outside the 02D02

company
1 E C 3 1 1 1 1 3
02D02
Theft of documents written or printed detained by users, in the offices, by a
member of the enterprise staff, outside working hours
1 M C 2 1 1 1 1 2
Theft of documents written or printed detained by users, in the offices, by a 02C05 max(02A02;02C03;02
user authorized illegitimately, while the user is absent
1 M C 2 1 1 1 1 2 D02)
Theft of documents written or printed detained by users, in the offices, by a 02C05 02D02
1 M C 2 1 1 1 1 2
02C05 max(02D02;min(02C0
Theft of documents written or printed detained by users, in the offices, by a 1;02C02;02C03))
member of the enterprise staff, while the user is absent
1 M C 2 1 1 1 1 2
Theft of documents written or printed detained by users, in the offices, by a 02C05 max(02D02;min(02C0
visitor, while the user is absent
1 M C 2 1 1 1 1 2 1;02C02;02C06))
02D02
Theft of documents written or printed detained by users, outside the company 1 M C 2 1 1 1 1 2
Theft of documents , during the printing on a shared printer, by a member of the max(02D02;11C06)
enterprise staff
1 M C 2 1 1 1 1 2
max(02D02;11C06)
Theft of documents , during the printing on a shared printer, by a visitor 1 M C 2 1 1 1 1 2
02D02
Theft of documents , during the distribution, by a member of the enterprise staff 1 M C 2 1 1 1 1 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Theft of documents , during the distribution, by a visitor 1 M C 2 1 1 1 1 2 02D02
02D03
Theft of discarded documents , within the collection circuit of paper bins 1 M C 2 1 1 1 1 2
08A07
Disclosure of listings or printouts, due to an error or accidental loss, during the
distribution, by a member of the production team
1 E C 3 1 1 1 1 3
Theft of listings or printouts , within the production premises, by an authorized 08A07

staff member
1 M C 2 1 1 1 1 2 03B06
Theft of listings or printouts , within the production premises, by a member of 08A07

the services team
1 M C 2 1 1 1 1 2 03B06
Theft of listings or printouts , within the production premises, by a member of 08A07

1 M C 2 1 1 1 1 2 03B06
08A07
Theft of listings or printouts , during the distribution, by a member of the
enterprise staff
1 M C 2 1 1 1 1 2
Theft of listings or printouts , during the distribution, by a visitor 1 M C 2 1 1 1 1 2 08A07

08A07
Theft of listings or printouts , within the collection circuit of paper bins 1 M C 2 1 1 1 1 2
Disclosure of data after consultation , by a user authorized illegitimately, max(min(07A01;07A0

1 M C 3 1 1 1 1 3 2;08F01);min(08F01;0
9A01;09A02))
max(min(05B01;05B0
Disclosure of data after consultation , by an unauthorized third party , 2;05B03;05B07;06C0
1 M C 3 1 1 1 1 3 2);min(07A03;07A04;0
8F02);min(09A03;09A
min(08F02;08F03) 04))
Disclosure of data after consultation , by a member of the production team,
1 M C 3 1 1 1 1 3
Disclosure of data after consultation , by an unauthorized third party , max(04B02;min(05B0

connected, from outside, to the local area notwork
1 M C 3 1 1 1 1 3 4;05B05;05B06;05B0
7);min(07A03;07A04;0
Disclosure of data after consultation , by an unauthorized third party , through 8F02);min(09A03;09A
09C03
electro-magnetic tapping
1 M C 3 1 1 1 1 3 04))
Disclosure of data after consultation , by a member of the production team, min(08F02;08F03) 07B01
having access to user resources not erased after use.
1 M C 3 1 1 1 1 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Disclosure of data after tampering , by a member of the staff not authorized, max(05C03;09C01)
connected on the extended network
1 M C 3 1 1 1 1 3
max(03B07;05C01;09
Disclosure of data after tampering , by a member of the enterprise staff,
1 M C 3 1 1 1 1 3 C01)
max(min(06C01;06C0
Disclosure of data after tampering , by a member of the enterprise staff, after 2);09C01)
modification of a network equipment
1 M C 3 1 1 1 1 3
Disclosure of data after tampering , by a member of the production team, after min(06A01;06C03) 09C01
modification of a network equipment
1 M C 3 1 1 1 1 3
max(06A04;09C01)
Disclosure of data after tampering , by an unauthorized third party , after a
remote modification of a network equipment, using a remote maintenance line
1 M C 3 1 1 1 1 3
max(06A02;09C01)
Disclosure of data after tampering , by an unauthorized third party , after a
remote modification of a network equipment, using a flaw not yet fixed
1 M C 3 1 1 1 1 3
Disclosure of data after tampering , by an unauthorized third party , using an max(04B03;04C01;09

equipment usurping the identity of an entity also connected to the extended 1 M C 3 1 1 1 1 3 C01)
network
Disclosure of data after tampering , by a member of the production team, by max(04B03;04C01;09
usurpation of the identity of an application server
1 M C 3 1 1 1 1 3 C01)
Accidental disclosure of emails, due to an addressing error 1 E C 3 1 1 1 1 3 11C05
Intentional disclosure of e-mails during emission or receipt, by a member of the 11C05

production team
1 M C 3 1 1 1 1 3
maintenance team
1 M C 3 1 1 1 1 3
staff not authorized
1 M C 3 1 1 1 1 3
Accidental disclosure of post mails, due to an addressing error 1 A C 3 1 1 1 1 3

02D05
Accidental disclosure of faxes, due to an addressing error 1 A C 3 1 1 1 1 3
02D04
Theft of post mail, during collection or diffusion, in the post mail office 1 M C 2 1 1 1 1 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
02D04
Theft of post mail, during collection or diffusion, in the offices 1 M C 2 1 1 1 1 2
02D05
Intentional disclosure of faxes, in the fax office 1 M C 2 1 1 1 1 2
02D05
Intentional disclosure of faxes, during collection or diffusion 1 M C 2 1 1 1 1 2
02D05
Diversion of fax due to a malicious transfer of receiver fax 1 M C 3 1 1 1 1 3
Theft or diversion of archived documents , within the archival premises, by an 02D07

authorized staff member
1 M C 2 1 1 1 1 2
Theft or diversion of archived documents , within the archival premises, by a 02D07 02D07
1 M C 2 1 1 1 1 2
Theft or diversion of archived documents , during the transportation between 02D07
sites, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
Diversion of archived documents, by using the identity of a person authorized to 02D07
extract an archive
1 M C 2 1 1 1 1 2
08H03 max(08H03;09C02)
Disclosure of information, due to a theft, of media containing files of digitalized
archives , within the archival premises, by an authorized staff member
1 M C 2 1 1 1 1 2
08H03 max(08H03;09C02)
archives , within the archival premises, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
08H03 max(08H03;09C02)
archives , in the distribution office, by a member of the staff not authorized
1 M C 2 1 1 1 1 2
03D01 min(03D02;03D03)
Unavailability of the working environment, by accident, due to a fire 1 A A 2 1 1 1 1 2
03C01 min(03C02;03C03)
Unavailability of the working environment, by accident, due to flooding 1 A A 3 1 1 1 1 3
Unavailability of the working environment, by accident, due to a lack of power 03A02

supply (external cause)
1 A A 3 1 1 1 1 3
Unavailability of the working environment, by accident, due to the impossibility
of accessing the premises (external cause)
1 A A 2 1 1 1 1 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Accidental erasure of programs of telecommunication services (voice, fax, 12A02
videoconferencing, etc.), due to a production incident
1 A A 3 1 1 1 1 0 3
Erasure, due to an error, of configuration (code, parameters, etc.) of 12A03

telecommunication services (voice, fax, videoconferencing, etc.), by a member 1 E A 3 1 1 1 1 0 3
min(12E02;12E03)
Malicious erasure of programs of telecommunication services (voice, fax,
videoconferencing, etc.), by a member of the production team
1 M A 2 1 1 1 1 0 2
12A03
Malicious erasure of programs of telecommunication services (voice, fax,
videoconferencing, etc.), by a member of the maintenance team
1 M A 2 1 1 1 1 0 2
Damaging of (host) system, by accident of telecommunication services (voice, 03C01

fax, videoconferencing, etc.), within the production premises, due to a liquid 1 A A 3 1 1 1 1 0 3
(water) damage
Damaging of (host) system, by accident of telecommunication services (voice, min(03A01;03A04)

fax, videoconferencing, etc.), within the production premises, due to an 1 A A 2 1 1 1 1 0 2
electrical over load
03A05
Long lasting unavailability, damaging or loss of (host) system, by accident of
telecommunication services (voice, fax, videoconferencing, etc.), within the 1 A A 2 1 1 1 1 0 2
production premises, due to a lightning
03D01 min(03D02;03D03)
03C01 min(03C02;03C03)
Temporary unavailability of (host) system, due to an accident, of

telecommunication services (voice, fax, videoconferencing, etc.), caused by the 1 A A 3 1 1 1 1 0 3

telecommunication services (voice, fax, videoconferencing, etc.), caused by the 1 A A 3 1 1 1 1 0 3
breakdown or the unavailability of auxiliary elements


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
telecommunication services (voice, fax, videoconferencing, etc.), due to a lack 1 A A 3 1 1 1 1 0 3
of power supply (external cause)
03B06 min(03B01;03B02;03 03B04

Malicious damaging of host systems of telecommunication services (voice, fax, B03)
videoconferencing, etc.), due to vandalism, within the production premises, by 1 M A 2 1 1 1 1 1 2
an authorized staff member
min(03B03;03B04;03
Malicious damaging of host systems of telecommunication services (voice, fax, B06)
videoconferencing, etc.), due to vandalism, within the production premises, by a 1 M A 2 1 1 1 1 0 2
Malicious damaging of host systems of telecommunication services (voice, fax,

videoconferencing, etc.), due to vandalism, by vandals or terrorists acting from 1 M A 2 1 1 1 1 0 2
outside
min(02A01;02A02;02 02A04
Malicious damaging of host systems of telecommunication services (voice, fax, A03;02A05)
videoconferencing, etc.), due to vandalism, by vandals or terrorists acting from 1 M A 2 1 1 1 1 0 2
inside (after an intrusion)
Malicious destruction of host systems of telecommunication services (voice,

fax, videoconferencing, etc.), due to a terrorist action, by vandals or terrorists 1 M A 2 1 1 1 1 0 2
acting from outside
Stoppage of functioning of telecommunication services (voice, fax,

videoconferencing, etc.), due to system maintenance provider being unable to 1 A A 2 1 1 1 1 0 2
repair (unfixable failure or provider default)
06A02 04D03
Accidental erasure of configuration (code, parameters, etc.) of the extended
network services due to a production incident
1 A A 3 1 1 1 1 0 3
Erasure, due to an error, of configuration (code, parameters, etc.) of the

extended network services by a member of the production team
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of configuration (code, parameters, etc.) of the

extended network services by a member of the maintenance team
1 E A 3 1 1 1 1 0 3
Malicious erasure de configuration (code, parameters, etc.) of the extended 06C02 04D02
network services by a user not authorized
1 M A 2 1 1 1 1 0 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Malicious erasure de configuration (code, parameters, etc.) of the extended min(06C02;06C03)
network services by a member of the production team
1 M A 2 1 1 1 1 0 2
Malicious erasure de configuration (code, parameters, etc.) of the extended 04D02

network services by a member of the maintenance team
1 M A 2 1 1 1 1 0 2
min(06C02;06C03)
Malicious erasure of configurations and backups (code, parameters, etc.) of the
extended network services by a member of the production team
1 M A 2 1 1 1 1 0 2
03C01
Damaging of (host) system, by accident of the extended network services ,
within the production premises, due to a liquid (water) damage
1 A A 3 1 1 1 1 0 3
min(03A01;03A04)
Damaging of (host) system, by accident of the extended network services ,
within the production premises, due to an electrical over load
1 A A 2 1 1 1 1 0 2
03A05
Long lasting unavailability, damaging or loss of (host) system, by accident of the
extended network services , within the production premises, due to a lightning
1 A A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
extended network services , within the production premises, due to a fire
1 A A 2 1 1 1 1 1 2
03C01 min(03C02;03C03)
extended network services , within the production premises, due to flooding
1 A A 3 1 1 1 1 1 3
Temporary unavailability of (host) system, due to an accident, of the extended

network services , caused by the breakdown of an equipment
1 A A 3 1 1 1 1 0 3

network services , caused by the breakdown or the unavailability of auxiliary 1 A A 3 1 1 1 1 0 3
elements

network services , due to a lack of power supply (external cause)
1 A A 3 1 1 1 1 0 3
03B06 min(03B01;03B02;03 03B04

Malicious damaging of host systems of the extended network services , due to B03)
vandalism, within the production premises, by an authorized staff member
1 M A 2 1 1 1 1 0 2
Malicious damaging of host systems of the extended network services , due to min(03B03;03B04;03
vandalism, within the production premises, by a member of the staff not 1 M A 2 1 1 1 1 0 2 B06)
authorized


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Malicious damaging of host systems of the extended network services , due to
vandalism, by vandals or terrorists acting from outside
1 M A 2 1 1 1 1 0 2
min(02A01;02A02;02 02A04
Malicious damaging of host systems of the extended network services , due to A03;02A05)
vandalism, by vandals or terrorists acting from inside (after an intrusion)
1 M A 2 1 1 1 1 0 2
Malicious destruction of host systems of the extended network services , due to

a terrorist action, by vandals or terrorists acting from outside
1 M A 2 1 1 1 1 0 2
Malicious breakdown of the extended network services , mass erasure or min(06C02;06C03)

pollution of the configuration of a host system , by a member of the production 1 M A 2 1 1 1 1 0 2
team
Malicious breakdown of the extended network services , mass erasure or

pollution of the configuration of a host system , by a member of the 1 M A 2 1 1 1 1 0 2
maintenance team
Stoppage of functioning of the extended network services , due to system

maintenance provider being unable to repair (unfixable failure or provider 1 A A 2 1 1 1 1 0 2
default)
Stoppage of functioning of the extended network services , due to a social

conflict with the production staff
1 A A 2 1 1 1 1 0 2
Stoppage of functioning of the extended network services , due to a long lasting

absence of internal staff required
1 A A 2 1 1 1 1 0 2
Stoppage of functioning of the extended network services , due to a long lasting

absence of staff from a provider
1 A A 3 1 1 1 1 0 3
04D01
Stoppage of functioning of the extended network services , due to a worm 1 A A 3 1 1 1 1 0 3
Accidental erasure of configuration (code, parameters, etc.) of Local Area 06A02 05D03
Network services, due to a production incident
1 A A 3 1 1 1 1 1 3
Erasure, due to an error, of configuration (code, parameters, etc.) of Local Area

Network services, by a member of the production team
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of configuration (code, parameters, etc.) of Local Area

Network services, by a member of the maintenance team
1 E A 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Malicious erasure de configuration (code, parameters, etc.) of Local Area 06C02 05D02
Network services, by a user not authorized
1 M A 2 1 1 1 1 0 2
Malicious erasure de configuration (code, parameters, etc.) of Local Area min(06C02;06C03)

1 M A 2 1 1 1 1 0 2
Malicious erasure de configuration (code, parameters, etc.) of Local Area 05D02

1 M A 2 1 1 1 1 0 2
min(06C02;06C03)
Malicious erasure of configurations and backups (code, parameters, etc.) of
Local Area Network services, by a member of the production team
1 M A 2 1 1 1 1 0 2
03C01
Damaging of (host) system, by accident of Local Area Network services, within
the production premises, due to a liquid (water) damage
1 A A 3 1 1 1 1 0 3
min(03A01;03A04)
Damaging of (host) system, by accident of Local Area Network services, within
the production premises, due to an electrical over load
1 A A 2 1 1 1 1 0 2
03A05
Local Area Network services, within the production premises, due to a lightning
1 A A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
Local Area Network services, within the production premises, due to a fire
1 A A 2 1 1 1 1 1 2
03C01 min(03C02;03C03)
Local Area Network services, within the production premises, due to flooding
1 A A 3 1 1 1 1 1 3
Temporary unavailability of (host) system, due to an accident, of Local Area

Network services, caused by the breakdown of an equipment
1 A A 3 1 1 1 1 0 3

Network services, caused by the breakdown or the unavailability of auxiliary 1 A A 3 1 1 1 1 0 3
elements

Network services, due to a lack of power supply (external cause)
1 A A 3 1 1 1 1 0 3
03B06 min(03B01;03B02;03 03B04

Malicious damaging of host systems of Local Area Network services, due to B03)
1 M A 2 1 1 1 1 1 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Malicious damaging of host systems of Local Area Network services, due to min(03B03;03B04;03
authorized
Malicious damaging of host systems of Local Area Network services, due to

1 M A 2 1 1 1 1 0 2
min(02A01;02A02;02 02A04
Malicious damaging of host systems of Local Area Network services, due to A03;02A05)
1 M A 2 1 1 1 1 0 2
Malicious destruction of host systems of Local Area Network services, due to a

terrorist action, by vandals or terrorists acting from outside
1 M A 2 1 1 1 1 0 2
min(06C02;06C03)
Malicious breakdown of Local Area Network services, mass erasure or
pollution of the configuration of a host system by a member of the production 1 M A 2 1 1 1 1 0 2
team
Malicious breakdown of Local Area Network services, mass erasure or

pollution of the configuration of a host system by a member of the maintenance 1 M A 2 1 1 1 1 0 2
team
Stoppage of functioning of Local Area Network services, due to system

default)
Stoppage of functioning of Local Area Network services, due to a social conflict

with the production staff
1 A A 2 1 1 1 1 0 2
Stoppage of functioning of Local Area Network services, due to a long lasting

1 A A 2 1 1 1 1 0 2
Stoppage of functioning of Local Area Network services, due to a long lasting

1 A A 3 1 1 1 1 0 3
05D01
Stoppage of functioning of Local Area Network services, due to a worm 1 A A 3 1 1 1 1 0 3
Accidental erasure of programs of application services , due to a production 08A03 08E03

incident
1 A A 3 1 1 1 1 0 3
Erasure, due to an error, of programs of application services , by a user

authorized legitimately
1 E A 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Erasure, due to an error, of programs of application services , by a user max(07A02;09A02)
authorized illegitimately
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programs of application services , by a user not min(07A03;07A04)
authorized
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programs of application services , by a member of
the production team
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programs of application services , by a member of
the maintenance team
1 E A 3 1 1 1 1 0 3
Malicious erasure of programs of application services , by a user authorized min(07C01;08E02)
legitimately
1 M A 2 1 1 1 1 0 2
Malicious erasure of programs of application services , by a user authorized min(07C01;08E02) max(07A02;09A02)
illegitimately
1 M A 2 1 1 1 1 0 2
min(07A03;07A04)
Malicious erasure of programs of application services , by a user not authorized 1 M A 2 1 1 1 1 0 2
Malicious erasure of programs of application services , by a member of the min(08F02;08F03)
production team
1 M A 2 1 1 1 1 0 2
Malicious erasure of programs of application services , by a member of the min(07C02;08E02)
maintenance team
1 M A 2 1 1 1 1 0 2
min(08F02;08F03)
Malicious erasure of files and backups of application services , by a member of
the production team
1 M A 2 1 1 1 1 0 2
Pollution, by accident, of programs of application services due to a procedure 10B05

error, during a software maintenance operation
1 A A 3 1 1 1 1 0 3
Pollution, by accident, of programs of application services due to a procedure 10B06
error, during a hot maintenance operation
1 A A 3 1 1 1 1 0 3
Pollution, by accident, of programs of application services due a production 08E02
incident
1 A A 3 1 1 1 1 0 3
max(min(07A01;07A0
Malicious pollution of programs of application services during production by a 2;08F01);min(09A01;0
user authorized illegitimately
1 M A 3 1 1 1 1 0 3
9A02))
Malicious pollution of programs of application services during production by a max(min(07A03;07A0

user not authorized
1 M A 3 1 1 1 1 0 3 4;08F02);min(09A03;0
9A04))
Malicious pollution of programs of application services during production by a min(08F02;08F03)
1 M A 3 1 1 1 1 0 3
Malicious pollution of programs of application services during production by a min(08F02;08F03) 10B05
1 M A 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
03D01
Loss, due to destruction, of media supporting programs of application
services , within the production premises, due to a fire
1 A A 2 1 1 1 1 0 2

services , within the production premises, due to flooding
1 A A 3 1 1 1 1 0 3
Loss, due to destruction, of media supporting programs of application 03D01

services , in the media storage premises, due to a fire
1 A A 2 1 1 1 1 0 2
services , in the media storage premises, due to flooding
1 A A 3 1 1 1 1 0 3
Loss, due to accidental disappearance, of media supporting programs of
application services , in the media storage premises
1 A A 3 1 1 1 1 0 3

application services , within the production premises
1 A A 3 1 1 1 1 0 3
Theft of media supporting programs of application services , within the

production premises, by a member of the staff not authorized
1 M A 2 1 1 1 1 0 2 03B06 min(03B03;03B04)

production premises, by a member of the production team
1 M A 2 1 1 1 1 0 2 03B06

production premises, by a member of the services team
1 M A 2 1 1 1 1 0 2 03B06
Theft of media supporting programs of application services , in the media

storage premises, by a member of the staff not authorized
1 M A 2 1 1 1 1 0 2 03B06 08C03

storage premises, by a member of the production team
1 M A 2 1 1 1 1 0 2 03B06

storage premises, by a member of the services team
1 M A 2 1 1 1 1 0 2 03B06
Impossibility, due to an accident, to use a media supporting programs of

application services , within the production premises, caused by the breakdown 1 A A 3 1 1 1 1 0 3
of an equipment
Impossibility, due to an accident, to use a media supporting programs of 03C01
application services , within the production premises, due a liquid (water) 1 A A 3 1 1 1 1 0 3
damage
Impossibility, due to an accident, to use a media supporting programs of min(03A01;03A04)
application services , within the production premises, due to an electrical over 1 A A 2 1 1 1 1 0 2
load
08A03 08E03
application services , within the production premises, due a production incident
1 A A 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
application services , in the media storage premises, due to pollution
1 A A 2 1 1 1 1 0 2
Impossibility, due to an accident, to use a media supporting programs of 08C03
application services , in the media storage premises, due to a liquid (water) 1 A A 3 1 1 1 1 0 3
damage
application services , in the media storage premises, due to ageing
1 A A 2 1 1 1 1 0 2 08C05
03C01
Damaging of (host) system, by accident of application services , within the
production premises, due to a liquid (water) damage
1 A A 3 1 1 1 1 0 3
min(03A01;03A04)
Damaging of (host) system, by accident of application services , within the
production premises, due to an electrical over load
1 A A 2 1 1 1 1 0 2
03A05
application services , within the production premises, due to a lightning
1 A A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
application services , within the production premises, due to a fire
1 A A 2 1 1 1 1 0 2
03C01 min(03C02;03C03)
application services , within the production premises, due to flooding
1 A A 3 1 1 1 1 0 3
09E01
Temporary unavailability of (host) system, due to an accident, of application
services , caused by the breakdown of an equipment
1 A A 3 1 1 1 1 0 3

services , caused by the breakdown or the unavailability of auxiliary elements
1 A A 3 1 1 1 1 0 3

services , due to a lack of power supply (external cause)
1 A A 3 1 1 1 1 0 3

services , due a stoppage of the air conditioning
1 A A 2 1 1 1 1 0 2
03B06 min(03B01;03B02;03 03B04

Malicious damaging of host systems of application services , due to vandalism, B03)
within the production premises, by an authorized staff member
1 M A 2 1 1 1 1 0 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
min(03B03;03B04;03
Malicious damaging of host systems of application services , due to vandalism, B06)
within the production premises, by a member of the staff not authorized
1 M A 2 1 1 1 1 0 2
Malicious damaging of host systems of application services , due to vandalism,

by vandals or terrorists acting from outside
1 M A 2 1 1 1 1 0 2
min(02A01;02A02;02 02A04
Malicious damaging of host systems of application services , due to vandalism, A03;02A05)
by vandals or terrorists acting from inside (after an intrusion)
1 M A 2 1 1 1 1 0 2
Malicious destruction of host systems of application services , due to a terrorist

action, by vandals or terrorists acting from outside
1 M A 2 1 1 1 1 0 2
min(08F02;08F03)
Malicious breakdown of application services , mass erasure or pollution of the
configuration of a host system , by a member of the production team
1 M A 2 1 1 1 1 0 2
min(07C02;08E02)
Malicious breakdown of application services , mass erasure or pollution of the
configuration of a host system , by a member of the maintenance team
1 M A 2 1 1 1 1 0 2
Stoppage of functioning of application services , due to to system maintenance

provider being unable to repair (unfixable failure or provider default)
1 A A 2 1 1 1 1 0 2
Stoppage of functioning of application services , due to to the software

maintenance provider being unable to repair (unfixable failure or provider 1 V A 3 1 1 1 1 0 3
default)
Stoppage of functioning of application services , due to to a social conflict with

the production staff
1 V A 2 1 1 1 1 0 2
Stoppage of functioning of application services , due to to a long lasting

1 A A 2 1 1 1 1 0 2
Stoppage of functioning of application services , due to to a long lasting

1 A A 3 1 1 1 1 0 3
Locking of application services , due to to a blocking bug in a system or 08A03

application software
1 E A 2 1 1 1 1 0 2
08A03
Locking of application services , due to to a blocking bug in a custom software 1 E A 3 1 1 1 1 0 3
07D01 08E01
Locking of application services , due to a production incident 1 A A 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Locking of application services , due to to a malicious saturation of computing min(07C01;07C02) 08E01 min(08E02;08E03)
or network equipments
1 M A 3 1 1 1 1 0 3
Locking of accounts necessary for operation of application services , due to to
a blockage of accounts attack
1 M A 2 1 1 1 1 0 2
Accidental erasure of programs of common office services, due to a production 08A03 08E03
incident
1 A A 3 1 1 1 1 0 3
Erasure, due to an error, of programsof common office services, by a user

1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programsof common office services, by a user max(07A02;09A02)
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programsof common office services, by a user not min(07A03;07A04)
authorized
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programsof common office services, by a member
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programsof common office services, by a member
1 E A 3 1 1 1 1 0 3
Malicious erasure of programs of common office services, by a user authorized min(07C01;08E02)
legitimately
1 M A 2 1 1 1 1 0 2
Malicious erasure of programs of common office services, by a user authorized min(07C01;08E02) max(07A02;09A02)
illegitimately
1 M A 2 1 1 1 1 0 2
Malicious erasure of programs of common office services, by a user not min(07A03;07A04)

authorized
1 M A 2 1 1 1 1 0 2
Malicious erasure of programs of common office services, by a member of the min(08F02;08F03)
production team
1 M A 2 1 1 1 1 0 2
Malicious erasure of programs of common office services, by a member of the min(07C02;08E02)
maintenance team
1 M A 2 1 1 1 1 0 2
min(08F02;08F03)
Malicious erasure of files and backups of common office services, by a member
1 M A 2 1 1 1 1 0 2
Pollution, by accident, of programs of common office services due to a 10B05

procedure error, during a software maintenance operation
1 A A 3 1 1 1 1 3
Pollution, by accident, of programs of common office services due to a 10B06
procedure error, during a hot maintenance operation
1 A A 3 1 1 1 1 3
Pollution, by accident, of programs of common office services due a production 08D03 08E02
incident
1 A A 3 1 1 1 1 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Malicious pollution of programs of common office services during production by max(min(07A01;07A0
a user authorized illegitimately
1 M A 3 1 1 1 1 3 2;08F01);min(09A01;0
9A02))
Malicious pollution of programs of common office services during production by max(min(07A03;07A0
a user not authorized
1 M A 3 1 1 1 1 3 4;08F02);min(09A03;0
9A04))
Malicious pollution of programs of common office services during production by min(08F02;08F03)
a member of the production team
1 M A 3 1 1 1 1 3
Malicious pollution of programs of common office services during production by min(08F02;08F03) 10B05
a member of the maintenance team
1 M A 3 1 1 1 1 3
03D01
Loss, due to destruction, of media supporting programs of common office
services, within the production premises, due to to a fire
1 A A 2 1 1 1 1 0 2

services, within the production premises, due to to flooding
1 A A 3 1 1 1 1 0 3
Loss, due to destruction, of media supporting programs of common office 03D01

services, in the media storage premises, due to to a fire
1 A A 2 1 1 1 1 0 2
services, in the media storage premises, due to to flooding
1 A A 3 1 1 1 1 0 3
common office services, in the media storage premises
1 A A 3 1 1 1 1 0 3

common office services, within the production premises
1 A A 3 1 1 1 1 0 3
Theft of media supporting programs of common office services, within the

1 M A 2 1 1 1 1 0 2 03B06 min(03B03;03B04)

1 M A 2 1 1 1 1 0 2 03B06

1 M A 2 1 1 1 1 0 2 03B06
Theft of media supporting programs of common office services, in the media

1 M A 2 1 1 1 1 0 2 03B06 08C03

1 M A 2 1 1 1 1 0 2 03B06

1 M A 2 1 1 1 1 0 2 03B06


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Impossibility, due to an accident, to use a media supporting programsof
common office services, within the production premises, caused by the 1 A A 3 1 1 1 1 0 3
Impossibility, due to an accident, to use a media supporting programsof 03C01

common office services, within the production premises, due a liquid (water) 1 A A 3 1 1 1 1 0 3
damage
Impossibility, due to an accident, to use a media supporting programsof min(03A01;03A04)
common office services, within the production premises, due to an electrical 1 A A 2 1 1 1 1 0 2
over load
Impossibility, due to an accident, to use a media supporting programsof 08A03 08E03
common office services, within the production premises, due a production 1 A A 3 1 1 1 1 0 3
incident

common office services, in the media storage premises, due to pollution
1 A A 2 1 1 1 1 0 2
common office services, in the media storage premises, due a liquid (water) 1 A A 3 1 1 1 1 0 3
damage
common office services, in the media storage premises, due to ageing
1 A A 2 1 1 1 1 0 2
03C01
Damaging of (host) system, by accident of common office services, within the
production premises, due a liquid (water) damage
1 A A 3 1 1 1 1 0 3
Damaging of (host) system, by accident of common office services, within the min(03A01;03A04)
1 A A 2 1 1 1 1 0 2
03A05
common office services, within the production premises, due to a lightning
1 A A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
common office services, within the production premises, due to a fire
1 A A 2 1 1 1 1 0 2
03C01 min(03C02;03C03)
common office services, within the production premises, due to flooding
1 A A 3 1 1 1 1 0 3
09E01
Temporary unavailability of (host) system, due to an accident, of common office
services, caused by the breakdown of an equipment
1 A A 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
services, caused by the breakdown or the unavailability of auxiliary elements
1 A A 3 1 1 1 1 0 3

services, due to a lack of power supply (external cause)
1 A A 3 1 1 1 1 0 3
03B06 min(03B01;03B02;03 03B04

Malicious damaging of host systems of common office services, due to B03)
1 M A 2 1 1 1 1 0 2
Malicious damaging of host systems of common office services, due to min(03B03;03B04;03

authorized
Malicious damaging of host systems of common office services, due to

1 M A 2 1 1 1 1 0 2
min(02A01;02A02;02 02A04
Malicious damaging of host systems of common office services, due to A03;02A05)
1 M A 2 1 1 1 1 0 2
Malicious destruction of host systems of common office services, due to a

1 M A 2 1 1 1 1 0 2
min(08F02;08F03)
Malicious breakdown of common office services, mass erasure or pollution of
the configuration of a host system , by a member of the production team
1 M A 2 1 1 1 1 0 2
min(07C02;08E02)
Malicious breakdown of common office services, mass erasure or pollution of
the configuration of a host system , by a member of the maintenance team
1 M A 2 1 1 1 1 0 2
Stoppage of functioning of common office services, due to to system

maintenance provider being unable to repair (unfixable failure or provider 1 A A 2 1 1 1 1 2
default)
Stoppage of functioning of common office services, due to the software
maintenance provider being unable to repair (unfixable failure or provider 1 V A 3 1 1 1 1 0 3
default)
Stoppage of functioning of common office services, due to a social conflict with

the production staff
1 V A 2 1 1 1 1 0 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Stoppage of functioning of common office services, due to a long lasting
1 A A 2 1 1 1 1 0 2
Stoppage of functioning of common office services, due to a long lasting

1 A A 3 1 1 1 1 0 3
Locking of common office services, due to a blocking bug in a system or 11A01

1 E A 2 1 1 1 1 0 2
Locking of common office services, due to a malicious saturation of computing min(07C01;07C02) 08E01 min(08E02;08E03)
or network equipments
1 M A 3 1 1 1 1 0 3
Locking of accounts necessary for operation of common office services, due to
a blockage of accounts attack
1 M A 2 1 1 1 1 0 2
c interfaces, etc.)
11A01
Accidental erasure of all configuration files (programs, codes, parameters, etc.)
of equipments provided to end users, due to a production incident
1 A A 3 1 1 1 1 0 3
General erasure, by error, of configurations (programs, code, parameters, etc.)

of equipments provided to end users, by a member of the production team
1 E A 3 1 1 1 1 0 3
General erasure, by error, of configurations (programs, code, parameters, etc.)

of equipments provided to end users, by a member of the maintenance team
1 E A 3 1 1 1 1 0 3
min(11E02;11E03)
Malicious erasure of all configurations (programs, code, parameters, etc.) of
equipments provided to end users, by a member of the production team
1 M A 3 1 1 1 1 0 3
11D06
Heavy unavailability of equipments provided to end users, due a virus 1 A A 4 1 1 1 1 0 4
Heavy unavailability of equipments provided to end users, within the production 03A05
premises, due to a lightning
1 A A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
Heavy unavailability of equipments provided to end users, within the production
premises, due to a fire
1 A A 2 1 1 1 1 0 2
Heavy unavailability of equipments provided to end users, within the production 03C01 min(03C02;03C03)
premises, due to flooding
1 A A 3 1 1 1 1 0 3
Heavy unavailability of equipments provided to end users, due to a lack of 03A02

power supply (external cause)
1 A A 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
03B06 min(03B01;03B02;03 03B04
Malicious heavy destruction of equipments provided to end users, due to B03)
1 M A 2 1 1 1 1 0 2
min(03B03;03B04;03
Malicious heavy destruction of equipments provided to end users, due to B063)
vandalism, within the production premises, by an unauthorized third party
1 M A 2 1 1 1 1 0 2
Temporary unavailability, due to an accident, of equipments provided to end

users, caused by the breakdown of an equipment (shared equipment)
1 A A 3 1 1 1 1 0 3
Accidental erasure of programs of common system services , due to a 08A03 08E03

production incident
1 A A 3 1 1 1 1 0 3
Erasure, due to an error, of programsof common system services , by a user

1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programsof common system services , by a user max(07A02;09A02)
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programsof common system services , by a user min(07A03;07A04)
not authorized
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programsof common system services , by a
1 E A 3 1 1 1 1 0 3
Erasure, due to an error, of programsof common system services , by a
1 E A 3 1 1 1 1 0 3
Malicious erasure of programs of common system services , by a user min(07C01;08E02)
1 M A 2 1 1 1 1 0 2
min(07C01;08E02) max(07A02;09A02)
Malicious erasure of programs of common system services , by a user
1 M A 2 1 1 1 1 0 2
min(07A03;07A04)
Malicious erasure of programs of common system services , by a user not
authorized
1 M A 2 1 1 1 1 0 2
Malicious erasure of programs of common system services , by a member of min(08F02;08F03)

the production team
1 M A 2 1 1 1 1 0 2
Malicious erasure of programs of common system services , by a member of min(07C02;08E02)
1 M A 2 1 1 1 1 0 2
Malicious erasure of files and backups of common system services , by a min(08F02;08F03)
1 M A 2 1 1 1 1 0 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Pollution, by accident, of programs of common system services due to a 10B05
1 A A 3 1 1 1 1 0 3
Pollution, by accident, of programs of common system services due to a 10B06
procedure error, during a hot maintenance operation
1 A A 3 1 1 1 1 0 3
Pollution, by accident, of programs of common system services due a 08E02
production incident
1 A A 3 1 1 1 1 0 3
Malicious pollution of programs of common system services during production max(min(07A01;07A0

by a user authorized illegitimately
1 M A 3 1 1 1 1 0 3 2;08F01);min(09A01;0
9A02))
Malicious pollution of programs of common system services during production max(min(07A03;07A0
by a user not authorized
1 M A 3 1 1 1 1 0 3 4;08F02);min(09A03;0
9A04))
Malicious pollution of programs of common system services during production min(08F02;08F03)
by a member of the production team
1 M A 3 1 1 1 1 0 3
Malicious pollution of programs of common system services during production min(08F02;08F03) 10B05
by a member of the maintenance team
1 M A 3 1 1 1 1 0 3
03D01
Loss, due to destruction, of media supporting programs of common system
services , within the production premises, due to to a fire
1 A A 2 1 1 1 1 0 2

services , within the production premises, due to to flooding
1 A A 3 1 1 1 1 0 3
Loss, due to destruction, of media supporting programs of common system 03D01

services , in the media storage premises, due to to a fire
1 A A 2 1 1 1 1 0 2
services , in the media storage premises, due to to flooding
1 A A 3 1 1 1 1 0 3
common system services , in the media storage premises
1 A A 3 1 1 1 1 0 3

common system services , within the production premises
1 A A 3 1 1 1 1 0 3
Theft of media supporting programs of common system services , within the

1 M A 2 1 1 1 1 0 2 03B06 min(03B03;03B04)

1 M A 2 1 1 1 1 0 2 03B06

1 M A 2 1 1 1 1 0 2 03B06


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Theft of media supporting programs of common system services , in the media
1 M A 2 1 1 1 1 0 2 03B06 08C03

1 M A 2 1 1 1 1 0 2 03B06

1 M A 2 1 1 1 1 0 2 03B06

common system services , within the production premises, caused by the 1 A A 3 1 1 1 1 0 3

common system services , within the production premises, due a liquid (water) 1 A A 3 1 1 1 1 0 3
damage

common system services , within the production premises, due to an electrical 1 A A 2 1 1 1 1 0 2
over load
common system services , within the production premises, due a production 1 A A 3 1 1 1 1 0 3
incident

common system services , in the media storage premises, due to pollution
1 A A 2 1 1 1 1 0 2
common system services , in the media storage premises, due a liquid (water) 1 A A 3 1 1 1 1 0 3
damage
common system services , in the media storage premises, due to ageing
1 A A 2 1 1 1 1 0 2 08C05
03C01
Damaging of (host) system, by accident of common system services , within the
1 A A 3 1 1 1 1 0 3
Damaging of (host) system, by accident of common system services , within the min(03A01;03A04)
1 A A 2 1 1 1 1 0 2
03A05
common system services , within the production premises, due to a lightning
1 A A 2 1 1 1 1 0 2
03D01 min(03D02;03D03)
common system services , within the production premises, due to a fire
1 A A 2 1 1 1 1 0 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
03C01 min(03C02;03C03)
common system services , within the production premises, due to flooding
1 A A 3 1 1 1 1 0 3
09E01
Temporary unavailability of (host) system, due to an accident, of common
system services , caused by the breakdown of an equipment
1 A A 3 1 1 1 1 0 3

system services , caused by the breakdown or the unavailability of auxiliary 1 A A 3 1 1 1 1 0 3
elements

system services , due to a lack of power supply (external cause)
1 A A 3 1 1 1 1 0 3

system services , due a stoppage of the air conditioning
1 A A 2 1 1 1 1 0 2
03B06 min(03B01;03B02;03 03B04

Malicious damaging of host systems of common system services , due to B03)
1 M A 2 1 1 1 1 0 2
Malicious damaging of host systems of common system services , due to min(03B03;03B04;03

authorized
Malicious damaging of host systems of common system services , due to

1 M A 2 1 1 1 1 0 2
min(02A01;02A02;02 02A04
Malicious damaging of host systems of common system services , due to A03;02A05)
1 M A 2 1 1 1 1 0 2
Malicious destruction of host systems of common system services , due to a

1 M A 2 1 1 1 1 0 2
Stoppage of functioning of common system services , due to to system

default)
Stoppage of functioning of common system services , due to to the software

default)


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Stoppage of functioning of common system services , due to to a social conflict
with the production staff
1 V A 2 1 1 1 1 0 2
Stoppage of functioning of common system services , due to to a long lasting

1 A A 2 1 1 1 1 0 2
Stoppage of functioning of common system services , due to to a long lasting

1 A A 3 1 1 1 1 0 3
Locking of common system services , due to to a blocking bug in a system or 08A03
1 E A 2 1 1 1 1 0 2
Locking of common system services , due to to a blocking bug in a custom 08A03
software
1 E A 3 1 1 1 1 0 3
07D01 08E01
Locking of common system services , due to a production incident 1 E A 3 1 1 1 1 0 3
Locking of common system services , due to to a malicious saturation of min(07C01;07C02) 08E01 min(08E02;08E03)
computing or network equipments
1 M A 3 1 1 1 1 0 3
Locking of accounts necessary for operation of common system services , due
to to a blockage of accounts attack
1 M A 2 1 1 1 1 0 2
08A03 08E03
Accidental erasure of programs of information publishing services on an
internal or public web site, due to a production incident
1 A A 3 1 1 1 1 0 3
Erasure, due to an error, of programsof information publishing services on an

internal or public web site, by a user authorized legitimately
1 E A 3 1 1 1 1 0 3
max(07A02;09A02)
internal or public web site, by a user authorized illegitimately
1 E A 3 1 1 1 1 0 3
min(07A03;07A04)
internal or public web site, by a user not authorized
1 E A 3 1 1 1 1 0 3

internal or public web site, by a member of the production team
1 E A 3 1 1 1 1 0 3

internal or public web site, by a member of the maintenance team
1 E A 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
min(07C01;08E02)
Malicious erasure of programs of information publishing services on an internal
or public web site, by a user authorized legitimately
1 M A 2 1 1 1 1 0 2
min(07C01;08E02) max(07A02;09A02)
or public web site, by a user authorized illegitimately
1 M A 2 1 1 1 1 0 2
min(07A03;07A04)
or public web site, by a user not authorized
1 M A 2 1 1 1 1 0 2
min(08F02;08F03)
or public web site, by a member of the production team
1 M A 2 1 1 1 1 0 2
min(07C02;08E02)
or public web site, by a member of the maintenance team
1 M A 2 1 1 1 1 0 2
min(08F02;08F03)
Malicious erasure of files and backups of information publishing services on an
internal or public web site, by a member of the production team
1 M A 2 1 1 1 1 0 2
Pollution, by accident, of programs of information publishing services on an 10B05

internal or public web site due to a procedure error, during a software 1 A A 3 1 1 1 1 0 3
maintenance operation
Pollution, by accident, of programs of information publishing services on an 10B06

internal or public web site due to a procedure error, during a hot maintenance 1 A A 3 1 1 1 1 0 3
operation
08D03 08E02
Pollution, by accident, of programs of information publishing services on an
internal or public web site due a production incident
1 A A 3 1 1 1 1 0 3
max(min(07A01;07A0
Malicious pollution of programs of information publishing services on an internal 2;08F01);min(09A01;0
or public web site during production by a user authorized illegitimately
1 M A 3 1 1 1 1 0 3
9A02))
max(min(07A03;07A0
Malicious pollution of programs of information publishing services on an internal 4;08F02);min(09A03;0
or public web site during production by a user not authorized
1 M A 3 1 1 1 1 0 3
9A04))


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
min(08F02;08F03)
Malicious pollution of programs of information publishing services on an internal
or public web site during production by a member of the production team
1 M A 3 1 1 1 1 0 3
min(08F02;08F03) 10B05
Malicious pollution of programs of information publishing services on an internal
or public web site during production by a member of the maintenance team
1 M A 3 1 1 1 1 0 3
Loss, due to destruction, of media supporting programs of information 03D01

publishing services on an internal or public web site, within the production 1 A A 2 1 1 1 1 0 2
premises, due to to a fire
Loss, due to destruction, of media supporting programs of information
publishing services on an internal or public web site, within the production 1 A A 3 1 1 1 1 0 3
premises, due to to flooding
Loss, due to destruction, of media supporting programs of information 03D01
publishing services on an internal or public web site, in the media storage 1 A A 2 1 1 1 1 0 2
premises, due to to a fire
Loss, due to destruction, of media supporting programs of information

publishing services on an internal or public web site, in the media storage 1 A A 3 1 1 1 1 0 3
premises, due to to flooding

information publishing services on an internal or public web site, in the media 1 A A 3 1 1 1 1 0 3
storage premises

information publishing services on an internal or public web site, within the 1 A A 3 1 1 1 1 0 3
production premises
Theft of media supporting programs of information publishing services on an

internal or public web site, within the production premises, by a member of the 1 M A 2 1 1 1 1 0 2 03B06 min(03B03;03B04)

internal or public web site, within the production premises, by a member of the 1 M A 2 1 1 1 1 0 2 03B06
production team

internal or public web site, within the production premises, by a member of the 1 M A 2 1 1 1 1 0 2 03B06
services team

internal or public web site, in the media storage premises, by a member of the 1 M A 2 1 1 1 1 0 2 03B06 08C03


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
internal or public web site, in the media storage premises, by a member of the 1 M A 2 1 1 1 1 0 2 03B06
production team

internal or public web site, in the media storage premises, by a member of the 1 M A 2 1 1 1 1 0 2 03B06
services team

production premises, caused by the breakdown of an equipment

production premises, due a production incident

storage premises, due to pollution

storage premises, due a liquid (water) damage

information publishing services on an internal or public web site, in the media 1 A A 2 1 1 1 1 0 2 08C05
storage premises, due to ageing
Damaging of (host) system, by accident of information publishing services on 03C01

an internal or public web site, within the production premises, due a liquid 1 A A 3 1 1 1 1 0 3
(water) damage
Damaging of (host) system, by accident of information publishing services on min(03A01;03A04)

an internal or public web site, within the production premises, due to an 1 A A 2 1 1 1 1 0 2
electrical over load
Long lasting unavailability, damaging or loss of (host) system, by accident of 03A05

production premises, due to a lightning


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Long lasting unavailability, damaging or loss of (host) system, by accident of 03D01 min(03D02;03D03)
Long lasting unavailability, damaging or loss of (host) system, by accident of 03C01 min(03C02;03C03)
Temporary unavailability of (host) system, due to an accident, of information 09E01

publishing services on an internal or public web site, caused by the breakdown 1 A A 3 1 1 1 1 0 3
of an equipment
Temporary unavailability of (host) system, due to an accident, of information

publishing services on an internal or public web site, caused by the breakdown 1 A A 3 1 1 1 1 0 3
or the unavailability of auxiliary elements
Temporary unavailability of (host) system, due to an accident, of information

publishing services on an internal or public web site, due to a lack of power 1 A A 3 1 1 1 1 0 3
supply (external cause)
03B06 min(03B01;03B02;03 03B04
Malicious damaging of host systems of information publishing services on an
B03)
internal or public web site, due to vandalism, within the production premises, by 1 M A 2 1 1 1 1 0 2
an authorized staff member
min(03B03;03B04;03
Malicious damaging of host systems of information publishing services on an B063)
internal or public web site, due to vandalism, within the production premises, by 1 M A 2 1 1 1 1 0 2
a member of the staff not authorized
Malicious damaging of host systems of information publishing services on an

internal or public web site, due to vandalism, by vandals or terrorists acting 1 M A 2 1 1 1 1 0 2
from outside
Malicious damaging of host systems of information publishing services on an min(02A01;02A02;02 02A04

internal or public web site, due to vandalism, by vandals or terrorists acting 1 M A 2 1 1 1 1 0 2 A03;02A05)
from inside (after an intrusion)
min(08F02;08F03)
Malicious breakdown of information publishing services on an internal or public
web site, mass erasure or pollution of the configuration of a host system , by a 1 M A 2 1 1 1 1 0 2
min(07C02;08E02)
Malicious breakdown of information publishing services on an internal or public
web site, mass erasure or pollution of the configuration of a host system , by a 1 M A 2 1 1 1 1 0 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Malicious destruction of host systems of information publishing services on an
internal or public web site, due to a terrorist action, by vandals or terrorists 1 M A 2 1 1 1 1 0 2
acting from outside
Stoppage of functioning of information publishing services on an internal or

public web site, due to to system maintenance provider being unable to repair 1 A A 2 1 1 1 1 0 2
(unfixable failure or provider default)

public web site, due to to the software maintenance provider being unable to 1 A A 3 1 1 1 1 0 3
repair (unfixable failure or provider default)

public web site, due to to a social conflict with the production staff
1 V A 2 1 1 1 1 0 2

public web site, due to to a long lasting absence of internal staff required
1 A A 2 1 1 1 1 0 2

public web site, due to to a long lasting absence of staff from a provider
1 A A 3 1 1 1 1 0 3
08A03
Locking of information publishing services on an internal or public web site, due
to to a blocking bug in a system or application software
1 E A 2 1 1 1 1 0 2
08A03
to to a blocking bug in a custom software
1 E A 3 1 1 1 1 0 3
07D01 08E01
to a production incident
1 E A 3 1 1 1 1 0 3
min(07C01;07C02) 08E01 min(08E02;08E03)

to to a malicious saturation of computing or network equipments
1 M A 3 1 1 1 1 1 3
Tampering, due to an error of procedure, of configurations of min(12A02;12B02)

telecommunication services (voice, fax, videoconferencing, etc.), by a member 1 E I 3 1 1 1 1 0 3
Tampering, due to an error of procedure, of configurations of 12B01

telecommunication services (voice, fax, videoconferencing, etc.), by a member 1 E I 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Malicious (and undetected) tampering of configurations (code, parameters, 12A03 12B01
etc.) of telecommunication services (voice, fax, videoconferencing, etc.), by a 1 M I 3 1 1 1 1 0 3
Malicious (and undetected) tampering of configurations (code, parameters, min(12E02;12E03)

Malicious (and undetected) tampering of configurations (code, parameters, min(12E01;12E02)

user not authorized, connected from the internal network
12A04
Malicious (and undetected) tampering of configurations (code, parameters,
etc.) of telecommunication services (voice, fax, videoconferencing, etc.), by an 1 M I 3 1 1 1 1 0 3
unauthorized third party , connected through a remote maintenance port
Tampering, due to an error of procedure, of configurations of the extended 06A02

network services , by a member of the maintenance team
1 E I 3 1 1 1 1 0 3
Tampering, due to an error of procedure, of configurations of the extended 06B01

network services , by a member of the production team
1 E I 3 1 1 1 1 0 3
06A03 06B01
etc.) of the extended network services , by a member of the maintenance team
1 M I 3 1 1 1 1 0 3
min(06C02;06C03)
etc.) of the extended network services , by a member of the production team
1 M I 3 1 1 1 1 0 3
min(06C01;06C02)
etc.) of the extended network services , by a user not authorized
1 M I 3 1 1 1 1 0 3
Tampering, due to an error of procedure, of configurations of Local Area 06A02

1 E I 3 1 1 1 1 0 3
Tampering, due to an error of procedure, of configurations of Local Area 06B01

1 E I 3 1 1 1 1 0 3
06A03 06B01
etc.) of Local Area Network services, by a member of the maintenance team
1 M I 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
min(06C02;06C03)
etc.) of Local Area Network services, by a member of the production team
1 M I 3 1 1 1 1 0 3
min(06C01;06C02)
etc.) of Local Area Network services, by a user not authorized
1 M I 3 1 1 1 1 0 3
Tampering of programs by accident (not detected) of application services , by a max(08A03;08B03;09 09B05

member of the development team
1 E I 3 1 1 1 1 1 3 B05;10B01)
Tampering of programs by accident (not detected) of application services , by a max(08A03;08B03;09 09B05

1 E I 3 1 1 1 1 1 3 B05;10B05)
Tampering of programs by accident (not detected) of application services , by a max(08B02;08B03;09 09B05
1 E I 3 1 1 1 1 1 3 B05)
Malicious (and undetected) tampering of programs of application services , by 10B01 10B01

a member of the development team
1 M I 3 1 1 1 1 1 3
Malicious (and undetected) tampering of programs of application services , by 10B05 10B05

a member of the maintenance team
1 M I 3 1 1 1 1 1 3
Malicious (and undetected) tampering of programs of application services , by max(07C02;08F03) max(08B02;08B03) 09B04
a member of the production team
1 M I 3 1 1 1 1 1 3
Malicious (and undetected) tampering of programs of application services , by 07C02 max(min(07A01;07A0 09B04
a user not authorized
1 M I 3 1 1 1 1 1 3 2;07A03;07A04);08B0
2;08B03;09B05)
Malicious (and undetected) swap of media containing programs of application max(08B03;09B05) 09B04
services during production by an authorized staff member 1 M I 2 1 1 1 1 1 2
Malicious (and undetected) swap of media containing programs of application max(03B04;03B05;03 max(min(03B01;03B0 09B04
services during production by a member of the staff not authorized B06) 2;03B03);08B03;08C0
1 M I 2 1 1 1 1 1 2 2;09B05)
Malicious (and undetected) swap of media containing programs of application max(08B03;09B05) 09B04
services during the transportation between sites by an authorized staff member 1 M I 2 1 1 1 1 1 2
Tampering of service, due to an altered process of connection to the server of max(07C02;08F03) max(07A05.09A05)
application services during the connection to the service by a member of the 1 M I 3 1 1 1 1 1 3
production team
Tampering of service, due to an altered process of connection to the server of 10B01 max(07A05.09A05)
development team


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
maintenance team
Tampering or inhibition of security functions by accident (not detected) of
application services during the setting up after an intervention by a member of
the production team
1 E I 3 1 1 1 1 1 3
Tampering or inhibition of security functions by accident (not detected) of 08A04

application services during the setting up after an intervention by a member of 1 E I 3 1 1 1 1 1 3
Malicious (and undetected) tampering or inhibition of security functions of min(07C02;08F03)

application services during the setting up after an intervention by a member of 1 M I 3 1 1 1 1 1 3
the production team
Malicious (and undetected) tampering or inhibition of security functions of 10B05 08A04

application services during the setting up after an intervention by a member of
1 M I 3 1 1 1 1 1 3
Malicious (and undetected) tampering or inhibition of security functions of min(08F01;08F02)

application services during the setting up after an intervention by a member of 1 M I 3 1 1 1 1 1 3
08B01
Tampering, due to an error of procedure, of configurations of common office
services, by a member of the maintenance team
1 E I 3 1 1 1 1 0 3
08B01
Tampering, due to an error of procedure, of configurations of common office
services, by a member of the production team
1 E I 3 1 1 1 1 0 3
08A04 08B01
etc.) of common office services, by a member of the maintenance team
1 M I 3 1 1 1 1 0 3
min(08F02;08F03)
etc.) of common office services, by a member of the production team
1 M I 3 1 1 1 1 0 3
max(min(07A01;07A0
Malicious (and undetected) tampering of configurations (code, parameters, 2;07A03;07A04);08B0
etc.) of common office services, by a user not authorized
1 M I 3 1 1 1 1 0 3
1)


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Tampering or inhibition of security functions by accident (not detected) of 08B01
common office services, during the setting up after an intervention by a
1 E I 3 1 1 1 1 0 3

common office services, during the setting up after an intervention by a
1 E I 3 1 1 1 1 0 3

common office services, during the setting up after an intervention by a 1 M I 3 1 1 1 1 0 3

common office services, during the setting up after an intervention by a 1 M I 3 1 1 1 1 0 3
Tampering, due to an error of procedure, of configurations of common system 08B01

services , by a member of the maintenance team
1 E I 3 1 1 1 1 0 3
Tampering, due to an error of procedure, of configurations of common system 08B01

services , by a member of the production team
1 E I 3 1 1 1 1 0 3
08A04 08B01
etc.) of common system services , by a member of the maintenance team
1 M I 3 1 1 1 1 0 3
min(08F02;08F03)
etc.) of common system services , by a member of the production team
1 M I 3 1 1 1 1 0 3
max(min(07A01;07A0
Malicious (and undetected) tampering of configurations (code, parameters, 2;07A03;07A04);08B0
etc.) of common system services , by a user not authorized
1 M I 3 1 1 1 1 0 3
1)
common system services , during the setting up after an intervention by a 1 E I 3 1 1 1 1 0 3

common system services , during the setting up after an intervention by a 1 E I 3 1 1 1 1 0 3

common system services , during the setting up after an intervention by a 1 M I 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
common system services , during the setting up after an intervention by a 1 M I 3 1 1 1 1 0 3
Tampering of programs by accident (not detected) of information publishing max(08A03;08B03;09 09B05

services on an internal or public web site, by a member of the development 1 E L 3 1 1 1 1 1 3 B05;10B01)
team
Tampering of programs by accident (not detected) of information publishing max(08A03;08B03;09 09B05

services on an internal or public web site, by a member of the maintenance 1 E L 3 1 1 1 1 1 3 B05;10B05)
team
max(08B02;08B03;09 09B05
Tampering of programs by accident (not detected) of information publishing B05)
services on an internal or public web site, by a member of the production team
1 E L 3 1 1 1 1 1 3
Malicious (and undetected) tampering of programs of information publishing 10B01 10B01

services on an internal or public web site, by a member of the development 1 M L 3 1 1 1 1 1 3
team
Malicious (and undetected) tampering of programs of information publishing 10B05 10B05

services on an internal or public web site, by a member of the maintenance 1 M L 3 1 1 1 1 1 3
team
max(07C02;08F03) max(08B02;08B03) 09B04

Malicious (and undetected) tampering of programs of information publishing
services on an internal or public web site, by a member of the production team
1 M L 3 1 1 1 1 1 3
07C02 max(min(07A01;07A0 09B04

Malicious (and undetected) tampering of programs of information publishing 2;07A03;07A04);08B0
services on an internal or public web site, by a user not authorized
1 M L 3 1 1 1 1 1 3
2;08B03;09B05)
Malicious (and undetected) swap of media containing programs of information max(08B03;09B05) 09B04
publishing services on an internal or public web site during production by an 1 M L 2 1 1 1 1 1 2
authorized staff member
Malicious (and undetected) swap of media containing programs of information max(03B04;03B05;03 max(min(03B01;03B0 09B04
publishing services on an internal or public web site during production by a B06) 2;03B03);08B03;08C0
1 M L 2 1 1 1 1 1 2 2;09B05)
Malicious (and undetected) swap of media containing programs of information max(08B03;09B05) 09B04
publishing services on an internal or public web site during the transportation 1 M L 2 1 1 1 1 1 2
between sites by an authorized staff member


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Tampering of service, due to an altered process of connection to the server of max(07C02;08F03) max(07A05.09A05)
information publishing services on an internal or public web site during the
connection to the service by a member of the production team 1 M L 3 1 1 1 1 1 3
connection to the service by a member of the development team 1 M L 3 1 1 1 1 1 3
connection to the service by a member of the maintenance team 1 M L 3 1 1 1 1 1 3
Tampering or inhibition of security functions by accident (not detected) of

setting up after an intervention by a member of the production team 1 E I 3 1 1 1 1 1 3
Tampering or inhibition of security functions by accident (not detected) of 08A04

setting up after an intervention by a member of the maintenance team 1 E I 3 1 1 1 1 1 3

setting up after an intervention by a member of the production team 1 M I 3 1 1 1 1 1 3
Malicious (and undetected) tampering or inhibition of security functions of 10B05 08A04

setting up after an intervention by a member of the maintenance team 1 M I 3 1 1 1 1 1 3

setting up after an intervention by a member of the staff not authorized 1 M I 3 1 1 1 1 1 3
Disclosure of program files, due to an error of application services due to a 10B02

procedure error, during production
1 M C 3 1 1 1 1 0 3


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
procedure error, during a hardware maintenance operation
1 M C 3 1 1 1 1 0 3

procedure error, during development tests
1 M C 3 1 1 1 1 0 3

1 M C 3 1 1 1 1 0 3
Diversion of programs of application services , during user treatments, by a 10B02

user authorized legitimately
1 M C 3 1 1 1 1 0 3
Diversion of programs of application services , during user treatments, by a max(min(07A01;07A0

user authorized illegitimately
1 M C 3 1 1 1 1 0 3 2);min(09A01;09A02);
10B02)
Diversion of programs of application services , during user treatments, by a max(min(07A03;07A0
user not authorized
1 M C 3 1 1 1 1 0 3 4;08F02;08C06);min(0
9A03;09A04);10B02)
Diversion of programs of application services , during production, by a member 10B02
1 M C 3 1 1 1 1 0 3
Diversion of programs of application services , during a maintenance 10B02

operation, by a member of the maintenance team
1 M C 3 1 1 1 1 0 3
Disclosure of information, due to a theft, of media containing files of application 10B02

services , during the transportation between sites, by an authorized staff 1 M C 2 1 1 1 1 0 2
member
Disclosure of programs, due to a theft, of media containing program files of 08C03 10B02
application services , during a storage in the site, by an authorized staff 1 M C 2 1 1 1 1 0 2
member
Disclosure of programs, due to a theft, of media containing program files of 08C04 10B02
application services , during an externalized storage , by an authorized staff 1 M C 2 1 1 1 1 0 2
member
03B06 max(min(03B03;03B0
Disclosure of programs, due to a theft, of media containing program files of 4);10B02)
application services , during production, by a member of the staff not authorized
1 M C 2 1 1 1 1 0 2
Disclosure of programs, due to a theft, of media containing program files of max(08C07;10B02)

application services , during the transportation between sites, by a member of 1 M C 2 1 1 1 1 0 2
Disclosure of programs, due to a theft, of media containing program files of 08C03 max(08C03;10B02)
application services , during a storage in the site, by a member of the staff not 1 M C 2 1 1 1 1 0 2
authorized


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Disclosure of programs, due to a theft, of media containing program files of 08C04 max(08C04;10B02)
application services , during an externalized storage , by a member of the staff 1 M C 2 1 1 1 1 0 2
not authorized
13A01
Non compliance to laws or regulations concerning the protection of personal
information due to the use of inadequate procedures
1 E L 2 1 1 1 1 1 2
Non compliance to laws or regulations concerning the protection of personal 13A03

information due to the non application of procedures, consequence of lack of 1 E L 2 1 1 1 1 1 2
resources
Non compliance to laws or regulations concerning the protection of personal 13A02

information due to the non application of procedures, consequence of lack of 1 E L 2 1 1 1 1 1 2
knowledge
13A04
Non compliance to laws or regulations concerning the protection of personal
information due to the intentional non application of procedures
1 M L 2 1 1 1 1 1 2
13B01
Non compliance to laws or regulations concerning financial communication
due to the use of inadequate procedures
1 E L 2 1 1 1 1 1 2
13B03
due to the non application of procedures, consequence of lack of resources
1 E L 2 1 1 1 1 1 2
13B02
due to the non application of procedures, consequence of lack of knowledge
1 E L 2 1 1 1 1 1 2
13B04
due to the intentional non application of procedures
1 M L 2 1 1 1 1 1 2
min(13C01;13C02)
Non compliance to laws or regulations concerning the digital accounting
control due to the use of inadequate procedures
1 E L 2 1 1 1 1 0 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
Non compliance to laws or regulations concerning the digital accounting 13C04
control due to the non application of procedures, consequence of lack of 1 E L 2 1 1 1 1 1 2
resources
Non compliance to laws or regulations concerning the digital accounting 13C03

control due to the non application of procedures, consequence of lack of 1 E L 2 1 1 1 1 1 2
knowledge
13C05
Non compliance to laws or regulations concerning the digital accounting
control due to the intentional non application of procedures
1 M L 2 1 1 1 1 1 2
min(11A03;13D01)
Non compliance to laws or regulations concerning the protection intellectual
property due to the use of inadequate procedures
1 E L 2 1 1 1 1 1 2
Non compliance to laws or regulations concerning the protection intellectual 13D03

property due to the non application of procedures, consequence of lack of 1 E L 2 1 1 1 1 1 2
resources
Non compliance to laws or regulations concerning the protection intellectual 13D02

property due to the non application of procedures, consequence of lack of 1 E L 2 1 1 1 1 1 2
knowledge
min(11A03;13D04)
Non compliance to laws or regulations concerning the protection intellectual
property due to the intentional non application of procedures
1 M L 2 1 1 1 1 1 2
Non compliance to laws or regulations concerning the protection of computer 13E01

systems due to the use of inadequate procedures
1 E L 2 1 1 1 1 1 2

systems due to the non application of procedures, consequence of lack of 1 E L 2 1 1 1 1 1 2
resources

systems due to the non application of procedures, consequence of lack of 1 E L 2 1 1 1 1 1 2
knowledge
13E04
Non compliance to laws or regulations concerning the protection of computer
systems due to the intentional non application of procedures
1 M L 2 1 1 1 1 1 2


DESCRIPTION


Direct Selection
Confinability
seriousness
seriousness
Dissuasion
Prevention
Impact
Impact
Likelihood
Likelihood
Type AICE
Confining
Type AEM
Exposure
Palliation
Impact
13F01
Non compliance to laws or regulations concerning the security of persons and
the protection of environment due to the use of inadequate procedures
1 E L 2 1 1 1 1 1 2
Non compliance to laws or regulations concerning the security of persons and 13F03
the protection of environment due to the non application of procedures, 1 E L 2 1 1 1 1 1 2
consequence of lack of resources
the protection of environment due to the non application of procedures, 1 E L 2 1 1 1 1 1 2
consequence of lack of knowledge
the protection of environment due to the intentional non application of 1 M L 2 1 1 1 1 1 2
procedures

las)
Palliative
EFF-PALL
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05

las)
Palliative
EFF-PALL
08D05
08D05
08D05
min(08D05;08D09)
min(08D05;08D09)
min(08D05;08D09)
min(08D05;08D09)
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05

las)
Palliative
EFF-PALL
08D05
08D05
08D05
08D05
09D02
09D02
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D04

las)
Palliative
EFF-PALL
min(11D04;08D09)
min(11D04;08D09)
11D04
11D04
11D04
11D04
11D04
11D04
11D04
11D08
11D08
11D05
11D05
11D05

las)
Palliative
EFF-PALL
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05
11D05

las)
Palliative
EFF-PALL
11D05
11D05
11D08
11D08

las)
Palliative
EFF-PALL
09F03
09F03
09F03
09F03
09F03
09F03
11C05
11C05
11C05
11C05
11C05
11C05
11C05
11C05
11C05

las)
Palliative
EFF-PALL
02D05
02D05
02D05
02D05
02D04
02D04
02D04
02D05
02D04
02D05
02D05
02D05
02D04
02D04

las)
Palliative
EFF-PALL
08H02

las)
Palliative
EFF-PALL
08H02
08H02
08H02
08H02
08H02
08H02
08H02
08H02
09D02
09D02
08D05
08D05

las)
Palliative
EFF-PALL
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
08D05
min(08D05;08D09)
min(08D05;08D09)
min(08D05;08D09)
min(08D05;08D09)
08D05
08D05

las)
Palliative
EFF-PALL
08D05
08D05
08D05
08D05
08D05
08D05

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL
01E03
01E03
01E03
01E03

las)
Palliative
EFF-PALL
12C03
12C03
12C03
12C03
12C04
12C04
12C04
12C04
12C04
12C01
03A06

las)
Palliative
EFF-PALL
03A02
12C01
12C01
12C01
12C01
12C04
12C05
04A04
04A04
04A04
04A04

las)
Palliative
EFF-PALL
04A04
04A04
max(04A01;04A05;mi
n(01E01;01E02))
max(04A01;04A05;mi
n(01E01;01E02))
04A05
04A05
04A05
max(04A01;04A02)
03A06
03A02
04A02
04A02

las)
Palliative
EFF-PALL
04A02
04A02
04A05
04A04
04A04
04A06
min(01E01;01E02)
01C02
01C02
04A03
05A05
05A05
05A05

las)
Palliative
EFF-PALL
05A05
05A05
05A05
max(05A02;05A06;mi
n(01E01;01E02))
max(05A02;05A06;mi
n(01E01;01E02))
05A06
05A06
05A06
max(05A02;05A03)
03A06
03A02
05A03

las)
Palliative
EFF-PALL
05A03
05A03
05A03
05A06
05A05
05A05
05A07
min(01E01;01E02)
01C02
01C02
05A04
08D04
08D04

las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04

las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04

las)
Palliative
EFF-PALL
08D04
08D04
08D04
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
min(08D06;09E02)
min(08D06;09E02)
min(08D06;09E02)
max(07D01;08D01)
03A06
03A02
03A03
08D01

las)
Palliative
EFF-PALL
08D01
08D01
08D01
min(08D06;09E02)
08D04
08D04
08D08
09E03
min(01E01;01E02)
01C02
01C02
08D02
10A04
08D03

las)
Palliative
EFF-PALL
08D10
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04

las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04

las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
min(08D06;09E02)
min(08D06;09E02)
min(08D06;09E02)
max(07D01;08D01)

las)
Palliative
EFF-PALL
03A06
03A02
08D01
08D01
08D01
08D01
min(08D06;09E02)
08D04
08D04
08D08
09E03
min(01E01;01E02)

las)
Palliative
EFF-PALL
01C02
01C02
11D02
08D10
11D03
11D03
11D03
11D03
max(01E03;11D07)
max(01E03;11D07)
max(01E03;11D07)
max(01E03;11D07)
max(01E03;11D07)

las)
Palliative
EFF-PALL
max(01E03;11D07)
max(01E03;11D07)
11D01
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04

las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04

las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
min(08D06;09E02)
min(08D06;09E02)

las)
Palliative
EFF-PALL
min(08D06;09E02)
max(07D01;08D01)
03A06
03A02
03A03
08D01
08D01
08D01
08D01
min(08D06;09E02)
08D08
09E03

las)
Palliative
EFF-PALL
min(01E01;01E02)
01C02
01C02
08D02
10A04
08D03
08D10
08D04
08D04
08D04
08D04
08D04
08D04

las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04

las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04

las)
Palliative
EFF-PALL
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
08D04
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
max(07D01;09E01;mi
n(08D06;09E02);min(
01E01;01E02))
min(08D06;09E02)

las)
Palliative
EFF-PALL
min(08D06;09E02)
min(08D06;09E02)
max(07D01;08D01)
03A06
03A02
08D01
08D01
08D01
08D01
08D04
08D04

las)
Palliative
EFF-PALL
min(08D06;09E02)
08D08
09E03
min(01E01;01E02)
01C02
01C02
08D02
10A04
08D03

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

las)
Palliative
EFF-PALL

Number of scenarios per asset type and seriousness level Availability Integrity Confidentiality
Data and information assets S. 1 S. 2 S. 3 S. 4 S. 1 S. 2 S. 3 S. 4 S. 1 S. 2 S. 3 S. 4
Data and information
D01 Data files and data bases accessed by applications 0 0 0 0 > 0 0 0 0 > 0 0 0 0 >
D02 Shared office files and data 0 0 0 0 > 0 0 0 0 > 0 0 0 0 >
D03 Personal office files (on user work stations and equipments) 0 0 0 0 > 0 0 0 0 > 0 0 0 0 >
D04 Written or printed information and data kept by users and personal archives 0 0 0 0 > 0 0 0 0 >
D05 Listings or printed documents 0 0 0 0 >
D06 Exchanged messages, screen views, data individually sensitive 0 0 0 0 > 0 0 0 0 > 0 0 0 0 >
D07 electronic mailing 0 0 0 0 > 0 0 0 0 > 0 0 0 0 >
D08 (Post) Mails and faxes 0 0 0 0 > 0 0 0 0 > 0 0 0 0 >
D09 Patrimonial archives or documents used as proofs 0 0 0 0 > 0 0 0 0 >
D10 IT related Archives 0 0 0 0 > 0 0 0 0 > 0 0 0 0 >
D11 Data and information published on public or internal sites 0 0 0 0 > 0 0 0 0 >
Service assets
General Services
G01 User workspace and environment 0 0 0 0 >
G02 Telecommunication Services (voice, fax, audio & videoconferencing, etc.) 0 0 0 0 > 0 0 0 0 >
IT and networking Services

R01 Extended Network Service 0 0 0 0 > 0 0 0 0 >
R02 Local Area Network Service 0 0 0 0 > 0 0 0 0 >
S01 Services provided by applications 0 0 0 0 > 0 0 0 0 > 0 0 0 0 >
S02 Shared Office Services (servers, document management, shared printers, etc.) 0 0 0 0 > 0 0 0 0 >
S03 Users' disposal of Equipments (workstations, local printers, peripherals, specific interfaces, etc.) 0 0 0 0 >
S04 Common Services, working environment: messaging, archiving, print, editing, etc. 0 0 0 0 > 0 0 0 0 >
S05 Web editing Service (internal or public) 0 0 0 0 > 0 0 0 0 >
Management process types of assets Efficiency

Management processes for compliance to law or regulations
C01 Compliance to law or regulations relative to personal information protection 0 0 0 0 >
C02 Compliance to law or regulations relative to financial communication 0 0 0 0 >
C03 Compliance to law or regulations relative to digital accounting control 0 0 0 0 >
C04 Compliance to law or regulations relative to intellectual property 0 0 0 0 >
C05 Compliance to law or regulations relative to the protection of information systems 0 0 0 0 >
C06 Compliance to law or regulations relative to people safety and protection of environment 0 0 0 0 >
351061430.xls ! Risk%asset 569 Dcembre 2006

Number of scenarios sorted per type of event and seriousness level
Code
Type Event Code
type
Absence of personnel from a partner AB.P.Pep
Absence of personnel, accidental AB.P
Absence of internal personnel AB.P.Per
Absence of service : Power supply AB.S.Ene
Absence of service : Air-conditioning AB.S.Cli
Absence or unavailability of service,
AB.S Absence of service : Premises AB.S.Loc
by accident
Absence or unavailability of application maintenance AB.S.Maa
Absence or unavailability of system maintenance AB.S.Mas
Lightning AC.E.Fou
Serious accident affecting the
AC.E Fire AC.E.Inc
environment
Flooding AC.E.Ino
Breakdown of computing or telecommunication equipment AC.M.Equ
Accident affecting hardware AC.M
Breakdown of auxiliary equipment AC.M.Ser
Voluntary absence of personnel AV.P Social conflict with strike AV.P.Gre
Design error ER.L Blocking bug due to a design or programming error (internal development) ER.L.Lin
Loss or oblivion of document or media ER.P.Peo

Error affecting hardware or originated
ER.P Error of operation or execution of a procedure ER.P.Pro
by personnel
Capture or typing error ER.P.Prs
Damage due to obsolescence IC.E.Age
Incident caused by the environment IC.E Water damage IC.E.De

Electrical overloading IC.E.Pol
Damage due to pollution IC.E.Se
Production incident IF.L.Exp
Blocking bug in system or packaged software IF.L.Lsp
Incident or dysfunction of software IF.L
Blocking jam due to external cause (worm) IF.L.Ver
Virus IF.L.Vir
Attempt to block an account MA.L.Blo
Deliberate erasure or massive pollution of system configurations MA.L.Cfg
Deliberate erasure of physical or logical media MA.L.Del
Electromagnetic harnessing MA.L.Ele
Malevolence effected using logical or Logical alteration of data or functions) MA.L.Fal

MA.L
functional means Forgery (of messages or data) MA.L.Fau
Replay of transaction MA.L.Rej
Malicious saturation of computer equipments or networks MA.L.Sam
Complete destruction of data (files and backup copies) MA.L.Tot
Harnessing of files or data (illegal remote loading or copy) MA.L.Vol
Rigging or alteration of hardware equipment MA.P.Fal
Malevolence effected using physical Terrorism MA.P.Ter

MA.P
means Vandalism MA.P.Van
Robbery MA.P.Vol
Inadequate procedures PR.N.Api
Procedures not applied due to lack of resources PR.N.Naa
Non compliance of procedures PR.N
Procedures not applied due to ignorance PR.N.Nam
Procedures not applied deliberately PR.N.Nav
Number of scenarios for
each seriousness level
S. 1 S. 2 S. 3 S. 4
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
If 0 in the opposite cell, the intrinsic seriousness of the scenarios will be
considered
Action plans If 1 in the opposite cell, the current seriousness of the scenarios will be
1
considered
If 1 in the opposite cell, the reduced seriousness from the completion of

Number of scenarios projects (Obj_projects) or selected plans (1 in the "Decision" row below) will 1
Family of be considered
scenarios
Measures
Services to Current Target Services to Curren Target Services to Curren Target
S1 S2 S3 S4 Tot needing Type of plan Decision improve level level improve t level level improve t level level
improvement
D01-A Loss of data for applications
Deterrence : Plan of type A 07C01 1 3 07C02 1 3 08E02 1 3
0 0 0 0 0 Deterrence : Plan of type A 03B06 1 3
Prevention : Plan of type A 07A01 1 4 07A02 1 4 07A03 1 4
Prevention : Plan of type B 08A03 1 4 08A06 1 4 08C03 1 4
Prevention : Plan of type A 03A01 1 4 03A04 1 4 03B03 1 4
Confining : Plan of type A 08E02 1 3 08E03 1 3
Palliation : Plan of type E 1 08D05 1 3 08D09 1 3 09D02 1 3
D02-A Loss of office shared data
Deterrence : Plan of type A 08F02 1 4 08F03 1 4
0 0 0 0 0 Deterrence : Plan of type A 03B06 1
Prevention : Plan of type A 03A01 1 4 03A04 1 4 03B03 1 4
Confining : Plan of type A 08E03 1 3
Palliation : Plan of type E 08D09 1 3 11D04 1 3 11D08 1 3
D03-A Loss of personal office data
0 0 0 0 0 Deterrence : Plan of type B 02C05 1 4
Prevention : Plan of type A 08D07 1 4 11B01 1 4 11D06 1 4
Prevention : Plan of type B 02C03 1 4 02D02 1 4 03A01 1 4
Confining :
Palliation : Plan of type E 11D05 1 3 11D08 1 3
D04-A Loss of documents
Deterrence : Plan of type B 02C05 1 3
0 0 0 0 0 Prevention : Plan of type E 02D01 1 4 02D06 1 4 11B02 1 4
Confining :
Palliation :
D06-A Loss of transmitted data or messages
0 0 0 0 0 Prevention : Plan of type D 03C01 1 4 03D01 1 4 07A03 1 4
Confining :
Palliation : Plan of type E 09F03 1 3
D07-A Loss of e-mails (during sending or receipt)
0 0 0 0 0 Prevention : Plan of type C 03C01 1 4 03D01 1 4 07A03 1 4
scenarios
Measures
improvement
0 0 0 0 0
Confining :
Palliation : Plan of type E 11C05 1 3
D08-A Loss of transmitted documents (during sending or receipt)
Deterrence :
0 0 0 0 0 Prevention :
Confining :
D09-A Loss or impossibility to use archived documents
Deterrence : Plan of type D 02D06 1 4 02D07 1 4
0 0 0 0 0 Prevention : Plan of type E 02D06 1 4 02D07 1 4
Confining :
Palliation :
D10-A Loss of digitalized archives
Deterrence : Plan of type A 08H03 1
0 0 0 0 0 Prevention : Plan of type B 08H01 1 4 08H03 1 4
Confining : Plan of type A 08C05 1
Palliation : Plan of type D 08H02 1 3 09D02 1 3
D11-A Unavailability or Loss of data published on private or public sites
Deterrence :
0 0 0 0 0 Prevention :
Confining :
D01-I Distorsion (not detected) of files containing data for applications
Deterrence :
0 0 0 0 0 Prevention : Plan of type B 08D03 1 4 10B05 1 4 10B06 1 4
Prevention : Plan of type B 07A01 1 4 07A02 1 4 07A03 1 4
Prevention : Plan of type C 09B01 1 4
Prevention : Plan of type C 09C02 1 4
Confining : Plan of type E 09B04 1 3
Palliation :
D02-I Distorsion (not detected) of shared office files
Deterrence :
0 0 0 0 0 Prevention : Plan of type D 11C01 1 4
Prevention : Plan of type A 11C03 1 4
Prevention : Plan of type D 11C04 1 4
Prevention : Plan of type C 07A01 1 4 07A02 1 4 07A03 1 4
Confining :
Palliation :
scenarios
Measures
improvement
D03-I Distorsion (not detected) of personal office files

Deterrence :
0 0 0 0 0 Prevention : Plan of type C 11C01 1 4
Prevention : Plan of type D 11C04 1 4
Prevention : Plan of type B 11C02 1 4
Confining :
Palliation :
D06-I Distorsion (not detected) of data individually sensitive or during transfer
Deterrence : Plan of type A 09B03 1 4
0 0 0 0 0 Prevention : Plan of type A 09B03 1 4
Prevention : Plan of type C 09B01 1 4 09B02 1 4 09F01 1 4
Prevention : Plan of type C 09C01 1 4 09C02 1 4
Prevention : Plan of type C 04C01 1 4 04C02 1 4 05C01 1 4
Confining : Plan of type A 09F03 1 3
Palliation :
D07-I Distorsion of e-mails during sending or receipt
Deterrence :
0 0 0 0 0 Prevention : Plan of type E 11C05 1 4
Confining :
Palliation :
D08-I Distorsion of faxes during sending or receipt
Deterrence :
0 0 0 0 0 Prevention : Plan of type E 02D05 1 4
Confining :
Palliation :
D10-I Distorsion of computerized archives
Deterrence : Plan of type B 08H03 1 4
0 0 0 0 0 Prevention : Plan of type D 08H02 1 4
Confining :
Palliation :
D11-I Distorsion of data published on internal or public sites
Deterrence :
0 0 0 0 0 Prevention : Plan of type D 09B05 1 4
Prevention : Plan of type B 09B01 1 4
Prevention : Plan of type B 09C02 1 4
Prevention : Plan of type C 07A01 1 4 07A02 1 4 07A03 1 4
scenarios
Measures
improvement
Prevention : Plan of type B 08D03 1 4 10B06 1
Palliation :
D01-C Disclosure of data files
Deterrence : Plan of type B 03B06 1 3 08C03 1 3 08C04 1 3
Prevention : Plan of type B 07B01 1 4 08A05 1 4 08A06 1 4
Prevention : Plan of type A 05B03 1 4 05B04 1 4 05B05 1 4
Prevention : Plan of type B 03B03 1 4 03B04 1 4 08C03 1 4
Confining :
Palliation :
D02-C Disclosure of shared office files
Deterrence : Plan of type B 08C03 1 3 08C04 1 3 02C05 1 3
Prevention : Plan of type B 03B03 1 4 03B04 1 4 08C03 1 4
Confining :
Palliation :
D03-C Disclosure of personal office files
Deterrence : Plan of type C 02C04 1 3 02C05 1 3 11E02 1 3
0 0 0 0 0 Prevention : Plan of type E 11C01 1 4 11C02 1 4
Prevention : Plan of type C 11B01 1 4 11E01 1 4
Prevention : Plan of type B 02C01 1 4 02C02 1 4 02C03 1 4
Confining :
Palliation :
D04-C Disclosure of documents
Prevention : Plan of type B 02C01 1 4 02C02 1 4 02C03 1 4
Confining :
Palliation :
D05-C Disclosure of listings or printouts
Deterrence : Plan of type C 03B06 1 3
0 0 0 0 0 Prevention : Plan of type E 08A07 1 4
Confining :
Palliation :
D06-C Disclosure of data after consulting or harnessing
scenarios
Measures
improvement
Deterrence : Plan of type B 06A01 1 3 06C03 1 3 08F02 1 3
0 0 0 0 0 Prevention : Plan of type B 09A01 1 4 09A02 1 4 09A03 1 4
Prevention : Plan of type C 05C01 1 4 05C03 1 09C01 1 4
Prevention : Plan of type B 03B07 1 3 04B02 1 3 04B03 1 3
Confining :
Palliation :
D07-C Disclosure of e-mails during sending or receipt
Deterrence :
Confining :
Palliation :
D08-C Disclosure of post-mails or faxes during sending or receipt
Deterrence :
Confining :
Palliation :
D09-C Disclosure of archived document
Deterrence : Plan of type C 02D07 1 3
0 0 0 0 0 Prevention : Plan of type D 02D07 1 4
Confining :
Palliation :
D10-C Disclosure of archive computer data
Deterrence : Plan of type E 08H03 1 3
Confining :
Palliation :
G01-A Unavailability of the users' working environment
Deterrence :
0 0 0 0 0 Prevention : Plan of type D 03A02 1 4 03C01 1 4 03D01 1 4
Confining : Plan of type C 03C02 1 4 03C03 1 4 03D02 1 4
Palliation : Plan of type E 01E03 1 3
G02-A Unavailability of the telecommunication services (voice, faxes, videoconferencing)
Deterrence : Plan of type A 03B06 1 3 12E02 1 3 12E03 1 3
0 0 0 0 0 Prevention : Plan of type A 02A01 1 4 02A02 1 4 02A03 1 4
Prevention : Plan of type A 12A02 1 4
scenarios
Measures
improvement
Confining : Plan of type A 02A04 1 4 03B04 1 4 03C02 1 4
Palliation : Plan of type E 03A02 1 3 03A06 1 3 12C01 1 3
R01-A Unavailability of the extended network service
Deterrence : Plan of type A 03B06 1 3 06C02 1 3 06C03 1 3
Prevention : Plan of type A 04D01 1 4 06A02 1 4 06C02 1 4
Palliation : Plan of type E 01C02 1 3 01E02 1 3 03A02 1 3
R02-A Unavailability of the local area network service
Deterrence : Plan of type A 03B06 1 3 06C02 1 3 06C03 1 3
Prevention : Plan of type A 05D01 1 4 06A02 1 4 06C02 1 4
Palliation : Plan of type E 01C02 1 3 01E01 1 3 01E02 1 3
Palliation : Plan of type A 03A02 1 3 03A06 1 3 05A02 1 3
S01-A Unavailability of the application service
Prevention : Plan of type A 07D01 1 4 08A03 1 4 08E01 1 4
Palliation : Plan of type A 01C02 1 3 08D01 1 3 08D02 1 3
Palliation : Plan of type D 01E01 1 3 01E02 1 3 03A02 1 3
S02-A Unavailability of the shared office services
S03-A Unavailability of the interface services or peripherals needed by users (PC, printers, specific interfaces, etc.)
Deterrence : Plan of type A 03B06 1 3 11E02 1 3 11E03 1 3
0 0 0 0 0 Prevention : Plan of type A 11A01 1 4 11D06 1 4
Confining : Plan of type B 03B04 1 3 03C02 1 3 03C03 1 3
Palliation : Plan of type E 01E03 1 3 11D03 1 3 11D07 1
scenarios
Measures
improvement
S04-A Unavailability of common system services: e-mailing, archiving, printing, edition, etc.
Palliation : Plan of type B 01C02 1 3 08D01 1 3 08D02 1 3
S05-A Unavailability of the publication service on a web site (internal or public)
Palliation : Plan of type E 01E01 1 3 01E02 1 3 03A02 1 3
G02-I Alteration of the telecommunication fonctions
Deterrence : Plan of type C 12A03 1 3 12E02 1 3 12E03 1 3
0 0 0 0 0 Prevention : Plan of type E 12A02 1 4 12B01 1 4 12B02 1 4
Confining :
Palliation :
R01-I Alteration of the extended network service
Deterrence : Plan of type C 06A03 1 3 06C02 1 3 06C03 1 3
0 0 0 0 0 Prevention : Plan of type E 06A02 1 4 06B01 1 4 06C01 1 4
Confining :
Palliation :
R02-I Alteration of the local area network service
Deterrence : Plan of type C 06A03 1 3 06C02 1 3 06C03 1 3
0 0 0 0 0 Prevention : Plan of type E 06A02 1 4 06B01 1 4 06C01 1 4
Confining :
Palliation :
S01-I Alteration of the application services
Deterrence : Plan of type C 03B04 1 3 03B05 1 3 03B06 1 3
0 0 0 0 0 Prevention : Plan of type E 08A03 1 4 08A04 1 4 08B01 1 4
Confining : Plan of type C 09B04 1 3 09B05 1 3
Palliation :
S02-I Alteration of the common office services
Deterrence : Plan of type B 07C02 1 3 08A04 1 3 08F02 1 3
0 0 0 0 0
scenarios
Measures
improvement
0 0 0 0 0 Prevention : Plan of type D 07A01 1 4 07A02 1 4 07A03 1 4
Prevention :
Confining :
Palliation :
S04-I Alteration of the common system services
Deterrence : Plan of type B 07C02 1 3 08A04 1 3 08F02 1 3
Confining :
Palliation :
S05-I Alteration of the edition services for web sites (public or internal)
Deterrence : Plan of type C 03B04 1 3 03B05 1 3 03B06 1 3
0 0 0 0 0 Prevention : Plan of type E 08A03 1 4 08A04 1 4 08B01 1 4
Confining : Plan of type C 09B04 1 3 09B05 1 3
Palliation :
S01-C Disclosure of application program service
0 0 0 0 0 Prevention : Plan of type E 10B02 1 4
Palliation :
C01-E Non compliance of processes relating to the protection of personal information
Deterrence : Plan of type B 13A04 1 4
Prevention :
Palliation :
C02-E Non compliance of processes relating to the communication of financial information
Deterrence : Plan of type B 13B04 1 4
0 0 0 0 0 Prevention : Plan of type D 13B01 1 4 13B02 1 4 13B03 1 4
Prevention :
Palliation :
C03-E Non compliance of processes relating to the control of the computerized accounting
0 0 0 0 0 Prevention : Plan of type D 13C01 1 4 13C02 1 4 13C03 1 4
Prevention :
Palliation :
C04-E Non compliance of processes relating to the protection of intellectual property
Deterrence : Plan of type B 13D04 1 4
0 0 0 0 0 Prevention : Plan of type D 13D01 1 4 13D02 1 4 13D03 1 4
Prevention :
Palliation :
C05-E Non compliance of processes relating to the protection of computing systems and operations
Deterrence : Plan of type B 13E04 1 4
0 0 0 0 0
scenarios
Measures
improvement
0 0 0 0 0 Prevention : Plan of type D 13E01 1 4 13E02 1 4 13E03 1 4
Prevention :
Palliation :
C06-E Non compliance of processes relating to the protection of humans and environment
Deterrence : Plan of type B 13F04 1 4
0 0 0 0 0 Prevention : Plan of type D 13F01 1 4 13F02 1 4 13F03 1 4
Prevention :
Palliation :
Number of selected scenarios whose I and P parameters are defined: 0

scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
0
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
scenarios
Measures
improvement
0
Summary of the objectives resulting from the action plans
DOMAIN
SERVICE
D01-C
D02-C
D03-C
D01-A
D02-A
D03-A
D04-A
D06-A
D07-A
D08-A
D09-A
D10-A
D11-A
Objectives
D01-I
D02-I
D03-I
D06-I
D07-I
D08-I
D10-I
D11-I
SUB-SERVICE from the
action plans
01 Organization of security
01D Insurance
02 Sites security
02A05 Access to the loading and unloading areas (goods receipt and consignment) or to areas open to
02B public
Protection Against Miscellaneous Environmental Risks
02C01 Partitioning of office areas into protected zones 0
02C02 Physical access control to the protected office zones 0
02C03 Management of access authorizations to protected office area 0 0
02C04 Detection of intrusions into protected office areas 0
02C05 Monitoring of protected office areas 0 0 0 0
0
02D01 Conservation and protection of important commonly used documents 0
02D02 Protection of documents and removable support media 0
02D04 Security of post mail 0
02D05 Security of faxes (traditional) 0 0
02D06 Conservation and protection of important documents (to be preserved during a long period) 0 0
02D07 Management of archived documents 0
03 Security of Premises
03A01 Quality of energy supply 0 0 0
03A04 Quality of cabling 0 0 0
03B03 Access control to sensitive locations 0 0 0 0
03B04 Intruder detection in sensitive locations 0 0 0 0
03B06 Surveillance of sensitive locations 0 0 0
03C01 Prevention of risk of water damage 0 0 0 0 0
03D Fire security
03D01 Fire risk prevention 0 0 0 0 0
04 Extended Network (intersite)

04C01 Encryption of exchanges on the extended network 0
04C02 Integrity control of exchanges on the extended network 0
05 Local Area Network (LAN)
05B03 User or entity authentication for access requests to the local area network from an internal access
point 0 0
05B04 User or requestor authentication before access to the local area network from a remote site via
domain controller.
the extended network 0 0
(e.g. from the switched telephone network (POTS), X25, ISDN, broadband, Internet, etc.) 0 0
05B06 User or requestor authentication for access requests to the local area network from a WiFi sub-
network 0 0
05B07 General filtering of access to the local area network 0 0
05B08 Routing control of outgoing access 0 0
05B09 Authentication of the external entity accessed for outgoing access to sensitive sites 0 0
05C01 Encryption of exchanges on the local area network 0
05C02 Encryption can be
Integrity control effected at layer
of exchanges on the3 local
(IPSEC VPN)
area or at level 4-5 (SSL) or directly effected by the
network 0
05C03 Encryption of
by domain 09. exchanges in the case of remote access to the local area network 0
05C04 Protection
It could be of
systematic
the integrity
on the
of exchanges
"pipeline" (physical
in the case
or of
logical)
remoteor access
limited only
to thetolocal
certain
area
data
network
flows (as 0
a function of address or type, etc.) it can also be performed on intermediate systems (VPN boxes)
06 Network operations

06B02 Control of the network access configurations of user equipment 0 0

07 Security and architecture of systems
07A01 Management of access profiles (rights and privileges granted by functional profile) 0 0 0 0 0 0 0
07A02 Management of access authorizations and privileges (granting, delegation, revocation) 0 0 0 0 0 0 0 0
07A03 Authentication of the access requestor (user or entity) 0 0 0 0 0 0 0 0 0 0
07A04 Access filtering and management of associations 0 0 0 0 0 0 0 0 0 0
07B01 Control of access to residual data 0
07C01 Recording access to sensitive resources 0
07C02 Recording privileged system calls 0
08 IT Production environment

08A03 Acceptance control of systems introduction or modification 0 0 0 0
08A04 Systems
Control ofhere include operating
maintenance systems, applications and associated middleware
operations
0
08A06 Control of remote maintenance 0 0 0
08C03 Physical security of media kept on site 0 0 0
08C04 Physical security of storage media (kept in an external site) 0 0
08C05 Verification and turnover of archive storage media 0
08C06 Security of storage networks (SAN : Storage Area Network and NAS) 0 0
08C07 Physical Security of Transiting Medias 0 0
08D03 Application recovery procedures and plans following incidents during operation 0 0 0
08D05 Backup of application data 3.0 3 0

08D07 Anti virus protection for production servers 0
08D09 Off site emergency (recourse) backups 3.0 3 0 0
08E02 Offline management of traces, logs and event journals 0
08E03 Management of system and application incidents 0 0
08F01 Control of administrative access rights granted on systems 0 0 0 0
0 0 0 0 0 0 0 0 0 0
08F03 Surveillance of system administrators' actions 0 0 0 0 0
08H01 Organization of the management for IT archives 0
08H02 IT Archives access management 0 0
08H03 Management of IT archive safety 0 0
09 Application security
09A01 Management of application data access profiles 0 0 0 0 0
09A02 Management of access authorizations to application data (granting, delegation, revocation) 0 0 0 0 0
09A03 Authentication of the access requestor 0 0 0 0 0
09A04 Access filtering and management of associations 0 0 0 0 0
09B01 Sealing of sensitive data 0 0 0
09B02 Protection of integrity of exchanged data 0
09B03 Control of data entry 0
09B04 Permanent checks (accuracy, etc) relating to data 0 0 0
09B05 Continuous (plausibility, ) checks on data processing 0
09C01 Encryption of data exchanges 0
09C02 Encryption of stored data 0 0 0 0 0
09D01 Very high security recording 0
09D02 Management of access to data files 3.0 3 0
09F01 Proof of origin, electronic signature 0
09F02 Prevention of message duplication and replay (numbering, sequencing) 0
09F03 Acknowledgements of receipt 0 0
10 Security of application projects and developments
10B04 Protection of Data during tests 0
10B05 Security of application maintenance 0 0
10B06 Hot Maintenance 0 0 0
11 Protection of users' work equipment

11A05 Management of service suppliers and providers relating to the operation and handling of the user
workstations base
11B01 Control of access to workstations 0 0
11B02 Work effected off company premises 0
11C01 Protection of the confidentiality of data on the workstation or on a data server (logical disk for the
workstation) 0 0 0 0
0 0
0 0
11C04 Protection of the integrity of files stored on workstations or on data servers (logical disk for
workstations) 0 0
11C05 Security of Email and Electronic Information Exchanges 0 0

0
0
0
11D08 Access management to office data and files 0 0
0
11E02 Authentication and control of the access rights of administrators and operational personnel 0
11E03 Surveillance of system administrators' actions over the users' workstations 0
12 Telecommunications operations
12A03 Equipments for classicaloperations
Control of maintenance telephony : PABX, ...
12A04 Control of Remote
Equipments Maintenance
dedicated to users: telephone terminal, fax machines (often combined with printing,
12A05 scanning and of
Management photocopy
Operatingcapabilities
Procedures , ...),
for tele and videoconferencing,
Telecommunication ...
Operation

12E01 Management of privileged access rights granted on equipments and systems (administrative
rights)
13 Management processes
13B01 For example,
Policy the Financial
and instructions Security
related Law (loi Mer) of
to Communication in financial
France and the Sarbanes Oxley Act in the
data
United States
14 Information security management
14E Documentation
14E03 Updates
D04-C
D05-C
D06-C
D07-C
D08-C
D09-C
D10-C
G01-A
0
G02-A
0
0
0
0
R01-A
0
0
0
0
0
0
R02-A
0
0
0
0
0
0
0
S01-A
0
0
0
0
0
0
0
S02-A
0
0
0
0
0
0
0
S03-A
0
S04-A
0
0
0
0
0
0
0
S05-A
0
0
0
0
0
0
0
G02-I
R01-I
R02-I
S01-I
S02-I
S04-I
S05-I
S01-C
C01-E
C02-E
C03-E
C04-E
C05-E
C06-E
0 0 0 0 0 0 0
0
0
0
0
0
0
0
0
0
0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0
0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0
0 0 0 0 0 0 0 0 0 0 0 0
0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0 0 0 0 0
0 0
0
0 0
0 0 0
0 0 0 0 0
0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0 0
0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0
0 0 0 0 0 0
0 0 0 0
0 0 0 0
0 0
0 0
0 0
0 0 0 0 0
0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0
0 0 0 0 0 0
0 0 0 0 0 0
0 0 0 0 0
0 0 0 0 0
0 0
0 0
0 0
0
0
0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0
0
0 0 0 0 0 0
0 0 0 0
0
0
0
0
0 0
0
0
0
0
0
0
0 0
0 0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Objectives per project Projects :
Each cell should mention the level of quality (up to 4) expected for the service w
DOMAINS line 4, giving the target date "yy (year), space, mm (month)" (for example 12 06
Objectives
target date:
SERVICES
P1
P2
P3
P4
P5
P6
Need
SUB-SERVICES 10 01
01 Organization of security
01D Insurance
02 Sites security
02A05 Access to the loading and unloading areas (goods receipt and consignment) or to areas open to
02B public
Protection Against Miscellaneous Environmental Risks
02C01 Partitioning of office areas into protected zones
02C02 Physical access control to the protected office zones
02C03 Management of access authorizations to protected office area
02C04 Detection of intrusions into protected office areas
02C05 Monitoring of protected office areas

02D01 Conservation and protection of important commonly used documents
02D02 Protection of documents and removable support media
02D04 Security of post mail
02D05 Security of faxes (traditional)
02D06 Conservation and protection of important documents (to be preserved during a long period)
02D07 Management of archived documents
03 Security of Premises
03A01 Quality of energy supply
03A04 Quality of cabling
03B03 Access control to sensitive locations
03B04 Intruder detection in sensitive locations
03B06 Surveillance of sensitive locations
03C01 Prevention of risk of water damage
03D Fire security
03D01 Fire risk prevention
04 Extended Network (intersite)

04C01 Encryption of exchanges on the extended network
04C02 Integrity control of exchanges on the extended network
05 Local Area Network (LAN)
05B03 User or entity authentication for access requests to the local area network from an internal access
point
05B04 User or requestor authentication before access to the local area network from a remote site via
domain controller.
the extended network
(e.g. from the switched telephone network (POTS), X25, ISDN, broadband, Internet, etc.)
05B06 User or requestor authentication for access requests to the local area network from a WiFi sub-
network
05B07 General filtering of access to the local area network
05B08 Routing control of outgoing access
05B09 Authentication of the external entity accessed for outgoing access to sensitive sites
05C01 Encryption of exchanges on the local area network
05C02 Encryption can be
Integrity control effected at layer
of exchanges on the3 local
(IPSEC VPN)
area or at level 4-5 (SSL) or directly effected by the
network
05C03 Encryption
by domain 09.of exchanges in the case of remote access to the local area network
05C04 Protection
It could be of the integrity
systematic of exchanges
on the in the case
"pipeline" (physical or of remote
logical) or access to thetolocal
limited only area
certain network
data flows (as
05D a function
Control, of address
detection andorresolution
type, etc.)ofitincidents
can also onbe the
performed on intermediate systems (VPN boxes)
local network
06 Network operations

06B02 Control of the network access configurations of user equipment

07 Security and architecture of systems
07A01 Management of access profiles (rights and privileges granted by functional profile)
07A02 Management of access authorizations and privileges (granting, delegation, revocation)
07A03 Authentication of the access requestor (user or entity)
07B01 Control of access to residual data
07C01 Recording access to sensitive resources
07C02 Recording privileged system calls
08 IT Production environment

08A03 Acceptance control of systems introduction or modification
08A04 Systems
Control ofhere include operating
maintenance systems, applications and associated middleware
operations
08A06 Control of remote maintenance

08C03 Physical security of media kept on site
08C04 Physical security of storage media (kept in an external site)
08C05 Verification and turnover of archive storage media
08C06 Security of storage networks (SAN : Storage Area Network and NAS)
08C07 Physical Security of Transiting Medias
08D03 Application recovery procedures and plans following incidents during operation
08D05 Backup of application data

08D07 Anti virus protection for production servers
08D09 Off site emergency (recourse) backups
08E02 Offline management of traces, logs and event journals
08E03 Management of system and application incidents
08F01 Control of administrative access rights granted on systems
08F03 Surveillance of system administrators' actions

08H01 Organization of the management for IT archives
08H02 IT Archives access management
08H03 Management of IT archive safety
09 Application security
09A01 Management of application data access profiles
09A02 Management of access authorizations to application data (granting, delegation, revocation)
09A03 Authentication of the access requestor
09B01 Sealing of sensitive data
09B02 Protection of integrity of exchanged data
09B03 Control of data entry
09B04 Permanent checks (accuracy, etc) relating to data
09B05 Continuous (plausibility, ) checks on data processing
09C01 Encryption of data exchanges
09C02 Encryption of stored data
09D01 Very high security recording
09D02 Management of access to data files
09F01 Proof of origin, electronic signature
09F02 Prevention of message duplication and replay (numbering, sequencing)
09F03 Acknowledgements of receipt
10 Security of application projects and developments
10B04 Protection of Data during tests
10B05 Security of application maintenance
10B06 Hot Maintenance
11 Protection of users' work equipment

11A05 Management of service suppliers and providers relating to the operation and handling of the user
workstations base
11B01 Control of access to workstations
11B02 Work effected off company premises
11C01 Protection of the confidentiality of data on the workstation or on a data server (logical disk for the
workstation)
11C04 Protection of the integrity of files stored on workstations or on data servers (logical disk for
workstations)
11C05 Security of Email and Electronic Information Exchanges


11D08 Access management to office data and files
11E03 Surveillance of system administrators' actions over the users' workstations
12 Telecommunications operations
12A03 Equipments for classicaloperations
Control of maintenance telephony : PABX, ...
12A04 Control of Remote
Equipments Maintenance
dedicated to users: telephone terminal, fax machines (often combined with printing,
12A05 scanning and of
Management photocopy
Operatingcapabilities
Procedures , ...),
for tele and videoconferencing,
Telecommunication ...
Operation

12E01 Management of privileged access rights granted on equipments and systems (administrative
rights)
13 Management processes
13B01 For example,
Policy the Financial
and instructions Security
related Law (loi Mer) of
to Communication in financial
France and the Sarbanes Oxley Act in the
data
United States
14 Information security management
14E Documentation
14E03 Updates
List of intrinsic vulnerabilities
Criteria
Type of supporting asset Type of damage Type of vulnerability Code
AICE
Category: Service
Alteration Possibility of alteration of software configurations (software and parameters) A and I Cfl.alt
Failure Possibility of software failure (bug) A Cfl.bug
Disclosure of software Possibility of disclosure of a software file C Cfl.dif
Software Configuration
Erasure Possibility of erasure of software configurations A Cfl.eff
Unauthorized use Possibility of denial to use (due to lack of license) I Cfl.lic
Pollution Possibility of pollution of software configurations I Cfl.pol
Account or means to access the Lock Possibility of user accounts to be blocked A Cpt.blo
service Loss Possibility of loss of capability to connect to the service A Cpt.dis
Destruction Possibility of destruction of equipment A Eq.des
Hardware (Equipment) Failure Possibility of failure of equipment A Eq.hs
Not operable Possibility of non operable equipment A Eq.mo
Premises Unavailability Possibility of premises to be not accessible A Loc.ina
Destruction Possibility of destruction of media containing software A Med.des
Loss Possibility of loss of media containing software A Med.dis
Media containing software
Exchange Possibility of loss of media containing software I Med.ech
Not operable Possibility of non operable media containing software A Med.ine
Auxiliary means or equipments Unavailability Possibility of unavailability of auxiliary means or equipments I Ser.hs
Category: data
means to access data Loss Possibility of loss of means allowing to access data (physical or logical keys) A Cle.dis
Alteration Possibility of alteration of data in transit or messages I Dtr.alt
Disclosure Possibility of duplication and disclosure of data in transit, messages, screens C Dtr.div
Data in transit, messages, screens
Loss Possibility of loss of data in transit or messages A and C Dtr.per
Alteration Possibility of alteration of files containing data I Fic.alt
Disclosure Possibility of duplication or diffusion (and disclosure) of a file containing data C Fic.dif
File containing data
Erasure Possibility of erasure of data files A Fic.eff
Pollution Possibility of pollution (slow evolution) of data in a file A Fic.pol
Destruction Possibility of destruction of media containing data A Med.des
Loss Possibility of loss of media containing data A and C Med.dis
Media containing data Duplication Possibility of duplication and disclosure of media containing data A and C Med.dup
Exchange Possibility of exchange of media containing data A and C Med.ech

Unavailability Possibility of unavailability of media containing data A Med.ine
Category: management process
Procedures and instructions Inefficiency Possibility that procedures observed be inefficient (towards laws, regulations or contractual commitments) E Pro.inf
Selection Comments
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Synthesis table : Risk seriousness
Impact
4 2 3 4 4
3 2 3 3 4
2 1 2 2 3
1 1 1 1 2
1 2 3 4
Likelihood
351061430.xls ! Seriousness 651 Dcembre 2006

Grids of of evaluation of STATUS-I
The non evolutionary scenarios are represented on the nc line
1. Scenarios affecting Availability
II = 1 II = 2 II = 3 II = 4
C 4 1 1 1 1 C 4 2 2 1 1 C 4 2 2 1 1 C 4 2 2 2 1
O 3 1 1 1 1 O 3 2 2 1 1 O 3 3 2 2 1 O 3 3 3 2 1
N 2 1 1 1 1 N 2 2 2 2 1 N 2 3 3 2 1 N 2 4 3 2 1
F 1 1 1 1 1 F 1 2 2 2 1 F 1 3 3 2 1 F 1 4 3 2 1
nc 1 1 1 1 nc 2 2 2 1 nc 3 3 2 1 nc 4 3 2 1
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4
P A L L P A L L P A L L P A L L
2. Scenarios affecting Integrity

II = 1 II = 2 II = 3 II = 4
C 4 1 1 1 1 C 4 1 1 1 1 C 4 1 1 1 1 C 4 1 1 1 1
O 3 1 1 1 1 O 3 2 2 1 1 O 3 2 2 1 1 O 3 2 2 2 1
N 2 1 1 1 1 N 2 2 2 2 1 N 2 3 3 2 1 N 2 3 3 2 1
F 1 1 1 1 1 F 1 2 2 2 1 F 1 3 3 2 1 F 1 4 3 2 1
nc 1 1 1 1 nc 2 2 2 1 nc 3 3 2 1 nc 4 3 2 1
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4
3. Scenarios affecting Confidentiality

II = 1 II = 2 II = 3 II = 4
C 4 1 C 4 2 C 4 2 C 4 2
O 3 1 O 3 2 O 3 2 O 3 2
N 2 1 N 2 2 N 2 3 N 2 3
F 1 1 F 1 2 F 1 3 F 1 4
nc 1 nc 2 nc 3 nc 4
1 1 1 1
4. Type L (limitable?) scenarios

II = 1 II = 2 II = 3 II = 4
351061430.xls ! IP_Grids 652 Dcembre 2006

C 4 1 C 4 1 C 4 1 C 4 1
O 3 1 O 3 2 O 3 2 O 3 2
N 2 1 N 2 2 N 2 3 N 2 3
F 1 1 F 1 2 F 1 3 F 1 4
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4

Grids of evaluation of STATUS-P
1. Scenarios resulting from an Accident

E X P O = 1 E X P O = 2 E X P O = 3 E X P O = 4
D D D D
I I I I
S S S S
S 1 1 1 1 1 S 1 2 2 2 1 S 1 3 3 2 1 S 1 4 4 2 1
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4
P R E V P R E V P R E V P R E V
2. Scenarios resulting from an Error

D D D D
I I I I
S S S S
S 1 1 1 1 1 S 1 2 2 2 1 S 1 3 3 2 1 S 1 4 4 2 1
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4
3. Scenarios resulting from a Volontary action

D 4 1 1 1 1 D 4 1 1 1 1 D 4 2 2 1 1 D 4 2 2 2 1
I 3 1 1 1 1 I 3 2 2 1 1 I 3 2 2 1 1 I 3 3 3 2 2
S 2 1 1 1 1 S 2 2 2 2 1 S 2 3 3 2 1 S 2 4 4 3 2
S 1 1 1 1 1 S 1 2 2 2 1 S 1 3 3 2 1 S 1 4 4 3 2
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4

DB-Mehari 2010 Exc en 2-20

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

DB-Mehari 2010 Exc en 2-20

Încărcat de

Drepturi de autor:

Formate disponibile

MEHARI 2010 - release 2-2

Mehari 2010 knowledge base

Nav Scheme of navigation within the knowledge base

Display fo the seriousness of scenarios based on the origin or event

Grids for risk acceptability,

Impact Potentiality or likelihood

Intrinsic seriousness ISO 27002

Risk%asset Scenarios selection

Risk%event Reduce Retain Avoid Transfer

Action_plans Obj_PA Obj_Projects

The CLUSIF may revise this license from time to time.

MEHARI is a registered trademark of the CLUSIF.

Copyright 1997-2010 The CLUSIF, PARIS, France.

Table T1 CLASSIFICATION OF DATA

Le 04/09/2017 Page 5 / 654

Table T2 CLASSIFICATION OF SERVICES

Le 04/09/2017 Page 6 / 654

Le 04/09/2017 Page 7 / 654

Business processes, domains personal

There is only one criteria for classification:

the protection of people safety and

or contractual requirements, for the

Management process type of assets E

351061430.xls ! Classif 10 Dcembre 2006

351061430.xls ! Classif 11 Dcembre 2006

Mise jour : janvier 2010 351061430.xls ! 01 Org page 12

Mise jour : janvier 2010 351061430.xls ! 01 Org page 13

Mise jour : janvier 2010 351061430.xls ! 01 Org page 14

01B05-04 Have all necessary measures been taken consequently? 2 E2

Mise jour : janvier 2010 351061430.xls ! 01 Org page 15

Mise jour : janvier 2010 351061430.xls ! 01 Org page 16

Mise jour : janvier 2010 351061430.xls ! 01 Org page 17

Mise jour : janvier 2010 351061430.xls ! 01 Org page 18

Mise jour : janvier 2010 351061430.xls ! 01 Org page 19

Mise jour : janvier 2010 351061430.xls ! 01 Org page 20

Mise jour : janvier 2010 351061430.xls ! 01 Org page 21

Mise jour : janvier 2010 351061430.xls ! 01 Org page 22

Mise jour : janvier 2010 351061430.xls ! 01 Org page 23

Mise jour : janvier 2010 351061430.xls ! 01 Org page 24

Mise jour : janvier 2010 351061430.xls ! 01 Org page 25

Mise jour : janvier 2010 351061430.xls ! 01 Org page 26

Mise jour : janvier 2010 351061430.xls ! 01 Org page 27

Mise jour : janvier 2010 351061430.xls ! 01 Org page 28

Mise jour : janvier 2010 351061430.xls ! 01 Org page 29

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 48

02B Protection Against Miscellaneous Environmental Risks

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 49

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 50

02C05 Monitoring of protected office areas

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 51

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 52

02D03 Paper-bin collection and destruction of documents

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 53

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 54

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 55

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 56

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 57

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 58

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 59

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 60

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 61

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 62

Mise jour : janvier 2010 351061430.xls ! 02 Sit page 63