SAS70 Outsourcing Project Implementation Contracts Evaluation Checklist

Purpose
This section describes in simple terms the purpose of the evaluation, how it relates to the customer, and the benefits the organization will receive from the evaluation process. It is essential that you use common terminology relevant to the organization to ensure that this material is understood.
Methodology
This section describes the methodology that will be used to conduct the evaluation. This is a good place to emphasize the IEM (INFOSEC Evaluation Methodology) as a standard methodology for conducting technical INFOSEC evaluations, developed and approved by the National Security Agency. This section lists the phases, processes, and steps to be used during the evaluation.
Scope
This section is a detailed statement of the level of effort, boundaries, and limitations of the evaluation. Appropriate assumptions are a critical part of the scoping process, and the scope section provides a detailed listing of the known assumptions affecting the evaluation. Assumptions demonstrate an understanding of the customer environment and detail how that environment will affect the evaluation. They may include the number of physical locations, the number and type of systems, the number and type of networks, relevant point-of-contact (POC) information, the scheduling of the technical scans and of the 10 baseline IEM activities, and any associated constraints that can be stated as assumptions.
Roles and responsibilities of customer staff
Access Control Supervision and Review Checklist

- Determine if the organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls.
- Examine the access control policy, the procedures addressing supervision and review of access control enforcement and usage, the security plan, and other relevant documents, looking for the measures to be employed to supervise and review user activity with respect to the enforcement and usage of information system access controls.
ISO 27001/ISO17799 Wireless LAN Security Summary

1. Develop an agency security policy that addresses the use of wireless technology, including 802.11.
A security policy is the foundation on which other countermeasures—the operational and technical ones—are rationalized and implemented. A documented security policy allows an organization to define acceptable architecture, implementation, and uses for 802.11 wireless technologies.
2. Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology (e.g., 802.11).
A security awareness program helps users to establish good security practices to prevent inadvertent or malicious intrusions into an organization’s information systems.
How to Backup Sensitive Information - Best Practices Checklist

1. Securely wipe (overwrite, not merely delete) each previous backup before proceeding with the next one, but only once the new backup has been verified, so that a verified copy exists at all times.
2. Use full backups and never incremental ones: an incremental chain spreads sensitive data across several media that must all be protected and wiped, and a restore depends on every link in the chain.
3. Be aware that some disk- and partition-encryption tools can only back up an encrypted volume after it has been unlocked, so the backup itself is written in plaintext and is extremely vulnerable. Do not use such encryption software, or encrypt the backup independently before it is stored. If your backups do contain in plaintext information that is encrypted on your computer(s), store them where they cannot be found by unauthorized third parties.
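The procedure above in working code, as an added example that is not part of the original checklist: a full (non-incremental) tar backup is written, its SHA-256 and file inventory are verified, and only then is the previous backup overwritten in place and unlinked. It uses only the Python 3.8+ standard library; the sample files built in demo() are constructed for illustration, and an independent encryption step for the archive before it is stored is assumed but not shown.

```python
"""Full backup, verification, then secure wipe of the previous backup.
Added example for the checklist above; standard library only (Python 3.8+).
The sample data created in demo() is constructed for illustration."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Optional

CHUNK = 1024 * 1024


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def full_backup(src: Path, dest: Path) -> str:
    """Write one complete (non-incremental) tar archive of src and return
    its SHA-256 so it can be recorded and checked later."""
    with tarfile.open(dest, "w") as tar:
        tar.add(src, arcname=src.name)
    return sha256_file(dest)


def verify_backup(dest: Path, expected_digest: str, src: Path) -> bool:
    """Check the archive digest, then that every file under src is present
    in the archive with the same size. Only after this passes is it safe
    to wipe the previous backup."""
    if sha256_file(dest) != expected_digest:
        return False
    with tarfile.open(dest, "r") as tar:
        members = {m.name: m.size for m in tar.getmembers() if m.isfile()}
    for p in src.rglob("*"):
        if p.is_file():
            name = f"{src.name}/{p.relative_to(src).as_posix()}"
            if members.get(name) != p.stat().st_size:
                return False
    return True


def wipe_file(path: Path, passes: int = 1) -> None:
    """Overwrite the file in place with random bytes, fsync, then unlink.
    Caveat: on SSDs and copy-on-write file systems the overwrite may not
    reach the old blocks; there, rely on full-media encryption or physical
    destruction of the medium instead."""
    size = path.stat().st_size
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    path.unlink()


def rotate(src: Path, new_backup: Path, previous_backup: Optional[Path]) -> str:
    """Create the new full backup, verify it, and only then wipe the old one,
    so a verified backup exists at every point in the procedure."""
    digest = full_backup(src, new_backup)
    if not verify_backup(new_backup, digest, src):
        new_backup.unlink(missing_ok=True)
        raise RuntimeError("new backup failed verification; previous backup kept")
    if previous_backup is not None and previous_backup.exists():
        wipe_file(previous_backup)
    return digest


def demo() -> dict:
    """Two rounds over constructed sample data; then tampers with the second
    archive to show that verification catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "secrets"
        (src / "notes").mkdir(parents=True)
        (src / "keys.txt").write_bytes(b"api-key=constructed-sample\n")
        (src / "notes" / "n.txt").write_bytes(b"x" * 5000)
        first, second = root / "backup-1.tar", root / "backup-2.tar"
        rotate(src, first, None)
        digest2 = rotate(src, second, first)
        ok = verify_backup(second, digest2, src)
        data = bytearray(second.read_bytes())
        data[len(data) // 2] ^= 0xFF  # flip one byte in the archive
        second.write_bytes(data)
        return {"previous_wiped": not first.exists(),
                "second_verified": ok,
                "tamper_detected": not verify_backup(second, digest2, src)}


if __name__ == "__main__":
    print(demo())
```

The order in rotate() is the point: the checklist's "wipe before proceeding" is only safe when the new archive has already passed verification, otherwise a failed backup run leaves no copy at all. The wipe itself is a plain overwrite, which is adequate for magnetic media but not a guarantee on flash or copy-on-write storage, as the comment notes.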
ISO 27001 Information Classification, Labelling and Handling

Download free ISO 27001 Information Classification, Labelling and Handling (available in PDF and XLS format):
Objectives:
- The organization defines in the security plan, explicitly or by reference, its protected environment for media labeling requirements;
- The organization defines in the security plan, explicitly or by reference, media types and hardware components that are exempted from external labeling requirements; and
- The organization affixes external labels to removable information storage media and information system output not otherwise exempted from this labeling requirement, indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.