Fusion Alliance, Inc., University of Cincinnati Confidential 06/14/2022 Page 1

Self Assessment MASTER v7.0


Fusion Alliance, Inc., University of Cincinnati Confidential 04/19/2023 Page 1

Primary Security Domain | COBIT 4.0 Control Objective | ISO 27001/17799 | ISO 20000/ITIL Reference | Question (Control Objective) Business Staff | Question (Control Objective) IT Staff

I. Security Policy 1 1

I. Security Policy 2 2

I. Security Policy 3 3

I. Security Policy 3.1

I. Security Policy 4 4 Is there a current process for defining and ongoing review of policy exceptions?

I. Security Policy 4.1 Are you familiar with the University's Risk Acceptance Process? 4.1 Are you familiar with the University's Risk Acceptance Process?

I. Security Policy 5

I. Security Policy 11.27 Protection of Sensitive Messages 6 Are you aware of email and Internet acceptable usage policies?

II. Organizational Security 4.1 Information Security Infrastructure 7 5

II. Organizational Security 8 6

II. Organizational Security 6.1 Personnel Security 9 7


PO6 Communicate Management Aims and Direction; PO4.14 Contracted Staff Policies and Procedures

3.1 Information Security Policy; 4.1 Information Security Infrastructure

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls c)

Are you and members of your department aware of information security policies, and have you been provided with any type of awareness training or ongoing communications?

Has an information security policy framework been developed including who is responsible for development, review, and approval of policies?

PO6 Communicate Management Aims and Direction; PO4.14 Contracted Staff Policies and Procedures

3.1 Information Security Policy; 4.1 Information Security Infrastructure

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls c)

For policies that have been provided, are they supported and enforced by your department's leadership?

Has the policy framework been implemented resulting in creation of information security policies that are supported in the highest levels of the organization?

M1 Monitor the Processes; 1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting; M2 Assess Control Adequacy; 2.1 Internal Control Monitoring

12.2 Reviews of Security Policy and Technical Compliance

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,e)

Is there a process in place to review employee compliance with organizational policies?

Does internal staff regularly monitor security controls to measure performance and adequacy?

M1 Monitor the Processes; 1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting; M2 Assess Control Adequacy; 2.1 Internal Control Monitoring

12.2 Reviews of Security Policy and Technical Compliance

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,e)

If you answered yes to question 3, is effectiveness measured against security policy, regulatory/contract compliance?

M1 Monitor the Processes; 1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting; M2 Assess Control Adequacy; 2.1 Internal Control Monitoring

12.2 Reviews of Security Policy and Technical Compliance

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,e)

Has your department or employees ever requested an exception from policy items?

M1 Monitor the Processes; 1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting; M2 Assess Control Adequacy; 2.1 Internal Control Monitoring

12.2 Reviews of Security Policy and Technical Compliance

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,e)

11.18 Protection of Disposed Sensitive Information, 11.26 Archiving

5.2.2 Information labeling and handling

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Do policies and procedures exist for the handling of paper copy documents?

3 Security Policy; 6.2.1 Information security education and training

6.6 Information Security Management; 6.6.6 Controls (a,c,e)

PO1 Define a Strategic IT Plan; PO4.11 IT Staffing

4 Planning and Implementing Service Management

Does your department collaborate with the IT department for purposes of strategic planning?

Is strategic IT planning performed to determine business requirements that could have an impact on technologies, staffing, and information security requirements?

4.2 Organizational Placement of the IT Function; 4.4 Roles and Responsibilities; 4.6 Responsibility for Logical and Physical Security

4.1 Information Security Infrastructure; 6.11 Including Security in Responsibilities; 8.1 Operational procedures and responsibilities

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls (a,c,d)

Are members of your department assigned responsibilities for information security and, if so, do they have specific directives for protecting critical information?

Has a security organizational structure been created that defines information security roles and responsibilities?

PO7 Manage Human Resources; 7.1 Personnel Recruitment and Promotion; 7.2 Personnel Qualifications; 7.5 Cross-training or Staff Backup; 7.6 Personnel Clearance Procedures

3.3.2 Professional Development a) Recruitment

Are background and reference checks performed and verified during the recruiting and hiring processes?

Are background and reference checks performed and verified during the recruiting and hiring processes?


II. Organizational Security 6.1 Personnel Security 3.3 Competence, Awareness, and Training 8

II. Organizational Security 6.1 Personnel Security 9

II. Organizational Security 10

II. Organizational Security 10 11

II. Organizational Security 12

5.2 Information Classification 11 13

PO2.3 Data Classification Scheme 5.2 Information Classification 12 14

PO4.8 Data and System Ownership 13 15

13.1 15.1

14

16

IX. Access Control 15 17

IX. Access Control 16 18

IX. Access Control 9.2.3 User password management 17

PO7 Manage Human Resources; 7.1 Personnel Recruitment and Promotion; 7.2 Personnel Qualifications; 7.5 Cross-training or Staff Backup; 7.6 Personnel Clearance Procedures

Are security skill requirements reviewed and mapped to current security staff capabilities and evaluated against organizational security requirements?

PO7 Manage Human Resources; 7.1 Personnel Recruitment and Promotion; 7.2 Personnel Qualifications; 7.5 Cross-training or Staff Backup

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Are security skills redundant within staff members so that no critical security functions are dependent on a single employee?

DS2 Manage Third-party Services; 2.4 Third-party Qualifications; 2.5 Outsourcing Contracts

4.3 Outsourcing; 4.3.1 Security requirements in outsourcing contracts

7.3 Supplier Management (See ISO 27001 mapping for additional details)

Are there specific criteria that a business partner or vendor must meet for security requirements?

DS2 Manage Third-party Services; 2.6 Continuity of Services; 2.7 Security Relationships

4.3 Outsourcing; 4.3.1 Security requirements in outsourcing contracts; 4.2, 4.3, 6.1, 6.3, 8.1, 8.7, 10.5

7.3 Supplier Management; 6.6.3 Security Risk Assessment Practices

Does your department include information security requirements in contracts with third parties that handle or change sensitive data or systems?

When partnering with a third party or contracting services, is a risk review performed to determine risks such as handling sensitive data and sharing proprietary information or intellectual property?

DS5 Ensure Systems Security; 5.13 Counterparty Trust

4.2.2 Security requirements in third party contracts; 4.3 Outsourcing; 4.3.1 Security requirements in outsourcing contracts

7 Relationship Process; 7.3 Supplier Management; 7.3.2 Contract Management

Are business associate agreements or similar contracts required for third party partners that contain expected levels of security? Are those contracts typically included and signed for all partner access to systems?

III. Asset Classification and Control

PO2.3 Data Classification Scheme; PO4.7 Ownership and Custodianship; PO4.8 Data and System Ownership

6.62 Identifying and Classifying Information Assets

Do you know which of the data items in your department need to be protected? Do you have a way of identifying this data that is different from the words and vocabulary you use to identify data that does not need to be secured?

Has a data and/or asset classification scheme been developed and implemented, and does it map handling requirements to the classification levels?

III. Asset Classification and Control

6.62 Identifying and Classifying Information Assets

Do you know which computer systems in your department are used to process or store critical or private data? Are you aware of any mechanism to document any such systems?

Has an asset inventory system been implemented that includes asset criticality and/or classification ratings?

III. Asset Classification and Control

3 Security Policy; 7.2.5 Security of equipment off-premises; 8.7.2 Security of media in transit; 9.8.1 Mobile computing

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Have you worked with members of the IT department to map out information flows into and out of the organization?

Have information flows and system moves into and out of systems and facilities been identified? Is there a policy that defines this flow of data, systems, and information?

III. Asset Classification and Control

PO8 Ensure Compliance with External Requirements; 8.4 Privacy, Intellectual Property and Data Flow

3 Security Policy; 7.2.5 Security of equipment off-premises; 8.7.2 Security of media in transit; 9.8.1 Mobile computing

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Have you worked with members of the IT department to map out systems movement (such as mobile devices) into and out of the organization?

Is there a policy that defines acceptable flow of data, systems, and information between third parties?

III. Asset Classification and Control

PO7 Manage Human Resources; 7.8 Job Change and Termination; PO4.8 Data and System Ownership

7.2.5 Security of equipment off-premises; 8.7.2 Security of media in transit; 9.8.1 Mobile computing

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Do you have the ability to track information, mobile or storage devices in the possession of employees and ensure safe return of those items upon employee termination?

III. Asset Classification and Control

DS9 Manage the Configuration; 9.1 Configuration Recording; 9.3 Status Accounting; 9.4 Configuration Control; 9.8 Software Accountability

10.4.1 Control of operational software; 10.5.2 Technical review of operating system changes; 7.2 Equipment Security

9.1 Configuration Management; 9.1.4 Configuration Status Accounting and Reporting

Is there a document or system that contains hardware, software, application, or operating system configurations for your department?

DS5 Ensure Systems Security; 5.3 Security of Online Access to Data; 5.4 User Account Management

9.1 Business Requirement for Access Control

6.6 Information Security Management; 6.6.7 Documents and Records d) control over access to information, assets, and systems

Do you provide IT with access requirements to information, data, and applications in use by your department?

Are there defined procedures for granting access levels to staff and third parties based on their job requirement to access the information?

DS5 Ensure Systems Security; 5.4 User Account Management; 5.5 Management Review of User Accounts; 5.21 Protection of Electronic Value

9.2 User Access Management; 9.2.1 User registration; 9.2.4 Review of user access rights

6.6 Information Security Management; 6.6.7 Documents and Records d) control over access to information, assets, and systems

Is a new employee or terminated employee process in place to add or remove employees' access to key systems and data?

Have employees been identified that add/remove user accounts and is account creation/removal logged so that information can be audited or reviewed?

DS5 Ensure Systems Security; 5.2 Identification, Authentication and Access; 5.4 User Account Management; 5.5 Management Review of User Accounts; 5.6 User Control of User Accounts

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.7 Documents and Records d) control over access to information, assets, and systems

Are you aware of requirements for the complexity or length of your password?


IX. Access Control 9.2.3 User password management 18 Do you change your password often?

IX. Access Control 19

IX. Access Control 20

21 19

VI. Equipment Security 9.8.1 Mobile computing 22 20

VII. General Controls 23 21

VII. General Controls 22

VII. General Controls 23

VII. General Controls 24 24

VII. General Controls 25

DS5 Ensure Systems Security; 5.2 Identification, Authentication and Access; 5.4 User Account Management; 5.5 Management Review of User Accounts; 5.6 User Control of User Accounts

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.7 Documents and Records d) control over access to information, assets, and systems

DS5 Ensure Systems Security; 5.2 Identification, Authentication and Access; 5.4 User Account Management; 5.5 Management Review of User Accounts; 5.6 User Control of User Accounts

5.2.2 Information labeling and handling; 9.2 User Access Management

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.7 Documents and Records d) control over access to information, assets, and systems

Do you ever utilize a password or userID that is shared between multiple employees?

DS5 Ensure Systems Security; 5.2 Identification, Authentication and Access; 5.4 User Account Management; 5.5 Management Review of User Accounts; 5.6 User Control of User Accounts

5.2.2 Information labeling and handling; 9.2 User Access Management

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.7 Documents and Records d) control over access to information, assets, and systems

Do you use accounts that have system administrator rights only in special situations, such as when installing software or configuring your system?

V. Physical and Environmental Security

DS12 Manage Facilities; 12.1 Physical Security

7.1 Secure Areas; 7.2 Equipment Security

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Is access controlled, monitored, and recorded to your work areas or facilities?

Are physical security controls implemented for key IT systems such as the data center, and has a third party assessed those controls for their level of effectiveness?

PO6 Communicate Management Aims and Direction; 6.3 Communication of Organization Policies; 6.6 Compliance with Policies, Procedures and Standards; 6.11 Communication of IT Security Awareness; PO8 Ensure Compliance with External Requirements; 8.4 Privacy, Intellectual Property and Data Flow; DS7 Educate and Train Users

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Do employees in your department understand requirements to protect mobile devices that contain sensitive or critical data?

Has a policy been defined and implemented that outlines security for mobile devices such as laptops and PDAs, and mobile storage such as flash drives?

PO9 Assess Risks; 9.1 Business Risk Assessment; 9.3 Risk Identification; DS5 Ensure Systems Security; 5.8 Data Classification

4.2.1 Identification of risks from third party access; 12.3 System Audit Considerations; 12.3.1 System audit controls

6.6.3 Security Risk Assessment Practices; 6.6.4 Risks to Information Assets

Has your department worked with the IT or Information Security department to identify risks to key systems and data for your department?

Have you worked with departments in the organization to assess risks to critical data or systems and the resulting impact to the business should those risks be realized?

PO9 Assess Risks; 9.5 Risk Action Plan; AI1 Identify Automated Solutions; 1.9 Cost-effective Security Controls; DS7 Educate and Train Users

4.2.1 Identification of risks from third party access; 12.3 System Audit Considerations; 12.3.1 System audit controls

6.6.3 Security Risk Assessment Practices; 6.6.4 Risks to Information Assets

Have high risk areas identified through risk assessment activities been prioritized, and has a plan to prioritize the remediation of these risks been developed?

AI1 Identify Automated Solutions; 1.1 Definition of Information Requirements

No direct mapping (See COBIT mapping for additional details)

6.6 Information Security Management; 6.6.1 General (See COBIT Mapping for additional details)

Does automation of business processes through IT systems cause additional risk to the security of information, and have you worked to identify automated processes that might contain those risks?

DS11 Manage Data; 11.1 Data Preparation Procedures; 11.2 Source Document Authorization Procedures; 11.3 Source Document Data Collection; 11.4 Source Document Error Handling; 11.7 Accuracy, Completeness and Authorization Checks; 11.8 Data Input Error Handling; 11.9 Data Processing Integrity; 11.10 Data Processing Validation and Editing; 11.11 Data Processing Error Handling; 11.14 Output Balancing and Reconciliation; 11.15 Output Review and Error Handling; 11.27 Protection of Sensitive Messages; 11.29 Electronic Transaction Integrity

8.7.3 Electronic commerce security; 10.2 Security in Application Systems; 10.3 Cryptographic Controls

9.1.3 Configuration Control; 10.1.5 Design, Build and Configure Release b) ensure the integrity is maintained during build, installation, packaging, and delivery

Are automated or manual processes in place to ensure the accuracy, validity, and non-repudiation of transactions in your department?

Have integrity controls been implemented in systems that process transactions to verify accuracy, validity, and non-repudiation?

M1 Monitor the Processes; 1.1 Collecting Monitoring Data; 1.2 Assessing Performance; 1.3 Assessing Customer Satisfaction; 1.4 Management Reporting; M2 Assess Control Adequacy; 2.1 Internal Control Monitoring

12.2 Reviews of Security Policy and Technical Compliance

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.3 Security Risk Assessment Practices

Is regular security assessment and testing performed that includes things such as penetration testing, vulnerability scanning, policy and configuration review?


VII. General Controls No relevant mapping 26

VII. General Controls 11.18 Protection of Disposed Sensitive Information 25 27

VII. General Controls 11.18 Protection of Disposed Sensitive Information 26 28

VII. General Controls 11.26 Archiving, 11.27 Protection of Sensitive Messages 8.7.4 Security of electronic mail 27 Do you know how long your email is retained?

VII. General Controls 11.26 Archiving, 11.27 Protection of Sensitive Messages 8.7.4 Security of electronic mail 28 Do you archive email and if so, where do you store the archive?

29

6.2 User Training 29 30

30 31

30.1 31.1

7.3 Supplier Management 32

6.6.3 Security Risk Assessment Practices 33

34

M3 Obtain Independent Assurance; 3.3 Independent Effectiveness Evaluation of IT Services; 3.4 Independent Effectiveness Evaluation of Third-party Service Providers; 3.5 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments; 3.6 Independent Assurance of Compliance with Laws and Regulatory Requirements by Third-party Service Providers; 3.7 Competence of Independent Assurance Function

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.6 Controls f) Expert help on risk assessment and control implementation

Does your organization provision the services of a trusted advisor to assess information security controls and provide guidance for areas of weakness or vulnerability?

5.2.2 Information labeling and handling

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Does your organization have a secure disposal process for disposing of paper copy documents containing sensitive information?

5.2.2 Information labeling and handling

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details); 6.6.5 Security and Availability of Information a) disclosure of sensitive information to unauthorized parties; 6.6.6 Controls f) Expert help on risk assessment and control implementation

Have you ever had to disclose a loss or leak of sensitive information to a student?

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

VIII. Communications & Operations Management

PO9 Assess Risks; AI3-3.6 Acquire and Maintain Technology Infrastructure; PO11 Manage Quality

10 Systems Development and Maintenance; 8.1.5 Separation of development and operational facilities

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

If you answered yes to question 17, do you prioritize patches and perform testing to determine suitability to be implemented on production systems?

VIII. Communications & Operations Management

AI4 Develop and Maintain Procedures; 4.2 User Procedures Manual; 4.3 Operations Manual; 4.4 Training Materials; DS7 Educate and Train Users; 7.1 Identification of Training Needs

3.3 Competence, Awareness, and Training; 3.3.1 General; 3.3.2 Professional Development

Are information security related procedures integrated into work procedures, and are employees in your department provided any security awareness training?

Are specific work procedures either documented or provided verbally? If so, is security integrated into the procedures?

VIII. Communications & Operations Management

DS5 Ensure Systems Security 5.19 Malicious Software Prevention, Detection and Correction

8.3 Protection against Malicious Software

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Do your systems all have antivirus and antispyware software and do employees ever disable or remove the software?

Do all systems in your department have current anti-virus software installed and are definition files updated on a regular basis (preferably every day)?

VIII. Communications & Operations Management

DS5 Ensure Systems Security 5.19 Malicious Software Prevention, Detection and Correction

8.3 Protection against Malicious Software

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

If you answered yes to question 30, do employees ever disable or remove the software?

If you answered yes to question 32, are definition files updated on a regular basis (preferably every day)?

X. Systems Development and Maintenance

AI3 Acquire and Maintain Technology Infrastructure; 3.1 Assessment of New Hardware and Software; DS8 Assist and Advise Customers; PO11 Manage Quality; 11.9 Acquisition and Maintenance Framework for the Technology Infrastructure

10.1 Security Requirements of Systems; 10.1.1 Security requirements analysis and specification

Is security an integrated component of the evaluation and selection of Information Technology solutions?

X. Systems Development and Maintenance

PO9 Assess Risks; 9.1 Business Risk Assessment; 9.3 Risk Identification; AI3-3.6 Acquire and Maintain Technology Infrastructure; 11.9 Acquisition and Maintenance Framework for the Technology Infrastructure

8.1.2 Operational change control; 10.5.1 Change control procedures; 10.1 Security Requirements of Systems; 10.1.1 Security requirements analysis and specification; 12.3.1 System audit controls

Is a risk review performed prior to the implementation of new infrastructure (routers, switches, servers, firewalls, etc)?

X. Systems Development and Maintenance

PO9 Assess Risks; AI3-3.6 Acquire and Maintain Technology Infrastructure; PO11 Manage Quality

10 Systems Development and Maintenance

6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)

Is there a defined process for monitoring vendors for software patches or vulnerabilities that impact the infrastructure systems in production?


35

8.2.2 System acceptance 32 36

33 37

38

XI. Business Continuity 34 39

XI. Business Continuity 40

XI. Business Continuity 35 41

XI. Business Continuity 36 42

XI. Business Continuity 37 43

XI. Business Continuity 38 44

X. Systems Development and Maintenance

AI5 Install and Accredit Systems; 5.7 Testing of Changes; 5.11 Operational Test; 5.12 Promotion to Production

8.2 System Planning and Acceptance; 8.1.5 Separation of development and operational facilities

10 Release Process; 10.1.2 Release Policy c) authority of release into acceptance test and production environments

Are changes to existing systems or new implementations performed in a test environment separate from production systems?

X. Systems Development and Maintenance

AI5 Install and Accredit Systems; 5.9 Final Acceptance Test; 5.13 Evaluation of Meeting User Requirements; 5.14 Management's Post-implementation Review

10 Release Process; 10.1.2 Release Policy g) verification and acceptance of release

Does your department review and accept new technology system functionality, and is information security a component of the review and acceptance process?

Is acceptance testing a part of the pre-production testing process and does acceptance include both key IT and Business personnel?

X. Systems Development and Maintenance

AI5 Install and Accredit Systems5.7 Testing of ChangesAI6 Manage Changes 6.4 Emergency Changes

8.1.2 Operational change control10.5 Security in Development and Support Processes10.5.1 Change control procedures10.5.2 Technical review of operating system changes10.5.3 Restrictions on changes to software packages

10 Release Process10.1.2 Release Policy c) authority of release into acceptance test and production environments g) verification and acceptance of release9.2 Change Management

Do you review or test any changes to your systems and applications prior to the IT department implementing those

changes?

Is a formal or informal change management function practiced for changes to systems? Does it include changes to configuration including patching and

functionality.

X. Systems Development and Maintenance

AI5 Install and Accredit Systems5.7 Testing of ChangesAI6 Manage Changes 6.4 Emergency Changes

8.1.2 Operational change control10.5 Security in Development and Support Processes10.5.1 Change control procedures10.5.2 Technical review of operating system changes10.5.3 Restrictions on changes to software packages

9.2 Change Management9.2.4 Change management reporting, analysis, and actions

Is there a log or document that outlines all changes including who reviewed the changes, testing performed, back out plans, acceptance/denial, and who

performed the changes?

DS4 Ensure Continuous Service 4.2 IT Continuity Plan Strategy and Philosophy 4.4 Minimizing IT Continuity Requirements4.10 Critical IT ResourcesDS10 Manage Problems and Incidents10.1 Problem Management System10.2 Problem EscalationDS12 Manage Facilities 12.6 Uninterruptible Power Supply

11 Business Continuity Management11.1.2 Business continuity and impact analysis

6.3 Service Continuity and Availability Management6.3.4 Service Continuity Planning and Testing

Has your department worked with the IT or Information Security department to identify the core systems, applications, and

information in order to determine the impact to the department in the event of un-availability, loss, theft, or disclosure?

Has a business impact analysis been performed with regard to identifying critical or sensitive information?

DS4 Ensure Continuous Service 4.2 IT Continuity Plan Strategy and Philosophy 4.4 Minimizing IT Continuity Requirements4.10 Critical IT ResourcesDS10 Manage Problems and Incidents10.1 Problem Management System10.2 Problem EscalationDS12 Manage Facilities 12.6 Uninterruptible Power Supply

11 Business Continuity Management11.1.3 Writing and implementing continuity plans11.1.4 Business continuity planning framework

6.3 Service Continuity and Availability Management6.3.4 Service Continuity Planning and Testing

If you answered yes to question 26, have provisions been made to ensure critical information is available for mission critical business processes in the

event of a security incident?

DS4 Ensure Continuous Service 4.3 IT Continuity Plan Contents4.9 User Department Alternative Processing Backup Procedures

11 Business Continuity Management11.1.3 Writing and implementing continuity plans

6.3 Service Continuity and Availability Management6.3.3 Service Continuity Strategy a) maximum acceptable period of lost service

Does your department have requirements for timeframes to recover each of the core systems, applications, or information

that affect the departments operations?

Does your department have the ability to identify and resolve such incidents in a timeframe consistent with business operational requirements?

DS4 Ensure Continuous Service 4.2 IT Continuity Plan Strategy and Philosophy 4.10 Critical IT ResourcesDS10 Manage Problems and Incidents10.1 Problem Management System10.2 Problem Escalation

11.1 Aspects of Business Continuity Management11.1.3 Writing and implementing continuity plans

6.3 Service Continuity and Availability Management6.3.4 Service Continuity Planning and Testing

Are you aware of procedures or contact listings in the event of a disaster involving your facility and IT systems?

Has your department developed business continuity or disaster recovery plans that include maintaining or restoring basic IT resources during a disaster or

outage?

DS4 Ensure Continuous Service 4.3 IT Continuity Plan Contents4.9 User Department Alternative Processing Backup Procedures

11.1 Aspects of Business Continuity Management11.1.5 Testing, maintaining and re-assessing business continuity plans

6.3 Service Continuity and Availability Management6.3.4 Service Continuity Planning and Testing

Has your department been involved with any testing of disaster plans?

Are these plans tested on a recurring basis and updated as required depending on the outcome of tests?

DS4 Ensure Continuous Service 4.6 Testing the IT Continuity Plan 4.12 Offsite Backup StorageDS11 Manage Data 11.23 Backup and Restoration11.24 Backup Jobs11.25 Backup Storage

8.4 Housekeeping8.4.1 Information back-up 11.1 Aspects of Business Continuity Management

6.3 Service Continuity and Availability Management6.3.4 Service Continuity Planning and Testing

Do employees in your department have access to store files on network folders that are backed up on a daily basis? If so, have

you been able to successfully restore data when required?

Has the IT staff collaborated with key business users to make sure that business critical information is backed up and available offsite? If so, have

restore operations been tested successfully?

Page 6: Self Assessment MASTER v7.0


XII. Compliance (Question Number: Business Staff 39, IT Staff 45)
COBIT 4.0 Control Objective: PO8 Ensure Compliance with External Requirements; 8.1 External Requirements Review; 8.2 Practices and Procedures for Complying with External Requirements; 8.3 Safety and Ergonomic Compliance; 8.4 Privacy, Intellectual Property and Data Flow; 8.5 Electronic Commerce; 8.6 Compliance With Insurance Contracts
ISO 27001/17799: 12.1 Compliance With Legal Requirements
ISO 20000/ITIL Reference: 6.6.5 Security and Availability of Information
Question (Business Staff): Are any regulatory requirements relevant to information your department creates or stores? Examples of potential legal or regulatory requirements are: PCI Compliance (Visa, MasterCard), HIPAA (Healthcare), GLB (Insurance, Financial), software licensing, intellectual property rights, contractual obligations, etc.
Question (IT Staff): Does an employee responsible for information security review requirements for regulatory compliance and legal obligations and collaborate with executive leadership and legal counsel to determine which issues are relevant to the organization? Examples include PCI Compliance (Visa, MasterCard), HIPAA (Healthcare), GLB (Insurance, Financial), software licensing, intellectual property rights, contractual obligations, etc.

XII. Compliance (Question Number: Business Staff 40, IT Staff 46)
COBIT 4.0 Control Objective: DS5 Ensure Systems Security; 5.7 Security Surveillance; 5.11 Incident Handling
ISO 27001/17799: 12.1 Compliance with Legal Requirements; 12.3 System Audit Considerations; 9.7 Monitoring System Access and Use; 12.2.1 Compliance with security policy; 12.2.2 Technical compliance checking; 6.3 Responding to Security Incidents and Malfunctions
ISO 20000/ITIL Reference: 6.6.6 Controls c) See ISO 27001 mapping for additional detail
Question (Business Staff): Does your department have the ability to monitor employee behavior with regard to compliance to organizational policies and/or identify illegal activities?
Question (IT Staff): Have you deployed processes and/or automated alerts so that policy violations and intrusive behavior can be identified? This includes things such as account lockout alerts, intrusion detection systems, virus alerting, intellectual property violations, etc.

XII. Compliance (Question Number: IT Staff 47)
COBIT 4.0 Control Objective: DS9 Manage the Configuration; 9.5 Unauthorized Software; 9.8 Software Accountability
ISO 27001/17799: 5.1.1 Inventory of assets; 12.1 Compliance with Legal Requirements; 12.1.2 Intellectual property rights
ISO 20000/ITIL Reference: 9.1 Configuration Management; 9.1.2 Configuration Identification e) licenses; 9.1.4 Configuration Status Accounting and Reporting
Question (IT Staff): Is there a software licensing inventory that provides the ability to effectively review and manage for license compliance, and is there an ongoing process to review licenses?

XII. Compliance (Question Number: Business Staff 41, IT Staff 48)
COBIT 4.0 Control Objective: DS11 Manage Data; 11.5 Source Document Retention; 11.19 Storage Management; 11.20 Retention Periods and Storage Terms; 11.26 Archiving
ISO 27001/17799: 8.6 Media Handling and Security; 12 Compliance; 12.1.3 Safeguarding of organizational records; 12.1.4 Data protection and privacy of personal information
ISO 20000/ITIL Reference: 6.6 Information Security Management; 6.6.1 General (See ISO Mapping for additional details)
Question (Business Staff): Are you aware of legal or organization policy or requirements to retain data? (Note: examples could include financial, health, or transaction history / information.)
Question (IT Staff): Is there a policy and/or standard that defines data retention requirements?

Page 7: Self Assessment MASTER v7.0

Answer sheet columns (one row per question): Primary Security Domain; Answer (Yes/No/Somewhat/Not Applicable); Describe Existing Key Security Controls Supporting This Question; Describe Key Weaknesses Relative to This Question; Describe any Current Projects Relative to This Question; Current Maturity Rating (Please read FAQ for definitions): 0 - Non Existent, 1 - Initial / Ad-Hoc, 2 - Repeatable but Intuitive, 3 - Defined Process, 4 - Managed and Measurable, 5 - Optimized, Not Applicable.

Rows on this page (Primary Security Domain column): I. Security Policy (8 rows); II. Organizational Security (3 rows).

Page 8: Self Assessment MASTER v7.0

Answer sheet (same columns as Page 7). Rows on this page (Primary Security Domain column): II. Organizational Security (5 rows); IX. Access Control (3 rows); III. Asset Classification and Control (6 rows).

Page 9: Self Assessment MASTER v7.0

Answer sheet (same columns as Page 7). Rows on this page (Primary Security Domain column): IX. Access Control (3 rows); VI. Equipment Security (1 row); VII. General Controls (5 rows); V. Physical and Environmental Security (1 row).

Page 10: Self Assessment MASTER v7.0

Answer sheet (same columns as Page 7). Rows on this page (Primary Security Domain column): VII. General Controls (5 rows); VIII. Communications & Operations Management (4 rows); X. Systems Development and Maintenance (3 rows).

Page 11: Self Assessment MASTER v7.0

Answer sheet (same columns as Page 7). Rows on this page (Primary Security Domain column): XI. Business Continuity (6 rows); X. Systems Development and Maintenance (4 rows).

Page 12: Self Assessment MASTER v7.0

Answer sheet (same columns as Page 7). Rows on this page (Primary Security Domain column): XII. Compliance (4 rows).

Page 13: Self Assessment MASTER v7.0

Information Security Domains / Security Control Maturity Rating

Rating scale: 0 - Non Existent; 1 - Initial / Ad-Hoc; 2 - Repeatable but Intuitive; 3 - Defined Process; 4 - Managed and Measurable; 5 - Optimized

I. Security Policy

II. Organizational Security

III. Asset Classification and Control

IV. Personnel Security

V. Physical and Environmental Security

VI. Equipment Security

VII. General Controls

VIII. Communications & Operations Management

IX. Access Control

X. Systems Development and Maintenance

XI. Business Continuity

XII. Compliance

Page 14: Self Assessment MASTER v7.0

0 - Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.

1 - Initial: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

2 - Repeatable: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3 - Defined: Procedures have been standardized and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

4 - Managed: It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 - Optimized: Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

Page 15: Self Assessment MASTER v7.0

PO1 Define a Strategic IT Plan
1.1 IT as Part of the Organization’s Long and Short Range Plan
1.2 IT Long-range Plan
1.3 IT Long-range Planning—Approach and Structure
1.4 IT Long-range Plan Changes
1.5 Short-range Planning for the IT Function
1.6 Communication of IT Plans
1.7 Monitoring and Evaluating of IT Plans
1.8 Assessment of Existing Systems
PO2 Define the Information Architecture
2.1 Information Architecture Model
2.2 Corporate Data Dictionary and Data Syntax Rules
2.3 Data Classification Scheme
2.4 Security Levels
PO3 Determine Technological Direction
3.1 Technological Infrastructure Planning
3.2 Monitor Future Trends and Regulations
3.3 Technological Infrastructure Contingency
3.4 Hardware and Software Acquisition Plan
3.5 Technology Standards
PO4 Define the IT Organization and Relationships
4.1 IT Planning or Steering Committee
4.2 Organizational Placement of the IT Function
4.3 Review of Organizational Achievements
4.4 Roles and Responsibilities
4.5 Responsibility for Quality Assurance
4.6 Responsibility for Logical and Physical Security
4.7 Ownership and Custodianship
4.8 Data and System Ownership
4.9 Supervision
4.10 Segregation of Duties
4.11 IT Staffing
4.12 Job or Position Descriptions for IT Staff
4.13 Key IT Personnel
4.14 Contracted Staff Policies and Procedures
4.15 Relationships
PO5 Manage the IT Investment
5.1 Annual IT Operating Budget
5.2 Cost and Benefit Monitoring
5.3 Cost and Benefit Justification
PO6 Communicate Management Aims and Direction
6.1 Positive Information Control Environment
6.2 Management’s Responsibility for Policies
6.3 Communication of Organization Policies
6.4 Policy Implementation Resources
6.5 Maintenance of Policies
6.6 Compliance with Policies, Procedures and Standards
6.7 Quality Commitment
6.8 Security and Internal Control Framework Policy
6.9 Intellectual Property Rights
6.10 Issue-specific Policies
6.11 Communication of IT Security Awareness
PO7 Manage Human Resources
7.1 Personnel Recruitment and Promotion
7.2 Personnel Qualifications
7.3 Roles and Responsibilities
7.4 Personnel Training
7.5 Cross-training or Staff Backup
7.6 Personnel Clearance Procedures
7.7 Employee Job Performance Evaluation
7.8 Job Change and Termination
PO8 Ensure Compliance with External Requirements
8.1 External Requirements Review
8.2 Practices and Procedures for Complying with External Requirements
8.3 Safety and Ergonomic Compliance
8.4 Privacy, Intellectual Property and Data Flow
8.5 Electronic Commerce

Page 16: Self Assessment MASTER v7.0

8.6 Compliance With Insurance Contracts
PO9 Assess Risks
9.1 Business Risk Assessment
9.2 Risk Assessment Approach
9.3 Risk Identification
9.4 Risk Measurement
9.5 Risk Action Plan
9.6 Risk Acceptance
9.7 Safeguard Selection
9.8 Risk Assessment Commitment
PO10 Manage Projects
10.1 Project Management Framework
10.3 Project Team Membership and Responsibilities
10.4 Project Definition
10.5 Project Approval
10.6 Project Phase Approval
10.7 Project Master Plan
10.8 System Quality Assurance Plan
10.9 Planning of Assurance Methods
10.10 Formal Project Risk Management
10.11 Test Plan
10.12 Training Plan
10.13 Post-implementation Review Plan
PO11 Manage Quality
11.1 General Quality Plan
11.2 Quality Assurance Approach
11.3 Quality Assurance Planning
11.4 Quality Assurance Review of Adherence to IT Standards and Procedures
11.5 System Development Life Cycle Methodology
11.6 System Development Life Cycle Methodology for Major Changes to Existing Technology
11.7 Updating of the System Development Life Cycle Methodology
11.8 Coordination and Communication
11.9 Acquisition and Maintenance Framework for the Technology Infrastructure
11.10 Third-party Implementer Relationships
11.11 Program Documentation Standards
11.12 Program Testing Standards
11.13 System Testing Standards
11.14 Parallel/Pilot Testing
11.15 System Testing Documentation
11.16 Quality Assurance Evaluation of Adherence to Development Standards
11.17 Quality Assurance Review of the Achievement of IT Objectives
11.18 Quality Metrics
11.19 Reports of Quality Assurance Reviews
AI1 Identify Automated Solutions
1.1 Definition of Information Requirements
1.2 Formulation of Alternative Courses of Action
1.3 Formulation of Acquisition Strategy
1.4 Third-party Service Requirements
1.5 Technological Feasibility Study
1.6 Economic Feasibility Study
1.7 Information Architecture
1.8 Risk Analysis Report
1.9 Cost-effective Security Controls
1.10 Audit Trails Design
1.11 Ergonomics
1.12 Selection of System Software
1.13 Procurement Control
1.14 Software Product Acquisition
1.15 Third-party Software Maintenance
1.16 Contract Application Programming
1.17 Acceptance of Facilities
1.18 Acceptance of Technology
AI2 Acquire and Maintain Application Software
2.1 Design Methods
2.2 Major Changes to Existing Systems
2.3 Design Approval
2.4 File Requirements Definition and Documentation

Page 17: Self Assessment MASTER v7.0

2.5 Program Specifications
2.6 Source Data Collection Design
2.7 Input Requirements Definition and Documentation
2.8 Definition of Interfaces
2.9 User-machine Interface
2.10 Processing Requirements Definition and Documentation
2.11 Output Requirements Definition and Documentation
2.12 Controllability
2.13 Availability as a Key Design Factor
2.14 IT Integrity Provisions in Application Program Software
2.15 Application Software Testing
2.16 User Reference and Support Materials
2.17 Reassessment of System Design
AI3 Acquire and Maintain Technology Infrastructure
3.1 Assessment of New Hardware and Software
3.2 Preventive Maintenance for Hardware
3.3 System Software Security
3.4 System Software Installation
3.5 System Software Maintenance
3.6 System Software Change Controls
3.7 Use and Monitoring of System Utilities
AI4 Develop and Maintain Procedures
4.1 Operational Requirements and Service Levels
4.2 User Procedures Manual
4.3 Operations Manual
4.4 Training Materials
AI5 Install and Accredit Systems
5.1 Training
5.2 Application Software Performance Sizing
5.3 Implementation Plan
5.4 System Conversion
5.5 Data Conversion
5.6 Testing Strategies and Plans
5.7 Testing of Changes
5.8 Parallel/Pilot Testing Criteria and Performance
5.9 Final Acceptance Test
5.10 Security Testing and Accreditation
5.11 Operational Test
5.12 Promotion to Production
5.13 Evaluation of Meeting User Requirements
5.14 Management’s Post-implementation Review
AI6 Manage Changes
6.1 Change Request Initiation and Control
6.2 Impact Assessment
6.3 Control of Changes
6.4 Emergency Changes
6.5 Documentation and Procedures
6.6 Authorized Maintenance
6.7 Software Release Policy
6.8 Distribution of Software
DS1 Define and Manage Service Levels
1.1 Service Level Agreement Framework
1.2 Aspects of Service Level Agreements
1.3 Performance Procedures
1.4 Monitoring and Reporting
1.5 Review of Service Level Agreements and Contracts
1.6 Chargeable Items
1.7 Service Improvement Program
DS2 Manage Third-party Services
2.1 Supplier Interfaces
2.2 Owner Relationships
2.3 Third-party Contracts
2.4 Third-party Qualifications
2.5 Outsourcing Contracts
2.6 Continuity of Services
2.7 Security Relationships
2.8 Monitoring

Page 18: Self Assessment MASTER v7.0

DS3 Manage Performance Capacity
3.1 Availability and Performance Requirements
3.2 Availability Plan
3.3 Monitoring and Reporting
3.4 Modeling Tools
3.5 Proactive Performance Management
3.6 Workload Forecasting
3.7 Capacity Management of Resources
3.8 Resources Availability
3.9 Resources Schedule
DS4 Ensure Continuous Service
4.1 IT Continuity Framework
4.2 IT Continuity Plan Strategy and Philosophy
4.3 IT Continuity Plan Contents
4.4 Minimizing IT Continuity Requirements
4.5 Maintaining the IT Continuity Plan
4.6 Testing the IT Continuity Plan
4.7 IT Continuity Plan Training
4.8 IT Continuity Plan Distribution
4.9 User Department Alternative Processing Backup Procedures
4.10 Critical IT Resources
4.11 Backup Site and Hardware
4.12 Offsite Backup Storage
4.13 Wrap-up Procedures
DS5 Ensure Systems Security
5.1 Manage Security Measures
5.2 Identification, Authentication and Access
5.3 Security of Online Access to Data
5.4 User Account Management
5.5 Management Review of User Accounts
5.6 User Control of User Accounts
5.7 Security Surveillance
5.8 Data Classification
5.9 Central Identification and Access Rights
5.10 Management Violation and Security Activity Reports
5.11 Incident Handling
5.12 Reaccreditation
5.13 Counterparty Trust
5.14 Transaction Authorization
5.15 Nonrepudiation
5.16 Trusted Path
5.17 Protection of Security Functions
5.18 Cryptographic Key Management
5.19 Malicious Software Prevention, Detection and Correction
5.20 Firewall Architectures and Connections with Public Networks
5.21 Protection of Electronic Value
DS6 Identify and Allocate Costs
6.1 Chargeable Items
6.2 Costing Procedures
6.3 User Billing and Chargeback Procedures
DS7 Educate and Train Users
7.1 Identification of Training Needs
7.2 Training Organization
7.3 Security Principles and Awareness Training
DS8 Assist and Advise Customers
8.1 Help Desk
8.2 Registration of Customer Queries
8.3 Customer Query Escalation
8.4 Monitoring of Clearance
8.5 Trend Analysis and Reporting
DS9 Manage the Configuration
9.1 Configuration Recording
9.2 Configuration Baseline
9.3 Status Accounting
9.4 Configuration Control
9.5 Unauthorized Software
9.6 Software Storage

Page 19: Self Assessment MASTER v7.0

9.7 Configuration Management Procedures
9.8 Software Accountability
DS10 Manage Problems and Incidents
10.1 Problem Management System
10.2 Problem Escalation
10.3 Problem Tracking and Audit Trail
10.4 Emergency and Temporary Access Authorization
10.5 Emergency Processing Priorities
DS11 Manage Data
11.1 Data Preparation Procedures
11.2 Source Document Authorization Procedures
11.3 Source Document Data Collection
11.4 Source Document Error Handling
11.5 Source Document Retention
11.6 Data Input Authorization Procedures
11.7 Accuracy, Completeness and Authorization Checks
11.8 Data Input Error Handling
11.9 Data Processing Integrity
11.10 Data Processing Validation and Editing
11.11 Data Processing Error Handling
11.12 Output Handling and Retention
11.13 Output Distribution
11.14 Output Balancing and Reconciliation
11.15 Output Review and Error Handling
11.16 Security Provision for Output Reports
11.17 Protection of Sensitive Information During Transmission and Transport
11.18 Protection of Disposed Sensitive Information
11.19 Storage Management
11.20 Retention Periods and Storage Terms
11.21 Media Library Management System
11.22 Media Library Management Responsibilities
11.23 Backup and Restoration
11.24 Backup Jobs
11.25 Backup Storage
11.26 Archiving
11.27 Protection of Sensitive Messages
11.28 Authentication and Integrity
11.29 Electronic Transaction Integrity
11.30 Continued Integrity of Stored Data
DS12 Manage Facilities
12.1 Physical Security
12.2 Low Profile of the IT Site
12.3 Visitor Escort
12.4 Personnel Health and Safety
12.5 Protection Against Environmental Factors
12.6 Uninterruptible Power Supply
DS13 Manage Operations
13.1 Processing Operations Procedures and Instructions Manual
13.2 Start-up Process and Other Operations Documentation
13.3 Job Scheduling
13.4 Departures from Standard Job Schedules
13.5 Processing Continuity
13.6 Operations Logs
13.7 Safeguard Special Forms and Output Devices
13.8 Remote Operations
M1 Monitor the Processes
1.1 Collecting Monitoring Data
1.2 Assessing Performance
1.3 Assessing Customer Satisfaction
1.4 Management Reporting
M2 Assess Control Adequacy
2.1 Internal Control Monitoring
2.2 Timely Operation of Internal Controls
2.3 Internal Control Level Reporting
2.4 Operational Security and Internal Control Assurance
M3 Obtain Independent Assurance
3.1 Independent Security and Internal Control Certification/Accreditation of IT Services

Page 20: Self Assessment MASTER v7.0

3.2 Independent Security and Internal Control Certification/Accreditation of Third-party Service Providers
3.3 Independent Effectiveness Evaluation of IT Services
3.4 Independent Effectiveness Evaluation of Third-party Service Providers
3.5 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments
3.6 Independent Assurance of Compliance with Laws and Regulatory Requirements by Third-party Service Providers
3.7 Competence of Independent Assurance Function
3.8 Proactive Audit Involvement
M4 Provide for Independent Audit
4.1 Audit Charter
4.2 Independence
4.3 Professional Ethics and Standards
4.4 Competence
4.5 Planning
4.6 Performance of Audit Work
4.7 Reporting
4.8 Follow-up Activities

Page 21: Self Assessment MASTER v7.0

3 SECURITY POLICY
3.1 INFORMATION SECURITY POLICY
3.1.1 Information security policy document
3.1.2 Review and evaluation
4 ORGANIZATIONAL SECURITY
4.1 INFORMATION SECURITY INFRASTRUCTURE
4.1.1 Management information security forum
4.1.2 Information security co-ordination
4.1.3 Allocation of information security responsibilities
4.1.4 Authorization process for information processing facilities
4.1.5 Specialist information security advice
4.1.6 Co-operation between organizations
4.1.7 Independent review of information security
4.2 SECURITY OF THIRD PARTY ACCESS
4.2.1 Identification of risks from third party access
4.2.2 Security requirements in third party contracts
4.3 OUTSOURCING
4.3.1 Security requirements in outsourcing contracts
5 ASSET CLASSIFICATION AND CONTROL
5.1 ACCOUNTABILITY FOR ASSETS
5.1.1 Inventory of assets
5.2 INFORMATION CLASSIFICATION
5.2.1 Classification guidelines
5.2.2 Information labelling and handling
6 PERSONNEL SECURITY
6.1 SECURITY IN JOB DEFINITION AND RESOURCING
6.1.1 Including security in job responsibilities
6.1.2 Personnel screening and policy
6.1.3 Confidentiality agreements
6.1.4 Terms and conditions of employment
6.2 USER TRAINING
6.2.1 Information security education and training
6.3 RESPONDING TO SECURITY INCIDENTS AND MALFUNCTIONS
6.3.1 Reporting security incidents
6.3.2 Reporting security weaknesses
6.3.3 Reporting software malfunctions
6.3.4 Learning from incidents
6.3.5 Disciplinary process
7 PHYSICAL AND ENVIRONMENTAL SECURITY
7.1 SECURE AREAS
7.1.1 Physical security perimeter
7.1.2 Physical entry controls
7.1.3 Securing offices, rooms and facilities
7.1.4 Working in secure areas
7.1.5 Isolated delivery and loading areas
7.2 EQUIPMENT SECURITY
7.2.1 Equipment siting and protection
7.2.2 Power supplies
7.2.3 Cabling security
7.2.4 Equipment maintenance

Page 22: Self Assessment MASTER v7.0

7.2.5 Security of equipment off-premises
7.2.6 Secure disposal or re-use of equipment
7.3 GENERAL CONTROLS
7.3.1 Clear desk and clear screen policy
7.3.2 Removal of property
8 COMMUNICATIONS AND OPERATIONS MANAGEMENT
8.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES
8.1.1 Documented operating procedures
8.1.2 Operational change control
8.1.3 Incident management procedures
8.1.4 Segregation of duties
8.1.5 Separation of development and operational facilities
8.1.6 External facilities management
8.2 SYSTEM PLANNING AND ACCEPTANCE
8.2.1 Capacity planning
8.2.2 System acceptance
8.3 PROTECTION AGAINST MALICIOUS SOFTWARE
8.3.1 Controls against malicious software
8.4 HOUSEKEEPING
8.4.1 Information back-up
8.4.2 Operator logs
8.4.3 Fault logging
8.5 NETWORK MANAGEMENT
8.5.1 Network controls
8.6 MEDIA HANDLING AND SECURITY
8.6.1 Management of removable computer media
8.6.2 Disposal of media
8.6.3 Information handling procedures
8.6.4 Security of system documentation
8.7 EXCHANGES OF INFORMATION AND SOFTWARE
8.7.1 Information and software exchange agreements
8.7.2 Security of media in transit
8.7.3 Electronic commerce security
8.7.4 Security of electronic mail
8.7.5 Security of electronic office systems
8.7.6 Publicly available systems
8.7.7 Other forms of information exchange
9 ACCESS CONTROL
9.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL
9.1.1 Access control policy
9.2 USER ACCESS MANAGEMENT
9.2.1 User registration
9.2.2 Privilege management
9.2.3 User password management
9.2.4 Review of user access rights
9.3 USER RESPONSIBILITIES
9.3.1 Password use
9.3.2 Unattended user equipment
9.4 NETWORK ACCESS CONTROL
9.4.1 Policy on use of network services

9.4.2 Enforced path
9.4.3 User authentication for external connections
9.4.4 Node authentication
9.4.5 Remote diagnostic port protection
9.4.6 Segregation in networks
9.4.7 Network connection control
9.4.8 Network routing control
9.4.9 Security of network services
9.5 OPERATING SYSTEM ACCESS CONTROL
9.5.1 Automatic terminal identification
9.5.2 Terminal log-on procedures
9.5.3 User identification and authentication
9.5.4 Password management system
9.5.5 Use of system utilities
9.5.6 Duress alarm to safeguard users
9.5.7 Terminal time-out
9.5.8 Limitation of connection time
9.6 APPLICATION ACCESS CONTROL
9.6.1 Information access restriction
9.6.2 Sensitive system isolation
9.7 MONITORING SYSTEM ACCESS AND USE
9.7.1 Event logging
9.7.2 Monitoring system use
9.7.3 Clock synchronization
9.8 MOBILE COMPUTING AND TELEWORKING
9.8.1 Mobile computing
9.8.2 Teleworking
10 SYSTEMS DEVELOPMENT AND MAINTENANCE
10.1 SECURITY REQUIREMENTS OF SYSTEMS
10.1.1 Security requirements analysis and specification
10.2 SECURITY IN APPLICATION SYSTEMS
10.2.1 Input data validation
10.2.2 Control of internal processing
10.2.3 Message authentication
10.2.4 Output data validation
10.3 CRYPTOGRAPHIC CONTROLS
10.3.1 Policy on the use of cryptographic controls
10.3.2 Encryption
10.3.3 Digital signatures
10.3.4 Non-repudiation services
10.3.5 Key management
10.4 SECURITY OF SYSTEM FILES
10.4.1 Control of operational software
10.4.2 Protection of system test data
10.4.3 Access control to program source library
10.5 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
10.5.1 Change control procedures
10.5.2 Technical review of operating system changes
10.5.3 Restrictions on changes to software packages
10.5.4 Covert channels and Trojan code

10.5.5 Outsourced software development
11 BUSINESS CONTINUITY MANAGEMENT
11.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
11.1.1 Business continuity management process
11.1.2 Business continuity and impact analysis
11.1.3 Writing and implementing continuity plans
11.1.4 Business continuity planning framework
11.1.5 Testing, maintaining and re-assessing business continuity plans
12 COMPLIANCE
12.1 COMPLIANCE WITH LEGAL REQUIREMENTS
12.1.1 Identification of applicable legislation
12.1.2 Intellectual property rights (IPR)
12.1.3 Safeguarding of organizational records
12.1.4 Data protection and privacy of personal information
12.1.5 Prevention of misuse of information processing facilities
12.1.6 Regulation of cryptographic controls
12.1.7 Collection of evidence
12.2 REVIEWS OF SECURITY POLICY AND TECHNICAL COMPLIANCE
12.2.1 Compliance with security policy
12.2.2 Technical compliance checking
12.3 SYSTEM AUDIT CONSIDERATIONS
12.3.1 System audit controls
12.3.2 Protection of system audit tools

3 The management system
3.1 Management and responsibility
3.2 Documentation requirements
3.3 Competence, awareness and training
3.3.1 General
3.3.2 Professional development
3.3.3 Approaches to be considered
4 Planning and implementing service management
4.1 Plan service management (Plan)
4.1.1 Scope of service management
4.1.2 Planning approaches
4.1.3 Events to be considered
4.1.4 Scope and contents of the plan
4.2 Implement service management and provide the services
4.3 Monitoring, measuring and reviewing (Check)
4.4 Continual improvement (Act)
4.4.1 Policy
4.4.2 Planning for service improvements
5 Planning and implementing new or changed services
5.1 Topics for consideration
5.2 Change records
6 Service delivery process
6.1 Service level management
6.1.1 Service catalogue
6.1.2 Service level agreements (SLAs)
6.1.3 Service level management (SLM) process
6.1.4 Supporting service agreements
6.2 Service reporting
6.2.1 Policy
6.2.2 Purpose and quality checks on service reports
6.2.3 Service reports
6.3 Service continuity and availability management
6.3.1 General
6.3.2 Availability monitoring and activities
6.3.3 Service continuity strategy
6.3.4 Service continuity planning and testing
6.4 Budgeting and accounting for IT services
6.4.1 General
6.4.2 Policy
6.4.3 Budgeting
6.4.4 Accounting
6.5 Capacity management
6.6 Information security management
6.6.1 General
6.6.2 Identifying and classifying information assets
6.6.3 Security risk assessment practices
6.6.4 Risks to information assets
6.6.5 Security and availability of information
6.6.6 Controls
6.6.7 Documents and records

7 Relationship processes
7.1 General
7.2 Business relationship management
7.2.1 Service reviews
7.2.2 Service complaints
7.2.3 Customer satisfaction measurement
7.3 Supplier management
7.3.1 Introduction
7.3.2 Contract management
7.3.3 Service definition
7.3.4 Managing multiple suppliers
7.3.5 Contractual disputes management
7.3.6 Contract end
8 Resolution processes
8.1 Background
8.1.1 Setting priorities
8.1.2 Workarounds
8.2 Incident management
8.2.1 General
8.2.2 Major incidents
8.3 Problem management
8.3.1 Scope of problem management
8.3.2 Initiation of problem management
8.3.3 Known errors
8.3.4 Problem resolution management
8.3.5 Communication
8.3.6 Tracking and escalation
8.3.7 Incident and problem record closure
8.3.8 Problem reviews
8.3.9 Topics for reviews
8.3.10 Problem prevention
9 Control processes
9.1 Configuration management
9.1.1 Configuration management planning and implementation
9.1.2 Configuration identification
9.1.3 Configuration control
9.1.4 Configuration status accounting and reporting
9.1.5 Configuration verification and audit
9.2 Change management
9.2.1 Planning and implementation
9.2.2 Closing and reviewing the change request
9.2.3 Emergency changes
9.2.4 Change management reporting, analysis and actions
10 Release process
10.1 Release management process
10.1.1 General
10.1.2 Release policy
10.1.3 Release and roll-out planning
10.1.4 Developing or acquiring software
10.1.5 Design, build and configure release

10.1.6 Release verification and acceptance
10.1.7 Documentation
10.1.8 Roll-out, distribution and installation
10.1.9 Post release and roll-out