VSAQ

Warning — possible high-risk issue

A completely custom security program is difficult to audit against. It's best to model your program on industry standards. If you already have a security program in place, it is often quite easy to remodel the program to comply with a standard of your choice. Make sure the standard you choose is appropriate for your systems. For example, PCI DSS was created specifically for systems and networks processing credit card information.

Warning — possible high-risk issue

Excluding parts of the company from the security program means that out-of-scope processes might put your customers' data at risk. Because overall security level is often determined by the weakest link, your security program should cover all of the processes that can directly or indirectly affect the security of your customers' information.

Warning — possible high-risk issue

Not having someone formally responsible for information security often means that there are no resources available to make security-conscious decisions, plan controls, and implement policies. Customers typically expect companies to have an adequate security team.

Warning — possible high-risk issue

Security policies are an important tool for establishing authoritative security requirements and enforcing them throughout the company. Policies form the basis of any security program.

Warning — possible high-risk issue

To verify that theoretical controls work well in practice, you should have an internal audit process that checks for compliance with your own policies and reviews the adequacy of your security program overall.

Warning — possible high-risk issue

External audits help to ensure that your security program meets industry standards. In addition, it is often helpful to have a second set of eyes (particularly those of security experts) review the controls and their implementation. Many companies require their vendors to do annual, independent audits of the security program.

Warning — possible high-risk issue

Employees handling sensitive information is still a major risk factor for most companies. It's important to have security controls in human resources, including:

• Job descriptions for all employees with access to confidential or sensitive information
• Granting access to data solely on a "need-to-know" basis, in accordance with the employee's job description and responsibilities; and revoking access when the need no longer exists
• Having processes in place to make sure access (both physical and logical) is revoked when an employee, intern, vendor, contractor, or other associate leaves the company or a contract ends
• Regularly training employees on current security and awareness best practices
• Running background checks on new hires and contractors

Warning — possible high-risk issue

Anytime a customer, partner, subcontractor, vendor, or other third party is given access to sensitive information or systems, it's necessary to ensure they are capable of protecting this information at least as well as you do. Several recent data breaches in the news were caused by the compromise of a vendor somewhere down the line.

Warning — possible high-risk issue

A change management process helps to ensure that the effect of a change is properly assessed before it's actually implemented. Although it's not necessary for everyday changes within defined procedures to undergo a formal review process, any change that is out of the ordinary should be reviewed and assessed before it's made. A good change management process has the following characteristics:

• Formal documentation is in place, including classification of changes by size and impact
• Change documentation is retained, both to facilitate auditing and so that changes can be reversed if necessary
• A member of the security team sits on the change review board, to make sure security impact is properly assessed

Warning — possible high-risk issue

It seems that some important topics are not covered by your security policies.

Warning — possible high-risk issue

A lot can change within a year, particularly in a field as dynamic and fast-paced as information security. A functioning and well-maintained security program should include reviewing and updating security policies at least once per year, to make sure the company's security requirements are still relevant and adequate to address current threats.

Warning — possible high-risk issue

A lot can change within a year, particularly in a field as dynamic and fast-paced as information security. A functioning and well-maintained security program should include internal audits of the program at least once per year, to make sure the company's security requirements are still functional, relevant, and adequate to address current threats.

Warning — possible high-risk issue

A lot can change within a year, particularly in a field as dynamic and fast-paced as information security. A functioning and well-maintained security program should be audited by a third party at least once per year, to make sure the company's security program meets industry standards, functions properly, and is adequate to address current threats.

Warning — possible high-risk issue

Independent third-party audits of your security program should cover all processes that may affect the security of your and your customers' information. It is fine if only part of the security program is audited each year, as long as the auditors are able to freely select the scope of the audit. Within a three-year timespan, these partial audits should have reviewed the entire security program.

Warning — possible high-risk issue

In order to protect confidential data while it is exposed to your outsourcing providers, vendors, and subcontractors, you should contractually enforce security controls similar to your own.

Warning — possible high-risk issue

The change review board should include at least one member who can assess the impact of all changes on security.

Warning — possible high-risk issue

Because your project involves sensitive data, potential security incidents should be immediately investigated and addressed. To respond promptly, you should have in-house incident investigation experts.

Warning — possible high-risk issue

Because you don't have resources for dealing with security incidents in house, it is important to have written procedures that explain how to deal with an identified incident.

Warning — possible high-risk issue

Job descriptions help ensure that security responsibilities are addressed and can be monitored, and they're essential for granting only "need-to-know" access to information.

Warning — possible high-risk issue

Minimizing the number of personnel exposed to confidential information is key to keeping that information secure. Only those with a "need to know" should be granted access to the data. When you have processes and technical controls in place to enforce the need-to-know principle, you greatly reduce the risk of unauthorized data access and other security incidents.

Warning — possible high-risk issue

New hire background checks should always be performed, both to ensure that an informed hiring decision is made and to verify the trustworthiness of new employees. Many legislatures limit the kinds of background checks that are permissible; make sure your checks comply with all applicable laws. For sensitive projects, you should at least do CV/resume checks, reference checks, and criminal record checks for new hires.