ISO 27001 Initial Assessment Report - UnderDefense

1 ISO 27001 Initial Assessment Report for [CLIENT] September 2018 TABLE OF CONTENTS Table of contents1 Executive Summary3 Our methodology4 Key stakeholders interviewed4 Maturity Level for each clause of ISO 270015 Conclusions6 RoadMap7 Recommendations ISMS activities10 Plan stage11 Do stage14 Check stage15 Act stage16 Recommendations Annex A controls17 Information Security Policies17 Organisation of Information Security18 Human resources security20 Asset management22 Inventory tools to install (as a recommendation )22 Access control24 Password managers to install (as a recommendation )26 Cryptography28 Physical and environmental security29 Operations security31 Antivirus tools to install (as a recommendation )32 Vulnerability management tools to install (as a recommendation )35 Communications security36 System acquisition, development and maintenance38 Supplier relationships41 Information security incident management43 Information security aspects of business continuity management45 Compliance47 Summary50 [CLIENT] Initial Assessment Report Page 1 of 49 EXECUTIVE SUMMARY [CLIENT]hasrequestedthatUnderDefense,asa nindependentandtrustedCyberSecuritypartn er, conductsanassessmentandanalysisofthecurr entstateoftheinformationsecurityprogramo fthe organizationanditscompliancewithISO27001 (ISO27001:2013)isan internationalstandardfortheimplementatio nofabestpracticeInformationSecurityManag ement System(ISMS).

2 ISO27001accreditationrequiresanorganisat iontobringinformationsecurityunder explicit management control. Theobjectiveoftheassessmentwastodocument thecurrentstateoftheISMSandAnnexAcontrol sat [CLIENT]sites,understandthestate,andreco mmendactionsneededtoachievetherequiredst ateto prepare for ISO/IEC 27001 certification. [CLIENT] Initial Assessment Report Page 2 of 49 Our methodology Ourmethodologyisbasedontheinterviewandpr acticalevaluationwiththekeystakeholders, reviewing aremappedonISO/IEC27001:2013standard(see below). RatingprovidedinformofMaturityLevel matrix and Radar chart. Key stakeholders interviewed Thefirstimportantstepofourassessmentwast heinterviewwiththekeystakeholdersandempl oyeesto collectinformationandcheckonpracticethec urrentcontrolsetandtherisksthatknowledge keepers , presentedcurrentcontrolsofinformationsec urityintheirdepartmentsandansweredquesti onsfrom ISO27001checklistsregardingprocesses,fin ance,systems,infrastructure,businessproc esses,policies, growth plans, endpoint security, operating systems, access controls, valuable assets, risks, etc.

3 Position in the company Respondent Director of Operations IT Director Head of CIS (corp. information systems) Managing Director HR Department Accounting Department HR Director DevOps PMO Director QA Director Head of Recruiting [CLIENT] Initial Assessment Report Page 3 of 49 Maturity Level for each clause of ISO 27001 ToillustratetheconformitytoISO27001,weha veassignedalevelofcoveragebaseduponthele gend below. UD Observation Ranking (Conforms or Major and Minor non-conformity) (Conformity Rating) Description Major Significant improvement needed (major non-conformities and/or significant number of minor non-conformities) Minor Minor to moderate improvement needed (minor non-conformities and/or observations) Conforms Certification ready Observation Informational comment not impacting certification readiness Cannot be assessed The control cannot be assessed as it has not been neither designed or implemented and it's applicability to [CLIENT] ISMS is not defined Noneoftheseshortfallsareinsurmountable,b utaddressingthemwillrequiremanagementcom mitment to establish, implement, maintain and improve a comprehensive ISMS.

4 [CLIENT] Initial Assessment Report Page 4 of 49 Conclusions currentmaturitylevelofeachISO/IEC27001 numeric level on the chart: -Level 1 - Major non-conformity, -Level 2 - Minor non-conformity, -Level 3 - Conforms Figure 1. Graphical representation of each maturity level. [CLIENT] Initial Assessment Report Page 5 of 49 RoadMap [CLIENT]needstoassignrolesandresponsibil ities,tohandleallactionsrelatedtotheanal ysisofthe non-conformity,executionofimprovementsan dcontrolsimplementationtoachievetheaccep table state for certification. The table below shows ISO 27001 :2013 controls ordered and prioritized by severity of Maturity Levels. Thetablerepresentsstepbystepguidetostart executingimprovementsonminornon-conformi ty ,controls, whichmarkedasConforms,representwhat salreadyinplaceandworkingwell,minornon-c onformities canberesolvedbyone-timeactivities( ),majornon-conformitiesrequires iterative, team -based approach, in order complete all activities, resolve issues effectively and in time.

5 Thetablecanbetreatedasaprojectplanthatco ntents3 Stages,aspresentedinthetablebelow,which represent required steps for successful transition and compliance. # Сontrol Maturity Level Recommendations - Appendix A Prior to employment Conforms Redundancies Conforms 1 Stage 1 Internal Organisation Minor non-conformity Business requirements for access control Minor non-conformity User access management Minor non-conformity Secure areas Minor non-conformity Operational procedures and responsibilities Minor non-conformity Backup Minor non-conformity Network security management Minor non-conformity Security in development and support processes Minor non-conformity Information security in supplier relationships Minor non-conformity Information security continuity Minor non-conformity [CLIENT]

6 Initial Assessment Report Page 6 of 49 Compliance with legal and contractual requirements Minor non-conformity 2 Stage 2 Mobile devices and teleworking Major non-conformity During employment Major non-conformity Responsibility for assets Major non-conformity Information Classification Major non-conformity Media handling Major non-conformity User responsibilities Major non-conformity System and application access control Major non-conformity Cryptographic controls Major non-conformity Equipment Major non-conformity Protection from malware Major non-conformity Control of operational software Major non-conformity Controls against malware Major non-conformity Technical vulnerability management Major non-conformity Information transfer Major non-conformity Security requirements of information systems Major non-conformity Management of information security incidents and improvements Major non-conformity Information security reviews Major non-conformity Management direction for information security Major non-conformity Cannot be assessed Information systems audit considerations Cannot be assessed Test data Cannot be assessed [CLIENT]

7 Initial Assessment Report Page 7 of 49 Supplier service delivery management Cannot be assessed Recommendations ISMS activities 3 Stage 3 Scope Definition Major non-conformity Risk Assessment Approach and Execution Major non-conformity Treatment of Risks, including Statement of Applicability Major non-conformity Risk Treatment Plan Major non-conformity Monitoring, Review of the ISMS & Effectiveness of Controls Major non-conformity ISMS Improvement including Corrective & Preventive Actions Major non-conformity [CLIENT] Initial Assessment Report Page 8 of 49 Recommendations ISMS activities Thetablesonthesubsequentpagesincludereco mmendationsforimprovementsneededtoachiev ethe level of maturity required for ISO 27001 certification (Required target state). TheactionsaredividedintothePlan,Do,Check andActphasesofthe[CLIENT] sInformationSecurity ManagementSystem(ISMS).

8 ThePlan-Do-Check-Act(PDCA)cycleisanitera tiveprocessandwitheach iterationtheorganizationhastheopportunit yto(re-)definethescopeofitsInformationSe curity ManagementSystem,(re-)definerisks,(re-)s electcontrolsandadjustorcreateprocesses, policiesand guidelines. All activities listed within this section must be completed in advance of the Initial certification audit. Note,eachstageofthePDCA cyclerequiresapproachdocumentstobecreate d( documents).Itisuptothediscretionofmanage menttodetermineifthesedocumentsshouldbe createdduringthePlanstageoriftheyshouldb edevelopedduringtherespectivestagesinwhi chthe documents will be used. Theserecommendationsrepresenttypicalacti vitiesneededtoimplementandoperateanISMS andto prepareforISO27001certification.[CLIENT] managementwillneedtoultimatelydecidewhat actionsto undertake within their environment.

9 [CLIENT] Initial Assessment Report Page 9 of 49 Plan stage Scope Definition Short description TheISMS scopeshouldbedefinedintermsofcharacteris ticsofthebusiness, the organization, its locations, assets and technologies. UD Observations ISMS scope is not documented and approved by management. The scope contains the list of the areas, locations, assets, and technologies of the organization controlled by the ISMS. Exclusions from the scope are not documented and justified. UD Observation Ranking Major non-conformity Recommendations DocumentISMS scopeincludingthelistoftheareas,location s,assets, and technologies of the organization. DocumentallexclusionsfromISMS scope( ,salesrepresentative offices,softwaredevelopedbyclient-facing projectteams,etc.),and justification for exclusion from scope.

10 Reviewandre-approveISMS scopedocumentwithmanagement annuallyorincasesifsignificantchangestot heenvironmentoccur outsideoftheannualreviewcycle( ,inclusion of new locations, etc.). Documents reviewed N/a Risk Assessment Approach and Execution Short description A Risk Assessment approach should be created for the organization. UD Observations The organization has not developed and documented a comprehensive Risk Management Framework that describes all steps and relevant methods required to be carried out in terms of risk Assessment process, including: -Asset Identification -Threat Identification -Vulnerability Identification -Control Analysis -Likelihood Determination -Impact Analysis -Risk Determination -Control Recommendations -Results Documentation The organization has not defined and documented the lists of assets that are included within ISMS scope.