| No. | Control | YES | NO | N.A. |
|---|---|---|---|---|
| 1. | Microcomputers | | | |
| 1.1.i | Development of software | 41% | 49% | 10% |
| 1.1.ii | Testing of software | 34% | 53% | 13% |
| 1.1.iii | Prohibit unlicensed software | 57% | 36% | 7% |
| 1.1.iv | Virus protection | 54% | 39% | 7% |
| 1.2 | - Checked Quarterly | 23% | 73% | 4% |
| 1.2 | - Checked Annually | 17% | 79% | 4% |
| 1.2 | - Checked Never | 38% | 58% | 4% |
| 1.3.i | Backing-up of data | 77% | 20% | 3% |
| 1.3.ii | Storage of diskettes | 69% | 24% | 7% |
| 1.3.iii | Physical access control | 64% | 33% | 3% |
| 1.3.iv | Password protection | 76% | 21% | 3% |
| 1.3.v | Keyboard locks in use | 38% | 59% | 3% |
| 1.3.vi | Encrypting of sensitive data | 15% | 73% | 12% |
| 1.4 | Security reviewed regularly | 76% | 22% | 2% |
| 1.5 | Input controls in place | 82% | 8% | 10% |
| 2. | Organisational Controls | | | |
| 2.1 | Written security policy | 21% | 70% | 9% |
| 2.2 | Security Officer | 61% | 31% | 8% |
| 2.3 | Third party security review | 21% | 71% | 8% |
| 2.4 | Internal security review | 52% | 40% | 8% |
| 2.5 | Security training | 65% | 24% | 11% |
| 2.6 | Segregation of duties | 51% | 21% | 28% |
| 2.7 | Clerical procedures | 55% | 24% | 21% |
| 3. | Physical Security | | | |
| 3.1 | Fire protection | 70% | 19% | 11% |
| | Vandalism protection | 83% | 6% | 11% |
| | Water protection | 46% | 43% | 11% |
| | Temperature/Humidity protection | 60% | 29% | 11% |
| 3.2 | Uninterruptible power supply | 52% | 40% | 8% |
| 3.3 | Visitors - Identified | 80% | 1% | 19% |
| | Visitors - Logged | 23% | 58% | 19% |
| | Visitors - Supervised | 78% | 3% | 19% |
| 3.4 | Secure storage area | 87% | 4% | 9% |
| 3.5 | Security for data in transit | 48% | 12% | 40% |
| 4. | Logical Access Controls | | | |
| 4.1 | Unique IDs and Passwords | 80% | 11% | 9% |
| 4.2 | Default passwords removed | 81% | 3% | 16% |
| 4.3 | Access attempts logged etc | 50% | 38% | 12% |
| 4.4 | Access control software used | 57% | 30% | 13% |
| 5. | Operations Controls | | | |
| 5.1 | Schedule of authorised jobs | 26% | 30% | 44% |
| 5.2 | Review actual versus authorised jobs | 23% | 33% | 44% |
| 5.3 | Incident/error report procedure | 49% | 17% | 34% |
| 5.4 | Operator access to production utilities | 22% | 44% | 34% |
| 5.5 | Sensitive output supervised | 62% | 6% | 32% |
| 5.6 | Written operating instructions | 59% | 11% | 30% |
| 6. | Backup & Recovery | | | |
| 6.1 | Software and Data backed-up | 87% | 1% | 12% |
| 6.2 | Copies of software and Data held off-site | | | |
| 6.3 | Back-up reconciled | 53% | 19% | 28% |
| 6.4 | Back-up tested | 69% | 16% | 15% |
| 7. | Contingency | | | |
| 7.1 | Documented contingency plan | 17% | 75% | 8% |
| 7.2 | Contingency plan ever tested | 19% | 54% | 27% |
| 8. | Telecommunications | | | |
| 8.1 | External users restricted | 34% | 2% | 64% |
| 8.2 | Modems disconnected when not in use | 35% | 24% | 41% |
| 8.3 | Unauthorised external login monitored | 30% | 4% | 66% |
| 8.4 | Message source confirmation | 11% | 12% | 77% |
| 8.5 | Dial-up facilities in use | 28% | 28% | 44% |
| 8.6 | Authorisation procedures on dial-up lines | 12% | 25% | 63% |
| 8.7 | Sensitive data encrypted | 7% | 34% | 59% |
| 9. | Software Integrity | | | |
| 9.1 | Written development standards | 47% | 21% | 32% |
| 9.2 | Changes authorised by users | 59% | 2% | 39% |
| 9.3 | Acceptance testing procedures | 59% | 5% | 36% |
| 9.4 | Procedures for test to live promotion | 54% | 0% | 46% |
| 9.5 | Third party software tested | 47% | 1% | 52% |
| 10. | Database Administration | | | |
| 10.1 | Segregated Database Administrator role | 22% | 32% | 46% |
| 10.2 | Database Utilities controlled/reviewed | 33% | 10% | 57% |
| 10.3 | Transaction logs for control/recovery | 24% | 26% | 50% |
| 10.4 | Integrity of Database reviewed | 45% | 5% | 50% |