1. IT support team |
||
| Index | Item | Check |
|---|---|---|
| 1 | Making a list of service providers and system owners | |
| 2 | Service Contract Establishment | |
| 3 | User Administration | |
| 4 | Change Control Policy | |
| 5 | Log | |
| Total Score in this criteria : | 0 | |
2. Data Classification |
||
| Index | Item | Check |
|---|---|---|
| 1 | Define the sensitive level of different document like :
- Public - Internal - Restricted |
|
| 2 | Principle of data handling in different sensitive level | |
| 3 | Private personal data handling | |
| 4 | Policy of Company's supplied computer | |
| 5 | Policy of employee's laptop | |
| 6 | Software License Management | |
| 7 | End User Access Control | |
| Total Score in this criteria : | 0 | |
3. Internet Usage |
||
| Index | Item | Check |
|---|---|---|
| 1 | Internet access shall be used for business activities only | |
| 2 | Files Downloaded from Internet must be screened with virus detection | |
| 3 | Users shall not install software on any Company's computer and equipment | |
| 4 | Users shall not post any internal or restricted information to public websites and storages | |
| 5 | Users shall not save passwords in their browsers or email clients | |
| 6 | Users shall only use their own credentials prior to accessing the Company's internal network and Internet | |
| 7 | Company shall restrict or block the downloading of certain file types that are likely to cause network service failure | |
| 8 | Users shall realize that their communications may not be protected from viewing by third parties | |
| Total Score in this criteria : | 0 | |
4. Wireless Control |
||
| Index | Item | Check |
|---|---|---|
| 1 | Only wireless devices that support security WPA2 or above will be permitted at the Company network | |
| 2 | Data transmitted over wireless networks must be protected using encryption technologies such as SSL/TLS, AES, WPA2, or IPSEC VPN | |
| 3 | Default configuration settings shall not be used | |
| 4 | Authentication and authorization must be implemented at all working wireless networks | |
| 5 | Guest network shall have proper segregation from the internal network | |
| 6 | Encryption keys shall be at least 128-bits or longer | |
| 7 | Encryption keys shall be changed frequently | |
| 8 | Passphrases shall be at least 8 characters and include number , uppercase letter, lowercase letter and symbols | |
| 9 | PCs connected to the wireless LAN must be installed with firewall and anti-virus software | |
| 10 | Users must not setup their own wireless access point in the Company's network | |
| Total Score in this criteria : | 0 | |
5. Electronic Communications / Emails |
||
| Index | Item | Check |
|---|---|---|
| 1 | All messages distributed via the Company's communications software are Company's property | |
| 2 | Company's Messages software shall be used for business activities only | |
| 3 | Company's Messages software shall not be used for charitable fund raising campaigns, political advocacy efforts, religious efforts, private business activities, or personal amusement and entertainment | |
| 4 | Regardless of the circumstances, individual email account password must never be shared or revealed to anyone else | |
| 5 | Staff shall not use Company's email account to register to any Internet news feeds, mailing lists or forum | |
| 6 | News feeds, electronic mail mailing lists, push data updates, and other mechanisms for receiving information over the Internet shall be restricted | |
| 7 | Users shall not send or forward emails containing libelous, defamatory, offensive, racist or obscene remarks. If any email of this nature is received, the individual shall promptly notify their supervisor | |
| 8 | Users shall not forge or attempt to forge email messages | |
| 9 | Users shall not disguise or attempt to disguise their identities when sending mail | |
| 10 | Users shall not send email messages using another person's email account | |
| 11 | Users are strictly forbidden to use Company's email system for personal purposes | |
| 12 | Privacy and Intellectual Property Rights | |
| Total Score in this criteria : | 0 | |
6. Password Policy |
||
| Index | Item | Check |
|---|---|---|
| 1 | Every user must have a single unique user ID and a personal password for access to computers and internal networks | |
| 2 | Default system user account (e.g. admin, administrator etc.) shall be prevented to use if technical feasible in order to minimize the chance of being abuse | |
| 3 | To make dictionary-based cracking programs less effective, passwords shall not be words found in a dictionary. Passwords shall be a combination of at least 8 characters and consist of alphabet, number and symbol | |
| 4 | Passwords shall have specific days of expiry (e.g. 90 days). All users shall be forced to define another password before the next logon process is completed | |
| 5 | If system functions available, automatically suspend a user account after 5 invalid logon attempts shall be implemented. The suspension shall last or for at least 30 minutes. A password history of at least 5 entries long shall preclude easy re-use of passwords. User shall use newly changed password for at least 1 day | |
| 6 | All users must be prohibited from capturing or otherwise obtaining passwords, decryption keys, or any other access control mechanism, which could permit unauthorized access | |
| 7 | Passwords must always be well protected when held in storage. Passwords must be encrypted when transmitted over an un-trusted communication network. Compensating controls (e.g. regular change of password) must be applied to reduce the risk exposure of Information Systems to an acceptable level if encryption is not implementable | |
| 8 | Passwords shall not be shared or divulged in all circumstances | |
| 9 | If a staff requests to share password, it is recommended to escalate to both the Company's management and the system owner of such request | |
| 10 | Every staff is responsible for the access credentials and their password and can be liable for misuse | |
| 11 | Password shall be at least 8 characters and include number , uppercase letter, lowercase letter and symbols | |
| Total Score in this criteria : | 0 | |
7. Anti-virus |
||
| Index | Item | Check |
|---|---|---|
| 1 | Anti-virus software must be installed and enabled on all Company's devices and servers | |
| 2 | Anti-virus software must be check for and update virus and malicious code signature, definition or pattern files daily | |
| 3 | IT support shall educate users on how to update virus signatures and active the protection | |
| 4 | Users shall be aware of their responsibility to protect against computer virus and malicious code attacks | |
| 5 | Users shall not interrupt during periodic virus scanning or signature update process | |
| 6 | Users shall not use any storage media and files from unknown source or origin (including email or web site) | |
| 7 | Users shall not save unverified email attachments | |
| 8 | Users must not intentionally write, generate, copy, propagate, execute or involve in introducing computer viruses or malicious codes | |
| Total Score in this criteria : | 0 | |
8. Data Backup |
||
| Index | Item | Check |
|---|---|---|
| 1 | Backup copies must be maintained for all critical operational data to enable reconstruction that data is inadvertently destroyed or lost | |
| 2 | Access to backup media must be restricted to authorized personnel only | |
| 3 | A copy of the backup must be stored in an off-site location on a periodic basis | |
| 4 | All sensitive, valuable, or critical information recorded on backup computer media and stored outside Company’s offices shall be encrypted if system feasible (e.g. performance issue is not significant and acceptable) | |
| 5 | PC users shall back up their important files on a regular basis (e.g. monthly) to the file server or storage which is centralized for local or off-site backup purpose | |
| Total Score in this criteria : | 0 | |
9. System Access & Privilege Control |
||
| Index | Item | Check |
|---|---|---|
| 1 | Segregation of duty: A conflict of interest should be minimized by having a segregation of duties in the user access rights (e.g. maker and checker process have to be performed by different staff) | |
| 2 | Least privilege principle: System users should only own the least system privilege according to their job function | |
| Total Score in this criteria : | 0 | |
10. Access Contorl to Main Equipment |
||
| Index | Item | Check |
|---|---|---|
| 1 | Physical access to servers and IT equipment should be limited to personnel including system administrators or staff who are authorized by the management | |
| 2 | Visitor log shall be established to keep track of the visitors accessing the server rack | |
| 3 | Environmental controls over the server, fire extinguisher(s), smoke detector(s), temperature and humidity monitoring devices, uninterrupted power devices etc., shall be used to ensure that servers and other IT equipment can be function effectively as per-designed | |
| 4 | Appropriate fire suppression system (e.g. portable CO2 fire extinguisher.) is required to be equipped to protect the equipment inside the room from fire hazard | |
| 5 | Thermometer and hygrometer should be installed closely to the server rack to provide temperature and humidity status for IT personnel to regulate the temperature and humidity for the IT equipment at optimal level (i.e. recommended server room temperature range between 18 °C and 27 °C, humidity range between 40% and 60 %) | |
| Total Score in this criteria : | 0 | |