CONFIDENTIAL WHEN COMPLETED
© The IASME Consortium Ltd 2018 All rights reserved
The copyright in this document is vested in The IASME Consortium Ltd. The document must not be reproduced, by any means, in whole or in part or used for manufacturing purposes, except with the prior written permission of The IASME Consortium Ltd and then only on condition that this notice is included in any such reproduction.
Information contained in this document is believed to be accurate at the time of publication but no liability whatsoever can be accepted by any member of The IASME Consortium Ltd arising out of any use made of this information.
Compliance with this standard does not infer immunity from legal proceeding nor does it guarantee complete information security.
IASME Governance Self-Assessment Preparation
Booklet Includes Assessment against Cyber Essentials and GDPR
IASME Governance, including Cyber Essentials and GDPR compliance Self-Assessment
Version 10.8 March 2018
Introduction
This combined questionnaire explores the technical issues of the Cyber Essentials and the broader scope of the IASME Governance Standard. The European Union's General Data Protection Regulation (GDPR) requirements are also included. Based on current government guidance and policy it is likely that any organisation proposing to offer goods and services to EU member states will need to comply with the EU General Data Protection Regulation (GDPR) from May 2018. These are the questions you will be asked to complete through the online assessment platform. Questions which apply only to the IASME governance standard are in red, questions which apply only to the GDPR requirements are in blue, and all other questions apply to the Cyber Essentials requirements and are in black.
All answers are assessed. Your answers must be approved by a Board level representative, business owner or the equivalent, otherwise certification cannot be awarded. Please answer all the questions to the best of your knowledge and add brief notes with most answers.
Achieving compliance with the Cyber Essentials profile or the IASME governance standard indicates that your organisation has taken the steps set out in the HMG Cyber Essentials Scheme documents or the broader IASME governance standard. It does not amount to an assurance that the organisation is free from cyber vulnerabilities, and neither IASME Consortium Limited (as Accreditation Body) nor the Certification Body accepts any liability to certified organisations or any other person or body in relation to any reliance they might place on the certificate.
A "pass" under the GDPR assessment does not mean that you are assessed as being legally compliant. It indicates only that your organisation is starting on the pathway to compliance and is committed to ensuring 'privacy by design'.
You should ensure that your organisation obtains specialist legal advice on the GDPR as on any other data protection issue. This GDPR assessment is not legal advice and must not be relied upon as such, and IASME accepts no liability for loss or damage suffered as a result of reliance on views expressed here.
The full extent of the GDPR regime and its application post Brexit (for example) is not yet fully known, but the assessment addresses what we consider to be key elements and helps organisations demonstrate progress towards meeting the policy objectives that underpin the GDPR.
If you are awarded a certificate you will also be sent a badge to use in correspondence and publicity and must accept the conditions of use.
Further guidance on the Cyber Essentials scheme can be found at
https://www.cyberessentials.ncsc.gov.uk/requirements-for-it-infrastructure.html
Your Company
Please tell us a little about how your company is set up so we can ask you the most appropriate questions.
1. What is your organisation's name (for companies: as registered with Companies House)?
2. What is your organisation's registration number (if you have one)?
3. What is your organisation's address (for companies: as registered with Companies House)?
[Notes]
4. What is your main business?
Agriculture, Forestry and Fishing; Mining and Quarrying; Manufacturing; Electricity, Gas, Steam and Air-conditioning Supply; Water supply, Sewerage, Waste management and Remediation; Construction; Wholesale and Retail trade; Repair of motor cars and motorcycles; Transport and storage; Accommodation and food services; Information and communication; Financial and insurance; Real estate; Professional, scientific and technical; Administration and support services; Public administration and defence; Compulsory social security; Education; Human Health and Social Work; Arts, Entertainment and Recreation; Other service activities; Activities of households as employers; undifferentiated goods and services producing for households for own use; Activities of extraterritorial organisations and bodies.
[Notes]
5. What is your website address?
6. What is the size of your organisation? Based on the EU definitions of Micro (<10 employees, <€2m turnover), Small (<50 employees, <€10m turnover), Medium (<250 employees, <€50m turnover) or Large.
7. How many staff are home workers? Home workers are staff whose main work location is their home address and who work there for the majority of their time. This does not include office workers who occasionally work at home or when travelling.
Scope of Assessment
Please briefly describe the elements of your organisation which you want to certify to this accreditation. The scope should be either the whole organisation or an organisational sub-unit (for example, the UK operation of a multinational company). All computers, laptops, servers, mobile phones, tablets and firewalls/routers that can access the internet and are used by this organisation or sub-unit to access business information should be considered "in-scope". All locations that are owned or operated by this organisation or sub-unit, whether in the UK or internationally, should be considered "in-scope".
8. Does the scope of this assessment cover your whole organisation?
Please note: Your organisation is only eligible for free Cyber Insurance if your assessment covers your whole company. If you answer "No" to this question you will not be invited to apply for insurance.
[Notes]
9. If it is not the whole organisation, then what scope description would you like to appear on your certificate and website?
10. Does your organisation hold or process personal data (as defined by your country's data protection legislation)?
11. Have you completed a Data Protection Impact Assessment, or Privacy Impact Assessment, in the last 12 months?
12. Is your usage of personal data subject to the EU GDPR? If you hold and process personal data about EU citizens, you must comply with the EU GDPR wherever you are located in the world.
13. Please describe the geographical locations of your business which are in the scope of this assessment.
14. Please list all equipment which is included in the scope of this assessment (please include details of laptops, computers, servers, mobile phones and tablets).
All laptops, computers, servers and mobile devices that can access business data and have access to the internet must be included in the scope of the assessment.
[Notes]
15. Please provide details of the networks that will be in the scope for this assessment (such as office network, home offices and firewalls).
16. Please provide the name and role of the person who is responsible for managing the information systems in the scope of this assessment.
Managing Security
Please tell us about how you manage security within your organisation.
17. Please provide the name of the board member/director/partner/trustee identified as responsible for information security and data protection.
18. Is information security and data protection a standing agenda item for your Board Meetings?
19. Please provide the name and role of the person who has overall responsibility for security in your organisation. This should be a named board member or director.
[Notes]
20. Please provide the name and role of the person who has overall responsibility for data protection in your organisation. This should be a named board member or director.
21. How do you ensure that you provide sufficient funding and a suitable number of appropriately skilled staff to develop and maintain good information security?
Information Assets
Risk assessment and recovery from information and cyber security incidents both rely on having a good understanding of your key information assets. Only then can you appreciate your attack surface and what you've got to lose. The impact of any security incident will be most severe if it happens to the assets which keep the organisation going.
22. Does your organisation have up to date asset registers?
23. How does your asset management system track your own and other companies' intellectual property within your organisation?
[Notes]
24. How does your asset register track information assets (ie categories of information)? An information asset might be a set of data (for example "employee information") which will have a location attached to it (for example "the server in the HR department") and an owner (for example the "HR director").
25. Do all assets (both physical and information assets) have named owners?
26. How is removable media recorded and managed?
27. Confirm and describe how all mobile phones and tablets are tracked in the asset register, PIN or password protected, encrypted and remotely wipeable. Please describe all criteria within this question.
This can be achieved using built-in tools or additional mobile device management software.
28. Is all personal data and special category data identified (e.g. by protective marking) and properly protected? Describe how this is done.
29. How do you ensure all flows of personal and special category data are documented, including where data was obtained and all destinations of data?
[Notes]
30. Is all sensitive information identified (e.g. by protective marking) and properly protected?
31. Describe how your processes allow data subjects to request changes to incorrect data or deletion of data.
32. When assets are no longer required, is all data securely wiped from them or are the assets securely destroyed? Describe how this is done.
Special software can be used to securely wipe data and external companies can be used to provide a secure destruction service.
Cloud Services
Some organisations use public cloud services to store or share files between employees, suppliers and customers. Cloud services include Office 365, G Suite (Google Apps), Dropbox, Salesforce and Amazon Web Services (AWS).
33. Do you use a public cloud provider to store or share files and information between employees? If so, please list all providers.
34. Where is the data that is sent to a public cloud provider stored?
[Notes]
35. If you store personal data with your cloud provider, do you store any of that data outside of the European Economic Area (EEA)?
36. If yes to the above, have you obtained explicit consent from data subjects to transfer their data outside of the European Economic Area (EEA)?
37. If yes to the above, does your provider certify to an agreement such as EU-UK Privacy Shield or to other binding corporate rules that confirm the level of protection given to that data?
38. Do the public cloud providers that your organisation uses hold any recognised security accreditations?
39. Is your data encrypted before being passed between your site and the public cloud provider (ie encrypted in transit)?
40. Is your data encrypted whilst being stored or processed by the public cloud provider (ie encrypted at rest)?
[Notes]
Risk Management
It is important to identify the threats to the organisation and assess the resulting risk. The applicability of the controls to your business is determined partly by a risk assessment and partly by your risk appetite. IASME knows that too few SMEs have a formal information risk assessment, or a business risk assessment of any kind. However, they do have a keen sense of the risks and frailty of their business at board level. The organisation should create and regularly review Risk Assessments.
41. Do you have a current Risk Assessment?
42. Has your risk assessment been reviewed in the last 12 months? Who reviewed it?
43. Does the risk assessment cover the scope of this assessment?
44. Was the risk assessment approved at Board Level?
[Notes]
Data Protection
The organisation should have a policy to manage personal data as defined by your country's data protection legislation. The Information Commissioner's Office (ICO) website provides more information on this topic in the UK. Based on current government guidance and policy it is likely that any organisation proposing to offer goods and services to EU member states will need to comply with the EU General Data Protection Regulation (GDPR) from May 2018.
45. Have you put policies and procedures in place to mitigate risks to personal data?
46. Are these policies and procedures provided to all employees, required to be followed in everyday practice and linked to disciplinary procedures? How do you achieve this?
47. Is Data Protection referred to in employee contracts of employment?
48. Do policies and procedures set clear responsibilities for handling of personal data, including where appropriate reference to responsibilities held by your Data Protection Officer?
49. When your organisation collects personal data from a subject, do you clearly state what it is being collected for, how it will be processed and who will process it, and does the data subject have to provide consent for this?
[Notes]
50. Where you collect data from children do you actively seek parental consent? How do you record this?
51. Does your risk assessment cover the management of personal data or special category data?
52. What is your process for dealing with Subject Access or Data Portability requests within 30 days?
Under data protection legislation, individuals have a right to obtain a copy of the information you hold about them.
53. What is your process for correcting inaccurate records, deleting records or suspending the processing of records?
Under data protection legislation, individuals have the right to have inaccuracies corrected and may have the right to have information about them deleted from systems.
54. Do you have documented data retention periods and do these cover contractual and legal requirements?
55. Do you have documented data classification criteria?
[Notes]
56. Do you have a data protection or data privacy statement compliant with the requirements of the General Data Protection Regulation (GDPR), and does the statement provide a point of contact for data protection issues? Who is the point of contact?
57. Where you are holding data based upon the consent of the data subject, how do you record details of the consent?
58. Do you have mechanisms in place which make it easy for the data subject to remove consent for data processing, and do you ensure it is as easy to remove consent as it was for them to give it?
59. For each piece of personal information you hold, do you record the purpose for which it was obtained? Where is this recorded?
60. For each piece of personal information you hold, do you record the justification for obtaining it? Where is this recorded?
Justifications for obtaining the information might include explicit consent, contract fulfilment, performing a public function, meeting a legal requirement or another legitimate interest.
61. For each piece of special category data you hold, do you record the justification for obtaining it? Where is this recorded?
Justifications for obtaining special category (or sensitive personal) data could include specific consent, use for employment purposes or to meet a medical need.
[Notes]
62. For each piece of personal information you hold, do you record whether your organisation is the data processor or the data controller?
63. In each contract you hold with suppliers and customers involving the processing of personal data, do you confirm whether you are the data controller or data processor?
64. Where you disclose personal data to a supplier/provider, does the contract explicitly impose the obligation to maintain appropriate technical and organisational measures to protect personal data in line with relevant legislation?
People
People are your greatest allies in protecting your organisation's information. They can also present a risk because they have privileged access to information. It is important therefore to ensure that you know as much about them as possible before you employ them. This is usually done by taking up references, and in certain cases through formal vetting procedures.
It is essential that new employees are given a briefing on their corporate and security responsibilities before, or immediately after, employment. Employee contracts should also include security obligations and reminders should take place at regular intervals.
Employees with special responsibility for security, or with privileged access to business systems, should be adequately trained/qualified as appropriate. On termination of employment, user access privileges should be immediately withdrawn and the employee de-briefed on their post-employment confidentiality responsibilities.
65. Do you take up references and/or confirm employment history when employing new staff? How do you do this?
[Notes]
66. Where criminal record checks are carried out, do you ensure that explicit consent has been obtained from employees and that such checks are carried out for lawful purposes?
67. Provide the name and role of the person responsible for security and data protection training and awareness.
68. Do all staff and contractors receive regular information security and data protection training (at least annually)? Describe how this is done.
69. Do you give new employees a briefing on their corporate and security responsibilities before, or immediately after, employment, preferably reinforced by reference literature? How do you do this?
70. Do employee contracts include security obligations (such as an obligation to comply with the security policy) and are reminders given at regular intervals?
71. Are employees with responsibility for information security, or with privileged access to business systems, appropriately qualified and suitably trained?
72. On termination of employment, are user access privileges immediately withdrawn and the employee de-briefed on their post-employment confidentiality responsibilities? How do you do this?
[Notes]
Security Policy
The organisation must have an implemented security policy to match its risk profile. This is usually the ultimate responsibility of the CIO/Director.
IASME provides a model template policy which can be adapted to the individual circumstances of most organisations.
Dates for achieving objectives can be set within the policy, which should be reviewed by the Board at regular intervals, or when security incidents occur or changes in the risk landscape emerge.
73. Do you have a current Security Policy?
A Security Policy can be stand-alone or incorporated into other policy, but it should set out your objectives for managing your security.
74. Has your Policy been reviewed in the last 12 months?
75. Does the Policy cover the scope of this assessment?
76. Provide the name and role of the person who approved the policy.
77. Is there a policy review and consultation process?
[Notes]
78. Does the policy refer to Intellectual Property Rights and legal requirements?
79. Does the policy refer to personnel security?
80. Does the policy refer to asset management?
81. Does the policy refer to access management?
82. Does the policy refer to physical and environmental security?
83. Does the policy refer to computer and network security?
84. Does the policy refer to security from malware and intrusion?
85. Does the policy refer to security incident management?
[Notes]
86. Does the policy refer to business continuity measures?
87. Does the policy refer to handling personal data (and, where appropriate, reference your data protection policy)?
88. Is the policy distributed to all employees?
89. Is the security policy part of all employees' contractual obligations?
90. Do the contracts with all your suppliers ensure that they meet the requirements of your security policy around handling data and keeping information secure?
91. List any business sector-specific laws/regulations relating to risk treatment or information security which apply to your business.
92. List any UK or EU laws/regulations relating to risk treatment or information security which apply to your business.
[Notes]
93. List any other international legislation/regulations relating to risk treatment or information security which apply to your business.
94. Do you store credit card information?
95. If yes to the above, are the systems that you use to store credit card information compliant with PCI-DSS?
96. Is your business part of a public global organisation that is required to have external financial reporting?
[Notes]
Physical and Environmental Protection
Protection of your information and cyber security extends to the physical protection of information assets to prevent theft, loss, or damage and their impact on the availability of your business information and associated resources.
Usually this is no more than the common sense approach to door locks, window bars, and video surveillance etc, as dictated by the organisation's physical environment. However, in some cases, physical protection may be dictated by governmental or legal requirements.
If your equipment requires any particular working conditions – such as heating, ventilation, or air conditioning (HVAC) – be careful to maintain these within the guidelines set out by the respective manufacturers.
97. Are only authorised personnel who have a justified and approved business case given access to restricted areas containing information systems or stored data? How do you achieve this?
98. Are devices which require particular working conditions - such as heating and cooling - provided with a suitable environment within the guidelines set out by their respective manufacturers? How do you achieve this?
99. Do all business premises have effective physical protection and, if indicated by a risk assessment, surveillance and monitoring? How do you achieve this?
[Notes]
Office Firewalls and Internet Gateways
Firewall is the generic name for software or hardware which provides technical protection between your systems and the outside world. There will be a firewall within your internet router. Common internet routers are BT Home Hub, Virgin Media Hub or Sky Hub. Your organisation may also have set up a separate hardware firewall device between your network and the internet. Firewalls are powerful devices and need to be configured correctly to provide effective security. Questions in this section apply to: Hardware Firewall devices, Routers, Computers and Laptops only.
100. Do you have firewalls at the boundaries between your organisation's internal networks and the internet? You should have firewalls in place between your office network and the internet. You should also have firewalls in place for home-based workers, if those users are not using a Virtual Private Network (VPN) connected to your office network. Remember most internet routers contain a firewall.
101. When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?
102. Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?
A password that is difficult to guess will not be made up of common or predictable words such as "password" or "admin", or include predictable number sequences such as "12345".
[Notes]
103. Do you change the password when you believe it may have been compromised? How do you achieve this?
104. Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case? At times your firewall may be configured to allow a system on the inside to become accessible from the internet (such as a server or a video conferencing unit). This is sometimes referred to as "opening a port". You need to show a business case for doing this because it can present security risks. If you have not enabled any services, answer "No".
105. If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? Describe the process.
106. Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?
By default, most firewalls block all services from inside the network from being accessed from the internet, but you need to check your firewall settings.
[Notes]
107. Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?
Sometimes organisations configure their firewall to allow other people (such as an IT support company) to change the settings via the internet. If you have not set up your firewalls to be accessible to people outside your organisation, or your device configuration settings are only accessible via a VPN connection, then answer "no" to this question.
108. If yes, is there a documented business requirement for this access?
109. If yes, is the access to the settings protected by either two-factor authentication or by only allowing trusted IP addresses to access the settings? List which option is used.
110. Do you have software firewalls enabled on all of your computers and laptops? You can check this setting on Mac laptops in the Security & Privacy section of System Preferences. On Windows laptops you can check this by going to Settings or Control Panel and searching for "windows firewall".
111. If no, is this because software firewalls are not commonly available for the operating system you are using? Please list the operating systems.
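Questions 104 to 109 amount to a recurring review: every service the boundary device exposes to the internet must have a documented business case, cases must be revisited so rules are removed when no longer needed, and any remotely reachable admin interface must be protected by two-factor authentication or a trusted-IP restriction. The following script is an added example, not part of the IASME booklet, showing how that review can be run against an exported rule list and a business-case register; the `InboundRule` and `BusinessCase` structures and all rule and register data are constructed sample inputs, not a real device export.

```python
# Added example (not part of the IASME booklet): reviewing the services a
# router or hardware firewall exposes to the internet against the documented
# business cases the questionnaire asks for (Q104, Q105, Q107-Q109).
# All rule and register data below is constructed sample data.
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_network


@dataclass
class InboundRule:
    """One externally reachable service ("opened port") on the boundary device."""
    name: str
    external_port: int
    internal_host: str
    management: bool = False  # True if this exposes the device's own admin interface
    allowed_sources: list = field(default_factory=list)  # source CIDRs; empty means "any address"
    two_factor: bool = False  # admin interface protected by two-factor authentication


@dataclass
class BusinessCase:
    """Register entry recording why a rule exists and when it must next be reviewed."""
    rule_name: str
    owner: str
    justification: str
    review_by: date


def has_trusted_source_restriction(rule):
    """Q109: true only if every allowed source is narrower than 0.0.0.0/0 (or ::/0)."""
    if not rule.allowed_sources:
        return False
    return all(ip_network(src, strict=False).prefixlen > 0 for src in rule.allowed_sources)


def review_rules(rules, cases, today):
    """Return (rule name, finding) pairs for rules that fail the questionnaire's tests."""
    register = {c.rule_name: c for c in cases}
    findings = []
    for rule in rules:
        case = register.get(rule.name)
        if case is None:
            findings.append((rule.name, "no documented business case (Q104)"))
        elif case.review_by < today:
            findings.append((rule.name, f"business case review overdue since {case.review_by} (Q105)"))
        if rule.management and not (rule.two_factor or has_trusted_source_restriction(rule)):
            findings.append((rule.name,
                             "admin interface reachable from the internet without 2FA or a trusted-IP restriction (Q109)"))
    return findings


# Constructed sample export and register.
RULES = [
    InboundRule("web-server", 443, "10.0.0.5"),
    InboundRule("video-conf", 5060, "10.0.0.20"),
    InboundRule("remote-admin", 8443, "router", management=True, allowed_sources=["0.0.0.0/0"]),
    InboundRule("old-ftp", 21, "10.0.0.9"),
]
CASES = [
    BusinessCase("web-server", "IT manager", "Public website", date(2019, 1, 1)),
    BusinessCase("video-conf", "Operations", "Customer calls", date(2018, 1, 1)),
    BusinessCase("remote-admin", "IT support company", "Out-of-hours support", date(2019, 1, 1)),
]

if __name__ == "__main__":
    for name, finding in review_rules(RULES, CASES, date(2018, 3, 1)):
        print(f"{name}: {finding}")
```

Run on the sample data as of 1 March 2018 it reports three rules: the video-conferencing rule whose review date has passed, the remote-admin rule that is open to any source address without two-factor authentication, and the FTP rule with no business case at all; the web server rule passes. The review-date check is what gives Question 105 teeth: a rule with no owner willing to renew its case is the one to disable.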
[Notes]
Secure Configuration
Computers are often not secure upon default installation. An 'out-of-the-box' set-up can often include an administrative account with a standard, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications or services. All of these present security risks.
Questions in this section apply to operating systems and applications running on: Servers, Computers, Laptops, Tablets and Mobile Phones.
112. Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones? Describe how you achieve this. This includes applications, system utilities and network services.
113. Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business?
114. Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more?
115. Do all your users and administrators use passwords of at least 8 characters? A strong password is typically a mixture of at least 8 letters, numbers and symbols; the longer the better.
[Notes]
116. Do you run software that provides sensitive or critical information (that shouldn't be made public) to external users across the internet?
117. If yes, do you ensure all users of these services use a password of at least 8 characters and that your systems do not restrict the length of the password?
118. If yes, do you ensure that you change passwords if you believe that they have been compromised?
119. If yes, are your systems set to lock out after ten or fewer unsuccessful login attempts, or limit the number of login attempts to no more than ten within five minutes?
120. If yes, do you have a password policy that guides all your users? The password policy must include: guidance on how to choose non-guessable passwords, not to use the same password for multiple accounts, which passwords may be written down and where they can be stored, and if they may use a password manager.
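The password and login requirements in Questions 114, 115, 117 and 119 are concrete enough to be checked in code. The following is an added example, not code from the IASME booklet: a password acceptance check (minimum of 8 characters with no upper limit, and rejection of the common words and predictable digit runs the firewall section warns about) and a login guard that implements both halves of Question 119, locking an account after ten consecutive failures and refusing further attempts once ten have been made within five minutes. The deny-list of common words and the `LoginGuard` class are assumptions for illustration; a real deployment would use the lockout settings of its own directory or application server.

```python
# Added example (not from the IASME booklet): a password acceptance check
# matching Q114/Q115/Q117 (at least 8 characters, no length cap, not built
# from common words or predictable digit runs) and a login guard matching
# Q119 (lock after ten failures, or no more than ten attempts in five
# minutes). The deny-list of common words is a constructed sample.
from collections import deque
import re

MIN_LENGTH = 8
COMMON_WORDS = {"password", "admin", "letmein", "welcome", "qwerty"}  # constructed sample deny-list
DIGIT_RUNS = re.compile(r"0123|1234|2345|3456|4567|5678|6789")


def password_acceptable(password):
    """Return (ok, reason). There is deliberately no upper bound on length (Q117)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            return False, f"contains the common word '{word}'"
    if DIGIT_RUNS.search(password):
        return False, "contains a predictable number sequence"
    return True, "ok"


class LoginGuard:
    """Q119: lock an account after MAX_FAILURES consecutive failed logins, and
    refuse further attempts once MAX_ATTEMPTS have been made inside WINDOW_SECONDS.
    Timestamps are plain seconds so the class is easy to exercise offline."""
    MAX_FAILURES = 10
    MAX_ATTEMPTS = 10
    WINDOW_SECONDS = 300

    def __init__(self):
        self.failures = {}   # account -> consecutive failed attempts
        self.attempts = {}   # account -> deque of recent attempt timestamps
        self.locked = set()  # accounts locked until an administrator unlocks them

    def attempt(self, account, password_ok, now):
        """Record one login attempt and return its outcome."""
        if account in self.locked:
            return "locked"
        window = self.attempts.setdefault(account, deque())
        while window and now - window[0] > self.WINDOW_SECONDS:
            window.popleft()          # drop attempts older than the five-minute window
        if len(window) >= self.MAX_ATTEMPTS:
            return "rate-limited"     # refused and not counted as a failure
        window.append(now)
        if password_ok:
            self.failures[account] = 0
            return "success"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.MAX_FAILURES:
            self.locked.add(account)
            return "locked"
        return "failed"
```

Note that a rate-limited attempt is refused without being counted as a failure, so an attacker hammering an account cannot use the rate limit itself to lock a legitimate user out faster than the ten-failure rule allows; the two controls are complementary rather than redundant, which is why the questionnaire accepts either.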
121. Is "auto-run" or "auto-play" disabled on all of your systems? This is a setting which automatically runs software on a DVD or memory stick. You can disable "auto-run" or "auto-play" through control panel/system preferences.
[Notes]
Software Patching
To protect your organisation, you should ensure that your software is always up-to-date with the latest updates or "patches". If, on any of your in-scope devices, you are using an operating system which is no longer supported, e.g. Microsoft Windows XP or macOS Mountain Lion, and you are not being provided with updates from another reliable source, then you will not be awarded certification. Mobile phones and tablets are in-scope and must also use an operating system that is still supported by the manufacturer.
Questions in this section apply to: Servers, Computers, Laptops, Tablets, Mobile Phones, Routers and Firewalls.
122. Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems? Please list any operating systems that are not supported.
123. Are all applications on your devices supported by a supplier that produces regular fixes for any security problems? Please list any applications that are not supported.
124. Is all software licensed in accordance with the publisher's recommendations?
125. Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how you achieve this.
126. Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.
[Notes]
127. Have you removed any applications on your devices that are no longer supported and no longer receive regular fixes for security problems?
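Questions 122 to 127 reduce to two checks over an inventory: no in-scope device runs an operating system or application whose supplier no longer issues security fixes, and every high-risk or critical update is installed within 14 days of release. The script below is an added example, not part of the IASME booklet, that produces that report. The `Device` and `Update` structures, the unsupported-product list (which reuses the Windows XP and macOS Mountain Lion examples from the text and adds a hypothetical "LegacyViewer 2.1") and the device inventory are all constructed sample data; a real run would populate them from the organisation's asset register and patch-management tool.

```python
# Added example (not from the IASME booklet): a patch-compliance report for
# Q122-Q127. Inventory, update dates and the unsupported-product list are
# constructed sample data.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_DEADLINE = timedelta(days=14)  # Q125/Q126: high-risk or critical updates within 14 days
ACTIONABLE = ("critical", "high")    # severities the 14-day rule applies to

# Products for which no supplier issues security fixes (Q122/Q123/Q127).
# Windows XP and Mountain Lion are the booklet's own examples; LegacyViewer is hypothetical.
UNSUPPORTED = {"Windows XP", "macOS Mountain Lion", "LegacyViewer 2.1"}


@dataclass
class Update:
    component: str              # operating system, firmware or application name
    severity: str               # "critical", "high", "medium" or "low"
    released: date
    installed: Optional[date]   # None means not yet installed


@dataclass
class Device:
    name: str
    os: str
    apps: List[str]
    updates: List[Update]


def check_device(device, today):
    """Return a list of finding strings for one device (empty list = compliant)."""
    findings = []
    if device.os in UNSUPPORTED:
        findings.append(f"{device.name}: unsupported operating system {device.os} (Q122)")
    for app in device.apps:
        if app in UNSUPPORTED:
            findings.append(f"{device.name}: unsupported application {app} should be removed (Q127)")
    for u in device.updates:
        if u.severity not in ACTIONABLE:
            continue  # the 14-day rule is only for high-risk or critical fixes
        deadline = u.released + PATCH_DEADLINE
        if u.installed is None and today > deadline:
            late = (today - deadline).days
            findings.append(f"{device.name}: {u.component} {u.severity} update released "
                            f"{u.released} not installed, {late} days past the 14-day limit (Q125/Q126)")
        elif u.installed is not None and u.installed > deadline:
            late = (u.installed - deadline).days
            findings.append(f"{device.name}: {u.component} {u.severity} update installed "
                            f"{late} days late (Q125/Q126)")
    return findings


def compliance_report(devices, today):
    """Map each device name to its findings."""
    return {d.name: check_device(d, today) for d in devices}


# Constructed sample inventory.
DEVICES = [
    Device("laptop-01", "Windows 10", ["Office 2016"],
           [Update("Windows 10", "critical", date(2018, 3, 1), date(2018, 3, 10))]),
    Device("laptop-02", "Windows 10", ["Office 2016"],
           [Update("Windows 10", "critical", date(2018, 2, 1), None)]),
    Device("desktop-03", "Windows XP", ["LegacyViewer 2.1"],
           [Update("Office 2016", "high", date(2018, 2, 1), date(2018, 3, 1))]),
    Device("phone-04", "Android 8", [],
           [Update("Android 8", "low", date(2018, 1, 1), None)]),
]

if __name__ == "__main__":
    for name, findings in compliance_report(DEVICES, date(2018, 3, 15)).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

As of 15 March 2018 the sample gives laptop-01 a clean result (patched within nine days), flags laptop-02 for a critical update 28 days past its deadline, and gives desktop-03 three findings (unsupported OS, unsupported application, and an Office update applied 14 days late); the phone's outstanding low-severity update is outside the 14-day rule and is not reported.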
Operations and Management
Your organisation needs to ensure that management of computers, networks and devices is carried out in a controlled manner to ensure that changes to configuration are only implemented with authorisation. This ensures your security environment remains appropriate for the organisation.
128. Is management of computers and networks controlled using documented procedures that have been authorised? Describe how you achieve this.
129. Does the organisation ensure that all new and modified information systems, applications and networks include security provisions, are correctly sized, comply with security requirements, are compatible with existing systems and are approved before they commence operation? Describe how you achieve this.
130. Where personal data is in use, do you ensure that a privacy impact assessment is carried out for new systems and projects?
131. Are changes to information systems, applications or networks reviewed and approved? Describe the approval process.
[Notes]
132. How do you ensure that all your suppliers (including cloud providers and sub-contractors) follow information security procedures that are certified to be the same as, or more comprehensive than, the information security procedures followed by your own organisation for the data involved in that contract? An example of such certification would be an independent audit of the whole business to ISO 27001, the IASME Governance standard or Cyber Essentials.
User Accounts
It is important to only give users access to the resources and data necessary for their roles, and no more. All users need to have unique accounts and should not be carrying out day-to-day tasks such as invoicing or dealing with e-mail whilst logged on as a user with administrator privileges, which allow significant changes to the way your computer systems work.
Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones.
133. Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.
134. Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique username and password?
135. How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?
When an individual leaves your organisation, you need to stop them accessing any of your systems.
[Notes]
136. Do you ensure that staff only have the privileges that they need to do their current job? How do you do this? When a staff member changes job role you may also need to change their access privileges.
Administrative Accounts
User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When these privileged accounts are accessed by attackers they can cause the most damage because they can usually perform actions such as installing malicious software and making changes. Special access includes privileges over and above those of normal users. It is not acceptable to work on a day-to-day basis in a privileged "administrator" mode.
Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones.
137. Do you have a formal process for giving someone access to systems at an "administrator" level? Describe the process.
138. How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)?
139. How do you ensure that administrator accounts are not used for accessing email or web browsing?
140. Do you formally track which users have administrator accounts in your organisation?
141. Do you review who should have administrative access on a regular basis?
142. Have you enabled two-factor authentication for access to all administrative accounts?
143. If no, is this because two-factor authentication is not available for some or all of your devices or systems? List the devices or systems that do not allow two-factor authentication.
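One way to produce the evidence that questions 135, 140, 141 and 142 ask for is a periodic reconciliation of the directory against the HR leaver list and the register of approved administrators. The script below is an added example, not IASME tooling or part of the booklet; the CSV export, its field names and the leaver and register lists are constructed for illustration.

```python
"""Account review helper: constructed sample data, not IASME's own tooling."""
import csv
import io
from dataclasses import dataclass

# Constructed directory export; the field names are assumptions for this example.
ACCOUNTS_CSV = """username,enabled,is_admin,mfa_enrolled
alice,true,true,true
bob,true,false,false
carol,true,true,false
dave,false,false,false
eve,true,true,true
"""

# Constructed HR leaver list: people who have left and should have no access.
LEAVERS = {"bob", "dave"}

# Constructed register of administrator accounts approved under question 137.
APPROVED_ADMINS = {"alice", "eve"}


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1"}


def review_accounts(accounts_csv: str, leavers: set, approved_admins: set) -> list:
    """Return the exceptions an assessor would expect to see listed and actioned."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user = row["username"]
        enabled = _truthy(row["enabled"])
        is_admin = _truthy(row["is_admin"])
        mfa = _truthy(row["mfa_enrolled"])
        if user in leavers and enabled:  # Q135: leavers must be disabled or deleted
            findings.append(Finding(user, "leaver account still enabled"))
        if is_admin and user not in approved_admins:  # Q140/Q141: tracked, reviewed register
            findings.append(Finding(user, "administrator account not on approved register"))
        if is_admin and not mfa:  # Q142: two-factor authentication on all admin accounts
            findings.append(Finding(user, "administrator account without two-factor authentication"))
    return findings


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS_CSV, LEAVERS, APPROVED_ADMINS):
        print(f"{finding.username}: {finding.issue}")
```

Running it on the constructed data reports bob (a leaver still enabled) and carol (an administrator neither on the register nor enrolled in two-factor authentication); dave is a leaver but already disabled, so produces no finding.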
Malware protection
Malware (such as computer viruses) is generally used to steal or damage information. Malware is often used in conjunction with other kinds of attack such as 'phishing' (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to a hacker) to provide a focussed attack on an organisation. Anti-malware solutions (including anti-virus) are available from commercial suppliers, some free, but usually as complete software and support packages. Malware is continually evolving, so it is important that the supplier includes both malware signatures and heuristic detection facilities which are updated as frequently as possible. Anti-malware products can also help confirm whether websites you visit are malicious.
Questions in this section apply to: Computers, Laptops, Tablets and Mobile Phones.
144. Are all of your computers, laptops, tablets and mobile phones protected from malware by either
A - having anti-malware software installed,
B - limiting installation of applications to an approved set (i.e. using an App Store or application whitelisting), or
C - application sandboxing (i.e. by using a virtual machine)?
145. If Option A: Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access? This is usually the default setting for anti-malware software.
146. If Option A: Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?
147. If Option B: Where you use an app store or application signing, are users restricted from installing unsigned applications?
By default, most mobile phones and tablets do not allow you to install unsigned applications. Usually you have to "root" or "jailbreak" a device to allow unsigned applications.
148. If Option B: Where you use an app store or application signing, do you ensure that users only install applications that have been approved by your organisation, and do you document this list of approved applications?
149. If Option C: Where you use application sandboxing, do you ensure that applications within the sandbox are unable to access data stores, sensitive peripherals and your local network? Describe how you achieve this. If you are using a virtual machine to sandbox applications, you can usually set these restrictions within the configuration options of the virtual machine software.
Vulnerability Scanning
A vulnerability scan is a technical examination of the security status of your IT system. It can be performed by an expert or by automated tools and can help you answer, and provide evidence for, some of the following questions. Some scanning tools are even available to download for free from the internet. You can also use a continuous vulnerability scanning tool to monitor your ongoing vulnerabilities. Please note that we do not endorse any particular product.
150. When was the last time you had a vulnerability scan on your system?
151. How did you act to improve the security of your system on the basis of the scan results?
Monitoring
Monitoring can help identify suspicious activity on your systems. Know which business systems and processes you need to track and monitor for acceptable activity, according to the information security policies that you have set, and how you will identify any unacceptable activity.
152. Does the organisation regularly review event logs?
153. Is an audit trail of system access and/or data use by staff maintained and reviewed on a regular basis? Describe how you achieve this.
Backup and Restore
Key information should be backed up regularly and the backups preferably kept in a secure location away from the business premises. Restores should be tested regularly in order to confirm that the backup regime works as intended.
154. Are data stored on the business premises backed up regularly (at least weekly) and restores tested at appropriate intervals (at least monthly)?
155. Are all backups secured with an appropriate level of protection for the type of data they contain?
156. Is a backup copy held in a different physical location?
Incident Management
All organisations should have security incident management procedures to allow any incidents (such as loss of data, malware infections and phishing attacks) to be dealt with successfully. It is important that incidents are easy to report to a responsible entity without blame, and that the organisation learns the lessons from incidents.
157. Are users who install software or other active code on the organisation's systems without permission subject to disciplinary action?
158. Are all information security incidents or suspected weaknesses reported and recorded, and do you provide a method for all employees and contractors to report security incidents without risk of recrimination (or anonymously)?
159. What is your process for reporting losses of personal data to the Information Commissioner (or your national data protection authority) and the data subjects?
160. Are information security incidents investigated to establish their cause and impacts, with a view to avoiding similar events?
161. If required as a result of an incident, is data isolated to facilitate forensic examination? How is this done?
162. Is a record kept of the outcome of all security incident investigations?
Business Continuity
Plans for recovery and continuity should be drawn up and reviewed regularly, and tested in whole or in part so that participants in the plan understand their responsibilities. The aim is for the organisation to keep working through, and recover from, the effects of deliberate attack, accidental damage and natural disasters.
163. Does the organisation ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission-critical information, applications, systems and networks?
164. Does the organisation review the business continuity and disaster recovery plans at least once per year, and who is involved in the review?
165. Does the organisation exercise the business continuity and disaster recovery plans at least once per year?
Insurance
All organisations with a head office domiciled in the UK that have the whole company in scope and a turnover of <£20m get automatic cyber insurance if they achieve Cyber Essentials certification. The cost of this is included in the assessment package, but you can opt out of the insurance element if you choose. This will not change the price of the assessment package. If you want the insurance then we do need to ask some additional questions, and these answers will be forwarded to the broker. The answers to these questions will not affect the result of your Cyber Essentials assessment.
166. Is your head office domiciled in the UK and is your gross annual turnover less than £20m?
The answer to this question is just for information and, if you are eligible for the insurance and opt in, will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification.
If you have answered "yes" to the last question, then your company is eligible for the included cyber insurance if you gain certification. The cost of the insurance is included in the cost of the assessment.
167. Do you want to accept this cyber insurance? The answer to this question is just for information and, if you are eligible for the insurance and opt in, will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification.
168. What is your total gross revenue? You only need to answer this question if you are taking the insurance. The answer to this question is just for information and will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification.
169. Is the company or its subsidiaries any of the following: medical, call centre, telemarketing, data processing (outsourcers), internet service provider, telecommunications or an organisation regulated by the FCA? You only need to answer this question if you are taking the insurance. The answer to this question is just for information and will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification.
170. Does the company have any domiciled operation or derived revenue from the territory or jurisdiction of Canada and/or USA? You only need to answer this question if you are taking the insurance. The answer to this question is just for information and will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification.
171. What is the organisation's email contact for the insurance documents? You only need to answer this question if you are taking the insurance. The answer to this question will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification, and they will use this to contact you with your insurance documents and renewal information.